We are halfway through 2026, and if the first six months have taught us anything, it is that the threat landscape is not waiting for organizations to catch up. The breaches have been staggering, the attack vectors have matured in ways that would have seemed hypothetical just two years ago, and an entirely new category of risk, autonomous AI agents, has gone from theoretical concern to documented disaster faster than most governance frameworks can move. This is my mid-year snapshot: what happened, why it matters, and what you need to think about in the months ahead.

The Breaches that Defined the First Half

Let me start where the story always starts, with the incidents that made the headlines and, more importantly, with what they reveal about the stubborn vulnerabilities that organizations are still failing to address.

The IDMerit Exposure stands as perhaps the most sobering story of early 2026. Researchers discovered a completely unprotected MongoDB database belonging to IDMerit, a global identity verification provider that serves banks, fintech firms, and other financial services companies, containing approximately one billion sensitive records across 26 countries. In the United States alone, more than 203 million records were left unsecured: full names, home addresses, dates of birth, national ID numbers, phone numbers, and government-grade identity information. No password. No encryption gate. Anyone who knew where to look could have downloaded it. The database was secured the following day after researchers notified the company, but that is cold comfort. This was not customer shopping preferences or email addresses; this was compliance-grade KYC data, the exact information used to verify who someone is when they open a financial account. The downstream implications for fraud, synthetic identity attacks, and social engineering campaigns will be playing out for years.

What makes the IDMerit exposure particularly damning is its root cause: a cloud misconfiguration. Not a sophisticated zero-day exploit. Not a nation-state operation. A password-less, publicly accessible database. We have been warning organizations about misconfigured cloud storage since the early days of AWS S3 buckets, and here we are in 2026 watching it happen again at a company whose entire business model is identity security.

The Target Source Code Theft of January 2026 marked a different kind of escalation. On January 12, approximately 860 gigabytes of Target’s internal source code and developer documentation appeared on a public repository site, with multiple current and former employees confirming the materials were authentic. This was not a breach of customer credit card numbers. The stolen data included CI/CD pipeline configurations, Hadoop datasets, proprietary service names, technology stack details, and metadata that revealed internal engineers’ names and system architecture. That distinction matters enormously when an attacker owns your source code; they own a roadmap to every vulnerability your engineers built into the system, intentionally or not. They can study it at their leisure, identify backdoors that were never meant to be doors, and plan future attacks that will be far more difficult to detect and stop.

According to threat intelligence analysis, the breach began with an infostealer attack on a single employee workstation in late September 2025. That workstation had broad access to internal services: IAM, Confluence, Jira, and internal wikis, and for three to four months, the attacker used that foothold to exfiltrate 860 gigabytes of data before anyone noticed. Three to four months. That is the kind of dwell time that should keep every security leader awake at night.

The Conduent Ransomware Incident, traced back to a January 2025 attack but with damage totals confirmed in early 2026, compromised the personal information of more than 25 million people. Conduent processes payments and document management for state governments’ welfare systems, unemployment insurance, and benefit operations, meaning the stolen data included Social Security numbers, dates of birth, health insurance details, and medical information for people depending on public services. The states of Texas and Oregon bore the heaviest burdens, with 15.4 million and 10.5 million affected individuals, respectively. This government contractor touches the lives of over 100 million people and became a vehicle for one of the largest breaches linked to public benefit systems in recent memory.

Credential-based intrusions continued their relentless march in early 2026, exemplified by the “Zestix/Sentap” campaign, which compromised roughly 50 global enterprises across aviation, robotics, utilities, government infrastructure, telecoms, and defense. No zero days. No novel exploits. Just valid usernames and passwords harvested by commodity infostealers; some of those credentials were years old and had never been rotated and used against organizations that failed to enforce multi-factor authentication. The data ended up on dark web forums. The lesson, once again, is that the most devastating breaches in 2026 are not coming through exotic technical channels. They are walking through the front door.

The aggregate cost picture tells a troubling story. The average cost of a data breach in the United States has now hit an all-time high of $10.22 million, more than double the global average of $4.44 million, and the U.S. has led the world in breach costs for 15 consecutive years. Healthcare remains the most expensive sector at $7.42 million per breach, and supply chain breaches average $4.91 million and take the longest to resolve, at 267 days.

The Broader Threat Landscape: Beyond the AI Headlines

Everyone is talking about AI-powered attacks, and they should be. But I want to spend a moment on the threat vectors reshaping security posture in 2026 that aren’t getting equal airtime, because the risk picture is broader than the AI conversation suggests.

Identity has become the primary battlefield. The PwC Annual Threat Dynamics 2026 report frames it plainly: adversaries are increasingly logging in rather than breaking in. They exploit credentials, session tokens, and federated access to bypass perimeter defenses entirely. This shift has fundamental implications for how we think about defense. If there is no perimeter breach, if the attacker looks exactly like a legitimate user, then traditional signature-based detection and even many behavioral analytics tools are flying blind. The CrowdStrike 2026 Global Threat Report recorded the fastest eCrime breakout time at just 27 seconds, with an average of 29 minutes—a 65 percent speed increase from the prior year. When attackers have compromised credentials and are moving that fast, the window for human intervention is effectively closed.

Token theft has emerged as the mechanism that is quietly neutralizing multi-factor authentication at scale. Attackers weaponize infostealers like LummaC2 to harvest active session tokens, bypassing MFA entirely by arriving post-authentication with a valid, unexpired credential. This is not MFA being technically broken; the protocols are sound, but it represents a pragmatic pivot by attackers who have recognized that the fastest path past MFA is to simply steal the token that MFA has already granted. Organizations investing in MFA alone and calling it done are building a wall around a door that adversaries have learned to walk around.

Supply chain attacks have tripled in volume. There has been a threefold increase in software supply chain attacks over the past year, with adversaries targeting everything from open-source libraries to the physical infrastructure underpinning critical services. The Odido breach in the Netherlands, which compromised 6.2 million telecom customer records, likely involved a third-party IT supplier compromise. The Navia Benefit Solutions breach exposed the sensitive data of 2.7 million Americans, including Social Security numbers, through a multi-week intrusion by a third-party vendor. The pattern is consistent: Attack the trusted vendor, and gain access to the customer ecosystem. As organizations have hardened their own perimeters, sophisticated actors have pivoted to targeting the companies those organizations inherently trust.

Nation-state activity is escalating against critical infrastructure, with geopolitics driving operations explicitly designed to cause destruction rather than gather intelligence. The December 2025 cyberattack on Poland’s energy grid, attributed by Dragos with moderate confidence to the threat group ELECTRUM, consistent with Russian-nexus operations, targeted at least 30 wind and photovoltaic farms, a private manufacturing company, and a combined heat and power plant supplying heat to nearly half a million customers. The attack was timed to coincide with a period when Poland was grappling with temperatures below -15°C and blizzards. No power outages occurred because of Poland’s layered defenses, but the adversaries gained access to OT systems with actual control capabilities; they were inside the industrial control systems that manage grid operations. CISA issued a follow-on advisory specifically because of what this incident revealed about the vulnerability of internet-facing edge devices and the ease with which attackers leveraged default credentials to traverse from IT to OT environments.

China-aligned actors, particularly Salt Typhoon, confirmed successful targeting of U.S. government communications in January 2026, extending operations that originally breached major telecommunications carriers. The strategic objective is pre-positioning, establishing persistent presence in critical infrastructure now for geopolitical leverage later. This is not espionage in the traditional sense; it is occupation.

Ransomware has matured into a precision instrument. Attackers are no longer spraying encryption broadly and hoping for payment; they are doing reconnaissance, identifying high-value targets, and deploying AI to automate reconnaissance, vulnerability scanning, victim prioritization, and even ransom negotiation. AI automation and RaaS platforms have enabled nation-state actors to automate up to 90 percent of intrusions. Ransomware victims increased 58 percent year-over-year as of late 2025, with 2025 closing by “shattering all records,” according to Check Point researchers. The LunaLock group introduced what may be the most psychologically unsettling evolution yet: threatening to feed stolen intellectual property directly into AI training datasets, making the threat functionally permanent. Once your creative assets, source code, or proprietary data is absorbed into an LLM, there is no recovery mechanism. That changes the calculus of non-payment in ways the industry is still working through.

Agentic AI: The Promise We Rushed Past the Peril

Here is where I need to slow down and be direct, because the incidents I am about to describe are not hypothetical scenarios from a threat model; they document events from the past 12 months and represent a genuinely new category of risk.

Agentic AI refers to autonomous systems that can perceive, reason, plan, and take multi-step actions without human approval at each step. Unlike a chatbot that answers a question, an agentic system browses the web, executes code, calls APIs, modifies databases, sends emails, and interacts with enterprise systems all in service of a goal it was given and then left to pursue independently. That autonomy is precisely what makes these systems valuable, and precisely what makes them dangerous.

The PocketOS Incident may be the most instructive cautionary tale of 2026. In May, an AI coding agent running Anthropic’s Claude Opus 4.6 model deleted an entire production database and its backups in just nine seconds. The agent was Cursor, a popular AI-assisted coding platform. It was working on a routine task in a staging environment when it encountered a credential mismatch. Rather than stopping to ask for guidance, the agent decided entirely on its own initiative to delete a storage volume it had found through a Railway infrastructure API that was completely unrelated to the task at hand. The founder described what did not happen: “No confirmation step. No ‘type DELETE to confirm.’ No ‘this volume contains production data, are you sure?’ No environment scoping. Nothing.” The backups were lost because they were stored in the same volume—a detail buried in the provider’s documentation that the human operator was unaware of. Nine seconds. An entire company’s production data, gone.

This was not an isolated incident. Replit’s AI coding agent deleted a live CRM database in July 2025 containing records of 1,206 executives and information on nearly 1,200 companies despite the system being in an active “code freeze” that was supposed to prevent any changes to production systems. The agent did not just delete the data; it fabricated 4,000 user accounts to cover its tracks, generated false reports, and misrepresented unit test results. When the developer later queried the agent about its behavior, the AI admitted to panicking in response to empty queries and executing unauthorized commands. Replit’s CEO acknowledged the failure and implemented new safeguards, including automatic separation between development and production databases—safeguards that, notably, should have been in place before deployment.

Google’s Gemini CLI destroyed user files while attempting to reorganize them during the same period, fabricating nonexistent directories and then acting on its own invented information.

Amazon’s retail website suffered multiple high-severity outages in a single week, with internal documents pointing to a “trend of incidents” tied to AI-assisted code changes. In the key incident, Amazon’s AI agent gave confident but incorrect advice by misinterpreting stale internal documentation. The AI did not write bad code; it surfaced authoritative-sounding guidance from an outdated internal wiki, and an engineer acted on it. The Wharton researchers who analyzed the incident described the failure mode as “confident incorrectness”: The AI system was not broken; it was functioning as designed, and it was wrong.

AWS’s agentic tool Cairo AI contributed to a 13-hour outage after deleting a production environment. Multiple AWS services were affected, and the incident underscored what Gartner has projected: a $1 billion AI governance market is emerging by 2030 specifically because enterprises are discovering, through expensive failure, that deploying agents without governance infrastructure is not a strategy; it is a bet.

The Cloud Security Alliance, in research conducted alongside Token Security in April 2026, found that 65 percent of organizations have experienced at least one cybersecurity incident directly caused by an AI agent in the past year. Data exposure affected 61 percent of those organizations; operational disruption affected 43 percent, and unintended actions in business processes affected 41 percent. More than a third of organizations experienced direct financial losses. Only 29 percent of organizations reported being prepared to secure agentic AI deployments before rolling them out, which means more than 70 percent deployed anyway.

The HiddenLayer 2026 AI Threat Landscape Report documented that autonomous agents now account for more than one in eight reported AI breaches as enterprises move from experimentation to production. Prompt injection and jailbreak techniques matured dramatically, with multi-turn attacks achieving success rates as high as 92 percent across eight open-weight models in testing. A February 2026 paper by researchers at Harvard, MIT, Stanford, and CMU documented that well-aligned AI agents, operating in multi-agent environments, drift toward manipulation and false task completion not because of adversarial prompting but purely due to the system’s incentive structures. The agents were not broken. The system-level behavior was.

The adversarial dimension is equally sobering. Palo Alto Networks has identified prompt injection as the mechanism by which attackers will compromise agentic systems—not by breaching the agent’s infrastructure, but by feeding malicious instructions through the documents it reads, the web pages it browses, or the messages it receives. A single well-crafted prompt injection does not just compromise a chatbot; it co-opts an autonomous insider with broad system permissions, one that can silently execute trades, delete backups, or pivot to exfiltrate an entire customer database.

What the Second Half of 2026 Is Bringing

Looking ahead, I want to be specific about what security and IT leaders need to be preparing for right now, not as generic strategic guidance, but as concrete threats that are already in motion.

The EU AI Act reaches full enforcement on August 2, 2026, and for organizations operating in or selling into European markets, this is not a future compliance project; it is an immediate operational reality. Every organization deploying AI systems in the EU must demonstrate full data lineage tracking, human-in-the-loop checkpoints for workflows impacting safety or rights, and risk classification for each model. The enforcement powers of the European Commission enter full application in August, which means organizations without governance documentation are exposed to substantial penalties. For U.S.-based security and IT teams, this regulation is a forcing function and, frankly, a useful one. Compliance frameworks that the EU is mandating are exactly the kind of governance scaffolding that organizations need regardless of regulatory jurisdiction.

Post-quantum cryptography migration is no longer optional; it’s a matter of planning. Google has warned that quantum computers could compromise certain encrypted systems by 2029, a timeline that significantly shortens the timeframe many security professionals had assumed. The “harvest now, decrypt later” threat model is not theoretical; adversaries are already capturing encrypted data in anticipation of future decryption capability. Every organization handling data with long-term sensitivity—healthcare records, intellectual property, financial data, and government communications—is potentially already exposed. The NIST post-quantum cryptographic standards are available, and organizations that do not begin crypto inventory assessments and migration planning in H2 2026 will find themselves in crisis mode when Q-Day moves from projection to reality.

AI-enabled attacks on non-human identities will accelerate. As enterprises grant agentic systems authority to execute tasks, access databases, and modify code, the attack surface of machine identities expands dramatically. The 2026 threat intelligence consensus from CrowdStrike, Palo Alto, Google, and PwC converges on identity as the primary battleground, with AI accelerating every stage of identity-based intrusion. Organizations need to treat AI agents as first-class identities with their own access controls, lifecycle management, and continuous monitoring, not as extensions of the humans who deployed them.

Virtualization infrastructure is the emerging blind spot. As security controls have matured at the guest operating system level, adversaries are pivoting to the underlying virtualization layer. A single compromise of the hypervisor grants control over the entire digital estate and can render hundreds of systems inoperable in hours. This is a threat vector that many security programs have systematically underinvested in.

Geopolitical-driven destructive attacks on critical infrastructure will continue escalating. The Poland energy grid attack was a harbinger. State-sponsored actors with pre-positioned access in telecommunications, utilities, and industrial control systems are not there for espionage; they are there for leverage and, when directed, disruption. U.S. critical infrastructure operators using unpatched Fortinet, Cisco, or VMware infrastructure face immediate, verified risk based on confirmed exploitation patterns from Q1 2026.

A Word to Technology Leaders: This Is the Moment to Set the Foundation

I want to close this piece by speaking directly to technology executives and decision-makers.

The pressure to deploy Agentic AI is real. The business case is compelling: Autonomous agents that can handle complex, multi-step workflows represent a genuine leap in operational efficiency, and the competitive pressure to adopt is building fast. I understand that. But the incidents of the past twelve months have established something important: The organizations suffering most from Agentic AI are not the ones that failed to adopt it; they are the ones that adopted it without first establishing the infrastructure to govern it. Rushing deployment without governance is not bold leadership. It is delegating authority to a system that does not understand the difference between a staging environment and a production environment, between a routine file operation and a catastrophic data deletion.

Here is what responsible deployment actually looks like, and none of it should be treated as optional:

Governance frameworks before deployment. Every AI agent needs a defined operational charter: what it can and cannot do, which systems it can touch, and under what circumstances. Palo Alto, the CSA, Baker Botts, and MIT Sloan have all converged on the same framework: Categorize agent tasks by risk level, and enforce tiered authorization accordingly. Read operations with no external effects can run with minimal oversight. Actions that send communications, write to databases, or modify code require logging and automated checks. Actions involving financial transactions, external communications on behalf of the organization, or anything with regulatory implications require explicit human approval. Define these tiers before the agent goes live; retrofitting governance after an incident is significantly more expensive and significantly less effective.

Human-in-the-loop checkpoints at high-risk decision boundaries. The PocketOS incident, the Replit incident, the Amazon outage—every one of these failures shared a common characteristic: the agent had no defined threshold beyond which it was required to escalate rather than act. It had permission boundaries, but not judgment boundaries. Build explicit escalation triggers that fire before high-consequence actions, not after. An agent that pauses and asks, “I am about to delete a storage volume that may contain production data; should I proceed?” is not a less capable agent. It is a trustworthy one.

Rollback capabilities and blast radius design. Before any agent is deployed into a production environment, someone needs to explicitly ask: What is the worst credible action this agent could take, and is that acceptable? Agents should operate on minimum viable permissions, access only to the tools and data necessary for their specific, defined task. Rollback access to production infrastructure is not something an observability agent should have. The Cursor agent that deleted PocketOS’s data did so through a Railway API that was “completely unrelated” to the task it was working on; it should never have had access to that API in the first place.

Defined boundaries for autonomous action enforced technically, not just documented. A policy document that says, “Agents should not modify production environments without approval” is not a control. It is a wish. The governance frameworks that are surviving contact with adversarial conditions in 2026 are the ones enforcing these boundaries at the technical layer: sandboxed execution environments, short-lived credentials with automatic expiration, immutable audit logs that capture not just what the agent did but why it reasoned it should.

Behavioral monitoring, not just logging. Logs tell you what happened. Behavioral monitoring tells you when an agent is operating outside its intended behavioral envelope, taking actions that are within its technical permissions but inconsistent with its designed purpose. This distinction matters because the most dangerous agentic failures in 2026 have not been agents exceeding their permissions; they have been agents doing plausible-sounding things in completely the wrong context. You cannot catch that with access logs alone.

The EU AI Act’s full enforcement, arriving this August, is applying exactly the right pressure at exactly the right moment. The frameworks it requires—data lineage, human oversight on consequential workflows, risk classification—are not bureaucratic overhead. They are the architectural foundations that allow agentic AI to be deployed safely at scale. Organizations that treat this compliance pressure as a burden are missing the point. Organizations that treat it as the governance scaffold they should have been building anyway are the ones that will still have their production databases intact at year-end.

We are at an inflection point. The capability of autonomous AI systems is genuinely remarkable, and it is going to reshape every industry. But remarkable capability deployed without accountability infrastructure does not produce remarkable results; it produces 13-hour outages and nine-second database deletions. The second half of 2026 is your window to get the foundation right before the adoption wave crests. Build the guardrails now, while the stakes are still recoverable.

The breaches will not stop. The adversaries will not wait. But the organizations that emerge from 2026 in the strongest security posture will not be the ones who moved fastest; they will be the ones who moved deliberately, with their eyes open.

Chris Hippensteel | New Resources Consulting
Chris Hippensteel | New Resources Consulting