Predicts 2026: Evolving Threats and AI Adoption Transform Infrastructure Security

3 December 2025 - ID G00841012 - 13 min read
By Deepak Mishra, Franz Hinner,  and 1 more
The evolving threat landscape and inevitable agentic AI adoption require infrastructure security transformation. To avoid spiralling costs and critical governance failures, cybersecurity leaders must streamline existing controls and close new security gaps by deploying emerging AI security platforms.

Overview


Key Findings

  • Agentic AI is accelerating a shift where autonomous agents will soon handle repeatable tasks traditionally managed by knowledge workers. This shift exposes new attack surfaces and bypasses today’s security architectures.
  • Security teams relying on fragmented best-of-breed controls will quickly lose unified visibility and automation across discovery, access, posture, and data protection. Integrated, context-rich platforms require investments to avoid blind spots and delayed responses.
  • Agentic AI introduces advanced threats that exploit traditional endpoints, increasing the risk of privilege escalation, persistence, lateral movement, and targeted attacks, such as ransomware.

Recommendations

  • Initiate pilot deployments of agentic AI security tools at any stage of AI adoption. Prioritize solutions that provide visibility into third-party AI usage and enforce acceptable use policies. As AI initiatives expand, invest in application security to safeguard custom-built AI models, proactively identify vulnerabilities, and strengthen defenses against evolving threats.
  • Consolidate fragmented security controls by deploying integrated platforms that offer shared context across discovery, access, posture, and data protection. Start by rationalizing overlapping tools and aligning procurement with use-case-driven architecture to reduce blind spots and accelerate response.
  • Integrate workspace immutable secure endpoint (WISE) into your cybersecurity strategy by enforcing immutable baselines on AI-enabled endpoints, especially those with autonomous decision-making capabilities. Prioritize high-risk domains like IT automation and developer environments to block exploit persistence, cut remediation costs, and meet insurer and regulatory AI governance requirements.

Strategic Planning Assumptions


By 2028, supplemental agentic AI security products will be implemented for visibility and control as end-user security interactions bypass incumbent security platforms.
By 2029, organizations that integrate endpoint security tools, management processes, and operations teams will reduce incident response times by at least 40%.
By 2030, one-third of enterprises scaling agentic AI will replace legacy endpoints with immutable workspaces, cutting ransomware incidents by 70%.

Analysis


What You Need to Know

This research dissects how the rise of agentic AI will alter the rules for maintaining infrastructure security that current security tools cannot address. At the same time, companies are strengthening their defences by using workspaces that can’t be tampered with, making it much harder for attackers to break in or cause damage. Together, these trends are reshaping the future of cybersecurity. Agentic AI will bypass current control patterns, expose new threat vectors, and force organizations to rethink infrastructure security. Siloed approaches, even those successful against ransomware and lateral movement attacks today, lose effectiveness in the future as attackers pivot to find gaps in defenses. This research covers the intersection of agentic AI, workspace immutability, and cybersecurity tool consolidation, with actionable advice for organizations to address emerging opportunities and threats.

Strategic Planning Assumptions

Strategic Planning Assumption: By 2028, supplemental agentic AI security products will be implemented for visibility and control as end-user security interactions bypass incumbent security platforms.
Analysis by: John Watts
Key Findings:
  • Agentic AI transformation is still on the horizon: Gartner predicts that, by 2028, at least one-third of business decisions will be made semiautonomously or autonomously with the help of AI agents, up from less than 1% today (see Predicts 2025: AI and the Future of Work).
  • Cybersecurity teams are not ready for autonomous AI agents: These agents will bring new, uncertain threat vectors, such as indirect prompt injection, and replace many end-user interactions over existing networks directly with the organization’s applications and data.
  • Secure access service edge (SASE) and workspace security implementations primarily focus on end-user risk: Many SASE and workspace security implementations today assume that the end user orchestrates and shares data from their endpoint with various applications and services, regardless of the network to which they are connected.
  • Protocols and transaction patterns are changing: Agentic AI uses different emerging protocols with weak security controls, such as the model context protocol (MCP) and Agent2Agent (A2A) protocol from back-end services rather than endpoints, as the primary method for interacting with an organization’s networks, applications, and data.
  • Now is the time to prepare: Agentic AI is at the Peak of Inflated Expectations in 2025 (see Hype Cycle for Artificial Intelligence, 2025), providing time for infrastructure security teams to prepare once the hype fades and real use cases emerge that demand enterprise-grade security.
Market Implications:
  • Digital transformation efforts and hybrid work are no longer the primary drivers for infrastructure security teams: Agentic transformation further shifts security away from the end user and perimeter to back-end services, replacing hybrid work and cloud adoption as the organizational drivers for workspace security and SASE platforms.
  • Data loss risk rises with AI agents and diminishes for end users: In the age of agentic AI, end users will primarily interact with an agent by sending a prompt asking an AI agent to complete an objective. Agents take data submitted and input from other data sources and then autonomously decide how to complete the objective. In this scenario, end users handle less-sensitive data directly, replaced by agents making autonomous decisions about what data is required to be accessed and deciding which other agents, applications, and services need that data, increasing the risk of AI agent data leakage.
  • Generative AI security is not sufficient: Infrastructure security teams focused on securing generative AI only with workspace security, SASE, and AI usage control products are missing the bigger picture of securing a broader set of AI usage with AI security platforms (see Use an AI Security Platform to Launch Your AI Security Strategy).
  • Transaction patterns will change: Fewer transactions will occur from the endpoint, migrating to a pattern where one transaction from the endpoint directs potentially hundreds of autonomous transactions by an agent that are not included in existing end-user activity and analytics dashboards.
  • Attackers will pivot to agents as attack vectors: Without addressing agentic AI with technical controls, organizations will face increased risk of malware and data loss from attackers pivoting to take advantage of specific agentic AI attack vectors over relatively secure end users and endpoints (see How to Secure Custom-Built AI Agents).
  • Incidents and data loss will rise: Infrastructure security leaders who fail to prepare for the next major shift in how the organization operates will find they no longer have the visibility they fought so hard to gain nor the controls they believe are required to prevent attacks and stop sensitive data loss.
Recommendations
  • Invest in point solutions: Find emerging best-in-class agentic AI security offerings to address emerging agentic AI security threats to ensure that transactions remain within the visibility and control of the organization. AI agent threats and security capabilities are rapidly evolving, requiring focused innovation from agile startups.
  • Reprioritize funding to align with declining software-as-a-service (SaaS) interactions: Shift funding from best-in-class end-user and SaaS security to commoditized capabilities, and budget for best-in-class agentic AI security. Align this shift with the organization’s push to scale AI agents beyond the pilot phase, reducing the number of human interactions with SaaS and private applications.
  • Anticipate rapid mergers and acquisitions by signing short-term contracts: The startup space for agentic AI security is well-funded but fractured and rapidly evolving. Sign short-term contracts and be prepared to pivot with a goal of long-term stability in 2028 as AI agents solidify and threat vectors and controls become well understood.
  • Loosely integrate visibility between startups and platforms: Start agentic AI security by integrating with enterprise AI agents to collect transactions and share them with data sources that include end-user activity.
  • Separate data loss prevention policies from end-user controls: Implement separate data loss prevention policies and remediations that handle unique agentic AI requirements, such as enforcing sandbox execution environments and relying on intent-based policies, rather than regular expressions to prevent data loss.
Related Research:
Strategic Planning Assumption: By 2029, organizations that integrate endpoint security tools, management processes, and operations teams will reduce incident response times by at least 40%.
Analysis by: Franz S. Hinner
Key Findings:
  • Siloed endpoint and user experience management creates persistent blind spots: Organizations relying on fractured endpoint, device, and user solutions continue to suffer from fragmented visibility and delayed incident response due to the lack of common context, duplicate logging, and conflicting controls.
  • Unified architectures enable rapid, automated containment: Integration of endpoint security, management, and user experience frameworks offers a consistent telemetry pipeline, streamlining root-cause identification and accelerating automated containment workflows. This eliminates handoffs between disparate teams and tools, reducing the overall dwell time on malicious activity.
  • Forward-looking enterprises use consolidated platforms to fuse security insights with live user context: This enables faster detection, prioritization, and resolution of incidents while simultaneously advancing digital employee experience outcomes.
  • Point solutions are losing ground: The era of single-use endpoint protection, management, or user experience optimization is coming to an end as vendors consolidate capabilities into comprehensive platforms, displacing niche competitors unable to scale unified controls.
Market Implications:
  • Organizations embracing unification gain a measurable mean time to respond (MTTR) advantage: Those transitioning to unified frameworks will realize a dramatic improvement in incident detection, triage, and remediation speed compared with those with siloed approaches.
  • Prices of talent in security services will rise in proprietary platforms: The operators of siloed security services using application-specific technology will find it difficult to afford employees with niche skills and will be forced to pay premium wages. Alternatively, they can migrate to the unified user interfaces of widely used platforms that have operational training and certification pipelines in place.
  • Vendor consolidation disrupts procurement and renewal cycles, forcing tool rationalization: Buyers must anticipate aggressive bundling strategies by leading vendors, with legacy point products becoming obsolete or heavily discounted. As a result, technical teams must be prepared to fully retire and rationalize overlapping tools and point solutions.
  • Siloed organizations face increased breach risk: The organizations with siloed architecture, that is, when endpoint security, endpoint management, and digital experience platforms are not combined, face increased risks of breaches, longer periods of attacker dwells, and more costs from incidents.
  • The value of user context outweighs best-of-breed siloed technology: Unified endpoints drive a new class of “experience-aware” security controls, leveraging contextual insights for adaptive remediation, fine-grained device policy, and rapid rollback of malicious operations.
Recommendations:
  • Strongly prioritize endpoint platform unification, starting with security and management: Immediately launch cross-functional pilots that unify endpoint protection platform, unified endpoint management, and digital experience monitoring, targeting platform bundles from strategic vendors.
  • Mandate quantifiable reduction targets: Demand that security and incident response metrics include a unified MTTR, dwell time, and chart speed. Establish standardized incident response metrics at the start of each year (measured in mean time and count). Set appropriate targets for each metric, and reward security operations team members collectively through bonus incentives, where appropriate, for achieving those targets to incentivize maximizing the value of a unified platform.
  • Aggressively depreciate siloed point solutions: Set aggressive deadlines aligned with contract renewal dates to retire stand-alone endpoint security, management, and user experience products. Reallocate funding to platforms that deliver unified policy enforcement, integrated management workflows, cross-domain visibility, and automated remediation. Prioritize solutions with demonstrable interoperability across security, IT, and user experience domains.
  • Invest in automation and context enrichment: Accelerate the deployment of automated telemetry ingestion, root-cause analytics, and contextual alerting across consolidated stacks to maximize the speed and accuracy of responses.
  • Redefine roles for unified endpoint operations: Retrain or redeploy endpoint and user experience management specialists to focus on policy orchestration, automation tuning, and strategic vendor management.
Related Research:
Strategic Planning Assumption: By 2030, one-third of enterprises scaling agentic AI will replace legacy endpoints with immutable workspaces, cutting ransomware incidents by 70%.1
Analysis by: Franz S. Hinner
Key Findings:
  • Immutable workspaces neutralize persistent threats: WISE architectures eliminate certain endpoint exploits, ransomware, and privilege escalation attacks. By ensuring baseline reversion and forbidding unauthorized persistent changes, organizations can fundamentally shift endpoint security from reactive patching to preemptive immutability.
  • WISE models catalyze operational cost savings: Enterprises that implement immutable workspace design slash ongoing expenses for patch management, incident remediation, and device rebuilds, resulting in potential year-over-year reductions in total endpoint support and recovery costs of up to 30%.
  • Endpoint security strategy accelerates the transition toward prevention, as WISE environments enforce trusted states to reduce reliance on traditional endpoint detection and response workflows.
  • Material breaches accelerate the shift to a security-first culture: This drives organizations to prioritize WISE endpoints and strictly standardize approved hardware, software, and services — reducing risk and enhancing compliance.
  • WISE adoption will accelerate as regulatory bodies and cyber risk insurers increasingly mandate controls that require verifiable workspace immutability (see Gartner’s Top Strategic Predictions for 2026 and Beyond): These external pressures will compel organizations to reduce attack surfaces and operational risks, thereby redefining endpoint compliance standards for the next decade.
Near-Term Flag:
Early major enterprise deployments —
  • By the end of 2027, evidence of Fortune 500 deployments of WISE platforms, with vendor announcements spotlighting reduced ransomware risk and measurable IT support savings.
  • Industry peer groups begin sharing field-tested templates for baseline configurations and operational governance policies.
Market Implications:
  • Endpoint platform vendors must evolve to remain relevant: Organizations using a unified platform without WISE telemetry integration must invest in adding telemetry from point solutions or migrate to competing platforms that include WISE endpoints in their architecture.
  • Organizations depending on MSPs for endpoint security must review their service contracts: As they migrate to WISE endpoints, they must ensure they are not paying for endpoint monitoring, detection, and response services that are no longer needed.
  • End-user empowerment shifts in favor of stringent security: Enterprises deploying WISE tools must account for changes in end-user software deployment and management, which can create internal friction with end users to achieve the benefits of a more secure and cost-effective operating environment.
  • Insurance rates and regulatory compliance improve: Companies demonstrating verifiable workspace immutability secure reductions in cyberinsurance premiums and navigate new regulatory hurdles with greater ease than their peers, who retain traditional mutable endpoints.
  • The experience for device users radically transforms: With immutable, centrally governed endpoints, device users will experience faster troubleshooting and greater system stability, but may resent the loss of personalization and control over their workspaces.
Recommendations:
  • Initiate a rapid WISE pilot in parallel with mature endpoint management: Launch cross-departmental pilots of immutable workspace solutions to quantify risk reduction, incident savings, and employee experience impacts by 2027.
  • Aggressively renegotiate contracts with incumbent endpoint security vendors: Request strict immutability roadmaps and proof-of-value pilot support for workspace baseline locking. Use the lack of support for credible WISE migration strategies as a trigger to evaluate alternative providers and as leverage at renewal.
  • Pivot modernization funding to WISE conversion: Shift funding and staffing away from legacy endpoint remediation and signature-based detection, investing instead in preemptive workspace governance and WISE architecture deployment.
  • Anticipate and manage internal resistance and operational overhaul: The move to standardized WISE environments requires executive-led campaigns to address cultural change and greater action to standardize applications. Implement an application life cycle management system with exception-handling mechanisms to prevent job function failures and user resistance across business sectors.
  • Collaborate with insurers and regulators to turn workspace immutability into a compliance advantage: Proactively share audit-ready, immutable records to demonstrate risk reduction and negotiate lower premiums, while preparing for stricter global mandates.
Related Research:

A Look Back


In response to your requests, we are taking a look back at some key predictions from previous years. We have intentionally selected predictions from opposite ends of the scale — one where we were wholly or largely on target, as well as one we missed.
This report is too new to have on-target or missed predictions yet.

Evidence