In the pre-dawn darkness of July 1945, the scientists of the Manhattan Project watched their creation unleash a power that would forever change the world.

There were fears among the physicists that this chain reaction might not stop, which fortunately for the atmosphere proved unfounded. For the geopolitics that followed, however, it was deeply prescient. Today’s arms race is about two innovations that promise both great benefit and great peril.

Once he saw the power of what we had just unleashed, J. Robert Oppenheimer would come to regret handing humanity a force that, once started, could not be contained.

As we barrel into 2026, we are facing our own Oppenheimer Moment in cybersecurity, and as the rule of the day is “if we don’t build it, they will,” the analogy fits better than ever.

With the kinks being worked out for real-world Agentic AI, and everyone, attackers included, chomping at the bit for functional AI Agents to do everything for them, I predict that over the next couple of years the twin catalysts of scaled artificial intelligence and the looming threat of quantum computing will trigger a chain reaction of risk that will redefine our entire landscape.

The critical question heading into 2026 should no longer be “Are we compliant?” or “Are we patched?” It should be:

“Are our security architectures, budgets, and playbooks designed for the world that was, or the one that is about to be?”

The Twin Fuses of the New Threat Landscape

The chain reaction is being driven by two powerful, converging forces. Each is a world-changing development on its own; both are part of a global geopolitical race condition, and together, their interaction creates a compounding effect on risk that is far greater than the sum of its parts.

The fact that this race condition is between the largest and wealthiest superpowers in the world only makes the stakes higher, and those charged with trying to ensure safety and alignment have been sounding the alarm for years.

The AI Acceleration Engine: Internal Chaos Meets External Warfare

Despite its flaws, AI is unquestionably a powerful force for the acceleration of business and scientific innovation as well as operational and systemic risk. We are quickly reaching the point where humans in the loop are no longer sustainable, and we’re literally running out of benchmarks.

Everyone wants an army of AI agents running 24/7 doing complicated stuff that makes money. Everyone includes criminals and malicious state actors, and they don’t have to deal with regulators and the CFO.

Forward-looking companies are preparing for these “machine customers” via AI Agent Optimization (AIAO). However, this creates a new attack surface with profound blind spots and expanded risks. Security teams must secure not just human-facing websites, but complex machine-to-machine interactions.

Adversaries are now using AI to attack at scale. AI orchestration of attacker toolkits, automated reverse engineering of CVEs, hyper-personalized social engineering attacks, and ‘vibe hacking’ campaigns are just the beginning. Criminals and malicious state actors are also using AI agents to crawl, use, manipulate, exploit, extort, and steal data across our interconnected application ecosystem.

This AI-driven explosion in data creation and transaction is generating and moving a treasure trove of sensitive information. And this makes the second fuse—the one capable of breaking the very cryptographic locks on that treasure chest—even more critical.

The Quantum Countdown Clock: “Harvest Now, Decrypt Later” is Now

For years, the quantum threat felt like a distant, abstract problem. That time is over. The “Harvest Now, Decrypt Later” (HNDL) risk (capturing your data now to decrypt it later) makes the quantum threat that Post-Quantum Cryptography (PQC) addresses a clear and present danger to any data with a long shelf life, such as intellectual property, financial records, health data, and state secrets. Data being exfiltrated from your networks today is a quantum problem.

Here in the U.S., the first set of PQC standards was finalized over a year ago (FIPS 203, 204, and 205), and the era of “wait and see” should be over, but very few organizations are moving, convinced that ‘quantum is a 2035 thing’. Many either aren’t thinking about it or won’t move until forced to by government or customer mandates. This is a grave mistake.

If Your Plan is Hoping Quantum Advancements Will be Slow, You’re Going to Have a Bad Time

For CIOs, CTOs, and CISOs, 2026 must be the year PQC moves from a theoretical concern to an active program with a budget. The migration is a years-long journey and is going to require a great deal of testing, documentation, legacy system upgrades, and a LOT of vendor and supply chain management.

The Common Denominator: Budgeting for Architectural Resilience

These twin threats are not separate problems, solvable with point solutions. They are symptoms of a historical focus on perimeter-based, “bolt-on” security instead of building foundational visibility and agility into our enterprise architectures.

As we plan for 2026, we must pivot away from fighting symptoms and toward investing in three core, foundational capabilities that address this root cause. This is the shift to budgeting for agility and resilience.

  1. Radical Visibility. I said for 20 years as a CISO, “Guys, all I want to see is everything.” This is the common thread connecting the need to secure AIAO interfaces with the mandate to execute a PQC migration. You simply must know what your “stuff” is! 2026 budgets must prioritize a real-time inventory of all critical assets: every API endpoint, every data flow fueling an AI model, and the entire cryptographic stack. Foundational visibility needs to be non-negotiable.
  2. Engineered Agility. Our systems are too brittle, and recent cascading supply chain breaches and the PQC challenge are the proof. We must fund re-architecting critical applications to enable crypto-agility and, ideally, centralization of cryptographic management so future upgrades will be faster and easier than the first time. This same principle applies to AI governance; invest in your ability to adapt, which is now the primary determinant of enterprise survival.
  3. Autonomous Defense. Human-speed defense is obsolete. Adversaries are using AI to automate attacks at a scale and velocity that no SecOps team can handle manually. It won’t get better next year. To channel my inner Texan, the only way to fight a bad guy with AI is to be a good guy with AI. Machine-speed attacks require machine-speed defense.

The Mandate for 2026

The stage is set. The chain reaction has begun. The technologies that will define the next decade of cyber risk are here or imminent, and their convergence is creating a perfect storm.

If this moment feels like the eye of the storm, it’s because it is. The 2026 budget cycle is our last, best chance to pivot before that storm makes landfall.

Defenders must move beyond a reactive, compliance-based posture and use our resources to build a resilient, agile, and autonomously defended enterprise.

We have had our Oppenheimer moment; the question now is whether we will be the architects of a more secure future or simply the custodians sweeping up the fallout.
