The old success metrics no longer survive contact with reality.
There is a particular kind of clarity that comes from walking out of three days of analyst sessions and realizing that the conference didn’t change your mind — it confirmed something you’d been reluctant to say out loud.
I was at the Gartner Security & Risk Management Summit in National Harbor this week. By the end of it, what struck me wasn’t any single session or data point. It was the cumulative weight of a profession reckoning honestly with the gap between how it has defined success for a decade and how success needs to be defined now.
The gap is real. And it is widening.
Prevention is the wrong objective
Leigh McMullen’s opening keynote set a tone that held for the rest of the conference.
The framing wasn’t subtle: organizations that measure security success by breach prevention have already lost the argument, because prevention at scale is no longer achievable. The target surface is too large, the adversary tooling too capable, the attack cadence too continuous.
The honest reframe — and McMullen made it plainly — is that resilience is the metric that survives contact with reality. If you can limit impact, maintain critical operations, and recover quickly, you have functionally achieved what prevention promised. The difference is that resilience is measurable and can be improved. Pure prevention is a bet that your defenses are better than whatever an attacker hasn’t tried yet.
I’ve heard versions of this argument for years. What made it land differently at Gartner SRM 2026 was who was saying it and where: a Gartner Fellow, in the opening keynote, at the largest security conference in North America. The profession is finally ready to organize strategy around something it can control.
The threat landscape has a new characteristic
John Watts presented the ThreatScape analysis for 2026-2027, and the framing worth keeping is the distinction between threats that are difficult and threats that are both difficult and structurally advantaged for the attacker.
Four fell into that second category: deepfake identity impersonation, software supply chain compromise, prompt injection against AI systems, and AI-enabled attack acceleration across all the above.
What they share is a common property: the attacker’s cost of execution has dropped faster than the defender’s cost of detection. Deepfakes that once required studio-grade equipment and technical skill now take minutes on commodity hardware. Supply chain attacks deliver reach that would previously have required compromising dozens of individual targets. Prompt injection turns enterprise AI deployments into insider threats without any insider involvement.
The attacker’s advantage here isn’t a function of the defender’s incompetence. It’s structural. Which is exactly why the resilience reframe matters — and why ‘we’ll prevent this’ is the wrong premise.
AI agents are the architectural problem nobody has solved
Dennis Xu’s session on agentic AI security was the one that stayed with me longest.
Not because the content was new — the vulnerabilities are documented, the risks are visible to anyone paying attention — but because the room’s response made something clear: CISOs are increasingly being asked to secure systems they didn’t design, didn’t approve, and in many cases didn’t know existed.
Every organization represented at that conference has AI agents on its roadmap. A significant number already have them running in production. These aren’t chatbots processing queries in a sandboxed interface. They are autonomous systems that initiate actions, access data repositories, call external APIs, and execute business logic — continuously, without a human in the loop for most steps.
The security challenge isn’t that the agents are malicious. It’s that they inherit risk at every integration point, and most organizations don’t have visibility into which integration points those are. Prompt injection exploits this. So does identity spoofing. So does any attacker who figures out that the fastest path to sensitive enterprise data isn’t through a human credential — it’s through an agent that already has one.
Gartner’s guidance on Model Context Protocol security reflected the maturity level of the problem: we are in early innings, the attack patterns are clear, and the defenses are not yet commensurate. That gap is where the next wave of incidents will originate.
Identity isn’t infrastructure anymore… it’s strategy.
McMullen’s three priorities for CISOs included modernizing identity as foundational infrastructure, but the framing understates the shift. Identity isn’t becoming foundational. It already is, and most organizations are running their AI strategy on an identity model designed for human users authenticating to static applications.
AI agents create identity problems that IAM vendors haven’t fully solved: machine actors that need access at scale, in real time, across systems spanning organizational boundaries, with variable privilege requirements depending on the task context. The traditional model of provision, authenticate, authorize breaks down when the actor is a fleet of agents that can be spun up by any developer with API access and a reasonable use case.
Getting identity right for agentic AI is not a 12-month project. Organizations that start now will have a structural advantage over those that treat it as a later problem. The conference made that sequence explicit.
Must-read security coverage
The data layer is the only enforcement point that doesn’t move
Here’s what I kept coming back to as the conference wound down: every session that touched agentic AI eventually arrived at the same unsatisfying conclusion. The model can be manipulated. The perimeter gets crossed by design — that’s what agents do. The identity layer is catching up, but it isn’t there yet.
What persists, regardless of which model an agent runs on or which API it calls, is the data itself. And the data layer — the enforcement point that sits between an agent and the content it’s trying to reach — is the one control that doesn’t depend on the agent behaving.
It doesn’t ask the model to police itself. It doesn’t rely on a system prompt the agent can be instructed to ignore. It enforces access decisions, purpose limitations, and audit logging at the moment of contact, independently.
This is not a novel idea in security. The principle of enforcing controls close to the asset you’re protecting is foundational. What’s novel is how many organizations have built their entire AI security posture on layers that sit above the data — model guardrails, perimeter controls, network segmentation — while leaving the data layer itself relatively unaddressed.
Gartner’s sessions didn’t use that exact framing, but the logic of every agentic AI security recommendation pointed in the same direction: get governance as close to the data as possible, because everything else is negotiable.
For security leaders, that’s an architectural conclusion, not just a product decision. The question isn’t whether to govern at the data layer. The question is how many incidents it takes to get there.
The competitive frame is the right one
The most durable takeaway from Gartner SRM wasn’t a vulnerability class or a framework recommendation. It was a shift in how security leaders began talking about their function.
The language of obligation — we must secure this, we are required to comply — was still present. But underneath it was something different: security leaders increasingly framing governance and resilience as competitive inputs rather than compliance burdens.
Organizations with mature resilience postures can absorb disruption and continue operating while competitors respond to incidents. Organizations with genuine AI governance visibility can scale agent deployments without the manual risk review overhead that slows everyone else down.
McMullen explicitly called out the compressed decision cycle. The next 18 months are the window in which the structural decisions get made — on identity, on AI governance, on what resilience actually means operationally. Organizations that make those decisions now won’t just be more secure. They’ll be faster.
That reframe is the one that will outlast this year’s conference. Security as competitive infrastructure. Governance as a speed advantage. Resilience is the metric that tells you whether you’re winning.
I left National Harbor more convinced of that argument than when I arrived.
That, at minimum, is a productive three days.
Also read: Verizon’s 2026 DBIR found vulnerability exploitation overtook credential abuse as the top initial access vector.
