By Matthieu Trivier, Area Vice President of Pre-Sales, EMEA, Semperis
There is something striking about how certainties collapsed in 2025. Many organisations believed they could shield themselves from cyber crises by stacking protective measures: building ever-higher walls, multiplying locks, and outsourcing their security responsibilities to the cloud. Yet, in 2025, attacks still increased by 14%, and 67% of companies were affected. The truth eventually became unavoidable: cyber intrusion is no longer a threat but an inevitability. The question is no longer whether the company will be attacked, but how many times it will be able to get back on its feet.
What trends will shape 2026? Without a doubt, the year will be shaped by a growing awareness born of crisis. CISOs no longer sleep. Executive teams are discovering that cloud contracts guarantee the availability of servers, not the restoration of their data. Employees circumvent the costly, locally deployed AI systems meant to boost productivity, and in doing so create exposure that nobody supervises.
Cybersecurity is no longer a matter of technology, but an exercise in collective clarity, one shaped by four major trends that cut straight to the core of the protection model.
1. Hybrid by design, fragile by default: when attacks thrive on ambiguity
The cloud was supposed to simplify everything. But ten years after the great migration began, the reality is more complex. Costs have skyrocketed, promises of flexibility collided with contractual rigidity, and above all, organisations discovered, often too late, what the shared-responsibility model actually means: the provider is responsible for its infrastructure, while the data, identities and configuration placed in it, and their recovery, remain the customer's problem.
The result: a discreet yet unmistakable move back on-prem. Even Microsoft, after years of near-silence on Active Directory, is reintroducing major updates in Windows Server 2025. The message is clear: on-prem will not disappear. It will coexist with the cloud, in a forced marriage whose terms no one fully controls.
This hybrid architecture is attackers' favourite playground. Why? Because it creates grey zones: poorly monitored bridges between the old world and the new, such as the directory synchronisation and federation trust that link an on-prem Active Directory to a cloud tenant, where a compromise on one side is carried across to the other. In 2024, for the first time, cyberattacks targeted the cloud more than traditional infrastructures. That shift says everything: attackers are no longer looking for the back door; they are exploiting architectural confusion. And within that confusion, identity is the common thread running through every breach.
2. Machine identity: mapping the unknown
Mention identity to a CISO and watch their expression change. For a long time, securing identity meant managing user accounts: names, surnames, passwords. But today, human identities represent only a small portion of the identities in circulation. Over 70% of identities within an organisation are non-human identities (NHIs): service accounts, automated scripts, connected devices, cloud service principals and API keys. They proliferate without management policies, often without an owner, and often without visibility. How can you define a perimeter or assign permissions to something you cannot see? The first step is an inventory: deciding which accounts are non-human at all, then checking each one for an owner, a documented purpose, a credential that is actually rotated, and evidence that it is still in use.
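The mapping step described above, as an added example that is neither Semperis tooling nor code from this article: a Python script that takes a directory export (assumed to come from `Get-ADUser -Filter * -Properties ...` piped to `Export-Csv`, with dates normalised to `YYYY-MM-DD`) and applies heuristics to separate non-human from human accounts, then lists the governance gaps for each NHI. The sample rows, the name prefixes, the staleness thresholds and the fixed `NOW` date are constructed assumptions, not a standard; the `userAccountControl` bit values are the real Active Directory ones.

```python
"""Heuristic inventory of non-human identities (NHIs) from a directory export.

Added example, not from the article or from Semperis. Input shape, sample
records, name prefixes and thresholds are assumptions chosen for illustration.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real data). Columns mirror common Get-ADUser
# properties; several SPNs would be joined with ';'.
SAMPLE_EXPORT = """\
SamAccountName,ServicePrincipalName,userAccountControl,LastLogonDate,PasswordLastSet,ManagedBy,Description
alice,,512,2025-11-28,2025-09-01,,Finance analyst
svc_backup,backup/srv01.corp.example,66048,2025-11-30,2019-03-14,,Backup job
svc_legacy,HTTP/oldapp.corp.example,66048,2022-01-09,2018-06-20,,
bob,,512,2025-11-29,2025-10-15,,
api_sync,,66048,2025-11-30,2025-11-01,platform-team,Cloud sync connector
"""

NOW = datetime(2025, 12, 1, tzinfo=timezone.utc)  # fixed "today" so results are reproducible

# Real userAccountControl bits from Active Directory.
UAC_DISABLED = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000

NHI_NAME_PREFIXES = ("svc_", "api_", "app_", "bot_")  # naming-convention assumption

CREDENTIAL_MAX_AGE = timedelta(days=365)  # threshold assumption
INACTIVITY_LIMIT = timedelta(days=180)    # threshold assumption


@dataclass
class Account:
    name: str
    spns: list[str]
    uac: int
    last_logon: datetime | None
    password_last_set: datetime | None
    owner: str
    description: str


def _parse_date(value: str) -> datetime | None:
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def parse_export(text: str) -> list[Account]:
    """Read the CSV export into Account records."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append(Account(
            name=row["SamAccountName"],
            spns=[s for s in row["ServicePrincipalName"].split(";") if s],
            uac=int(row["userAccountControl"]),
            last_logon=_parse_date(row["LastLogonDate"]),
            password_last_set=_parse_date(row["PasswordLastSet"]),
            owner=row["ManagedBy"],
            description=row["Description"],
        ))
    return accounts


def is_non_human(acct: Account) -> bool:
    """Heuristic: an SPN, a never-expiring password, or a service-style name marks an NHI."""
    return (
        bool(acct.spns)
        or bool(acct.uac & UAC_DONT_EXPIRE_PASSWORD)
        or acct.name.startswith(NHI_NAME_PREFIXES)
    )


def governance_gaps(acct: Account, now: datetime = NOW) -> list[str]:
    """Return the governance questions this account cannot answer."""
    gaps = []
    if not acct.owner:
        gaps.append("no owner")
    if acct.password_last_set is None or now - acct.password_last_set > CREDENTIAL_MAX_AGE:
        gaps.append("credential older than 1 year")
    if acct.last_logon is None or now - acct.last_logon > INACTIVITY_LIMIT:
        gaps.append("no logon in 180 days")
    if not acct.description:
        gaps.append("no documented purpose")
    return gaps


def inventory(text: str, now: datetime = NOW) -> dict[str, list[str]]:
    """Map each enabled non-human identity to its governance gaps."""
    result: dict[str, list[str]] = {}
    for acct in parse_export(text):
        if acct.uac & UAC_DISABLED or not is_non_human(acct):
            continue
        result[acct.name] = governance_gaps(acct, now)
    return result


if __name__ == "__main__":
    for name, gaps in inventory(SAMPLE_EXPORT).items():
        print(f"{name}: {', '.join(gaps) or 'governed'}")
```

On the constructed sample this separates the two human accounts from three NHIs, shows `api_sync` as fully governed, and flags `svc_legacy` on every count: the kind of account that nobody owns, nobody has logged on with in years, and whose credential has not changed since 2018, which is exactly the one an attacker will find first. In a real environment the heuristics need tuning to the organisation's own naming and delegation conventions.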
3. AI and shadow IT: more of everything
And then there is AI. It was meant to revolutionise productivity. It did. But it also opened a breach no one anticipated: Shadow AI. These generative tools are used by employees outside of IT oversight — 70% of them, according to CompassMap — to save time, without realising they are exposing sensitive data. The CISO cannot block these tools without paralysing operations. All they can do is watch, powerless, waiting for the incident.
Meanwhile, attackers' AI is advancing rapidly as well. Ransomware-as-a-Service is becoming more professionalised: some malicious code now rewrites itself automatically, in polymorphic fashion, to evade signature-based detection. Attacks increased by more than 700% in 2024, with a further 126% rise in the first quarter of 2025. As a result, small businesses without valid backups often have no choice but to pay, or to shut down. Identity is their Achilles' heel, and a single poorly managed account is enough to bring down an entire ecosystem.
4. The CISO: an exhausted Cassandra
In Greek mythology, Cassandra could foresee catastrophe, but no one believed her. In many ways, the CISO's role is not far from that. There is a particular solitude to the job: warning without being heard, writing crisis plans no one wants to read, knowing that when the incident occurs, they will be asked why they did not see it coming. This double bind, being resented for blocking risky activity during the day while being held responsible when an incident happens anyway, creates psychological strain that organisations still underestimate. CISO burnout is no longer an exception; it is the baseline. According to Bitsight, 63% of CISOs have experienced or witnessed burnout within their team in the past 12 months.
And this raises a strategic question: how can a company claim to be resilient if its security leader is not?
The problem is also methodological: the traditional indicators, RTO (recovery time objective) and RPO (recovery point objective), have become detached from reality. They are targets calculated from annual tests, not measurements taken under operational conditions. How long does it actually take to restart? Not in theory, but in the chaos of a crisis, with teams under pressure, backups of uncertain integrity and systems partially compromised? No one truly knows, because no one truly tests it. The era of "ticking the box" for NIS2 compliance is over. New KPIs must be defined from measured recovery times, with the business and the board involved in quarterly crisis exercises that simulate real-world conditions.
Identity governance, or decline
2026 will be a year of reckoning. The companies that endure will not be the most technologically equipped, but the most clear-eyed. Those who understand that cybersecurity is not measured in firewalls but in the ability to recover.
Identity management is no longer a technical issue delegated to IT teams, but an act of governance involving executive leadership, boards of directors and the entire organisation. If the cloud is a castle and on-prem its keep, identity is the key. Poorly guarded, it opens everything. Properly governed, it protects everything.
Resilience is not a budget line. It is a competitive advantage. And in 2026, it may be the only one that truly matters. Because in the end, the question is not whether you will be attacked, but whether you will still be standing afterwards.