What Security Leaders Are Prioritizing in 2026 - Safe Security

Inside the Conversations: What Security Leaders Are Prioritizing in 2026

Jun 9, 2026


SAFE at Gartner Security & Risk Management Summit 2026

By: Tushar Bansal – Chief Customer Officer

There is something uniquely valuable about Gartner Security & Risk Management Summit that you can’t replicate through surveys, analyst reports, or virtual meetings.

It is one of the few opportunities each year to sit down face-to-face with hundreds of CISOs, risk leaders, and security practitioners and hear, unfiltered, what is keeping them up at night.

At Gartner SRM 2026, our team had hundreds of conversations with security leaders from some of the world’s largest organizations. While every company is at a different stage of its security journey, the themes were remarkably consistent.

The conversations weren’t focused on future predictions or theoretical frameworks. They were focused on real operational challenges that security teams are facing today as AI adoption accelerates, vendor ecosystems become more complex, and expectations from boards and business leaders continue to rise.

Here are four themes that surfaced repeatedly throughout the week.

1. Everyone Has an AI. Few Have an AI Governance Strategy.

The most noticeable shift from a year ago is that organizations are no longer debating whether AI will become part of their business.

It already is.

Employees are using AI tools. Business units are experimenting with AI-powered workflows. Vendors are embedding AI capabilities into products at an unprecedented pace.

What many organizations are struggling with is governance.

Security leaders told us they are trying to answer fundamental questions:

  • Where is AI being used across the organization?
  • What data is being exposed to AI systems?
  • Who has access to AI applications and models?
  • How do we establish guardrails without slowing innovation?

The pressure to move quickly is coming from every direction. Governance programs are racing to keep pace.

The question has shifted from “Should we adopt AI?” to “How do we adopt AI safely at scale?”

2. CISOs Want AI-SPM. They Don’t Want Another Dashboard.

AI Security Posture Management (AI-SPM) generated tremendous interest throughout the event, but what stood out was the reason why.

Security leaders are not looking for another dashboard.

They already have dashboards.

What they want is the ability to operationalize AI governance and reduce risk.

Visibility is important, but visibility alone does not solve the problem. Organizations need context around AI usage, data exposure, access controls, third-party dependencies, and business impact. More importantly, they need actionable guidance on what to address first.

The strongest conversations we had around AI-SPM were not about discovery. They were about prioritization, governance, and risk reduction.

Organizations want to move from understanding AI risk to actively managing it.

3. TPRM Teams Are Drowning in Complexity.

Third-Party Risk Management has always been challenging.

AI is making it significantly harder.

Every vendor is becoming an AI vendor. Whether it’s collaboration platforms, customer support applications, development tools, or business software, AI capabilities are rapidly becoming embedded throughout the technology stack.

As a result, TPRM teams are being asked entirely new questions:

  • How are vendors using AI?
  • What data is shared with AI models?
  • What controls exist around AI usage?
  • How are vendors governing AI internally?
  • What new risks are introduced through AI-powered services?

At the same time, many organizations are still relying on annual assessments, spreadsheets, and lengthy questionnaires.

The gap between the pace of technology adoption and the pace of risk assessment continues to widen.

Security leaders are increasingly looking for continuous monitoring, autonomous risk assessment, and more scalable approaches to TPRM.

4. The Most Common Question We Heard

Across conversations about AI-SPM, TPRM, and cyber risk management, one question surfaced repeatedly:

“How do I gain visibility without creating more work for my team?”

Security teams are under pressure to improve governance, increase visibility, and reduce risk while operating with finite resources.

The organizations making the most progress are not adding more manual processes. They are finding ways to automate discovery, prioritize what matters, and focus their teams on the risks that have the greatest business impact.

That mindset is becoming increasingly important as attack surfaces expand and AI adoption accelerates.

Instacart Replaced Manual TPRM in 3 Weeks
  • 600+ vendors assessed
  • 100% completion — zero extra headcount

Looking Ahead

The most valuable part of Gartner SRM wasn’t the presentations, booth traffic, or product demonstrations.

It was the opportunity to listen.

The conversations confirmed that security leaders are entering a new phase of cyber risk management — one where AI governance, AI security, and third-party risk are becoming deeply interconnected.

The challenge isn’t adopting new technology.

The challenge is maintaining visibility, governance, and control as technology evolves faster than ever before.

The organizations that succeed will be the ones that embrace innovation while building the processes, governance frameworks, and risk management capabilities needed to scale securely.

Missed Us at Gartner SRM?

Whether you’re evaluating AI Security Posture Management (AI-SPM), modernizing your Third-Party Risk Management program, or building an AI governance strategy, we’d love to continue the conversation.

Meet with one of our experts to learn how leading enterprises are approaching AI risk, vendor risk, and cyber risk management in 2026.