06 January 2026
As cybersecurity threats grow increasingly sophisticated, industry leaders anticipate that in 2026, identity security will become central to enterprise and government strategies worldwide. 
With AI-powered attacks—including machine agents, deepfake impersonations, and state-backed hacking—exposing the limitations of traditional perimeter defenses, organizations across Asia-Pacific and Europe are preparing to treat identity systems as critical infrastructure.
According to Geoff Schomburgk, Vice President for Asia Pacific and Japan at Yubico, “2026 will be the year identity becomes infrastructure. AI-driven phishing and deepfake impersonation are accelerating across APAC, with 85% of respondents recognizing that phishing attempts are becoming more sophisticated.” He emphasized that organizations will need to safeguard identity systems similarly to networks and data centers, deploying resilient, hardened components. Sectors such as finance, critical infrastructure, and government, which often operate legacy systems with fragmented access controls, are under particular scrutiny.
Schomburgk stressed that the focus must shift toward building phishing-resistant user authentication methods, like passkeys and hardware-backed credentials, to support multi-factor authentication (MFA), Zero Trust, and privileged access security. “The goal is to reduce credential theft by fostering a culture of trust that is dynamic and context-aware, rather than static,” he added. This approach involves continuously assessing device health, behavior, location, and risk factors, ensuring that human users and AI agents operate securely within a shared digital environment.
Industry experts also predict a paradigm shift from static perimeter models toward a “verified trust” approach, where trust is earned and validated in real time. Adam Preis, Director at Ping Identity, explained, “Next year, verified trust will replace the old perimeter mindset as the only sustainable way to secure AI-driven business. Every machine, process, and human will need a verifiable identity and time-sensitive permissions that adapt dynamically based on context.”
Preiss highlighted that AI agents capable of executing critical tasks—such as approving payments or managing accounts—must have their identities and permissions carefully managed, with the ability to revoke access swiftly if necessary. This evolving model aims to bolster resilience and enable safe collaboration between humans and intelligent systems, with zero standing privileges and just-in-time access becoming standard practices.
The rising emphasis on identity security comes amid increased government concerns over state-backed cyber threats targeting personal and administrative data. Recent investigations by the UK authorities into a suspected Chinese cyber intrusion underscore the ongoing risks. Nathan Webb, Principal Consultant at Acumen Cyber, noted, “Threat actors are increasingly targeting identity-related information, which can be exploited for fraud or used to craft convincing spear-phishing campaigns. Rapid response and a rigorous patching strategy are vital for minimizing damage.”
Webb warned that nation-state actors often deploy persistent, sophisticated attacks exploiting network vulnerabilities, making proactive vulnerability management essential. Industry professionals expect regulators and governments to scrutinize organizations’ identity and access management practices more closely, demanding ongoing investments in technology, skills, and operational controls. Ultimately, security experts emphasize that boards must recognize digital identity as an ongoing operational risk—on par with physical security and financial safeguards—requiring continuous attention and adaptation.
