KPMG’s 2026 cybersecurity report names non-human identities as one of eight load-bearing risks for the year, drawn from interviews with more than 20 KPMG cyber leaders and senior executives at Google, Microsoft, Palo Alto Networks, the AI-and-network-security vendor, and ServiceNow, the workflow automation platform. The argument the report presses hardest for CISOs is this: AI agents, service accounts, and machine credentials now outnumber human users inside most enterprises, and the identity-governance practices built for humans do not survive that ratio. The other seven considerations circle the same problem of scale, from post-quantum cryptography migration to IT/OT hyperconnectivity.
- Non-human identities now outnumber humans in most enterprise environments, demanding lifecycle governance for service accounts, AI agents, and machine credentials.
- Autonomous security agents are moving into the security operations center (SOC), compliance workflows, and identity management, shifting workforce skills toward agent oversight.
- Post-quantum cryptography (PQC) migration is now an explicit regulatory program in multiple jurisdictions; finance and defense face existential pressure to act.
- Supply-chain attack surface keeps expanding into AI and IoT, pushing third-party risk management toward continuous monitoring instead of annual review.
- The CISO mandate has broadened to cover physical-cyber convergence, AI safety, and board-level resilience reporting.
What the KPMG 2026 cybersecurity report puts on the CISO desk
The full report, available as a downloadable PDF on the KPMG site, is organized around eight considerations: preparing the cyber workforce for autonomous security; navigating geopolitics, resilience, and compliance; safeguarding AI systems; managing non-human identities; enabling trusted IT/OT hyperconnectivity; transitioning to post-quantum cryptography; protecting the supply chain through detection and response; and broadening the role and influence of the CISO. KPMG pulls together insights from a global panel that includes its own cyber partners plus named senior executives at Google, Microsoft, Palo Alto Networks, and ServiceNow, supplemented by findings from KPMG global and regional surveys.
The thread tying the eight together is operational scale. Hyperconnected IT and operational technology environments now demand dynamic mesh architecture and clear ownership across cyber-physical boundaries, where industrial sensors and IoT endpoints are no longer side concerns. Supply chains carry AI components and embedded devices that change risk weekly, an expansion CSI’s reporting on supply chain security has tracked through the past year. And the report calls out post-quantum cryptography migration as a multi-year program that finance and defense sectors cannot defer. Each consideration is presented as a 2026 priority a CISO should personally own.
Why non-human identities are the load-bearing axis of the eight
The non-human identity finding is the one that reframes how every other consideration plays out. AI agents, service accounts, and machine credentials already outnumber human users inside most enterprise environments, and the gap widens every time a platform team automates another workflow. Identity governance practices built around human onboarding, periodic access review, and quarterly attestation do not survive that ratio. Service-account sprawl is the precise mechanism by which AI safeguards fail, supply-chain compromises propagate, and SOC analysts lose their ability to distinguish a legitimate automation from a stolen one.
KPMG argues organizations must rethink identity governance to cover the full lifecycle of both human and machine actors. That sounds like a policy statement; in practice it means inventory, provisioning workflow, attestation, and decommissioning capability for every service account and agent on equal footing with human accounts. The eight considerations name AI security, supply-chain detection, and SOC autonomy as separate concerns, but each rests on whether the identity layer can name what is acting and on whose behalf, the same dependency reflected across the broader cyber resilience agenda. Without that, AI safety reduces to model-level promises that cannot be enforced operationally, and autonomous security tools end up making decisions about identities they cannot trace.
How CISOs should sequence the 2026 considerations into action
The report’s authors present eight priorities; sequencing matters because identity governance is the prerequisite for the rest. Treat the items below as the order in which the cybersecurity report’s findings actually unlock each other.
1. Inventory non-human identities before scaling autonomous security. Every AI agent, service account, and machine credential needs a registered owner, a documented purpose, and a defined lifecycle endpoint. Without this baseline, the autonomous-SOC and AI-safety initiatives KPMG describes are operating on identities the security team cannot account for.
2. Build a post-quantum cryptography (PQC) migration program with a named timeline this quarter. KPMG flags PQC as existential for finance and defense, with national regulatory deadlines already arriving. The work is multi-year, so the planning artifacts, in particular a cryptographic inventory and a migration roadmap, need a 2026 commitment even when execution stretches longer.
3. Extend supply-chain monitoring beyond annual third-party reviews. Continuous monitoring of supplier infrastructure, AI components, and embedded device firmware is the only model that keeps pace with how supply chains actually change. Treat third-party risk management as an operational telemetry feed, not a compliance artifact.
4. Reframe the CISO role into the board-level resilience charter the report describes. The expanded scope, covering physical-cyber convergence, AI safety, and enterprise resilience, is what makes the other seven considerations executable. Hand the identity-governance program, the PQC migration plan, and the supply-chain monitoring telemetry to a CISO whose mandate covers all three, or expect them to fragment across functional owners. The non-human identity problem the cybersecurity report puts at the center of 2026 only gets solved when one accountable executive owns the lifecycle.
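One way to turn the inventory baseline described above (registered owner, documented purpose, lifecycle endpoint, attestation) into a repeatable check, as an added example that is not code from KPMG or the report; the identity names, owners and the 90-day attestation window are constructed assumptions:

```python
# Added example (not KPMG's or the report's code): checks a constructed
# inventory of service accounts and AI agents against the baseline the article
# describes: registered owner, documented purpose, lifecycle endpoint, attestation.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class NonHumanIdentity:
    name: str
    kind: str                             # "service_account" or "ai_agent"
    owner: Optional[str] = None           # accountable human or team
    purpose: str = ""                     # documented reason the identity exists
    expires: Optional[date] = None        # defined lifecycle endpoint
    last_attested: Optional[date] = None  # last access review signed by the owner

# Constructed sample inventory: hypothetical names, not real systems.
INVENTORY = [
    NonHumanIdentity("svc-payroll-export", "service_account", "finance-platform",
                     "Nightly payroll export to bank SFTP", date(2026, 12, 31), date(2026, 1, 15)),
    NonHumanIdentity("agent-soc-triage", "ai_agent", "secops",
                     "Triage low-severity SIEM alerts", date(2026, 6, 30), None),
    NonHumanIdentity("svc-legacy-etl", "service_account", None, "", None, date(2024, 3, 1)),
]
AS_OF = date(2026, 3, 1)       # review date used by the sample run
ATTESTATION_MAX_AGE_DAYS = 90  # assumption: quarterly attestation cycle

def governance_findings(nhi, today):
    """Return the baseline requirements this identity fails (empty if compliant)."""
    findings = []
    if not nhi.owner:
        findings.append("no registered owner")
    if not nhi.purpose.strip():
        findings.append("no documented purpose")
    if nhi.expires is None:
        findings.append("no lifecycle endpoint")
    elif nhi.expires < today:
        findings.append("past lifecycle endpoint, should be decommissioned")
    stale = nhi.last_attested is None or (today - nhi.last_attested).days > ATTESTATION_MAX_AGE_DAYS
    if stale:
        findings.append("attestation missing or stale")
    return findings

def audit(inventory, today):
    """Map every non-compliant identity name to its list of findings."""
    return {n.name: f for n in inventory if (f := governance_findings(n, today))}
if __name__ == "__main__":
    for name, issues in audit(INVENTORY, AS_OF).items():
        print(f"{name}: {'; '.join(issues)}")
```

Running it against the sample inventory reports the agent with no attestation and the orphaned legacy account, while the fully governed payroll account produces no findings.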