Lesson #2: AI Is Creating a Governance Challenge, Not Just a Technology Challenge

No topic received more attention throughout the Summit than artificial intelligence. AI influenced nearly every conversation, from security operations and identity management to software development, risk management, and enterprise architecture.

Yet one of the most interesting observations from the week was that the hardest AI problems are not technical.

They are governance problems.

Many organizations are rapidly adopting AI capabilities without fully understanding how to govern them. New AI-powered features are appearing across productivity suites, development platforms, security tools, business applications, and cloud services. In many cases, the technology is advancing faster than policies, processes, and governance frameworks can adapt.

The discussions around agentic AI were particularly revealing. Unlike previous generations of software, AI agents may eventually perform tasks, make decisions, interact with systems, and execute actions with varying degrees of autonomy. This raises entirely new questions regarding accountability, oversight, access control, and risk ownership.

Josh Woodruff’s work around agentic AI and Zero Trust helped frame several of these discussions. Participants repeatedly returned to questions that organizations are only beginning to answer. Who owns the decisions made by autonomous systems? How should access be governed when non-human actors begin operating at scale? How do organizations establish accountability when AI systems are embedded across business processes?

These concerns extend beyond technology implementation. They strike at the heart of governance itself.

Many organizations already struggle to manage human identities and access rights. The emergence of potentially thousands of AI agents, service accounts, machine identities, and autonomous processes threatens to introduce complexity at a scale that exceeds traditional oversight models. As one executive observed during our luncheon discussions, there may soon be no single person capable of exercising meaningful judgment across the entire ecosystem of identities and entitlements operating within a large enterprise.

The challenge is not whether organizations will adopt AI. Most already are. The challenge is whether governance models can evolve quickly enough to maintain trust, accountability, and control.

Lesson #3: Resilience Has Replaced Prevention as the Measure of Success

Perhaps the most important strategic shift discussed throughout the Summit was the growing recognition that resilience matters more than prevention.

For decades, cybersecurity programs have largely been evaluated based on their ability to stop attacks. The assumption was straightforward: if attackers gained access, security had failed.

That perspective is changing.

Across Gartner sessions, analysts repeatedly emphasized resilience, recovery, adaptability, and operational continuity. Similar themes emerged during both executive luncheons. Security leaders increasingly recognize that highly interconnected digital environments make perfect prevention unrealistic. Cloud services, supply chains, third-party platforms, remote workforces, AI ecosystems, and software dependencies have fundamentally changed the nature of enterprise risk.

Gary Barlet articulated this concept particularly well during our executive discussion on Zero Trust. Rather than asking whether an organization will be breached, he challenged participants to focus on what happens after compromise occurs. Can attackers move laterally? Can they reach critical assets? Can they disrupt operations? Can they create material business harm?

These questions represent a significant evolution in cybersecurity thinking.

The objective is no longer to prevent every incident. The objective is to ensure that inevitable incidents do not become existential business events.

This shift also aligns closely with Gartner’s broader discussions around cyber resilience and the concept of “cyber regret.” As security investments continue to grow, boards are becoming less interested in activity metrics and more interested in outcomes. They want to understand whether the organization can continue operating during a crisis, protect critical assets, recover quickly, and maintain stakeholder confidence.

In many respects, resilience is becoming the new language of cybersecurity leadership. It is also becoming the language that executive teams and boards understand most clearly.

Lesson #4: Trust Has Become Cybersecurity’s Hardest Problem

One of the most fascinating discussions of the week emerged during our healthcare executive luncheon. While the conversation initially focused on third-party risk management, it quickly evolved into something much broader.

The underlying issue was trust.

Organizations today rely on an extraordinary number of systems, vendors, platforms, service providers, cloud environments, AI models, software libraries, and supply chain partners that they do not directly control. As these dependencies increase, so does uncertainty.

Traditional assurance mechanisms are beginning to show their limitations. Certifications, questionnaires, assessments, and audit reports remain valuable, but many leaders no longer view them as sufficient evidence of security. Incidents involving trusted vendors have reinforced the reality that compliance does not necessarily equal resilience.

As a result, organizations are increasingly shifting from a model of assumed trust to a model of validated trust.

This evolution is visible in growing interest around Software Bills of Materials (SBOMs), AI Bills of Materials, continuous monitoring programs, supply chain transparency initiatives, and risk quantification efforts. Security leaders are no longer asking only whether visibility exists. They are asking how to operationalize that visibility and transform it into actionable decision-making.

Healthcare provides a particularly compelling example. Hospitals and healthcare systems often depend on medical devices, clinical systems, and operational technologies that cannot be upgraded or replaced easily. In those environments, leaders frequently rely on compensating controls, segmentation, monitoring, and governance rather than technological perfection.

Yet the broader lesson applies to every industry.

The defining cybersecurity challenge of the next decade may not be protecting systems we control. It may be establishing confidence in systems we do not.

Lesson #5: Adaptability Is Becoming the Ultimate Security Capability

The final lesson emerged from nearly every conversation, regardless of topic. As ever, The pace of change is accelerating. {I know, we ALWAYS say this!] 

Artificial intelligence is evolving at extraordinary speed. Regulatory expectations continue to expand. Threat actors constantly adjust tactics. Business models are changing. Technology architectures are becoming increasingly dynamic and interconnected.

In this environment, long-term certainty is becoming increasingly difficult to achieve.

Several Gartner analysts emphasized the importance of agility, continuous learning, adaptive planning, and organizational flexibility. Similar themes appeared in discussions regarding cybersecurity architecture, workforce development, AI adoption, risk management, and governance.

What became increasingly clear is that adaptability may become the most important capability a cybersecurity organization can develop.

Historically, many security programs were built around stability. Leaders established multi-year roadmaps, implemented long-term initiatives, and optimized around predictable operating environments.

Today’s environment is different.

Organizations must increasingly assume that conditions will change faster than plans can be updated. This requires a different mindset. Security leaders must become comfortable making decisions with incomplete information. Organizations must develop governance structures capable of adapting to changing circumstances. Teams must learn continuously rather than periodically. The future will not reward organizations simply for building stronger defenses. It will reward organizations that can learn, adapt, recover, and evolve faster than the risks surrounding them.

Final Thoughts

Reflecting on the week in National Harbor, I was struck by how frequently conversations returned to the same underlying themes despite covering very different subjects.

Artificial intelligence dominated the agenda. Discussions of non-human identities, agentic systems, Zero Trust, cyber resilience, post-quantum readiness, third-party risk, and board governance appeared throughout the event.

Yet beneath all of those conversations was a deeper reality.

• The future of cybersecurity is increasingly about leadership.
• It is about governance.
• It is about trust.
• It is about resilience.

And perhaps most importantly, it is about helping organizations navigate uncertainty.

The technologies will continue to evolve. New threats will emerge. Regulations will change. Business priorities will shift. The security leaders who thrive in that environment will not necessarily be those with the most tools or the largest budgets. They will be the leaders who can communicate risk effectively, build resilient organizations, establish trust where direct control is impossible, and help businesses adapt faster than the world around them changes.

If the Gartner Security & Risk Management Summit 2026 revealed anything, it is that the future CISO will not simply be responsible for cybersecurity. The future CISO will increasingly help define how organizations govern innovation, manage uncertainty, and build confidence in an increasingly complex digital world.