Tara Seals , Managing Editor, News , Dark Reading January 30, 2026 8 Min Read Source: Robert Evans via Alamy Stock Photo As the digital landscape continues to transform, the security challenges organizations face are naturally evolving as well. The new year brings a bit of consensus around what's shaping security teams' priorities in 2026, and, surprise, surprise, a focus on agentic AI risk leads the pack, according to the latest Dark Reading readership poll. The poll takes its cues from the final Reporter's Notebook videocast discussion of the year last month, in which cybersecurity experts Rob Wright from Dark Reading, David Jones from Cybersecurity Dive, and Alissa Irei from Tech Target Search Security break down a collated list of all the insights that people sent Dark Reading reporters in December regarding 2026 security operations predictions. We decided to poll readers on the top 4 (the ones most often cited by the experts that contacted the Dark Reading news team), and the results were enlightening: What's clear is that agentic AI is widely considered the next big target for cybercrime; and people don't have a lot of confidence that the lackluster password situation too many organizations are dealing with is going to change any time soon. Agentic AI & Autonomous Systems Become Primary Cyber Targets Nearly half (48%) of respondents believe agentic AI will represent the top attack vector for cybercriminals and nation-state threats by the end of 2026. It's a decent bet, given that agentic AI continues to gain ground at enterprises of all stripes. They're adopting it to streamline operations, to implement things like predictive maintenance and smart manufacturing, and to keep up competitively in realms like software development — amongst many, many other use cases. Amid the growing exuberance for the semi-autonomous (and highly permissioned) technology is a worry that headlong barreling to join the fray will come at the expense of prioritizing security. "It's good to see this one topping the charts," says Rik Turner, chief analyst for cybersecurity at Omdia. "The expanded attack surface deriving from the combination of agents' levels of access and autonomy is and should be a real concern. A particular worry here, in my humble opinion, is if we see a rush to adopt agentic that results in developers deploying insecure code. There's already talk of the need to discover what open source model context protocol (MCP) servers are being thrown into the mix by devs keen to deliver on projects by the deadline. This, combined with what seems to be the widespread (nay, wholesale) adoption of vibe coding in 2025 suggests there are a lot of people assembling entirely insecure and vulnerable infrastructure already." These concerns are exacerbated by the rise of open source AI agents and "shadow AI," which employees might be importing into work environments with no oversight from the security team. The poll's top finding is consistent with Omdia's internal Decision Maker Survey, which found that AI adoption is at the top of the list for corporate security concerns; and specifically, securing AI and agentic AI is top of mind for security teams wanting to support their company initiatives for growth. "AI raises the stakes for security because AI enables automation and scale, so we have attackers using AI to launcher wider scale attacks to find vulnerabilities," explains Melinda Marks, practice director for cybersecurity at Omdia. "At the same time, organizations are using AI to scale their productivity. We looked to technical innovations in the past to incrementally increase productivity, but now agentic AI and autonomous systems can scale productivity by five times or 10 times. But that also exponentially increases attack surfaces, including access points with non-human identities." All of that said, Geoffrey Mattson, CEO at SecureAuth, also believes the poll results reveal a critical blind spot in AI security thinking. "While everyone's worried about AI systems being attacked, the real vulnerability is what those AI agents can access once they're compromised," he stresses. “Traditional guardrails and prompt injection defenses are proving insufficient. That's why we're seeing authentication and access control, not AI safety features, emerge as the actual battleground for securing autonomous systems. "You can't LLM your way out of an LLM problem," he notes, referring to on-board AI-driven security. "The enterprise AI control plane needs to shift from trying to secure the models themselves to enforcing continuous authorization on every resource those agents touch." Nearly a third (29%) of Dark Reading respondents believe that deepfakes are well on their way to becoming the main way that cyberattackers target so-called "big fish" — the Fortune 500, CEOs and top execs, and governments. "Interesting, because deepfakes have been a concern that’s been talked about at least since ChatGPT first saw the light of day in November 2022, but they were a bit of a slow burner till last year," Turner notes. "There were a few horror stories earlier, of course, such as the infamous $25 million one in Hong Kong that involved a video call with the bogus CFO, but it seems like it took till 2025 for deepfakes to go mainstream. Presumably that's because there is so much AI slop now being produced that at least some of it rises to the level of truly convincing." And indeed, deepfakes have become run-of-the-mill tactics within the ongoing North Korea fake worker campaign , a state-sponsored effort designed to enrich the DPKR regime. And tools available online and being pioneered by researchers are increasingly sophisticated . At the same time, many enterprises aren't really investing in defenses against the tactic. Marks notes that the concern over deepfakes in Omdia's survey emphasized rapid response compared to prevention. "Practicing security fundamentals, such as gaining full visibility, implementing testing, setting policies and controls, are all helpful for prevention, but there is a general understanding that attacks can and will still occur, so rapid detection and response is crucial," she says. Boards Recognize Cyber-Risk as a Tier 1 Operational Priority Coming in with just 13% of the vote for 2026's “Most Likely to Succeed” prediction, the elevation of cyber-risk to a Tier 1 operational priority for boards performed better than Turner expected it to. "I'd like to think this is correct, but I have my doubts," he explains. "I wonder whether the existence of cyber-risk insurance : (a) helps focus their minds, (b) further muddies the water, or, indeed, (c) serves as a pseudo security blanket." Ironically given the poll results, the growth of agentic AI should have a halo effect on how cybersecurity risk is seen within enterprises, according to Amy Worley, leader of BRG's Privacy and Information Compliance practice group. "The more hopeful side of me wishes that this answer had won the poll, as I think boards under-rate the risk in the space significantly," she says. "Agentic AI is a critical security risk that is likely to move beyond passive or prompt-directed content into autonomous decision-making with the ability to operate across systems, often with elevated privileges. Because there are no humans monitoring AI agents, small errors, or malicious injections can balloon into large security events." The threat is real and imminent and "with it comes the opportunity for the board and executives to implement safety and security measures designed specifically to address agentic AI threats and vulnerabilities, which requires budget and foresight," she adds. Omdia’s Marks points out that even non-AI-related system outages and data loss from cyberattacks remain big operational concerns and likely should rise to the level of Board Fave, as it were. "This is why security leaders need to work closely with other teams to align on business goals and plans for technology adoption to ensure success and help support business growth," she says. Password Elimination & Passkey Adoption And finally, in the also-ran category, only 10% of the Dark Reading respondents think password elimination and passkey adoption are likely to become the norm this year. That’s not to say that password protections are off the radar screen for security teams, but the stronger forms of authentication are taking a backseat when it comes to investment and focus, says Adam Etherington, practice leader for cybersecurity at Omdia. "This seems like a big risk, as agentic systems are now nearly everywhere," he says, bringing the conversation full circle to agentic AI risk. "Major ISVs like SAP, Oracle, Salesforce, and ServiceNow all have agentic capability that leverages API connectors, MCP, and non-human identities (NHIs) to stitch together business solutions. IT and security are scrambling to keep pace with emerging threats from these vectors." Citing stats from the Omdia Decision Maker Survey, he says that chief information security officers (CISOs) are least concerned about email security, and staff training and awareness, with both categories getting the lowest marks for prioritization. Both are, of course, intimately tied to password policies and employee security hygiene. Still, there's positive movement afoot: " Passkeys have definitely gained huge momentum over the last couple of years, thanks in no small measure to the fact that some of tech’s Big Beasts, such as Microsoft and Google, have endorsed and embraced their use," Turner says, adding that he's nonetheless with the 90% who don’t see elimination becoming the norm, at least not in 2026. "Whether passwords are set for the dustbin of history à la phone boxes and telex machines, or in fact will retain hardy perennial status like vinyl records, remains to be seen," he notes. Read more about: CISO Corner About the Author Tara Seals Managing Editor, News, Dark Reading Tara Seals has 20+ years of experience as a journalist, a