What will happen in 2026? Our predictions for the year in AI, privacy, cybersecurity, and governance

Hi there,  

Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.  

This month:

• Notorious BreachForums hacking site hit by ‘doomsday’ leak of 324,000 criminal users

• 2026 will be the year identity defines cyber defense

• Your cybersecurity strategy is your AI strategy

But first, as always, let’s start 2026 with some informed predictions for the new year.

If you only read one thing: What’s ahead of us in 2026?

Happy new year and welcome back to another edition of FILED for 2026. When last we were in your inbox, we were reviewing our attempts to predict 2025, alternately patting ourselves on the back and cursing our lack of foresight. As the shame and triumph of those predictions faded over the holiday break, we of course decided it was time to do the same for 2026. So without further ado, here are three predictions for 2026:

1. AI becomes boring, and the AI governance gap gets smaller

In 2026, AI will move from thought leadership buzzword to an ordinary part of the business world. Leaders will stop reverse-engineering a strategy from a viral LinkedIn post.

This maturation comes with a silver lining. Gartner forecasts that 40% of enterprise applications will feature task-specific AI agents embedding AI capabilities into the tools your teams use. These aren't flashy chatbots to impress investors— they're specialized agents that automate contract review, surface compliance risks, or intelligently route customer inquiries.  

But here’s the catch: a recent survey found that just 43% of organizations have an AI governance policy, with a quarter still in the process of implementing one. That's a dangerous lag. As AI becomes operationalized, the window for establishing guardrails is closing fast. Expect this gap to narrow considerably in 2026. Forrester believes that 60% of Fortune 100 companies will appoint a head of AI governance to navigate the patchwork of legislation worldwide. Companies like Sony, Bank of America, and UBS have already done so.

The organizations that thrive won't be those with the flashiest AI demos. They'll be the ones who built the governance foundations while everyone else was still focusing on the technology.

2. A convergence of data management, cybersecurity, and AI governance  

For years, these three disciplines have operated in parallel—different teams, different priorities, occasional tension over resources and access. In 2026, those silos will crumble out of sheer necessity.

In 2026, the enterprises that succeed will be those that recognize that cybersecurity and AI governance both rest on a shared foundation: data management. You cannot secure what you don't understand. You cannot govern AI systems trained on data you haven't properly classified, retained, or protected.  

Organizations that have invested in robust data management practices will find themselves with a compounding advantage. They can trust their data, ensuring resilience against attacks while moving faster with AI. The same data discovery, classification, and lifecycle management practices that protect organizations from breaches also enable their teams to innovate with AI confidently.

Companies still treating these as separate challenges will find themselves perpetually behind—playing catch-up on security, scrambling to govern AI, and lacking the data foundations to do either effectively.

3. AI-enabled hacks become common – with everyday tech

In 2026, AI-enabled attacks will shift from theoretical threat to everyday occurrence. We're not talking about futuristic, autonomous AI weapons— but attackers using the same widely available AI tools that marketing teams use to write copy, just pointed in a more malicious direction.

Expect to see social engineering attacks that are indistinguishable from legitimate communications. AI will help attackers scan for vulnerabilities at scale, craft perfectly targeted spear-phishing campaigns, and adapt their tactics in real-time based on target responses.

The defensive response will need to be equally AI-powered. Traditional security training that teaches employees to spot typos and grammatical errors in phishing emails will become obsolete when AI can generate flawless prose in dozens of languages. Organizations will need to implement verification protocols that assume all digital communications could be fraudulent until proven otherwise.

Data hygiene becomes a security issue in new ways. The more disorganized your data estate, the harder it becomes to identify when something is out of place. When attackers can use AI to blend in perfectly, anomaly detection becomes your first line of defense—and that requires knowing what "normal" looks like in your data environment.

These predictions share a common thread: 2026 will reward organizations that have invested in the fundamentals. Not the shiny new tools, not the buzzword-compliant strategies, but the unglamorous work of understanding, organizing, and governing your data.

The good news? It's not too late to start. The organizations making headlines for AI innovation or weathering sophisticated attacks aren't necessarily starting from a better position—they're just taking data governance seriously.

We'll revisit these predictions in twelve months to see how spectacularly right or wrong we were. In the meantime, we'd love to hear your own predictions for 2026. What trends are you watching? What keeps you up at night?

🕵️ Privacy & governance

Meta fixed a flaw in its Instagram service that allowed third parties to generate password reset emails, but denied the problem led to theft of users’ personal information.

China released draft rules to regulate how personal data is collected and used by internet apps, aiming to boost user privacy and transparency.

Businesses could find it easier to argue that information they handle is not subject to EU data protection law under legislative proposals that could be endorsed during 2026.

🔐 Security

🔓Breaches

Texas-based gas station operator Gulshan Management Services disclosed a significant data breach that compromised the personal information of more than 377,000 customers.

North Korean threat group Kimsuky is targeting non-government organizations (NGOs), think tanks, academics, and other foreign policy experts with QR Code (quishing) attacks.

Notorious BreachForums hacking site hit by ‘doomsday’ leak of 324,000 criminal users.

🧑⚖️Legal cases & breach fallout

2026 will be the year identity defines cyber defense.

New research from Trellix detailed that CrazyHunter ransomware has emerged as a serious and escalating threat, with six Taiwan healthcare victims, underscoring the growing sophistication of modern cybercriminal operations.

🤖 AI governance

Why South Korea is vying to be first to regulate AI

How do I know I’m in control of my AI and data?

Open AI's ChatGPT Health announcement has raised privacy, security, and governance concerns.

The latest from RecordPoint  

📖 Read

We just announced two big hires for our leadership team: Dean Gonsowski (ex Gimmal, Active Navigation) as our new CRO, and Craig Taylor (ex OneTrust and VMware) as our new Director of Partners. Read the full release for the full story.

Your cybersecurity strategy is your AI strategy.

RecordPoint now provides its platform to about 80% of Victorian government departments, as the state public sector prepares for wider use of artificial intelligence in service delivery.

‍

That's all from us for FILED in January, see you next month for more news and views in the world of AI, privacy, governance and cybersecurity!