Field Notes from Gartner SRM 2026: Four Threads I'm Still Thinking About
by William Toll on Jun 9, 2026 7:50:12 AM
I just spent four days at National Harbor for the Gartner Security & Risk Management Summit: twenty-some sessions, a few dozen hallway conversations, our Elisity speaking session with a 15-hospital health system customer, and a lot of coffee. Here are four threads that kept surfacing across keynotes, analyst Outlooks, and conversations with security leaders from manufacturing, healthcare, and critical infrastructure.
Key takeaways
- Gartner’s opening keynote reframed AI and automation as the moment the defender’s business case finally scales in defenders’ favor.
- The often-cited 2026 Verizon DBIR named vulnerability exploitation the top initial access vector at 31 percent of breaches, overtaking credential abuse.
- IT and OT security controls are not interchangeable: a benign false positive in IT can stop patient care or production in a clinical or industrial environment.
- You cannot manage visibility you cannot measure, and identity-first microsegmentation closes the gap that traditional, network-based segmentation cannot reach.
- Vendor consolidation is now about complexity reduction, not hard-dollar savings: pick a couple of strategic platforms, then go deep on a few specialists.
Automation just flipped the defender’s business case
For years, conventional wisdom has held that attackers carry a better business case for attacking than defenders do for defending. The opening keynote, Seize the Moment, from Distinguished VP Analyst Leigh McMullen reframed this era as one of opportunities security leaders can grab: modernizing human and machine identity, turning every attack into a learning cycle, funding more innovation as you go. The thread I pulled out of it is that the defender’s business case has quietly flipped. With AI and automation maturing on both sides of the fight, defenders can finally invest in capabilities that scale disproportionately against a growing threat landscape. Every dollar going into automation today returns more value tomorrow, because the surface to defend keeps expanding while the marginal cost of an automated response keeps falling.
That’s a real shift in framing. Skilled threat actors are already running attack chains in minutes that used to take weeks, using off-the-shelf AI with all the published safeguards in place. Tomorrow gets harder, not easier. What changed at this summit, though, is that defenders now have access to better AI, more resources, and the ability to bring our own automation to the fight. This isn’t a doom story. We’re in an automation race we can actually win, as long as we treat automation as a strategic investment rather than a tactical add-on.
What that looks like in practice for security architects I’ve talked with: less manual policy creation, more identity-aware automation that keeps up with the pace of change in the environment itself.
Vulnerability exploitation just overtook credential abuse as the top initial access vector
This one landed hard in the room. Gartner’s 2026-2027 Threatscape session, presented by VP Analyst John Watts and paired with the latest Verizon Data Breach Investigations Report (DBIR), showed that vulnerability exploitation has now overtaken credential abuse as the leading way attackers get in. The DBIR put it at 31 percent of breaches, up from 20 percent a year earlier, a 55 percent year-over-year jump in this access vector. Credential abuse, the previous leader, dropped to 13 percent. Attackers don’t burn a single vulnerability and walk away anymore. They exploit one, immediately scan the internet for everything else that looks similar, and use that footprint as a launchpad for the next move.
Practical implications get uncomfortable fast. Patching cadence becomes a political problem more than a technical one. Most enterprises still patch on 30-day cycles because of an old battle scar where a patch took down somebody’s executive demo. DBIR data shows enterprises losing ground on this. Full remediation of CISA Known Exploited Vulnerabilities dropped to 26 percent this year from 38 percent the year before, and median time to patch climbed to 43 days, a week and a half longer than the prior year’s 32. The disruption risk from a patch now needs to be weighed against the compromise risk from an exploit that takes the business down for days. That conversation belongs with the business, not buried inside the security team’s standup.
Cyber-physical and OT environments can’t simply inherit IT controls in this new reality. A false positive that blocks access in an IT environment is an inconvenience. That same false positive in a clinical or industrial environment can stop patient care or production. Multiple architects I spoke with had tried converging IT and OT controls and quietly backed that decision out. They’re using the same vendor in both environments, but keeping policy, management, and enforcement separate.
Visibility you can actually measure
Two CPS sessions hit the same nerve from different angles. Katell Thielemann’s CPS Security Outlook used a story about a newly hired CISO to frame how broken the headquarters-led approach is when applied to plant, clinic, and field environments. Grant Geyer, Claroty’s Chief Strategy Officer, followed up with a refreshingly honest account of how Claroty themselves had to learn the hard way that asset visibility isn’t a binary state; it’s a metric you have to define and improve over time. Both sessions landed the same takeaway: until you put a number on your visibility, you can’t tell whether what you’ve deployed is actually working.
Practical advice worth restating came out of those sessions. Find out what’s actually on your network. Find out who’s remoting into it. Find out what’s already sitting on the open internet without authentication. None of that is glamorous. All of it is foundational. Once a real visibility metric exists, the organization can’t unsee it, and the conversation about closing the gap finally starts.
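As an added illustration of turning those three questions into a number you can track, here is example code written for these notes (not Claroty’s or Elisity’s own tooling), reconciling a hypothetical passive-discovery feed with a CMDB and remote-access session logs; every asset, MAC address and session below is constructed.

```python
"""Asset visibility as a metric, not a yes/no answer.

Reconciles three constructed data sources (passive network discovery, the
CMDB, and remote-access session logs) into coverage numbers that can be
compared quarter over quarter.  All sample data is made up for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observed:
    """One asset seen on the wire by a hypothetical passive-discovery feed."""
    mac: str
    ip: str
    internet_reachable: bool = False   # answers connections from outside
    auth_required: bool = True         # challenges for credentials when it does


# Constructed sample inputs (not from the post or any real network).
OBSERVED = [
    Observed("aa:01", "10.1.0.5"),                                       # infusion pump
    Observed("aa:02", "10.1.0.9"),                                       # PLC HMI
    Observed("aa:03", "10.2.0.4", internet_reachable=True, auth_required=False),  # IP camera
    Observed("aa:04", "10.2.0.7"),                                       # vendor laptop
    Observed("aa:05", "10.3.0.2", internet_reachable=True),              # VPN gateway
]
CMDB = {"aa:01": {"owner": "Biomed"}, "aa:02": {"owner": ""}, "aa:05": {"owner": "NetOps"}}
REMOTE_SESSIONS = [("vendor_jsmith", "aa:02"), ("vendor_jsmith", "aa:04")]


def visibility_report(observed, cmdb, sessions):
    """Answer 'what is on the network, who remotes in, what is exposed' with numbers."""
    seen = {a.mac for a in observed}
    total = max(len(seen), 1)                      # avoid dividing by zero on an empty feed
    inventoried = {m for m in seen if m in cmdb}
    owned = {m for m in inventoried if cmdb[m].get("owner")}
    remoted = {mac for _, mac in sessions}
    return {
        "assets_seen": len(seen),
        "inventory_coverage": round(len(inventoried) / total, 2),   # seen AND in the CMDB
        "owner_coverage": round(len(owned) / total, 2),             # seen AND someone owns it
        "unknown_assets": sorted(seen - inventoried),
        "remote_access_to_unknown": sorted(remoted - inventoried),  # sessions into unmanaged gear
        "exposed_without_auth": sorted(a.mac for a in observed
                                       if a.internet_reachable and not a.auth_required),
    }


def coverage_delta(previous, current):
    """Change in inventory coverage between two reports; positive means the gap is closing."""
    return round(current["inventory_coverage"] - previous["inventory_coverage"], 2)


if __name__ == "__main__":
    for key, value in visibility_report(OBSERVED, CMDB, REMOTE_SESSIONS).items():
        print(f"{key}: {value}")
```

The point of the report is the trend, not the snapshot: run it on each discovery cycle and feed the two reports to coverage_delta to show whether the gap is actually closing.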
Here is my own conclusion from sitting in both sessions, not theirs: this is where identity-first microsegmentation earns its keep. When the asset is unmanaged, the device is legacy, the protocol is proprietary, and the network looks nothing like the IT network the security team trained on, the identity is still knowable. Tying policy to identity rather than to network plumbing closes the gap that traditional segmentation can’t reach.
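To make that contrast concrete, here is an added example (written for these notes, not Elisity’s product logic) that evaluates the same flow two ways: a network ACL keyed to IP ranges and a policy keyed to identity attributes from a hypothetical identity source. The device roles, MAC addresses and subnets are constructed.

```python
"""Identity-first policy versus network-location policy (added illustration).

The same flow is decided by an ACL keyed to IP ranges and by a policy keyed
to identity attributes.  When a legacy device is re-addressed (DHCP lease,
new VLAN, clinic move) only the identity policy still gives the intended
answer.  All names, addresses and roles are constructed for this example.
"""
import ipaddress

# Hypothetical identity source: device identifier -> attributes it can vouch for.
IDENTITY = {
    "aa:01": {"role": "infusion_pump", "owner": "Biomed"},
    "aa:09": {"role": "ehr_server", "owner": "Clinical IT"},
    "aa:04": {"role": "vendor_laptop", "owner": "unknown"},
}

# Traditional segmentation: (src_net, dst_net, action), first match wins.
NET_ACL = [
    ("10.1.0.0/24", "10.5.0.0/24", "allow"),   # clinical VLAN -> EHR VLAN
    ("0.0.0.0/0", "0.0.0.0/0", "deny"),
]

# Identity-first segmentation: (src_role, dst_role, action); anything unmatched is denied.
ID_POLICY = [
    ("infusion_pump", "ehr_server", "allow"),
    ("vendor_laptop", "ehr_server", "deny"),
]


def net_decision(src_ip, dst_ip, acl=NET_ACL):
    """Decide purely on network plumbing: where the packet came from and is going."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, action in acl:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action
    return "deny"


def identity_decision(src_id, dst_id, identity=IDENTITY, policy=ID_POLICY):
    """Decide on who the endpoints are; an identity the source cannot vouch for gets least privilege."""
    src_role = identity.get(src_id, {}).get("role")
    dst_role = identity.get(dst_id, {}).get("role")
    for rule_src, rule_dst, action in policy:
        if (rule_src, rule_dst) == (src_role, dst_role):
            return action
    return "deny"


if __name__ == "__main__":
    # Pump moves from the clinical VLAN to a new subnet: network ACL now blocks care, identity policy does not.
    print(net_decision("10.7.0.22", "10.5.0.10"), identity_decision("aa:01", "aa:09"))
    # Vendor laptop plugged into the clinical VLAN: network ACL allows it, identity policy denies it.
    print(net_decision("10.1.0.77", "10.5.0.10"), identity_decision("aa:04", "aa:09"))
```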
Picking strategic platforms over vendor sprawl
John Watts closed his session on Gartner’s four-pillar framework for evaluating strategic cybersecurity vendors with a framing that’s been hard to put down. Cybersecurity has roughly 4,000 vendors. Roughly ten of those now control about a third of total revenue and are growing faster than the market. That’s a paradox of choice problem CISOs are wrestling with right now. Evaluating a startup is one conversation. Evaluating a portfolio mega-vendor with twelve overlapping SKUs across four product families is a completely different conversation.
What I heard in the hallways matches what we see in Elisity’s customer base. Enterprises are tired of buying the same control four times under four different logos. They want their existing network infrastructure and their existing identity sources to do more work. They want fewer new agents, fewer new boxes, and less new architecture to defend. Vendor consolidation isn’t a hard-dollar savings exercise anymore. This is a complexity reduction exercise, and complexity reduction is exactly what frees the security team to do the work that actually matters.
Honest version of this story: no single mega-vendor covers every requirement well. The teams I admire pick two complementary strategic platforms, let those two cover the majority of the surface, then go deep on a small number of specialist platforms for the rest. That’s the model that scales, both architecturally and organizationally.
Closing thought
What connects all four of these threads for me is that the conversation has finally moved past whether identity-first, multi-vendor, automation-driven security is the right direction. We’re now arguing about how fast we can get there. Defenders who treat automation as a feature of their platforms, who can measure their visibility honestly, who can patch and contain without lighting their week on fire, and who can consolidate their architecture without consolidating their risk are the teams winning this race.
If you were at the Gartner Security and Risk Management Summit 2026 and want to compare notes, I’d love to hear what landed for you. Find me on LinkedIn.
Frequently asked questions
Did vulnerabilities overtake phishing or stolen credentials as the top initial access vector?
Credential abuse, not phishing. According to the 2026 Verizon Data Breach Investigations Report, vulnerability exploitation became the top initial access vector at 31 percent of breaches, up from 20 percent the prior year, while credential abuse, the previous leader, fell from 22 percent to 13 percent. Phishing was not the displaced leader.
Who delivered the opening keynote at Gartner Security & Risk Management Summit 2026?
Distinguished VP Analyst Leigh McMullen delivered the opening keynote, Seize the Moment, which framed AI adoption as a chance to modernize human and machine identity and turn every attack into a continuous learning cycle.
Why can’t OT and cyber-physical environments inherit IT security controls?
Because the consequences of a false positive are not the same. Blocking access in an IT environment is an inconvenience, while the same block in a clinical or industrial environment can stop patient care or production. Many architects use the same vendor across IT and OT but keep policy, management, and enforcement separate.
What is identity-first microsegmentation and why does it help with unmanaged devices?
Identity-first microsegmentation ties access policy to the identity of a user or device rather than to network location or plumbing. That matters for unmanaged, legacy, or proprietary OT and IoT assets, because even when a device cannot run an agent and the network looks nothing like IT, its identity is still knowable and can drive policy.