The regulatory landscape shifted in 2025 faster than most security programs could adapt. State privacy laws multiplied. CMMC enforcement moved from theoretical to contractual. AI tools appeared in workflows before governance frameworks existed to contain them. As we move into 2026, executives face a threat and compliance environment that demands different questions in the boardroom and different capabilities in the security program.

This isn't a predictions piece. I'm writing this from what I'm seeing now in engagements across healthcare, defense contractors, and regulated technology companies. The patterns are already visible. The question is whether your organization is positioned to respond.

AI-Driven Attacks Are No Longer Theoretical

We've spent two years talking about AI as a security risk. In 2026, the conversation ends and the measurement begins. Threat actors are using large language models to write more convincing phishing emails, generate polymorphic malware, and automate reconnaissance at scale. The sophistication gap between nation-state capabilities and commodity cybercrime tools is narrowing.

What concerns me more is the speed. An attacker can now iterate through social engineering approaches, test defenses, and adapt tactics in the time it used to take to launch a single campaign. Traditional security awareness training—the kind built on recognizing suspicious email patterns—struggles when those patterns change hourly.

The defensive response can't be more training. It has to be architectural. Organizations that still rely on email as an unauthenticated communication channel for sensitive requests are accepting risk that was manageable five years ago but isn't today. Multi-channel verification for financial transactions, separation of communication and execution pathways, and assume-breach architectures matter more in 2026 than another phishing simulation.

I'm also seeing boards ask better questions. Not "do we have AI security tools?" but "what attack vectors does AI enable that we weren't exposed to last year, and how have our controls adapted?" That's the right frame.

Regulatory Convergence Creates Compliance Leverage

For years, compliance programs treated each framework as a separate effort. HIPAA over here, CMMC over there, state privacy laws in another corner. That model is breaking down, and it's creating opportunity for organizations that recognize the shift.

The control requirements across modern frameworks are converging around common themes: data inventory, access controls, vendor management, incident response, evidence retention. A well-structured compliance program in 2026 builds a control foundation that satisfies multiple regimes simultaneously, then layers the framework-specific requirements on top.

This matters for resource allocation. I've watched companies staff separate teams for HIPAA, for NIST 800-171, for state privacy compliance. The inefficiency is staggering. The better approach maps common controls once, implements them to the highest standard required by any applicable framework, and manages the delta as exceptions rather than building parallel programs.

The State Privacy Law Inflection Point

In 2026, we're past the point where you can ignore state privacy laws if you're not a California company. Seventeen states now have comprehensive privacy statutes. The compliance threshold isn't whether you have California customers—it's whether you process personal data at scale in any consumer-facing capacity.

The pattern I see in organizations getting this right: they're not implementing seventeen separate programs. They're identifying the most restrictive requirements across all applicable laws, building to that standard, and documenting where specific state rules require additional controls. It's the same approach that worked for GDPR compliance, applied domestically.

What's not working: treating privacy as a legal problem rather than an operational one. Privacy compliance in 2026 requires data governance infrastructure, not just updated terms of service. If your organization can't produce a data inventory, map processing activities to legal basis, or operationalize deletion requests, you're not compliant in any meaningful sense regardless of what your privacy policy says.

Speaking on Cybersecurity Trends for Executive Audiences

Carl delivers keynotes on regulatory compliance, cybersecurity strategy, and emerging risk for boards, executive teams, and industry conferences. His presentations translate technical complexity into strategic clarity for decision-makers who need to act, not just understand.


Supply Chain Exposure Is Your Exposure

Third-party risk moved from compliance checkbox to board-level concern after SolarWinds, and it's staying there. In 2026, the question isn't whether to assess vendors—it's whether your assessment process actually reduces risk or just generates documentation.

I see two problems recurring across industries. First, questionnaires that ask the wrong questions. Vendor security assessments still focus heavily on whether controls exist rather than whether they're effective. A vendor can have an incident response plan and still take 90 days to notify you of a breach. The plan's existence doesn't protect you.

Second, annual assessment cycles that don't match the pace of risk. A vendor's security posture can deteriorate significantly between annual reviews. Organizations serious about third-party risk in 2026 are supplementing periodic assessments with continuous monitoring: tracking vendor breach disclosures, monitoring security posture ratings, requiring notification of material security changes.

AI Vendors Require Different Questions

The explosion of AI tooling introduced a vendor category most procurement and risk teams weren't prepared to evaluate. Traditional vendor questionnaires don't address the right risks. You need to understand training data provenance, model transparency, bias testing, data retention policies for inputs, and whether the vendor is using your data to improve their models.

For healthcare organizations, the question of whether AI vendors need to sign a business associate agreement creates genuine complexity. The answer depends on what data flows to the tool and how the vendor uses it. I've reviewed AI vendor contracts where the terms of service directly contradicted what the sales team promised about data handling. Due diligence matters more, not less, when the technology is new.

Defense contractors face similar challenges with ITAR and CUI restrictions. Many AI platforms use cloud infrastructure that doesn't meet the compliance requirements for controlled data. Using an AI coding assistant on a project involving ITAR technical data creates export control violations if the vendor's architecture doesn't provide adequate separation. These aren't theoretical risks—I'm seeing audit findings on exactly this issue.

The vCISO Model Meets Executive Security Demand

The market for fractional CISO services accelerated in 2025 and shows no signs of slowing. Organizations that don't have the budget, volume of work, or risk profile to justify a full-time security executive still need strategic security leadership. The gap between what a consultant provides and what a full-time executive delivers created space for the vCISO model.

What changed in the last year is executive recognition that cybersecurity is a leadership function, not just a technical one. Boards are asking for security updates. Contracts require specific security certifications. Cyber insurance underwriters want to talk to whoever owns the security program. Organizations realized that delegating security to IT without executive-level ownership creates blind spots that show up at the worst possible times.

The decision between vCISO and full-time CISO comes down to organizational maturity, risk profile, and resource availability. A company pursuing CMMC certification for the first time benefits from someone who has built assessment-ready programs before. A healthcare organization implementing its first comprehensive HIPAA compliance program needs leadership that understands both security controls and regulatory interpretation. In both cases, interim or fractional leadership can deliver better outcomes than promoting an IT manager who has never built a compliance program from scratch.

The value proposition is straightforward: you get experience that would take a full-time hire years to develop, applied to your specific context, without the overhead of a full-time executive salary. The limitation is capacity—a fractional CISO can provide strategy, program design, and oversight, but not 40 hours a week of execution. Organizations that succeed with the model understand that distinction going in.


Audit Readiness Separates Mature Programs from Paper Programs

I can tell you within the first hour of an engagement whether an organization has a compliance program or just compliance documentation. The difference shows up when someone asks for evidence. Mature programs produce requested evidence in minutes because the controls are operationalized and the evidence is systematically retained. Paper programs scramble to assemble evidence retroactively, and the gaps become obvious.

In 2026, the stakes for that distinction are higher. CMMC assessments don't accept "we do this but didn't document it." HIPAA audits expect evidence retention that demonstrates consistent implementation over time, not point-in-time compliance. State privacy laws require documentation of data processing activities and legal basis determinations before processing begins, not when the regulator asks.

Building for audit readiness means treating evidence generation as a byproduct of normal operations rather than a separate compliance activity. When access reviews happen quarterly and produce documented evidence each time, you have an audit trail. When they happen on demand before an assessment, you have a gap. The control might be the same, but the maturity level is different.

The pattern that works: automated evidence collection where possible, standardized documentation templates for manual activities, centralized evidence repositories with retention schedules tied to regulatory requirements. This isn't complicated, but it requires discipline and executive support for the time investment up front.


Cybersecurity Belongs in Business Conversations, Not Just IT Meetings

The organizations managing cybersecurity risk effectively in 2026 stopped treating it as an IT problem years ago. Security decisions affect revenue, contract eligibility, insurance costs, and regulatory liability. Those are business outcomes, and they require business-level visibility and decision-making.

I've written before about why cybersecurity belongs in the boardroom, and the trend is accelerating. Boards are asking for regular security updates, not just breach notifications. They're reviewing cyber insurance coverage as part of enterprise risk management. They're evaluating security maturity as part of M&A due diligence. In regulated industries, they're personally liable for certain compliance failures.

This creates pressure on CISOs—fractional or full-time—to translate technical risk into business language. Telling the board that you've implemented multi-factor authentication doesn't communicate risk reduction unless you explain what attack vectors it closes and what business impact those attacks could have had. The skill set required to be effective in the role is shifting from purely technical to hybrid technical-strategic.

The CEO's Role Matters More Than the CISO's

Here's what I tell executives: the CISO's effectiveness is capped by the authority and resources the organization provides. A strong CISO with no budget, no executive support, and no enforcement authority can't secure the organization. A mediocre CISO with engaged executive leadership, adequate resources, and cultural support for security can.

The CEO's role in cybersecurity is setting the tone that security is a business priority, ensuring the security function has the resources to operate effectively, and holding business units accountable for following security policies. When the CEO communicates that security requirements apply to everyone including executives, behavior changes. When security is framed as an IT problem that gets in the way of business objectives, you get shadow IT, policy circumvention, and preventable breaches.

The Defense Industrial Base Faces a Compliance Reckoning

CMMC moved from proposed rule to contract requirement in 2024, and 2026 is the year it hits the supply chain at scale. Prime contractors are flowing down cybersecurity requirements to subcontractors who have never had to demonstrate compliance at this level. Many smaller defense contractors are discovering that the informal security practices that were acceptable for years no longer satisfy contractual obligations.

The challenge isn't just achieving compliance—it's doing so in a way that doesn't price you out of defense work. CMMC compliance cost and timeline vary dramatically based on current security posture and organizational complexity. A small engineering firm with 15 employees and no existing compliance program faces a very different path than a 200-person manufacturer with an established IT infrastructure.

What I'm seeing succeed: early scoping to understand which CMMC level applies and what CUI actually exists in the environment, investment in foundational controls before attempting assessment, and realistic timelines that account for cultural change and process implementation, not just technical controls. What's not working: treating CMMC as a checklist exercise that can be completed in 90 days, or assuming certification is a one-time event rather than an ongoing compliance obligation.

Supply Chain Implications Beyond CMMC

The broader pattern is primes requiring supply chain security regardless of whether CMMC formally applies to a specific contract. The security expectations that CMMC codified are becoming table stakes for defense work. Small contractors without compliance programs are finding themselves excluded from bidding opportunities or facing pressure to achieve certification to remain eligible.

This creates a competitive advantage for companies that invested in compliance early. CMMC as revenue protection isn't a theoretical concept—it's the difference between keeping existing contracts and losing them to competitors who can demonstrate required security maturity. For companies entering the defense market, understanding DoD contractor cybersecurity requirements is a prerequisite for business development, not something to figure out after you win a contract.

AI Governance Is No Longer Optional

Organizations deployed AI tools throughout 2024 and 2025 faster than they built governance frameworks to manage them. That gap creates liability. We're seeing the first generation of regulatory guidance, litigation, and enforcement actions around AI use. The EU AI Act took effect with extraterritorial reach. State-level AI regulation is emerging. Sector-specific guidance is coming from healthcare regulators, financial services regulators, and others.

The pattern across frameworks: requirements for transparency, bias testing, human oversight, data governance, and documentation of AI system design and deployment decisions. Organizations without AI governance frameworks in place are operating in a compliance gap that's closing rapidly.

Building an effective AI governance framework starts with inventory. You can't govern what you don't know exists, and shadow AI is pervasive. Employees are using AI tools for everything from customer communication to code generation to clinical documentation. Some of those use cases create regulatory risk, competitive risk, or data exposure risk. Others are low-risk productivity gains. The governance framework needs to distinguish between them.

From there, the components are familiar to anyone who has built a data governance or IT governance program: classification of AI systems by risk level, approval workflows for high-risk deployments, standards for bias testing and monitoring, incident response procedures for AI failures, and documentation requirements that support audit and legal defensibility.

What's different from traditional technology governance: the pace of change. AI capabilities evolve monthly, not annually. A governance framework that requires six months of review before approving any AI tool will fail because business units will bypass it. The framework has to be risk-based and agile enough to keep pace with the technology while maintaining appropriate oversight.

What This Means for Executive Decision-Making

The cybersecurity trends for 2026 that matter at the executive level aren't about specific technologies or threat actor tactics. They're about structural shifts in the risk environment that require different organizational capabilities and different resource allocation.

AI changes both the attack surface and the defensive toolkit. Regulatory frameworks are converging in ways that reward integrated compliance programs and punish siloed approaches. Supply chain risk requires active management, not periodic questionnaires. Security leadership is a business function that needs to be staffed at the appropriate level for organizational risk and maturity. Audit readiness separates real programs from documentation exercises. And AI governance is moving from emerging practice to regulatory requirement.

The organizations that navigate this environment successfully in 2026 share common characteristics. They treat security as a business enabler rather than a cost center. They invest in foundational capabilities—data governance, vendor management, evidence retention—that support multiple compliance objectives simultaneously. They staff security leadership at a level appropriate to their risk profile, whether that's a full-time CISO or fractional CISO engagement. And they recognize that compliance is operational, not aspirational.

The question for executives isn't whether these trends will affect your organization. They will. The question is whether you're building the capabilities to respond before the gap becomes a crisis.
