“The only constant is change.” — Heraclitus

The landscape of cybersecurity is perpetually changing. Faced with emerging technologies and evolving threats, organizations can never stand pat or let their guard down. As we head into 2026, the convergence of advancing AI, evolving regulations, and sophisticated attack vectors presents both unprecedented challenges and remarkable opportunities.

We sat down with Black Duck’s Chief Product and Technology Officer Dipto Chakravarty to discuss navigating this dynamic terrain. A visionary leader in AppSec and secure software development, Dipto shares his expert predictions on how the above forces will impact organizations, the critical shifts we can expect in vulnerability management, the strategic importance of talent, and the steps that leaders must take to stay ahead.


What’s the one AppSec norm that you expect to be disrupted in 2026—and what should engineering and security leaders do to stay ahead of it?

“The traditional approach to vulnerability management and security testing will certainly be disrupted, primarily driven by the increasing adoption of AI in cybersecurity. The old software world is gone, giving way to a new set of truths defined by AI. AI will significantly alter how organizations identify and mitigate vulnerabilities, becoming both a tool for attackers and defenders. Threat actors will leverage AI to automate and scale attacks, while defenders will use AI to enhance detection and response capabilities.

“Organizations will need to invest in AI-driven vulnerability scanning and predictive analytics to stay ahead of emerging threats. AI-powered security tools will enable security teams to analyze vast amounts of data, identify patterns, and predict potential threats before they materialize.

“The role of AI in AppSec will be transformative, and organizations that fail to adapt risk being left behind. As AI continues to evolve, it's essential for security leaders to prioritize AI-driven security measures and invest in the necessary skills and technologies to stay ahead of the threats.”

What regulatory or geopolitical shift do you believe will most impact open source software usage, software supply chain security, or AppSec practices in 2026?

“One regulatory shift expected to significantly impact open source software usage and software supply chain security is the continued rollout and enforcement of cybersecurity regulations and standards, particularly those related to AI and supply chain security.

“The European Union's push for greater sovereignty over its digital resources and services, as well as the implementation of acts like the EU AI Act, will likely have far-reaching implications for organizations operating within or with the EU. Moreover, recent cybersecurity executive orders in the U.S. have targeted quantum computing, AI, and supply chain security, indicating a growing regulatory focus on these areas.

“The increasing adoption of AI in cybersecurity will be a double-edged sword, bringing both enhanced defensive capabilities and new attack vectors. Organizations will need to navigate these changes while ensuring compliance with evolving standards like NIST SP 800-218.

“To stay ahead, engineering and security leaders should prioritize AI-driven security measures, enhance software supply chain security practices, and invest in the necessary skills and technologies to address emerging threats. By doing so, organizations can build a more resilient security posture and improve their ability to detect and respond to emerging threats.”

What emerging technology (beyond GenAI) do you believe will gain real traction in secure software development or supply chain integrity next year?

“Agentic AI, which involves autonomous systems capable of complex decision-making and adaptation, is expected to transform various industries. In secure software development, agentic AI can enhance security by autonomously detecting and responding to threats in real time.

“With the advent of quantum computing, the need for quantum-resistant cryptography is becoming increasingly critical. Organizations must begin transitioning to cryptographic systems that can withstand quantum attacks. This involves identifying and classifying high-value, long-term sensitive data and evaluating vendor quantum-resistance. Post-quantum cryptography (PQC) is emerging as a critical technology to safeguard data infrastructure. The European Union has already initiated a coordinated effort for Member States to transition to PQC by 2030, highlighting its importance. Organizations should begin transitioning to PQC standards, auditing their cryptographic assets, and investing in future-proof security frameworks.

“Edge AI (processing data locally on devices) will enhance real-time decision-making and reduce latency. Neuromorphic computing, inspired by the human brain, will further advance edge AI capabilities, making devices more efficient and adaptive.”

What were some of the most common challenges you saw with customers in 2025 related to secure development?

“I observed that customers in 2025 continued to grapple with several key challenges related to secure development. The evolving threat landscape, driven by advancements in AI and Generative AI, has significantly impacted secure development practices.

“One of the primary concerns is the increasing sophistication of AI-enabled attacks, making it essential for development teams to integrate robust security measures into their workflows.

“Additionally, securing AI systems across their life cycle is another critical challenge. This involves not only developing AI software securely but also protecting AI models and large language models from vulnerabilities such as data poisoning and prompt injection attacks. Traditional security measures, including monitoring, logging, and intrusion detection, are also crucial in managing AI systems.

“Supply chain attacks remain a significant threat. The compromise of software components, whether open source or commercial, can have far-reaching consequences. Organizations must prioritize managing and monitoring software supply chain risks, including the use of Software Bills of Materials and rigorous patch management.

“The proliferation of regulatory requirements around cybersecurity adds another layer of complexity. Organizations must navigate a fragmented landscape of regional and global compliance requirements, making it challenging to maintain compliance and ensure the security of their development processes.”

What talent or workforce trend do you expect to define competitive advantage in AppSec or secure software engineering in 2026?

“I anticipate that the talent or workforce trend that will define competitive advantage in AppSec or secure software engineering in 2026 is the ability to effectively leverage AI and machine learning security capabilities. The increasing sophistication of AI-enabled attacks and the growing importance of securing AI systems will require organizations to invest in talent with expertise in AI governance, AI security, and machine learning.

“Professionals who can develop and implement AI models and algorithms, as well as secure AI systems, will be in high demand. As cloud usage continues to grow, expertise in cloud security will become increasingly important. Knowledge of Zero-Trust implementation will be crucial in protecting against identity-based attacks.”

What’s one risk area in the software development life cycle that leaders are underestimating heading into 2026, and what’s your advice for mitigating it?

“The security risks associated with AI systems. While organizations are rapidly adopting AI technologies, many are not adequately addressing the unique security challenges these systems present. AI models can be vulnerable to attacks such as data poisoning, model inversion, and evasion attacks. The complexity of AI models can make it difficult to understand their decision-making processes, making it challenging to identify potential security risks. Additionally, AI systems require specialized testing and validation to ensure they are functioning as intended and are secure.

“To mitigate these risks, leaders should establish clear policies and guidelines for the development and deployment of AI systems, including requirements for security testing and validation. Leverage tools and technologies specifically designed to secure AI systems, such as those that provide model explainability and vulnerability detection. Invest in training and reskilling programs to develop the necessary expertise to secure AI systems.”

How do you expect AI agents or autonomous systems to reshape secure coding, vulnerability management, and developer workflows in the next year?

“When it comes to secure coding, AI-powered tools will become more prevalent in code review processes, helping to identify potential security vulnerabilities earlier in the development life cycle. AI-driven systems will be able to suggest and even implement fixes for common security issues, reducing the burden on developers.

“In terms of vulnerability management, AI agents will analyze codebases and predict potential vulnerabilities, enabling proactive measures to mitigate risks. Autonomous systems will streamline patch management by identifying, testing, and deploying patches more efficiently.

“For development workflows, AI will integrate into development environments to provide real-time feedback, suggestions, and automations, enhancing developer productivity and security. AI will facilitate the shift-left approach by embedding security checks and balances earlier in the development process.”

What’s one bold move you think more companies should make in 2026 to strengthen their application security posture, even if it feels uncomfortable or disruptive?

“Adopt a comprehensive, AI-native application security testing (AST) strategy that integrates with their existing DevSecOps pipelines. This involves leveraging tools to identify vulnerabilities, predict threat vectors, and automate remediation efforts. Utilize tools that employ AI to detect complex vulnerabilities and predict potential threats. Integrate AST tools with existing development and security pipelines to ensure continuous feedback. Implement automated remediation processes to address identified vulnerabilities, reducing the risk window.”

AppSec non-negotiables for 2026

As Dipto Chakravarty makes clear, 2026 will be a pivotal year. AI’s influence will pervade every facet of cybersecurity—from enhancing defensive capabilities to presenting new attack surfaces. Three non-negotiables stand out: Organizations must

· Proactively embrace AI-driven security measures
· Fortify their software supply chain practices
· Cultivate a workforce equipped with advanced AI and machine learning security expertise

The regulatory tides, particularly around AI and supply chain security, demand vigilance. By integrating AI into development workflows and adopting a comprehensive AI-driven AppSec strategy, organizations will actively shape a more resilient and secure digital future.
