Lee Caswell
Senior Vice President, Product and Solutions Marketing at Nutanix
2026 is shaping up to be a significant year for enterprises across the Asia Pacific. We will see a huge investment in AI, with new frontier model builders emerging and driving substantial value creation. This trend will extend far beyond a ‘ChatGPT-style’ personal assistant. Retrieval-Augmented Generation (RAG) will flourish across the enterprise landscape, delivering outputs that are far more accurate, traceable and business specific.
RAG will be especially critical for government and financial services, where data volumes are immense but need to be shielded from the open internet. It enables organisations to unlock efficiency and insight from this sensitive data while maintaining its sovereignty. It will effectively operate as a mature search engine for enterprise data, moving beyond simple keyword matching to true semantic understanding, as demonstrated in recent research on retrieval-augmented methods.
Importantly, RAG is not limited to unstructured text. It can draw from databases, images, operational systems, and a wide range of enterprise content types. Organisations are no longer simply talking about these ideas – many are investing real capital to deliver these solutions. Across APAC, enterprise customers are actively exploring how to accelerate their adoption of RAG-powered systems and we expect that trend to continue in 2026.
David Hirst
Group Executive at Macquarie Data Centres
Just as the industrial revolution relied on factories and the dot-com boom relied on broadband, this AI era will depend on a new generation of digital infrastructure. These purpose-built AI and cloud data centres are now foundational enablers of national competitiveness.
Governments in Australia and across APAC are starting to recognise this. But policy must keep pace with ambition. If countries want to play a leadership role in the global AI economy, we need planning pathways, investment environments and regulatory frameworks that enable delivery at speed. Speed wins.
The opportunity is clear: APAC AI spending is forecast to reach $175 Billion by 2028. But the risk of inaction is just as clear. Jobs, IP, and influence will go offshore for countries that don’t act decisively and over time industry will be less competitive on a global scale.
We believe 2026 is the tipping point. Countries that embrace AI infrastructure and invest in it as a strategic national asset will build lasting advantage as well as economic growth and resilience.
Martin Zugec
Technical Solutions Director at Bitdefender
While the industry worries about AI-orchestrated attacks, the real danger in 2026 is internal AI security debt. LLMs are adopted by less technical employees and companies continue rapidly deploying agentic AI (MCP). By granting read/write access to sensitive data to non-deterministic agents, there is a massive risk of accruing security debt that could persist for years.
Regarding offensive AI capabilities, 2026 will be a year of experimentation rather than industrialisation. We anticipate a handful of AI-orchestrated attacks, but these will be closer to field tests than standard operations. While intellectually fascinating for threat researchers, they likely represent a negligible risk for the broader business community compared to other threats.
Liat Hayun
Senior Vice President Research at Tenable
The 2025 hype that runtime detection is the only thing that matters and could replace posture or identity analysis will fade in 2026. Runtime-only tools miss most attack paths because identity abuse and misconfigurations occur long before anything reaches runtime. Runtime will remain important, but it won’t replace CNAPP or exposure management – it’ll be another data source inside a broader prevention-first approach.
Craig Nielsen
Vice President, Asia Pacific & Japan, at GitLab
AI has proven its value to security teams by reducing false-positive rates and streamlining security operations. Successful implementations often start with clearly defined, high-impact use cases. For example, log analysis that would overwhelm human analysts, network pattern recognition for novel threats, vulnerability prioritisation based on actual exploitability, and automated incident triage to reduce alert fatigue. These are a handful of areas where security teams have found success, but each organisation will need to identify their primary sources of friction caused by toil and then pursue holistic improvements.
Once a team has identified the correct use cases, the implementation approach will be just as important. Security’s priority should be documenting all institutional knowledge across their department. This is because AI agents need clear direction. Without company-specific context, they will only deliver technical debt. This documentation will also help to strengthen and standardise internal security processes.
Jeffrey Kok
Vice President, Solution Engineers, Asia Pacific & Japan, at CyberArk
Starting 15 March 2026, when TLS certificate validity is reduced from 398 days to 200 days, security teams will face an unrelenting cycle of renewals and machine-identity-based outages. While the intent behind this global policy change by Google, Microsoft and Apple is to enhance security, the unintended consequence of operational challenges will be widespread for organisations that still rely on manual tracking and spreadsheets.
A digital certificate is a type of machine identity. Forgotten or unmanaged certificates will inevitably expire, causing trust between connected machines to break down and taking critical systems – from airport baggage handling and payment terminals to industrial control systems – offline.
The frequency of expired certificate related outages will increase over time, affecting most businesses and governments worldwide. This “digital whack-a-mole” will expose the operational fragility of organisations that have not automated certificate management – and it’s no longer a question of if, but when.
Elia Zaitsev
CTO at CrowdStrike
In 2026, AI agents and non-human identities will explode across the enterprise, expanding exponentially and dwarfing human identities. Each agent will operate as a privileged super-human with OAuth tokens, API keys, and continuous access to previously siloed data sets, making them the most powerful and most dangerous entities in your environment.
Identity security built for humans won’t survive this shift. Security teams will need real-time visibility, instant containment, and the ability to trace every agent action back to the human who created it. When an AI agent wires money to the wrong account or leaks intellectual property, "the AI did it" won't be an acceptable answer. This is the era where identity security means protecting entities that don't have a pulse.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.