In our Cybersecurity in 2026: A Strategic Road Map for US Businesses report, Forvis Mazars examined the cybersecurity challenges and opportunities facing U.S. enterprises across several industries. The analysis focused on artificial intelligence (AI) integration, regulatory compliance frameworks, and workforce development as strategic business priorities for the future.
These facets are uniquely impactful in the technology space, as the AI boom continues and an increasingly nuanced cybersecurity landscape evolves. For tech industry professionals and leaders working through strategic imperatives for next year, here are five key areas to consider for ongoing cybersecurity protection and digital transformation.
1. The Shadow AI Challenge for U.S. Tech Enterprises
According to Microsoft, “shadow AI” presents a significant challenge for organizations because it involves employees using AI tools without proper organizational oversight.[1] Although AI tools may save workers time on manual tasks, unauthorized use of this technology can also expose companies to several categories of risk (data, legal, third-party, reputational, and unpredictability risks).
Fortunately, there are several frameworks for U.S. companies to utilize that balance innovation with security. These risk mitigation and practical governance strategies include principles such as:
- A Policy-First Approach: This establishes clear acceptable use policies at an organization before deploying AI tools to employees. This sets expectations for the workforce and indicates the feasible, permissible options available to them.
- Approved Tool Lists: Companies can provide vetted AI solutions that align with and meet specific organizational standards.
- Data Classification Integration: This helps to ensure that AI policies at a company align with the data classification labels already in use, so that rules about which data may be entered into an AI tool follow the sensitivity levels the organization has already defined.
- Monitoring & Enforcement: Companies can use technical controls to detect and manage any unauthorized AI usage within their organizations and have procedures in place to manage any lack of adherence.
Tech companies may revisit their strategic initiatives and integrate the above principles for mitigating shadow AI risks.
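As an added example (not code from the Forvis Mazars report), the following Python script shows how the four principles above can be wired together as one technical control: an approved tool list, the data classification labels the organization already uses, a policy table, and a monitoring check over proxy log lines. All hostnames, team labels, policy actions and log lines are constructed placeholders.

```python
import re
from typing import Optional
# Hostnames of AI services the proxy can recognise (constructed placeholders, not real vendors).
AI_SERVICE_HOSTS = {"assistant.approved-vendor.example", "chat.unvetted-ai.example", "api.other-llm.example"}
# Principle 2 (approved tool list): the vetted subset; any other AI host is shadow AI.
APPROVED_AI_HOSTS = {"assistant.approved-vendor.example"}
# Principle 3 (data classification integration): reuse the labels data owners already
# assign to each team's data instead of inventing AI-specific ones.
TEAM_DATA_CLASS = {"finance": "confidential", "legal": "confidential", "marketing": "internal"}
# Principle 1 (policy first): the action the acceptable-use policy prescribes per label.
POLICY_ACTION = {"confidential": "block", "internal": "review", "public": "allow"}
# Constructed proxy-log format: an ISO timestamp followed by key=value pairs.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def parse_line(line: str) -> Optional[dict]:
    """Turn one proxy log line into a dict of fields; None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    return fields

def evaluate(line: str) -> Optional[dict]:
    """Principle 4 (monitoring & enforcement): classify one request.
    Returns None for non-AI traffic or approved tools, otherwise a finding dict."""
    rec = parse_line(line)
    host = rec.get("host") if rec else None
    if host not in AI_SERVICE_HOSTS or host in APPROVED_AI_HOSTS:
        return None
    # A team missing from the classification map gets the strictest label (fail closed).
    label = TEAM_DATA_CLASS.get(rec.get("team", ""), "confidential")
    return {"ts": rec["ts"], "user": rec.get("user"), "host": host,
            "data_class": label, "action": POLICY_ACTION[label]}

def run(lines):
    """Evaluate every line and keep only the findings that need enforcement or review."""
    return [f for f in map(evaluate, lines) if f is not None]

SAMPLE_LOG = [  # constructed sample lines, not captured traffic
    "2026-01-15T09:12:03Z user=alice team=finance method=POST host=chat.unvetted-ai.example bytes_out=48211",
    "2026-01-15T09:13:10Z user=bob team=marketing method=POST host=api.other-llm.example bytes_out=1200",
    "2026-01-15T09:14:42Z user=carol team=legal method=POST host=assistant.approved-vendor.example bytes_out=9000",
    "2026-01-15T09:15:01Z user=dave team=sales method=GET host=www.example.com bytes_out=300",
    "2026-01-15T09:16:30Z user=erin team=contractors method=POST host=chat.unvetted-ai.example bytes_out=700",
]

if __name__ == "__main__":
    for finding in run(SAMPLE_LOG):
        print(finding)
```

On the sample lines the approved tool and the non-AI request produce no finding, while the two unapproved requests from classified teams and the request from an unmapped team are escalated according to the policy table.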
2. AI in Security Operation Centers (SOCs)
The role of AI has expanded far beyond simple task automation. It can now serve as a powerful tool for augmenting human-led analysis and decision-making, and it can significantly enhance early threat detection and accelerate incident response.
The tech industry can benefit from such use cases and apply AI to several key defensive applications, including:
- Threat Detection: AI systems process billions of security events daily, identifying patterns that human analysts may miss because of human error or the sheer volume and speed of events. In addition, AI can be used to automatically consolidate and analyze newly detected threats and run the necessary checks to help ensure that the network is protected against them.[2]
- Incident Response: Automated response systems and AI move at lightning speed to automatically gather and aggregate data, as well as alert security analysts and professionals to potential threats.
- Vulnerability Management: AI-powered code scanning identifies security issues in real time during development cycles, applying the same large language model (LLM) technology that cyber attackers also manipulate to their advantage.
AI-powered security tools work in tandem with human oversight, not as a replacement for it. A best-fit SOC model uses AI to handle repetitive, high-volume tasks while preserving human control over critical decisions and direction. This balanced approach combines the speed and efficiency of automation with the insight and experience of human reasoning, creating a scalable, resilient security posture.
3. Regulatory Compliance
U.S. tech businesses face a complex web of federal and state data protection requirements that make extensive data governance essential for both security and compliance. The following are a few critical federal requirements that govern data privacy and security:
- Gramm-Leach-Bliley Act (GLBA): This requires fintech organizations to protect customer financial information by explaining their information-sharing practices to customers and safeguarding sensitive data.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA): This legislation establishes federal standards for health tech organizations to protect sensitive health information from disclosure (without a patient’s consent) and safeguard protected health information (PHI).
- Sarbanes-Oxley Act of 2002 (SOX): This applies to all companies publicly traded in the U.S. and protects investors by improving the accuracy and reliability of corporate disclosures. It also upholds that public companies must maintain data integrity for financial reporting and strengthens controls over reporting processes.
- Cybersecurity Maturity Model Certification (CMMC): This is a contract requirement designed to enforce the protection of sensitive unclassified information shared by the U.S. Department of Defense (DoD) with its contractors and subcontractors. It allows for increased assurance that contractors and subcontractors comply with the regulations and protect federal contract information (FCI) and controlled unclassified information (CUI).
In addition to these mandates, at least 20 states in the U.S. have specific data privacy laws applicable to their jurisdictions. Because these regulations differ, companies should be cognizant of the additional compliance requirements imposed by the laws of each state in which they operate.
4. Cybersecurity in the Supply Chain
Tech companies should be aware that cybersecurity maturity is a critical factor for business development and securing partnership opportunities, especially when it comes to their supply chain. Businesses looking to stay ahead of the curve (and their competitors) can focus on these best practices:
- Federal Contract Requirements: Government contracts now routinely include substantial cybersecurity rules that eliminate vendors with inadequate security postures from consideration. Adhering to these requirements can make or break a deal.
- Private Sector Initiatives: Leading organizations are implementing continuous monitoring of vendor security postures, real-time threat intelligence sharing with critical suppliers, joint incident response planning with key partners, and security performance metrics in their vendor contracts.
5. Practical Workforce Development Strategies
Finally, there are two approaches that tech companies can adopt to strengthen their cybersecurity capabilities.
- Shared Services: U.S. companies, particularly those in private equity (PE) and merger scenarios, are increasingly adopting shared services models and automation to strengthen their cybersecurity competencies. Examples of this include PE and venture capital (VC) firms providing cybersecurity support to portfolio companies, industry consortiums sharing specialized knowledge, and regional shared services being utilized for midmarket firms.
- Augmenting Human Knowledge: Similar to the AI in SOCs section of this article, U.S. companies are applying automation to amplify their existing team’s capabilities. This frees workers from manual, monotonous processes and gives them more time to focus on strategic work. In addition, integrated security tools can reduce context-switching and help improve efficiency for organizations.
Next Steps for Tech Companies: Plan a Resilient Cybersecurity Strategy for 2026
Cybersecurity is quickly becoming a strategic investment for organizations instead of a necessary expense. With this in mind, tech companies can develop their strategic goals by mitigating shadow AI risk, adopting AI-powered security tools, and applying practical workforce development approaches to strengthen their cybersecurity capabilities.
In addition, tech industry professionals should stay up to date on federal and state regulatory guidance and cybersecurity best practices related to supply chains in order to remain compliant and competitive.
Forvis Mazars is here to help you remain ahead of the curve. Whether you’re expanding your in-house capabilities or exploring third-party partnerships, our IT risk and compliance services can help you design a cybersecurity strategy that fits your U.S. business needs. For more information, please reach out to a professional at Forvis Mazars.