SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

AI-driven threats to reshape digital identity & cyber risks by 2026

Fri, 5th Dec 2025

Deepfakes and emerging threats from AI are set to challenge the fundamentals of digital trust, according to security experts anticipating significant changes in cyber risk, identity management, and compliance by 2026.

AI deception

Generative AI is making it increasingly easy for individuals to create convincing audio and video deepfakes. As a result, traditional methods of identity verification that rely on visual or verbal cues are being called into question. Organisations are expected to turn to continuous, multi-layered approaches to access management, implementing real-time validation for every high-risk digital interaction. New verification technologies will likely become inseparable from the everyday tools used for communication and business transactions.

Software supply chain

The widespread integration of AI in software development is intensifying risks arising from third-party vendors. Experts believe the risk of a major company suffering significant disruption due to flawed AI-derived code embedded in the IT supply chain is increasing. Even organisations with robust internal cybersecurity strategies remain vulnerable if their suppliers are compromised. The enhanced complexity and increased pace of AI-generated software updates heighten the possibility of supply chain breaches, prompting concerns over the resilience of large enterprises to such risks.

AI-enabled attacks

Accessible AI tools are now available to a wide range of individuals, enabling even unskilled attackers to develop and launch increasingly sophisticated cyberattacks. As the difference between amateur and professional threat actors becomes less clear, organisations may see a continual threat environment, facing potential malicious activity throughout the year. This shift could force businesses to abandon traditional models of planning for sporadic cyber incidents, instead preparing for ongoing, AI-driven opportunism.

Quantum cryptography

There are expectations of a pivotal event, described as a 'wrecking ball moment', that will accelerate enterprise adoption of post-quantum cryptography (PQC). Such an incident could stem from the exposure or exploitation of vulnerabilities in existing cryptographic methods, compelling a rapid shift to quantum-safe encryption. Organisations throughout the software supply chain may be required to manage detailed inventories of cryptographic components and demonstrate progress towards quantum-safe implementations.

Insider risk shifting

The year 2026 may also see a rise in insider threats initiated by individuals without technical backgrounds. As cost-of-living pressures continue in various regions, more employees may be tempted to assist criminal operations in exchange for financial rewards. The barriers to entry for creating or facilitating attacks have been lowered by user-friendly AI tools, making it possible for more insiders to play a part. Companies are likely to increase demands for in-person verification in hiring and conduct more work in physical office environments to mitigate these risks.

Board priorities

Cyber and compliance fatigue among security professionals is leading management boards to demand heightened visibility into the state of organisational security. Boards now expect teams not only to be aware of the location of data but also of its security posture. As AI becomes more embedded in core operations, robust monitoring and rapid threat detection are being prioritised to prevent or quickly contain breaches. This approach reflects an industry-wide recognition that attacks are inevitable and that success hinges on detection and swift response.

Digital identity trends

Experts predict that trust and privacy will drive digital identity schemes in the UK. There is a move away from centralised databases toward decentralised and user-controlled mobile credentials. Such solutions are already gaining traction internationally, allowing citizens to disclose only the information necessary for a transaction. Credential interoperability across sectors (such as banking, travel, and government) is seen as essential to avoiding the creation of fragmented, siloed systems.

"For digital identity to thrive in the UK, citizens must feel fully in control of their data. That means moving away from centralised databases and adopting decentralised, standards-based mobile credentials - models already proving successful in places like Queensland. When people can choose exactly what information to share, and only disclose the minimum required, adoption accelerates. Trust isn't a soft issue; it's the single biggest predictor of uptake," said John Cullen, Strategic Marketing Director for Digital Identity and Cybersecurity, Thales UK.

Document checks

Physical document-based checks are forecast to be replaced by cryptographically secure, revocable digital credentials. This would reduce fraud, cut unnecessary data exposure, and streamline onboarding across various high-value services, including employment and financial services.

Verification infrastructure

"Digital identity is only as strong as the systems verifying it. The UK will need secure, authenticated readers, mutual cryptographic signing and privacy-preserving revocation lists to ensure credentials remain valid. These safeguards, already being deployed in successful international schemes, are crucial for scaling digital identity into remote, regulated and high-assurance use cases," said Cullen.

IAM developments

Identity and access management (IAM) faces increased complexity as more systems and sign-on solutions are layered within enterprises. There is a push towards 'identity fabrics': interlinked frameworks connecting various IAM tools in a unified architecture. As cyber risk and regulatory pressure build, automated orchestration of security protocols is expected to replace manual integrations.

Biometric recovery

Biometric technologies are projected to play a greater role in recovering digital identities. This would enable users to regain access using biometric traits rather than passwords or device-bound credentials. The aim is to create a safer, device-independent form of identity recovery while ensuring privacy is maintained.

Online payments

Passkey authentication may redefine online shopping by removing complex security steps and minimising the need for passwords. This shift is expected to streamline purchases while reducing opportunities for fraud. Upcoming regulations are likely to increase accountability for companies that do not adopt these stronger methods.

Authorisation focus

Organisations will increasingly need to demonstrate control over not just user identities but also the permissions associated with each individual's actions within digital systems. This finer granularity in authorisation will become a new standard for building trust with customers, partners, and regulators.