Every year, Google’s security teams release a forward-looking assessment of the threats they expect in the months ahead. The Cybersecurity Forecast 2026 is Google Cloud’s annual threat-intelligence report, built on frontline data from the Google Threat Intelligence Group, Mandiant, and Google Security Operations. It is built from what Google’s frontline teams are already seeing in live attacks.
This blog is a walkthrough of that report for the people who actually have to act on it. We will follow the same three themes Google uses, AI, cybercrime, and nation states, and keep coming back to one idea that quietly runs through the whole document. In 2026, the thing you are really defending is identity, and identity now includes software, not just people.
One line from the report deserves a headline of its own: your AI agents need their own identities. That is where we will begin.
Artificial Intelligence
Google’s lead prediction is straightforward: in 2026, AI becomes a routine part of how attackers operate rather than the exception. Adversaries are using AI to work faster and at a larger scale across the whole attack lifecycle: research, social engineering, malware, and increasingly, automation through AI agents. None of this requires a sci-fi breakthrough. It just lowers the cost and skill needed to run a good attack, which means more attacks from more people.
Prompt Injection
If there is one new AI threat to understand this year, make it prompt injection. The report flags it as a present danger, not a future one.
Here is the core problem in simple terms. A large language model reads its instructions and the data it is working on through the same channel. It cannot reliably tell the difference between “this is a command from my owner” and “this is text I am supposed to summarize.” So if an attacker hides an instruction inside data the model later reads, the model may quietly follow it. That is prompt injection, and it sits at the top of OWASP’s 2025 Top 10 for LLM Applications as LLM01.
Prompt injection comes in two forms. Direct injection is when a user types something like “ignore your previous instructions” straight into a chatbot. Indirect injection is sneakier: the malicious instruction lives inside a web page, a PDF, an email, or even the pixels of an image, and the model runs into it while doing a normal task. Picture an AI assistant that summarizes your inbox using a privileged account. A single malicious email could tell it to forward sensitive messages somewhere else, and it might just do it.
You cannot fully patch this away, because it abuses how the model works rather than a single bug.
The realistic defense is layered. Google describes model hardening plus system-level guardrails, including classifiers that filter malicious instructions out of untrusted data, and user confirmation for high-risk actions. OWASP adds the controls that matter most to engineers: separate and clearly label untrusted content, validate and sanitize model output, keep a human in the loop for sensitive operations, and tightly limit what the model is allowed to do. That last point connects to another OWASP risk, Excessive Agency (LLM06), and it leads straight into the most important architecture shift of the year.
Why Your AI Agents Need their Own Identities
An AI agent is software that does not just answer questions, it takes actions. It reads files, calls APIs, queries databases, and chains steps together to finish a task on its own. That is genuinely useful, and it is spreading fast. Gartner predicts that 40 percent of enterprise applications will include task-specific AI agents by the end of 2026, up from less than 5 percent in 2025.
Here is a question every security engineer should ask: when an agent calls your payroll system at 2 a.m., who exactly is making that request? In most organizations today the honest answer is often “a shared service account with a long-lived API key and broad standing access.” That is the gap. Google calls this the fix the AI Agent Paradigm Shift, and its central principle is treating each AI agent as a distinct digital actor with its own managed identity.
This is not a brand-new idea bolted onto AI. It is zero trust applied to non-human identities. NIST SP 800-207, the foundational zero trust document, already defines a “subject” to include applications and other non-human entities that request resources, and it insists that every request be authenticated and authorized on its own, with access granted per session under least privilege. An AI agent is exactly that kind of subject. The forecast describes the practical version of this as “agentic identity management,” built on a few clear principles:
- Least privilege by default. An agent gets only the narrow access its current task needs, nothing more.
- Just-in-time access. Permissions are temporary and task-specific, granted at the moment of use and then revoked, instead of standing access that never expires.
- A clear chain of delegation. You can always answer “this agent is acting on behalf of this user for this purpose,” and prove it.
- Continuous, context-aware evaluation. Trust is recalculated as conditions change, not granted once and forgotten.
Underneath these principles is infrastructure that PKI and platform engineers will recognize. Instead of static secrets, agents and workloads get short-lived, cryptographically verifiable identities: short-lived X.509 or JWT credentials, workload certificates, and mutual TLS between services so each side proves who it is on every call. Workload-identity frameworks such as SPIFFE and SPIRE issue a verifiable identity document to each workload, and certificates rotate automatically so a leaked credential is only useful for minutes, not months.
The reason this matters is speed. An agent can take hundreds of actions before a human notices anything, so wide, permanent permissions that were once “good enough with monitoring” are no longer safe. Granular, short-lived, verifiable identity is the control that keeps up.
When the Caller Sounds Exactly Like Your CFO
In 2026, the report anticipates that sophisticated threat actors like ShinyHunters (UNC6240) will accelerate their use of highly manipulative, AI-enabled social engineering, making it one of the most damaging trends of the year. The key to their success is simple: they often skip technical exploits entirely and go after people instead. Their weapon of choice in 2025 was voice phishing, also called vishing, and the report expects it to be supercharged with AI voice cloning that can convincingly imitate an executive or an IT staff member.
AI also makes the rest of the con cheaper: automated research on targets, polished phishing messages with no telltale typos, and personalized lures at scale. Because the attack targets human trust rather than your firewall, your firewall does not see it. The defense is process, not just technology. Build verification steps that do not rely on recognizing a voice, such as call-back procedures on known numbers and out-of-band approval for sensitive requests like password resets, payments, or MFA changes. A confident voice on the phone should never be enough to move money or reset access.
Shadow Agents: The Part Nobody Approved
Shadow IT has traditionally referred to employees using unsanctioned apps. By 2026, we expect the proliferation of capable, autonomous AI agents to escalate that into a sharper “shadow agent” problem. Employees will independently deploy these agents to get work done, with or without corporate approval, and those agents quietly connect to email, SaaS tools, and file stores. The result is invisible, uncontrolled data pipelines that can lead to data leaks, compliance violations, and intellectual property theft.
Banning agents is not a viable option, since it only pushes usage off the corporate network and eliminates visibility. The forward-looking strategy is to treat AI security and governance as a new discipline, built on a secure-by-design approach that integrates protection from the start. That means deploying controls to discover and inventory every agent, safely route and monitor all agent traffic, apply the same identity and access rules you would give a human or a vendor, and keep a full audit trail of which agent touched which data under which policy. The organizations that succeed will be the ones that enable AI innovation while keeping the whole environment auditable.
The Upside: A More Capable SOC
It is not all bad news. Defenders get to use the same technology. The report describes an “agentic security operations center (SOC)” where analysts stop drowning in raw alerts and start directing AI agents. An alert can arrive already enriched with a case summary, a decoded malicious script, and a mapping to known attacker techniques, so a responder validates and approves a containment action in minutes instead of hours. The point is to scale human judgment, not replace it. The analyst still owns the final call.
Cybercrime
If AI is the new tool, cybercrime is still the main event. Google names financially motivated crime the most disruptive global threat for 2026, and most of it comes back to the same theme: attackers abusing trust and identity to get in, then hitting the place where one breach does the most damage.
Ransomware and Extortion Stay on Top
The combination of ransomware, data theft, and multi-layered extortion remains the costliest category of cybercrime, and the damage spreads far beyond the first victim into suppliers, customers, and whole communities. The volume is rising too. Google reports that 2,302 victims appeared on data leak sites in the first quarter of 2025, the highest single-quarter count since it began tracking in 2020.
Two tactics stand out for engineers. First, attackers keep using vishing and other social engineering to get around multi-factor authentication (MFA), which is a reminder that MFA is necessary but not magic, especially the kinds that can be phished. Phishing-resistant methods bound to a device and a verified identity hold up far better than one-time codes. Second, criminals target managed file transfer software, the systems companies use to move files between partners, because compromising one of them can let an attacker steal data from hundreds of organizations at once. That is supply-chain leverage, and it rewards knowing exactly which third parties can reach your data.
Crime Moves On-Chain
As finance adopts cryptocurrencies, stablecoins, and tokenized assets, attackers follow the money onto public blockchains. The report expects continued high-value attacks on decentralized finance platforms and exchanges, plus supply-chain attacks paired with digital asset theft. More interesting for the long term, criminals may move parts of their own operations on-chain, using the blockchain itself for command-and-control and data exfiltration, which makes their infrastructure very hard to take down.
But this permanence cuts both ways. The same permanence that protects attacker infrastructure also records every move they make. Every funded wallet and deployed contract leaves a permanent, public record, which is a gift for attribution and lets investigators link campaigns years apart. For defenders building or holding crypto assets, the practical lesson is old-fashioned: the private keys that control those assets are the most important. Generate and store them in hardware that never exposes the raw key, enforce strong approval workflows for transactions, and treat key management as a first-class security program rather than an afterthought.
The Hypervisor Becomes the Prize
This is one of the most important technical warnings in the report, and it is easy to miss. As defenders hardened the systems inside virtual machines, attackers moved down a layer, to the virtualization fabric that hosts them.
That layer is now a critical blind spot. Hypervisors often run without endpoint detection and response (EDR). They are patched late. They ship with insecure default settings. Most teams watch the user endpoints and guest systems, not the underlying virtualization layer. Yet that layer hosts every enterprise application and ties into core identity services. A single compromise can hand an attacker control of the entire digital estate. In practice, that means bypassing the security tools inside the guests and mass-encrypting the virtual disks underneath. The speed is the danger.
Ransomware usually crawls across a network for days. A hypervisor attack can take down hundreds of systems in hours. The fixes are concrete. Monitor the fabric itself, not just the guests. Harden the default settings. Keep the management plane patched and segmented.
Factories and Pipelines: ICS and OT
For industrial control systems and operational technology, the main 2026 threat is also cybercrime. A clever twist: attackers do not always need to reach the factory floor itself. By hitting core business software such as enterprise resource planning (ERP) systems, they can cut off the data that production depends on. That halts operations and pressures victims into paying quickly, all without touching a single machine. Meanwhile, basic hygiene problems like insecure remote access keep letting ordinary Windows malware reach operational networks.
Google’s guidance maps cleanly to well-known controls. Segment the network so ransomware cannot pivot from the IT side into operations. Protect all remote access with multi-factor authentication and least privilege so stolen credentials do not open the door. And keep immutable, offline backups of both industrial configurations and critical business data, because recovery is what turns a disaster into an inconvenience.
Nation States
The third theme is government-backed activity. Four actors dominate, each with its own goals, but notice the common thread underneath them: stolen credentials, abused trust in third parties, and patient access. It is the identity story again, played at a geopolitical level.
Russia is expected to widen its focus from short-term wartime support in Ukraine toward longer-term strategic goals, including quietly building footholds in critical infrastructure abroad. Pro-Russian influence operations and hacktivist groups stay active against the West, with elections a recurring target. Operational technology is at real risk too. Norwegian intelligence attributed an April 2025 compromise of a hydroelectric dam to pro-Russian actors.
China is projected to run the highest volume of operations of any nation, with a growing emphasis on stealth. Its actors favor edge devices like routers and VPN appliances that usually lack endpoint detection, lean on zero-day vulnerabilities, and target third-party providers so that one trusted partner becomes a path into many downstream victims. The semiconductor sector is a particular focus, driven by competition and AI-related demand.
According to the report, Iran is expected to continue combining espionage, disruptive operations, hacktivism, and financially motivated activity, an overlap that makes attribution harder. The report also flags a continued risk of destructive wiper malware and heavy use of AI-generated content in influence campaigns.
North Korea will escalate their highly successful and lucrative operations against cryptocurrency organizations and users. The report attributes to its actors one of the largest cryptocurrency thefts on record, roughly 1.5 billion dollars in 2025. The report also points to continued use of techniques such as fraudulent hiring-assessment pages and deepfake videos aimed at high-value employees. A growing concern is its IT worker scheme, where operatives use legitimate employment to access data and funds from inside target organizations.
For defenders, the practical message is consistent across all four. Strong, phishing-resistant identity, tight control over third-party access, and good monitoring of edge and infrastructure devices are what blunt these campaigns, the same fundamentals that defend against the AI and cybercrime threats above. Knowing them is the easy part; the harder challenge is operationalizing them at scale, across every human, machine, and agent identity in your environment.
How Encryption Consulting Can Help
At Encryption Consulting, we offer comprehensive Encryption Advisory Services designed to enhance your organization’s data security posture. Our services help you identify and address encryption-related vulnerabilities, strengthen cryptographic protocols, and ensure full compliance with industry regulations and standards.
If you are wondering where and how to begin your post-quantum journey, Encryption Consulting is here to support you every step of the way.
Post Quantum Advisory Services
We begin with a Cryptographic Discovery and Inventory, scanning your entire environment to identify certificates, keys, algorithms, and protocols across endpoints, applications, APIs, and infrastructure, building the baseline you need before any migration can begin. From there, we conduct a PQC Assessment to evaluate your exposure to quantum threats, identify RSA and ECC-dependent systems, and deliver a prioritized report of vulnerable assets with risk severity ratings.
With that clarity, we develop a PQC Strategy and Roadmap: a phased migration plan aligned to your risk appetite, regulatory requirements, and long-term security goals, including cryptographic agility so your systems can adapt as standards evolve. We then support Vendor Evaluation and Pilot Testing, helping you select the right tools, run proof-of-concept tests, and validate interoperability before any full-scale rollout, before finally managing full implementation across your PKI, signing infrastructure, and TLS configurations with monitoring aligned to your long-term cryptographic health.
CBOM Secure
Encryption Consulting’s CBOM Secure gives a clear view of your cryptographic posture across environments. Instead of dealing with spreadsheets, manual OpenSSL outputs, or scattered configuration files, it shows which algorithms are in use, what needs to change for post-quantum security, and whether systems meet your security policy. It automates crypto inventories, checks TLS configurations, validates algorithms, and aligns policies so teams can move from discovery to action without guessing.
Conclusion
Google’s Cybersecurity Forecast 2026 is really one story told three ways. AI hands both attackers and defenders new speed and scale. Cybercrime keeps cashing in through ransomware, crypto theft, and attacks on the foundations like hypervisors and supply chains. Nation states pursue long-term goals by abusing trust and credentials. The thread tying them together is identity, and the quiet realization that in an agent-driven enterprise, identity belongs to software just as much as to people.
The good news is that the fundamentals still win. Treat every actor, human or machine, as a subject that must prove who it is and earn only the access it needs, for only as long as it needs it. Automate the certificates and keys that make that trust real. Keep your cryptography agile enough to evolve. For organizations facing long-term cryptographic risk, that also means beginning the migration to NIST’s finalized post-quantum cryptography standards (FIPS 203, 204, and 205) and aligning with CNSA 2.0 timelines. Do that, and the 2026 threat environment becomes something you can manage instead of something that manages you.
