KPMG says cybersecurity is now a core business enabler
Machine accounts and AI agents now outnumber human users, pushing KPMG’s 2026 cyber agenda from IT defense into identity checks, oversight and board-level accountability.

KPMG’s new cyber playbook landed with a message that will matter far beyond the security team: machine accounts and AI agents now outnumber human users, and that changes who gets watched, trained and blamed when controls fail.
In Cybersecurity Considerations 2026, KPMG International said the threat landscape is being shaped by AI, geopolitics, regulatory pressure, supply-chain disruption, non-human identities, hyperconnectivity and the looming risk of quantum decryption. The report drew on input from more than 20 KPMG cyber leaders worldwide, plus senior leaders from Google, Microsoft, Palo Alto Networks and ServiceNow, and it organized the discussion around eight priorities for 2026.
The operational message is clear. KPMG said organizations need adaptive data, service and technical architectures, because data governance, classification and tagging have become core to resilience. For staff inside audit, advisory and cyber teams, that means more evidence handling, tighter controls over who can touch what data, and more pressure to document how AI is being used in client work without breaking compliance or trust.
KPMG also said autonomous security will take a larger role in security operations centers, compliance, risk management and identity management. That shift may speed monitoring and response, but it also raises a new management problem: human oversight still has to remain intact, or accountability becomes fuzzy when an agent makes the wrong call. In practice, that pushes managers to define who reviews automated decisions, how exceptions are escalated and which teams own the fallout when a machine account is compromised.
The report put non-human identity management at the center of that problem. KPMG said service accounts and machine credentials now outnumber human users, which turns identity governance into a lifecycle issue for both people and software. It also warned that point-in-time third-party risk reviews are no longer enough, favoring continuous, intelligence-led monitoring of supply chains. For KPMG practitioners working on transactions, regulatory readiness or vendor risk, that means cyber work is moving closer to the board agenda and farther from a narrow IT checklist.
KPMG said CISOs now have to work across the business and make the case for cyber investment in enterprise terms, not just security jargon. That framing mirrors a broader pressure already visible in the market, where 69% of executives say they are under regulatory strain and 57% are worried about geopolitical conflict. The long game is quantum: KPMG described post-quantum planning as something companies should begin structuring now, not after the decryption threat is obvious. For firms selling resilience, assurance and transformation, the message is hard to miss. Cybersecurity is no longer just about stopping breaches; it is becoming part of how KPMG clients prove they can operate, comply and grow at scale.

