2026: The Year Agentic AI Becomes the Attack-Surface Poster Child
As the digital landscape continues to transform, security challenges evolve accordingly. A recent readership poll highlights agentic AI risk as the top concern for 2026, with 48% of respondents believing it will represent the primary attack vector for cybercriminals and nation-state threats by year's end. This finding underscores growing unease as enterprises rapidly adopt semi-autonomous AI systems without prioritizing security.
Rik Turner, chief analyst for cybersecurity at Omdia, notes, "The expanded attack surface deriving from the combination of agents' levels of access and autonomy is a real concern. A particular worry is if we see a rush to adopt agentic AI that results in developers deploying insecure code." The rise of open source AI agents and "shadow AI" exacerbates these risks, as employees may import tools without security oversight.
Melinda Marks of Omdia adds, "AI raises the stakes because attackers use it to scale attacks, while organizations use AI to scale productivity. But agentic AI also exponentially increases attack surfaces, including non-human identities." Geoffrey Mattson, CEO at SecureAuth, cautions that the real vulnerability lies in what compromised AI agents can access. "You can't LLM your way out of an LLM problem. The enterprise AI control plane needs to shift from securing models to enforcing continuous authorization on every resource agents touch," he says.
Deepfakes: Top Social Engineering Vector for Big Targets
Nearly a third (29%) of respondents believe deepfakes will become the main social engineering method targeting Fortune 500 companies, top executives, and governments. Turner observes that deepfakes have gone mainstream in 2025, partly due to an abundance of AI-generated content that has become increasingly convincing. Deepfakes are now routine in state-sponsored campaigns like North Korea's fake worker operations, yet many enterprises lack adequate defenses.
Marks emphasizes the importance of rapid detection and response over prevention: "Attacks can and will still occur, so rapid detection and response is crucial."
Boards Recognize Cyber-Risk as a Tier 1 Operational Priority
Only 13% of respondents selected this as the most likely trend for 2026. Turner expresses doubts, questioning whether cyber-risk insurance focuses board minds or serves as a false security blanket. Amy Worley of BRG argues that agentic AI growth should elevate cyber-risk perception: "Boards under-rate the risk significantly. Autonomous AI systems with elevated privileges can turn small errors into large security events." Omdia's Marks adds that even non-AI-related outages and data loss remain major operational concerns that should command board attention.
Password Elimination & Passkey Adoption
Only 10% of respondents think password elimination and widespread passkey adoption will become the norm in 2026. Adam Etherington of Omdia calls this a big risk, as agentic systems now use API connectors, MCP, and non-human identities. He notes that CISOs are least concerned about email security and staff training—areas intimately tied to password policies. Turner acknowledges passkey momentum from tech giants like Microsoft and Google but agrees with the 90% who don't see elimination happening this year. "Whether passwords are set for the dustbin of history or retain hardy perennial status remains to be seen," he concludes.
Source: Dark Reading News