
Shadow AI to compliance disruption: What businesses need to know for 2026

How will business security change in 2026? More importantly, what immediate factors should leaders be focusing on?

Image: © AFP MARCO BERTORELLO

How will business security change in 2026? More importantly, what immediate factors should leaders be focusing on? Matt Hillary, SVP of Security and CISO at Drata, has explained to Digital Journal what he sees as top of mind for security and tech leaders heading into the new year.

Shadow AI must be confronted

Shadow AI is the unsanctioned use of any artificial intelligence (AI) tool or application by employees or end users without the formal approval or oversight of the information technology (IT) department.

On this subject, Hillary predicts: “In 2026, shadow AI won’t just be a nuisance. Expect more discovered and disclosed instances where shadow AI is traced back to trust-impacting incidents. Just as shadow IT reshaped the risk landscape a decade ago, employees today are already turning to unsanctioned AI tools, models, and agents to accelerate their work. This trend will only grow as pressure mounts to move faster, do more, and be more productive.”

As to the consequences: “The result will be sprawling risks: potential data leaks, noncompliance, privacy implications, security blind spots, unanticipated actions taken by AI agents ultimately attributed to the accountable human, and blurred lines of accountability when AI goes wrong.

Companies will need to fundamentally rethink their governance, visibility, and culture to stay ahead. Shadow AI is not a side issue. It’s the next frontier of enterprise chaos, and only those who prepare now will survive the reckoning, or else see these risks become reality.”

AI will write (and break) compliance programs

AI adoption in compliance and investigations is gaining traction, especially among larger and publicly listed companies. Yet can this go awry?

According to Hillary: “Next year we’ll see something wild: AI systems drafting, updating, and mapping entire control frameworks and risk registers – while other AIs are simultaneously probing those same frameworks and registers for weaknesses faster than any auditor ever could. The compliance battlefield is about to become AI vs. AI. The promise is efficiency: instant control mappings, auto-generated documentation, and real-time evidence and risk updates.”

The implications are huge: “The risk is existential: malicious models finding control gaps, manipulating policies, or fabricating deepfake attestations that look perfectly legitimate. The next wave of breaches won’t start with a human mistake – they’ll start with a machine misunderstanding.

The smart move? Build ‘AI assurance’ into GRC programs now. That means validation, ‘explainability’, and synthetic data risk monitoring baked into every layer. If compliance is about trust, then AI assurance will be the new trust currency. Whoever masters it first will define the rules of the game.”

The CISO as the new “Chief Trust Officer”

A Chief Trust Officer helps the business fulfil its promises to customers and stakeholders on security, privacy, data, ethics, and environmental and social governance matters by examining them through a trust-centric lens.

This role is set to become more important and more widely adopted, as Hillary observes: “In the coming year, the CISO will have officially outgrown the traditional ‘protector’ role and stepped into something larger: the Chief Trust Officer of the enterprise.

Their job won’t stop at defending against threats or maintaining compliance – it will expand to proving trust as a measurable, revenue-driving asset. Forward-looking CISOs will sit shoulder-to-shoulder with CEOs, quantifying how their programs fuel growth, build credibility, and win deals. They’ll reshape the perception of security and GRC from a cost centre into a competitive differentiator.”

Consumers will also partly drive the transformation: “In a market where customers demand transparency and regulators demand accountability, the CISO won’t just be a guardian of systems, they’ll be the architect of trust itself and the trust currency exchange, and that trust will become the most valuable currency a company can utilize. If you’re a CISO, start claiming that turf before others do. Trust is the evolution of security and GRC, not the replacement.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist and an author. He is also interested in history, politics and current affairs.
