Eight Cyber Priorities Every Enterprise Faces in 2026
Artificial intelligence, post-quantum cryptography and the proliferation of non-human digital identities are driving a fundamental shift in enterprise cybersecurity risk, according to a new report by KPMG International. The Cybersecurity Considerations 2026 report - drawing on insights from more than 20 KPMG cyber experts and senior leaders from Google, Microsoft, Palo Alto Networks, and ServiceNow - identifies eight priority areas demanding urgent attention from enterprise security leaders.
The report arrives as organisations grapple with an attack surface expanded by AI-driven automation, geopolitical instability, and increasingly complex regulatory obligations across multiple jurisdictions.
Non-human identities - including AI agents, service accounts, machine credentials and automated workloads - now outnumber human users by a significant margin. According to research cited in the report, machine identities outnumber humans by more than 80 to 1. Traditional identity and access management (IAM) controls cannot keep pace with the scale and autonomy of these entities.
The report warns that many organisations lack a clear inventory of non-human agents and cannot distinguish between human identities, machine identities, and AI agents. Some agents are being created by other agents, then deleted quickly, leaving little or no trace.
"Tomorrow's identity and access management must evolve beyond static controls into an intelligent, adaptive ecosystem - where real-time decisions and automated policy orchestration appropriately govern and manage the scale of both human and non-human identities," said Juan Manuel Zarzuelo Diaz, Global Digital Identity Leader, KPMG Spain
The report notes that 61 per cent of US companies are not yet comfortable with autonomous agents and will require human-in-the-loop oversight, citing KPMG's AI Quarterly Pulse Survey (Q3 2025). A separate finding was that 59 per cent of companies experienced a data breach caused by a third party in the past 12 months.
The report also highlights a looming workforce challenge. As agentic AI takes on an increasing share of intelligence-driven security tasks - including in the security operations centre (SOC), compliance, and identity management - security teams must acquire new skills to oversee, validate and govern autonomous systems.
In KPMG's Global Tech Report 2026, 92 per cent of technology executives say managing AI agents will become an essential skill within the next five years.
"An analogy is the autopilot on a plane, which doesn't replace human pilots, but makes their job more effective and safe. By putting a whole bunch of automation workflows and safeguards and other complex systems around the human delivery, you can drive a much higher degree of efficacy than humans could ever possibly get to on their own," notes Chris Corde, Head of Product, Security Operations, Google
The report calls for organisations to establish cross-departmental governance committees to oversee AI adoption, embed security by design in agent deployment, and implement continuous monitoring including red-teaming exercises.
Safeguarding AI systems is identified as a strategic imperative, not merely a technical challenge. The report warns that over half (54 per cent) of respondents in a global study of nearly 50,000 people across 47 countries - conducted by KPMG and the University of Melbourne - say they are wary about trusting AI.
Post-quantum cryptography (PQC) migration is described as unavoidable, with the transition expected to span multiple years and to require strategic planning across the entire IT estate. For sectors such as finance and defence, the report characterises the challenge as existential.
The US National Institute of Standards and Technology (NIST) has published PQC standardisation milestones extending into the coming decade. Australian attention was drawn to the issue when Reserve Bank of Australia Governor Michelle Bullock called for proactive collaboration throughout the financial sector in an October 2025 article in the Australian Financial Review.
The report urges organisations to conduct quantum risk assessments, build cryptographic inventories, and update procurement standards to require vendor compliance with quantum-safe requirements.
Supply chain risk has escalated to the top of the agenda, with the KPMG 2025 CEO Outlook identifying supply chain resilience as the number one factor driving companies' short-term decisions. The report says regulatory and compliance risk has grown in importance for 45 per cent of organisations, driven by legislation such as the Australian Security of Critical Infrastructure Act (SOCI), the European Union's NIS2 Directive, and the Digital Operational Resilience Act (DORA).
Traditional third-party risk management (TPRM) approaches - typically point-in-time assessments - are described as no longer fit for purpose. The report advocates supply chain detection and response (SCDR), a continuous, AI-powered monitoring model that encompasses every party in the supplier ecosystem.
The report also covers IT/OT hyperconnectivity risks in infrastructure-intensive sectors, noting that data centres are now considered critical infrastructure. Obsolete legacy technology in operational environments was flagged as a particular concern.
The full report is available at kpmg.com/cyberconsiderations.
