Thales: 2026 Will See Renewed Focus on Cybersecurity Fundamentals, AI Urgency
Calling for Renewed Committment to Foundational Security Practices as Need to Balance AI Ambition with Operational Excellence Is Becoming More Critical

Thales, the leading global technology and security provider, cautions that despite the hype surrounding Artificial Intelligence (AI) and quantum driving billions in new spending, the most severe breaches in 2025 so far were caused by fundamental failures such as poor credentials, continued use of legacy security software, and misconfiguration. This aligns with the 2025 Thales Data Threat Report, which highlights that many organisations are accelerating AI adoption before strengthening their core security and technology foundations, leaving them exposed during transformation.
These systemic failures are prevalent because, as the 2025 Thales Data Threat Report rightly points out, some organisations are simply not waiting to get their security or technology houses in order before departing on their AI journey, as the urgency to move into transformation is superseding improvements to organisational readiness.
As we look toward 2026, Thales stresses that addressing emerging threats does not replace the need for foundational cyber hygiene. Companies that neglect Zero Trust, operational resilience, and basic access controls in the rush to embrace AI will ultimately increase their risk surface.
Below are key 2026 predictions from Thales security leaders in APJ:
Trend 1: Cyber Risk Becomes a Mandatory Board Governance Metric
– By Andy Zollo, Senior Vice President of Application and Data Security, APJ at Thales
Boards will quantify and govern cyber risk, transforming security from a technology cost into a fundamental business duty.
Cyber risk is now seen as a top strategic priority by 60% of business and tech leaders globally. This executive focus, driven by geopolitical instability and new regulatory rules, means Boards can no longer treat security as just an IT compliance exercise. They need clear, financial metrics on the true risk exposure.
By 2026, CISOs’ primary function will shift from managing technical defences to quantifying financial risk. Boards will demand Cyber Risk Quantification (CRQ) to measure the potential monetary impact of security gaps. This new mandate ensures foundational security programmes like Zero Trust and data discovery are adequately funded and monitored, as executives are held personally accountable for maintaining basic cyber hygiene.
This change provides security leaders with the necessary budget and executive support, effectively turning security investment into a measurable enabler of business stability and competitive advantage.
Trend 2: Organisations Will Prioritise Operational Resilience Over Prevention
– By Daniel Toh, Chief Solutions Architect, APJ at Thales
Systemic cloud outages and cascading dependencies will mandate a fundamental shift from prevention to mandatory operational resilience.
The risk of failure in cloud architecture is paramount. When incidents occur, they are rarely complex zero-days; rather, they are caused by internal, foundational failures. Recent industry analysis shows that 44% of all cloud security incidents are traced back to misconfigurations in Identity and Access Management (IAM). This highlights that the most effective way to compromise the cloud is through poor access control, and a clear customer failure in the Shared Responsibility Model.
In 2026, organisations will prioritise resilience over total prevention, accepting that vendors will fail. This mandates a return to the foundational principles of crisis preparedness. CISOs will enforce the Zero Trust principle of least-privilege vendor access and aggressively implement multi-region/multi-cloud redundancy for critical data stores. The mandate will be to design for failure by continuously testing response plans and ensuring controlled access (IAM) limits the downtime incurred due to compromise or outages.
This strategic return to resilience fundamentals minimises the business impact of unavoidable third-party failures, protects data from systemic vendor risk, and ensures continuity of critical business functions.
The AI race will only intensify next year, but organisations cannot escape weak security foundations. Companies that balance transformation with discipline, prioritising operational resilience to mitigate cyber risk, will be the ones to reap the benefits responsibly without exposing themselves to avoidable failures.



