AI-driven social engineering is set to be one of the most significant cyber threats in 2026, a new ISACA report revealed.
The 2026 ISACA Tech Trends and Priorities report, published on October 20, 2025, found that this type of AI threat is seen as a major challenge by 63% of the 3000 IT and cybersecurity professionals surveyed.
This is the first time AI-driven social engineering has topped the ISACA report’s findings, surpassing long-standing threats such as ransomware and extortion attacks (cited among the top threats for 2026 by 54% of respondents) and supply chain attacks (mentioned by 35% of those surveyed).
The report found that IT and cybersecurity professionals widely recognize that AI brings both new opportunities they need to get on board with and new threats they are not prepared to face.
A minority of organizations (13%) said they feel “very prepared” to manage generative AI risks, half said they feel “somewhat prepared” and 25% “not very prepared” for this task.
“Most IT and cybersecurity professionals are still developing governance, policies and training, leaving critical gaps,” the ISACA report reads.
A majority acknowledged the need to invest further in AI in the future, with two-thirds (62%) of respondents identifying AI and machine learning as top technology priorities for 2026.
US AI Regulatory Environment, A “Compliance Nightmare”
Regulations, especially AI safety and security regulations, are seen by many respondents as primarily helping them close this preparedness gap, Karen Heslop, ISACA’s VP of content development, said during a press briefing at the ISACA Europe conference on October 16.
She emphasized that the EU is the one that “leads the way in technology compliance,” including in cybersecurity and AI security.
Heslop welcomed the EU’s AI Act in principle, saying it could bring AI compliance clarity for companies operating in the EU.

On the other hand, she described the situation in the US, where several individual states are working on AI safety and security laws in the absence of federal legislation, as “a compliance nightmare.”
“Say I’m a small company that operates across 12 US states. I could end up having 12 sets of laws to comply with in a single country. That’s very prohibitive,” she added.
Chris Dimitriadis, ISACA’s chief global strategy officer, noted that while the jury is still out on the impact of AI regulation, the EU AI Act can provide “a good test.”
“No regulation is perfect. Strict regulations may impact the economy, while the total lack of regulation may introduce risks that eventually will not help the adoption of AI because the customer trust may be impacted negatively,” he explained.
“Everybody’s waiting to see how this new EU AI Act is going to perform in practice, because having a regulation is one thing, having it implemented is another and what a company does internally in order to protect its reputation and to ensure customer trust is yet another,” he added.
The ISACA survey found that 66% of IT and cybersecurity professionals rate regulatory compliance as “very important,” and that 32% say regulatory complexity and global compliance risks will keep them up at night in 2026.
Need For a “Stronger Army” of Cyber Talents
Another major concern raised by the ISACA survey’s respondents is the growing talent shortage, with only 18% considering they have a strong talent pipeline.
Dimitriadis spoke of the need to “create a stronger army” to defend digital ecosystems, increase resilience and help countries to adapt to innovative technologies in a safer manner.
However, many IT and cybersecurity professionals seem to see this objective as a tall order. While 39% said they will be hiring for more digital trust roles in 2026 than they did in 2025, 44% anticipate difficulty filling them with qualified candidates.
ISACA’s Recommendations to Prepare for 2026
The ISACA report concluded with five key takeaways from the pulse poll findings that inform how organizations can prepare for the coming year:
- Establish robust AI governance and risk frameworks
- Accelerate workforce upskilling and talent pipeline development and invest in continuous learning, certifications and internal mobility
- Modernize legacy systems and infrastructure to reduce vulnerabilities and improve agility
- Strengthen cyber resilience and business continuity planning by developing and regularly testing incident response plans, ransomware recovery strategies and cross-functional crisis management protocols
- Prepare for regulatory complexity and international compliance requirements, by monitoring regulatory changes, engaging with expert communities and investing in compliance tools and frameworks
The 2026 ISACA Tech Trends and Priorities report is the result of a survey conducted between August 22 and September 4, 2025 with 2966 ISACA members and non-member certification holders in digital trust fields such as cybersecurity, IT audit, governance, risk and compliance.
