Is 2026 the year of identity? Just follow the money

If we should follow the money to understand business stories, then one trend in cybersecurity over the past year is impossible to ignore: identity has become the central point of the industry.

More than half a dozen major cybersecurity acquisitions in 2025 and the start of this year, representing up to US$40 billion in combined value, centred on identity. The details of each deal’s rationale varied, but the direction was unmistakable: in every case, privileged access, identity governance, identity threat detection or continuous authorisation were in play.

What these moments show is that the security market has begun reorganising around the reality that identity — whether human or machine — is now one of the most critical surfaces to protect. AI is reshaping the enterprise, and defending identity is fast becoming the way we defend everything else.

Attacks are converging

Over the past year, threat actors started to move away from perimeter-based intrusion and towards credential abuse and lateral movement. The growth of agentic AI — autonomous tools that act, decide and request access at scale — is accelerating the trend.

This convergence is playing out on several fronts:

• Attacks increasingly start with compromised credentials and not malware. Valid identities, used by the wrong actor, are becoming the preferred entry point.
• Machine identities are proliferating, especially in AI. Many of these are unmanaged or over-permissioned, creating invisible risk at scale.
• Deepfakes and synthetic personas are lowering the cost and raising the credibility of impersonation, eroding traditional trust signals.
• AI agents and non-human workloads require dynamic, just-in-time access to do their jobs, meaning static role-based controls are no longer sufficient or safe.
   

All of this makes identity the new cyber battleground.

Not the only issue, but the defining one

There are still plenty of other priorities that deserve attention. Secure architecture, strong detection and response, and software supply chain integrity remain essential. Identity alone cannot solve misconfiguration, business logic flaws or insecure data exposure.

But it’s identity that increasingly determines how bad a breach gets. It’s identity that links together cloud, SaaS and AI environments. It’s identity that underwrites trust — between systems, people and machines — in an environment where automation is accelerating and traditional perimeters are blurring.

As the balance of risk shifts, identity has moved from a backend function to a boardroom discussion: a strategic challenge for the entire company.

Where next?

In 2026 we’ll see identity security take on new weight: technically, economically and geopolitically.

Cyber insurance markets are already adapting, with 97% of organisations in recent research by Delinea reporting that identity-related controls influence their cyber insurance premiums or coverage terms. Regulatory attention is growing, particularly around AI governance, machine access and automated decision-making.

Identity and privilege control are being tied to critical infrastructure resilience, especially in sectors like energy, transport and finance. It’s a shift with wide implications, and one that is only just getting started.

So while identity isn’t everything, it may well be the area that shapes how organisations secure their operations, govern AI and recover when something goes wrong. In this sense, 2026 won’t just be the year of identity. It’ll be the year when identity becomes the lens through which cybersecurity is redefined.

*Chris Kelly is President of Go-To-Market at Delinea.

Image credit: iStock.com/da-kuk