As organisations sprint toward AI adoption, Gartner is urging Chief Information Security Officers (CISOs) to recalibrate how they lead security, identity and innovation—arguing that AI is accelerating both opportunity and disruption.
CISOs must look past hype
“These priorities will help keep CISOs on track amid the seemingly daily stream of breaking cybersecurity product news,” said Leigh McMullen, distinguished VP analyst and Gartner fellow.
He added that in the hands of skilled threat actors, “current technology is already good enough”—regardless of whether tools are “mostly marketing” or truly groundbreaking.
Gartner set out three strategic focus areas intended to help security leaders navigate an environment of rapid product churn and emerging threats.
1) Modernise identity as foundational infrastructure
Gartner argues that the rise of AI agents, automated workloads and machine-to-machine interactions is overwhelming identity and access management (IAM) programmes designed primarily for human users and static roles.
As machine identities multiply, Gartner highlights a growing risk from weak machine identity hygiene and insufficient context-aware access policies. The firm also predicts that by 2028, 25% of breaches will come through agent-based attack surfaces, driven by poorly managed machine identities and a lack of context-aware policy controls.
2) Redefine cybersecurity success around resilience
Rather than framing security as the ability to prevent incidents outright, Gartner says organisations must define success in terms of resilience—limiting impact, maintaining critical operations and recovering quickly.
The rationale: cyberattacks are becoming “normalised” and increasingly treated as inevitable, and a claim of complete prevention is both unrealistic and impossible to prove.
3) Lower the barriers to innovation
Gartner also calls for safer, faster experimentation—arguing security teams already innovate through incident-response improvisation, integrations and workflow refinements, even if organisations do not label it as “innovation”.
The firm predicts that by 2028, organisations using AI effectively in security operations centres (SOCs) will reduce human-touch incidents by 30%, shifting analysts toward “supervisor” roles.
Gartner’s message is blunt: threat actors do not need perfect technology; they need effective paths to scale. The implication is that CISOs should build organisational advantage through foundational capability rather than chasing novelty.
“CISOs can offset this by accelerating their own AI journey and turning these AI threats into just another improvement on a chain of indefinite improvement. The same technology that’s enabling script kiddies to super-scale will enable us to super-scale right alongside them, and CISOs have more resources,” said Leigh McMullen.