Here are some 2026 industry predictions from Karl Bagci, Head of Information Security at email signature management software provider Exclaimer, for your review.
1. The major 2026 security shift most organizations aren’t prepared for
The biggest unacknowledged shift heading into 2026 is that the authentication layer is no longer the perimeter. Attackers aren’t breaking in, they’re logging in. Session hijacking, token theft, infostealer malware harvesting credentials at scale. Most organizations still treat successful authentication as proof of legitimacy. In 2026, that assumption will cost them. Continuous verification throughout a session, not just at login, is where we need to be and almost nobody’s there yet.
2. Where the shared responsibility model will fail next
The next fault line in the already strained shared-responsibility model will arise from AI features embedded in SaaS. Every vendor is bolting on AI capabilities, often using third-party models and often processing customer data in ways that aren’t transparent. The shared responsibility model assumes clear boundaries. AI blurs them completely. When your CRM’s AI assistant summarizes confidential deal notes and that data trains a model or leaks across tenants, whose responsibility is that? The contracts will say yours. The reality is you had no visibility or control.
3. How attacker behavior will escalate in 2026
The next evolution in attacker strategy will be AI-powered social engineering at scale. Today’s business email compromise (BEC) is still largely manual. Tomorrow’s is automated and personalized. AI scrapes LinkedIn, correlates with breached data, and generates contextually relevant messages for thousands of targets at once. Each one referencing real projects, real colleagues, real details. Attack quality goes up. Volume goes up. Current defenses are calibrated for neither.
4. Why compliance will have to extend beyond email
A major compliance shift is coming for regulated industries as regulators begin questioning why email is compliant, but other business channels are not. Organizations spent years building email retention, disclaimers, legal holds, and audit trails, then moved half their communication to Teams and Slack with none of that infrastructure. Financial services, legal, and healthcare all have strict requirements around communication records. The regulatory expectation is forming, and extending compliance controls across all digital communication channels is no longer optional. I believe enforcement will follow.
LastPass Smacked Down In The UK For Being Pwned
Posted in Commentary with tags LastPass, UK on December 12, 2025 by itnerd

The UK ICO has fined LastPass £1.2 million following a 2022 breach that exposed personal data and encrypted password vaults belonging to up to 1.6 million UK users. Regulators found the incident stemmed from a chain of failures, beginning with the compromise of an employee’s personal device and escalating through reused credentials, third-party software vulnerabilities, and stolen cloud access keys. While LastPass’ zero-knowledge encryption remained intact, attackers were able to exfiltrate encrypted vaults and sensitive metadata, highlighting how human and personal-device risks can undermine even well-designed security architectures. The ruling reinforces regulators’ growing focus on executive access, remote work exposure, and the need to secure the human attack surface.
If you want to know more, this will help: UK fines LastPass over 2022 data breach impacting 1.6 million users
Chris Pierson, CEO, BlackCloak had this to say:
“This case is a clear reminder that today’s most damaging breaches often begin far outside traditional enterprise controls. Attackers did not defeat encryption or zero-knowledge architecture head-on; they targeted a trusted individual, exploited a personal device, and patiently chained together small gaps until they reached high-value access. For executives and privileged users, personal and professional digital lives are inseparable, and adversaries know it. Controls within the enterprise remain critical, but they must be paired with the continuous protection of personal devices, privacy enhancements, and home network protection. Organizations that fail to secure the digital attack surface for key persons and executives in their personal lives are effectively leaving the back door open to attacks.”
The LastPass incidents (as they’ve been pwned multiple times) illustrate how important it is for organizations to close the holes that lead to this sort of thing happening. And if organizations won’t do this by default, then they need to be punished until they get the message.