LmCast :: Stay tuned in

Looking Back, Looking Forward: Digesting a Dynamic Bouillabaisse of Cyber Evolution

Recorded: May 19, 2026, 1:58 p.m.


Since 2006, Dark Reading has been at the forefront of covering cybersecurity, providing deep insights and analysis beyond the headlines. All those major news events? We were there. Shifts in technology trends? We wrote about them.
Enjoy this special anniversary coverage celebrating where we've been and what's next.

Dark Reading editors reflect on two decades of dramatic change — from perimeter defense to assume-breach strategies — and warn that while AI, cloud, and COVID-19 have transformed the threat landscape, organizations are still failing at fundamental security hygiene that could stop sophisticated attacks in their tracks.

Dark Reading Editorial Team
May 19, 2026

Cybersecurity has always been a dynamic space, with industry innovation keeping pace with frontier tech developments — the brightest minds in the sector are known for noodling on everything from securing the move to the cloud to locking down agentic AI. At the same time, widespread adoption of cyber fundamentals by ordinary enterprises, like ensuring strong authentication, network segmentation, and patching known vulnerabilities in a timely fashion, remains elusive — even as they rush headlong into adopting autonomous agents.

It's a hearty stew to pick through, and this special 20th anniversary edition of Reporters' Notebook breaks down two decades of cybersecurity evolution: where we've been, big inflection points (COVID-19 and ChatGPT, anyone?), and where we're going. Dark Reading's editor-in-chief Kelly Jackson Higgins and co-founder Terry Sweeney, who were there from the beginning, join the discussion with Dark Reading managing editors Tara Seals and Fahmida Rashid, who are helping to architect DR's next chapter.

There's plenty to talk about: our editors cover the dramatic expansion of the attack surface driven by cloud computing, Internet of Things (IoT) devices, remote work, APIs, software-as-a-service (SaaS) applications, and AI systems with non-human identities (NHIs).
How the pandemic drove a sudden shift to remote work that effectively eliminated controlled corporate network environments, and stress-tested cloud infrastructure at unprecedented scale. The fundamental philosophical shift from prevention to resilience, abandoning "unhackable" marketing claims so en vogue 10 years ago. And how concepts like least privilege and asset inventory — discussed for 20 years — remain underutilized; they're just now exponentially more complex with AI agents, machine identities, and ephemeral APIs in the mix that are frequently over-privileged. And they also look towards the next two decades, and how organizations need to ensure the basics aren't lost amid the "irrational exuberance" surrounding AI and other emerging technologies.

Learn more in the video, and also check out our Reporters' Notebook full series, available here, which is designed to bring together insights and coverage from across Informa TechTarget's network of cybersecurity sister sites. And, click here for all of our DR20 content, which will be rolling out across the month of May. Keep checking back for new items!

Kelly Jackson Higgins, Tara Seals, Fahmida Rashid & Terry Sweeney: Full Video Transcript

This transcript has been edited for clarity and length using Informa TechTarget's internal AI assistant. For the full experience, please watch the video.

Dark Reading’s Tara Seals: Hi, everybody. Welcome to this special edition of Reporters Notebook. I'm Tara Seals, Managing Editor for News at Dark Reading, and we are celebrating 20 years, two whole decades of coverage of the cybersecurity industry. So, we're bringing together two people who have been here from the beginning, and then Fahmida and I, who are sort of the new-ish guard, not new, but new-ish. And we're going to talk about where we've been and where we are going. I would like everybody to introduce themselves.
Kelly, would you like to start?

Dark Reading’s Kelly Jackson Higgins: Kelly Jackson Higgins, Editor-in-Chief at Dark Reading. I came along in June of 2006. I was hired by this guy over here, Terry Sweeney. I'll hand it to you, Terry.

Dark Reading’s Terry Sweeney: Thanks, Kelly. Terry Sweeney, I'm a contributing editor and was involved in the early days of Dark Reading. It's kind of astonishing to be here 20 years later. Here we are. Fahmida, I'll hand it off to you.

Dark Reading’s Fahmida Rashid: Hi, I'm Fahmida Rashid. I'm the Managing Editor of Technology and Features here at Dark Reading. I came on board in 2022, but I believe my freelance relationship with Dark Reading started in 2010, 2011. So, it's kind of cool now that I've crossed into full time, seeing what Dark Reading is all about.

DR’s Tara Seals: Yeah, well, thank you all of you for joining today. And I think a good place to start is just talking about what's the biggest headline from the last 20 years? It's gotta be the giant expansion of the attack surface, right? We have cloud computing, we've got IoT, we have the remote work infrastructure, APIs, SaaS applications, supply chain stuff, all coming to the forefront. We've got developers going willy-nilly with low-code stuff that is populating new identities throughout the enterprise. And then of course we have AI systems and other non-human identities related to that. So, you know, what's your broad take on this explosion that we've seen? When you take a look at it from start to finish and the vast evolution from the basic perimeter-based, on-prem corporate network, or even the multi-location enterprise that was connected by a LAN, let's say, or a WAN. You know, this is vastly different and everything, everything has changed. So just a hot take from the top, Kelly.
What do you think?

DR’s Kelly Jackson Higgins: Yeah, so it makes me think about the early days when it was all about firewalls, endpoint security, the wired systems, right? Everything was local, all networks, virtual networks, everything was on-prem. And so those were the kinds of stories you're writing about. Those were the products that were out there, right? Everything was very much focused on the user's workstation, the client workstation, the servers, that infrastructure. I think when it all exploded was during the pandemic when we'd been talking about this move to the cloud for so long and we were seeing bits and pieces of it and portions of it, but everyone was nervous about taking everything to the cloud. But when you started sending people home to work from their home, their home Wi-Fi networks, sometimes with their own machines, you can't control the users anymore. They're not on a hardwired corporate network — I would say that was when the cloud explosion started in my mind. And then we saw all the problems with people, organizations going too quickly to the cloud. We saw all kinds of cloud vulnerabilities being exposed suddenly that no one had known about. To me, that was really the game change, the pandemic. I think that's when we shifted from this mindset of, we have a network here at our company, to the network is just a blur.

DR’s Tara Seals: Yeah. We kind of had a little Jurassic Park moment, right? Like all of a sudden the electricity went out, the fences came down. Nobody's really sure where the T-Rex is. So yeah, I mean, it was definitely a sea change for sure. Terry, what are your thoughts on that? From your perspective, was it the pandemic? Did it start before that? Were there, you know, other aspects to it?

DR’s Terry Sweeney: Well, just to tag on to what Kelly was saying, the focus was originally around firewalls and servers, in order to guard against denial-of-service attacks that were crippling networks back in the early days.
I'm also thinking rather nostalgically about alphanumeric passwords, just numbers and letters that do not use special characters. I can actually hear my virtual rocking chair creaking on the porch as I think back on that now. Anyway, it's obviously shifted a lot. From where I sit, I feel like the movement to cloud and the rush to get there preceded the pandemic with Azure, AWS, Google Cloud Services, all of it. And shockingly, it felt like security was almost an afterthought. I don't know if it was a problem about who was going to own security ultimately between enterprises or the cloud service providers (CSPs). But we then moved into the virtualized environments, containers and Kubernetes and all of it, and now we've landed in AI's world, right? And we're just contributors to large language models (LLMs), I think. I can see the natural progression. What's worrying there is it feels like our ability to foresee or to effectively manage the risks of this enlarged attack surface has eroded substantially. Fahmida, what do you think?

DR’s Fahmida Rashid: I agree with you, Terry, and I feel like the cloud and all of that preceded the pandemic lockdown, but I see the lockdown as when we stress-tested the cloud. We have a lot of companies that were cloud native, you know, Netflix kind of pioneered the entire, "we rely heavily on SaaS."

DR’s Terry Sweeney: That's a good point.

DR’s Fahmida Rashid: So, a lot of companies, the legacy dinosaurs, were like, I don't know if it's safe. And then you have all these nimble startups (who are not startups anymore), who were like, yeah, we're all in on cloud. But I think 2020 was when we stress tested the Internet. Can the Internet handle every single person trying to do Zoom or Teams or WebEx? Can the Internet handle suddenly multiple people in one house trying to access multiple things? Can all these applications support all the stuff we normally relied on at work for corporate applications?
So, 2020 was just this massive stress test, maybe we failed, maybe we passed, but it's a good thing. I think we were doing all the various migrations to cloud. Oh, we're gonna have some applications already in the cloud before 2020, because otherwise that would have been a really bad year.

DR’s Tara Seals: Well, and I think if you look at that too, it goes hand in hand with the evolution in the industry mindset from a vendor perspective and how they were selling their wares, marketing their "unhackable" claims. Obviously that's something that might be appropriate if you're talking about a Dell laptop, let's say that's air gapped or something, but even that obviously is defeatable as we know now. So now we're in this distributed era where nothing is unhackable.

DR’s Fahmida Rashid: I don't think we've seen the press releases as much. Like before, it was like almost every other day terms like "unhackable," "hack-proof," "we dare you," "bulletproof."

DR’s Tara Seals: "Bulletproof," "titanium," armored car analogies, all kinds of things. So, yes, and now we've definitely moved into a post-pandemic, harm-reduction view on things. So, it's more about containment and it's more about making sure that you're set up for not if it happens, but when it happens. Make sure that you've got network segmentation, and zero-trust was really hot there for a little while. Though now that's considered a little bit passe as we're moving on to the next thing, which is the identity-based perimeter. So everything has moved really rapidly, in the past five years, and even in the 15 years leading up to that. There's a lot of dynamism in terms of how we thought about defense, right?

DR’s Kelly Jackson Higgins: Yeah, I feel like back then it was around 2012, I think, is when I really started noticing the conversation shifting from you have to defend and keep them out.
Don't let them in, this is how we stop it at the gate, that whole marketing credo that we heard and companies talking about how they're going to do that. Then it became, it was a matter of when you'll get hit, and now it's about how you have already been infiltrated. I was walking the show floor that year at RSA and I happened to stumble upon this startup at the time that was doing work for the Department of Defense, and they were showcasing an appliance that basically would keep an eye out and track what was going on inside the network, and spy on the attackers. So the mission wasn't really to stop the attackers from getting in, but to basically observe what they were doing, gather intel, and eventually contain the damage. I ended up talking to people at the show and there was this whole quiet admission among some of the security experts who had been saying we can stop the bad guys, basically saying we really can't if there's this determined attacker. We know today they're going to get in. In most cases, they already have. It's really a matter of how you mitigate the damage, how you protect the most valuable data, what you do to respond. So, I think that was a big turning point in industry to me. And we started just seeing the marketing shift too, you stopped hearing "unhackable." If you did say that, people made fun of you and tried to go after you, saying "we'll make an example of you." We saw a couple of cases like that.

DR’s Fahmida Rashid: Yes. Exactly.

DR’s Terry Sweeney: Sure, sure. Well, the messaging totally shifted then to mitigation, like risk reduction. Like, we're not preventing stuff anymore. We're not making things airtight or more secure than Fort Knox. Like, as you said, those claims were really almost a red cape in front of black-hat hackers to go after these targets.

DR’s Fahmida Rashid: And I think it's not even containment because now you hear the word "resilience." Even if you're under attack, are you able to stay up and running?
Even if you're under attack, how fast can you recover? So, it's such a dramatic change. Kelly, when you were talking about the attackers at the gate, I immediately remembered the castle and the moat. You don't hear that imagery anymore. And then we went to containment like, okay, let's limit the damage. And now it's just like, yeah, you're going to get attacked. Just make sure you can survive that. The messaging is just dramatic.

DR’s Kelly Jackson Higgins: Yeah, it's really different.

DR’s Tara Seals: Well, and I think too, we don't have attackers that are just using malware, let's say, or zero days or whatnot. I mean, now it's just a question of finding some sort of hole in the trusted access barrier, right? Which is pretty easy to do when you've got this explosion of different types of identities all over the different attack surfaces as well. Again, you've got the IoT, you've got people working from home, you have cloud-based logins, and then you just layer in agentic and autonomous AI and it just gets a little bit crazy. So where do you go from there? Particularly as we start to scale up a little bit in terms of the tempo, the operational tempo of all of the things that are happening on the threat landscape. You assume breach, assume that things are going to happen. And then where do you go from there? What's the next wrinkle, I guess? Maybe we shift the conversation towards looking forward a little bit, Fahmida?

DR’s Fahmida Rashid: Tara, I know when you were saying how the attackers are not all using zero days. When we were all working on that 20 big news events, the one thing I was struck with was that social engineering was considered this sophisticated attack, right? Take the SecurID incident, that was a phishing link that somebody sent, and the computer got compromised, and then RSA basically lost control of the SecurID token. So social engineering used to be considered sophisticated. Where do we go from here? We keep saying it: we need to go back.
We're still, 20 years later, terrible at asset inventory. We're terrible at basic things, and you would think after all of these technologies, all of these new cloud, IoT, biometric, et cetera, we would be better. But yeah, it's still the same thing: let's go back to the basics.

DR’s Kelly Jackson Higgins: Well, and to piggyback off that, least privilege. We talked about that 20 years ago, and we're still talking about it, but in a different way now, because the identities are not just the user on the PC. You have AI agents, you have machine identities and you have these sort of ephemeral identities that pop up, the API stuff. So we have never really gotten our arms around what a user or an account can do or should be allowed to do.

DR’s Fahmida Rashid: Yeah.

DR’s Kelly Jackson Higgins: And tracking that now is even harder, right? You keep hearing about automated responses to what a credential or user identity is doing, so we know if it's something that's not the norm and we can stop it right there. But it's still not working, because a lot of times, the identities are overprivileged. And that's happening with AI agents right now too, right? They're overprivileging them. So, it's the same problem we've always had, on steroids now.

DR’s Terry Sweeney: Talking to folks at RSAC about this topic just a few months ago, it's concerning that there doesn't seem to be any sort of industry-wide effort to standardize these so-called non-human identities, these bots, these agents, the underpinnings of this next wave of agentic AI. As an observer, it's really concerning, Kelly, to your point. Like we should know better by this point that a coordinated plan is required here to lock down these pieces of software that are basically crawling the Internet. Are they secure? Well, they seem to be secure enough right now, but can hackers find a way to get in and change missions or change the identity or other parameters that are contained in that free-floating piece of software?
This is stuff that should be keeping the industry up at night. Are you guys hearing anything about even informal agreements among big industry players to define non-human identities (NHIs) in a smart or secure way?

DR’s Fahmida Rashid: I would say from a tech perspective, most of the conversations I hear are from the startups. They're like, hey, this is how we're going to manage NHIs. But I am definitely looking for what Active Directory or LDAP are doing. Are the big identity brokers that we all use — nobody can give up their Active Directory or LDAP or single sign-on. Those need to do NHIs, those need to do agentic AI. So, I feel like the conversation is still amongst the smaller startups. The bigger providers are still, I think, trying to get their arms around it.

DR’s Tara Seals: I think there's definitely a lot of chatter in terms of people being concerned about letting AI agents loose autonomously on their infrastructure and being overprivileged and having access to all of these different things, customer records and whatnot. And for example, if you wanted to do predictive maintenance in a factory, then that agent is going to have to have access to all kinds of privileged information that potentially is dangerous in the wrong hands. So that's just one example of how they're deploying these autonomous use cases. I think that there is definitely discussion in the security industry, but I'm more concerned about the fact that businesses themselves, organizations themselves, do not seem to adequately grasp how dangerous this can be despite awareness attempts. I think it might take something catastrophic before they wake up and say, hey, you know what? All the productivity gains are great. It's great for our bottom line, which it is, and obviously money dictates everything. But eventually, they will have to see this as the risk that it is.
And I just don't think that they're doing that right now, not from what I've seen anyway.

DR’s Kelly Jackson Higgins: It kind of goes back to your commentary about oftentimes security is an afterthought. And I think that happens when there's a new technology that everyone gets excited about, like AI. You know, we saw that from the get-go too with some of the gen AI stuff. I think we're definitely doing better now because we're learning things, but there's still a lot that's not been addressed yet.

DR’s Fahmida Rashid: I think we need more examples of companies having AI agents delete their production databases before they realize, hey, yeah, we don't want to lose our production database. Let's make sure our agent can't do that.

DR’s Tara Seals: That's a really good point. Physician heal thyself, right? So we are kind of at our time. It's been a short but very interesting and meaty discussion. Any final thoughts from any of you? Terry? Let's start with you.

DR’s Terry Sweeney: It's not directly a security issue, but one of the things that's bugging me is, especially with LLMs, the way that the big AI companies have willfully just gone out and added copyrighted works and works that they're otherwise unauthorized to use, to analyze and to make part of their LLMs. Not to put the spotlight on Anthropic, but it feels like the fines that they've paid, I think Google has also been hit with some fines as well, they're treating this as the cost of doing business. A $10 million fine, a $50 million fine, it's a drop in the bucket when you're spending $200 billion a year in 2026 on AI and LLM development. Again, it's not directly a security issue, but it does impact the integrity of these LLMs, which seem to have plenty of integrity problems already.

DR’s Kelly Jackson Higgins: Yeah, I would say the one thing about the industry right now is it's on the same theme of rushing to adopt something. But I also see that AI is a big marketing ploy too right now.
The concern I have is that there are a lot of really smart people in this industry actually creating some really important products, important services, and they're struggling with being pushed hard to make this AI more, make this AI-based when they know they have the right people and expertise to do it themselves and have these humans in the loop who actually really know this stuff and can do the work. So, I hope there will be a balance. I think we're going to probably have some missteps along the way. Like you said, some incidents will happen and that's kind of how we'll learn, I think, how to balance what's great about AI and the automation part of it, with tapping into the smart people out in this industry who are doing the real work. So, my hope is that we can balance that well.

DR’s Fahmida Rashid: I was just going to add, security is always a pendulum. We go from one extreme to the other. And I was really worried that we're going to suddenly see a world where it's all AI all the time. And I'm actually really happy and surprised that we see course correcting already that it's not all AI, but companies are beginning to realize that they can continue doing what they're good at, but just integrate AI. So, AI becomes a part of what they're doing. You know, there's still all of that, "AI is going to take care of everything" on one side and, "AI is terrible. We never want to use AI" on the other side. But people are beginning to realize, hey, we have this really good process already if we use AI to automate, if we use AI to speed up. And I just hope we stay on that, where AI is a part of what we're already doing, as opposed to only AI.

DR’s Tara Seals: I'm going to say that we still need basic cyber hygiene and we still haven't fixed the most fundamental things. For example, recently we did a story on a vibe coded piece of malware. And the thing is, it wasn't effective with its target.
It was "sophisticated" and all of these other things, but it didn't actually get to where it was going because of the network segmentation that the target had in place and because they had strong passwords and because they had multifactor and all of these things. It was thwarted by the basic low hanging fruit of cyber defense. So I think, you know, if there's anything to take into the next two decades of cybersecurity defense and block-and-tackle strategizing, it's got to be the fact that you've got to get the basics and the fundamentals down first and then you can worry about all the other stuff. But that can't get lost in the mix when we're talking about the irrational exuberance that we're seeing right now with AI and some other things. All right guys, thank you very much for your time again. I'm Tara Seals, Managing Editor at Dark Reading, and I will pass it over to all of you to say goodbye, starting with Fahmida.

DR’s Fahmida Rashid: Thank you so much for joining us.

DR’s Terry Sweeney: This is Terry Sweeney. Thanks for joining us. This has been fun.

DR’s Kelly Jackson Higgins: This is Kelly Jackson Higgins, great conversation with some smart people that I like working with. Thanks for joining us today.

DR’s Tara Seals: Thanks everybody. Thank you for watching.

About the Author

Dark Reading Editorial Team

The Dark Reading Editorial Team consists of Kelly Jackson Higgins, Fahmida Y Rashid, Tara Seals, Rob Wright, Becky Bracken, Alex Culafi, Arielle Waldman, and Kristina Beek. Among us, we have over 99 years of experience covering cybersecurity. That's pretty striking considering the industry hasn't even been around that long.

The evolution of cybersecurity over the past two decades has been marked by dramatic shifts, moving from traditional perimeter defense strategies to assume-breach methodologies. The authors reflected on how the landscape has been fundamentally altered by technological advancements such as cloud computing, the proliferation of Internet of Things (IoT) devices, remote work infrastructure, APIs, Software-as-a-Service applications, and the emergence of artificial intelligence systems with non-human identities. This expansion has created a vastly larger attack surface, forcing an evolution in defensive thinking.

The initial focus of security was centered on securing on-premises corporate networks using firewalls and endpoint security, a mindset predicated on keeping threats out at the gate. However, the shift towards the cloud explosion, which was catalyzed by the pandemic forcing widespread remote work, led to a fundamental change in perspective. As employees worked from uncontrolled home networks, the network concept itself became fluid, prompting a shift from securing a fixed network to managing a distributed environment. This experience served as a significant inflection point, moving the industry away from idealized notions of being "unhackable" and toward prioritizing resilience—focusing on how organizations can contain damage and rapidly recover rather than striving for complete prevention.

Despite this philosophical shift towards resilience, the discussion highlighted that organizations frequently fail to maintain fundamental security hygiene. Concepts such as least privilege and asset inventory, which were discussed previously, remain underutilized and increasingly complex when dealing with modern agents, machine identities, and ephemeral APIs. The core challenge remains ensuring that basic security principles, like timely patching, robust authentication, and network segmentation, are not lost amidst the rapid adoption of emerging technologies.

Looking forward, the focus must shift to managing risks within this expanded and dynamic environment. The evolution of defense strategy has moved from solely stopping intruders to observing and mitigating damage. This evolution is further complicated by the emergence of agentic AI, which introduces new dimensions to the identity and access management problem. Concerns are rising about the lack of standardization for managing non-human identities, such as bots and agents, and the risk associated with these entities being overprivileged with access to critical information. While there is ongoing discussion among the industry, particularly among startups, regarding the technical management of these non-human identities, there is a perceived gap in industry-wide consensus on how major identity brokers like Active Directory and LDAP should handle these entities.

Furthermore, the overall security posture depends heavily on addressing the foundational elements of defense. Even sophisticated attacks leverage social engineering, and the effectiveness of basic controls, such as network segmentation, strong passwords, and multi-factor authentication, remains critical in thwarting threats. The ultimate strategy for the next two decades in cybersecurity must prioritize establishing and enforcing these basic fundamentals first, before focusing on advanced controls. There is a recognized need for the industry to balance the excitement surrounding AI and automation with the sustained necessity of applying smart security practices, ensuring that the focus remains on mitigating risk through established controls rather than solely chasing the latest technological trend.