Analysts Discuss Areas for CISOs to Continuously Learn Amid AI Hype at the Gartner Security & Risk Management Summit, June 1-3 in National Harbor, Maryland.
To stay ahead, security leaders should focus on three priorities: modernizing identity as foundational infrastructure, redefining cybersecurity success around resilience rather than prevention, and lowering the barriers to innovation so teams can safely experiment, scale automation, and apply AI where it delivers immediate, measurable value.
“These priorities will help keep CISOs on track amid the seemingly daily stream of breaking cybersecurity product news,” said Leigh McMullen, Distinguished VP Analyst and Gartner Fellow. “In the hands of skilled threat actors, current technology is already good enough. It doesn’t matter if it’s mostly marketing or truly groundbreaking technologies.”
“CISOs can offset this by accelerating their own AI journey and turning these AI threats into just another improvement on a chain of indefinite improvement,” said McMullen. “The same technology that’s enabling script kiddies to super-scale will enable us to super-scale right alongside them, and CISOs have more resources.”
During the opening keynote of the Gartner Security & Risk Management Summit, taking place here through Wednesday, McMullen outlined three key areas for organizations, starting with treating the rush to AI as an opportunity to modernize both human and machine identity.
AI introduces a new architectural layer that relies on delegation, autonomy, and context rather than fixed permissions. Traditional role-based access controls and onboarding processes do not scale to environments filled with thousands or millions of machine identities operating continuously. As agent-based systems expand, weak machine identity hygiene and a lack of context-aware policies are becoming primary sources of risk.
Because of this, Gartner predicts that by 2028, 25% of breaches will be vectored through agent-based attack surfaces as a result of poor machine identity hygiene and a lack of context-aware policy controls.
“This pressure also presents a strategic opportunity,” said McMullen. “Rather than adding new tools to fragile stacks, organizations can use AI investment to accelerate IAM modernization. As customer, partner, and employee interactions become increasingly machine-mediated, strong identity and trust controls move from necessity to differentiator. Enterprises that can securely onboard and govern machine workloads faster gain real advantage in speed, integration, and trust.”
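As an added illustration (not from Gartner or the keynote), the following contrasts a fixed role check with a delegation-scoped, context-aware check for an AI agent's machine identity. The roles, resources and token fields are constructed assumptions, not any product's model.

```python
"""Context-aware authorization for a delegated machine identity.

Added example: a static role lookup grants an action to any holder of the
role, indefinitely. A delegation-aware check instead requires the agent's
token to name its delegator, carry only a subset of the delegator's
permissions, be short-lived, stay within a delegation-depth limit, and match
the resource it is acting on. All data below is constructed sample data.
"""
from dataclasses import dataclass

# Constructed static role table: the fixed-permission model.
ROLE_PERMS = {
    "finance-analyst": {"invoices:read", "invoices:approve"},
    "reporting-agent": {"invoices:read"},
}


@dataclass
class AgentToken:
    subject: str        # machine identity of the agent
    delegator: str      # human or service that delegated authority
    scopes: set         # actions actually delegated to the agent
    resource: str       # context: the system the token is bound to
    issued_at: float    # epoch seconds
    ttl_s: int          # lifetime in seconds
    depth: int = 1      # delegation hops from the original delegator


def rbac_allows(role: str, action: str) -> bool:
    """Static model: any holder of the role may perform the action, forever."""
    return action in ROLE_PERMS.get(role, set())


def context_allows(tok: AgentToken, delegator_role: str, action: str,
                   resource: str, now: float, max_depth: int = 2) -> bool:
    """Delegation-aware model: scoped to who delegated, what was delegated,
    where it applies and for how long. Every failed condition denies."""
    if now > tok.issued_at + tok.ttl_s:
        return False                                  # token expired
    if tok.depth > max_depth:
        return False                                  # re-delegated too far
    if tok.resource != resource:
        return False                                  # wrong context
    if not tok.scopes <= ROLE_PERMS.get(delegator_role, set()):
        return False                                  # agent holds more than delegator
    return action in tok.scopes                       # attenuated scope check
```

Under the static model an agent that simply inherits the finance-analyst role can approve invoices; under the delegation-aware model it can do only what was delegated, only where and for as long as the delegation says.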
2: Normalization of Cyberattacks to Redefine How We Win
Cyberattacks have become a normalized feature of modern business rather than an exceptional failure. Markets, regulators, and customers increasingly treat incidents as inevitable, not necessarily as evidence of negligence. As AI-enabled attacks scale in speed and volume, attempts to frame success purely around prevention are becoming both unrealistic and unprovable. This normalization creates a critical opportunity to rethink how cybersecurity success is defined and communicated.
“Resilience, not prevention, is the strategy organizations can actually win,” said McMullen. “If the objective shifts to limiting impact, maintaining critical operations, and recovering quickly, then mitigation becomes functionally equivalent to prevention from a business outcome perspective. Unlike absolute security, resilience can be tested, practiced, measured, and improved over time.”
To operationalize this shift, organizations must define clear impact thresholds tied to mission-critical value chains. These thresholds establish what levels of disruption are acceptable and where recovery time truly matters, creating shared accountability between cybersecurity and the business.
3: Lowering the Bar for Innovation
Innovation in cybersecurity often feels inaccessible because it is framed as additional work layered on top of already overloaded teams. The reality is that innovation is already happening every day inside security, IT, and engineering organizations. Incident response improvisations, tool integrations, workarounds, and workflow refinements are all acts of innovation. The problem is not a lack of creativity or effort, but that this work is rarely named, measured, or protected as innovation.
As this continues, Gartner predicts that by 2028, organizations effectively deploying AI in security operations centers (SOCs) will reduce human-touch incidents by 30%, beginning the shift of the analyst role from “responder” to “supervisor.”
“Tasks such as building test environments, simulating attacks, generating detection logic, or rehearsing recovery scenarios no longer require large, specialized teams or long planning cycles,” said McMullen. “These activities can be embedded into normal operational work using AI-assisted software engineering and automation. When experiments are low-risk but tied to real systems and real outcomes, teams gain hands-on experience while producing artifacts the organization can actually reuse.”
To sustain this, leaders must explicitly protect time and create space for experimentation. Innovation should be framed as skill-building and resilience-building work, not discretionary side projects. Measuring what is learned and the scale achieved allows organizations to convert innovation into demonstrable business value, making it easier to justify continued investment.