New Delhi – Chief information security officers (CISOs) and global cybersecurity and risk leaders are expected to face heightened challenges in 2026 as artificial intelligence, quantum computing and government regulations reshape the security landscape, according to research firm Forrester.
In its annual report, Predictions 2026: Cybersecurity and Risk, Forrester outlined major developments likely to influence enterprise security, risk and privacy strategies over the next year. The report, authored by Paddy Harrington, Allie Mellen, Cody Scott, Erik Nost, Jeff Pollard and other analysts, warned that the growing adoption of autonomous AI systems, referred to as agentic AI, will increase the likelihood of public data breaches.
Since generative AI was launched in 2022, several incidents have affected the integrity or availability of sensitive data. Forrester forecasts that in 2026, systems using agentic AI to automate workflows could cause breaches if they operate without proper security controls. The report advises enterprises to implement frameworks that secure intent, control identity and access, and track data provenance. Without such measures, organisations may respond to failures by attributing blame to employees, even when incidents are the result of systemic issues, Forrester said.
Government intervention in telecom infrastructure
The report also predicts that at least five governments will impose restrictions or nationalise critical telecommunications infrastructure. Forrester cited the Salt Typhoon cyberespionage campaign, which compromised more than 600 organisations across 80 countries, as evidence of the vulnerability of commercial telecom networks.
Governments are taking steps to strengthen oversight. Australia has expanded reforms under its Security of Critical Infrastructure Act, Italy has restructured Telecom Italia’s network while planning satellite communications projects, and the United States has prohibited Chinese and Russian ownership of subsea cables.
Forrester emphasised that the growth of low-Earth orbit satellites and the increasing number of internet of things devices introduces new attack surfaces. CISOs are advised to enhance continuous monitoring of critical systems and implement real-time controls.
European Union to expand vulnerability management
Another prediction relates to the European Union establishing its own known exploited vulnerability database. The EU Vulnerability Database, launched in 2025, aggregates information from existing feeds such as the US-managed Common Vulnerabilities and Exposures list.
Forrester expects the EU to expand the database and improve its speed and coverage, surpassing the capabilities of the US Cybersecurity and Infrastructure Security Agency. Analysts said that unified EU regulations, including the Cyber Resilience Act and NIS2 directive, will allow for faster disclosure and coordination of vulnerabilities.
The report recommends that organisations review how vendors track and report known exploited vulnerabilities and adjust security processes accordingly.
Quantum computing and security spending
Forrester projects that quantum computing will significantly influence enterprise budgets. Commercial quantum machines are expected to become capable of breaking existing encryption within a decade. By 2026, companies are likely to allocate more than five per cent of their IT security budgets to quantum security measures.
The report highlights several areas of investment, including cryptographic migration planning, replacing legacy encryption libraries, monitoring vendor readiness, and piloting cryptographic agility tools. While sectors such as banking and critical infrastructure are most exposed, all enterprises will need to consider quantum security.
Mergers and acquisitions in cybersecurity
The report also highlighted industry consolidation, predicting that an ageing IT services provider will acquire a struggling cybersecurity firm in a bid to reposition itself as a security-focused enterprise.
Forrester warned that legacy infrastructure, talent attrition and platform misalignment could undermine the value of such mergers. Customers may experience service instability, while competitors with modern, cloud-native security platforms are expected to continue outpacing the merged entity.
Implications for Indian enterprises
While the Forrester report is global in scope, its findings are relevant for Indian organisations, which increasingly rely on digital infrastructure and cloud services. The adoption of AI in customer-facing workflows, combined with the expansion of IoT and satellite networks, introduces new risks that Indian enterprises must address.
Regulatory developments in Europe and the United States, including vulnerability disclosure requirements and restrictions on foreign telecom ownership, could affect multinational companies operating in India. Forrester recommended that CISOs implement frameworks for continuous monitoring, evaluate vendor readiness for emerging standards, and prioritise investments in both AI security and quantum-resilient encryption.
Strategic recommendations
Forrester advised organisations to take a proactive approach to emerging cybersecurity risks, particularly those arising from artificial intelligence. Companies should secure autonomous AI systems, monitor agent activity closely, and implement safeguards to prevent breaches or operational failures. Enterprises are also encouraged to strengthen monitoring and control of critical telecom and infrastructure networks to mitigate risks posed by cyberattacks and regulatory interventions.
The firm further recommended that organisations align with regional vulnerability disclosure practices and maintain oversight of vendor compliance. Security teams should increase investments in quantum security and plan for cryptographic migration to address future threats. In addition, Forrester cautioned enterprises to carefully assess risks associated with mergers and acquisitions, focusing on integration capability and service stability to avoid operational disruptions.
The report emphasised that by 2026, cybersecurity will not only be a technical challenge but also a strategic concern, influenced by geopolitics, regulation and rapid technological change.
