AI, Cybersecurity & the Myth of Guaranteed Expansion

Posted on February 27, 2026



As the market reacts this week to recent volatility in public cybersecurity stocks, many commentators are anchoring confidence in a familiar thesis: agentic AI expands the attack surface and therefore guarantees long-term growth for security vendors. It is appealing in its simplicity. It echoes every prior technology cycle: more software, more surface area, more risk, therefore more security spend. History gives that argument credibility. Cloud, low-code and virtualisation all expanded exposure and strengthened major platforms.

I have written previously on agentic AI in ways that could suggest I fall neatly into that school of thought. In fact, I believe reality is always more nuanced.

Yes, AI introduces new risks: autonomous agents triggering real-world actions, probabilistic decision paths and machine-speed change cycles. Agentic systems are not merely generating outputs; they act. They hold credentials, call APIs and initiate production change. This complicates security models built on deterministic assumptions. Security becomes more critical, but that does not mean budgets grow without constraint.

History offers a clearer lens. Cloud did not diminish security’s importance, but it did drive consolidation, margin compression and a flight to platform scale. The same dynamics are likely again. AI also improves defensive efficiency, automating triage, accelerating detection and compressing response times. In many organisations the first effect will be reallocation, not expansion.

This is where an authority-led model of governance and trust becomes central. As systems become probabilistic, boards and regulators will demand defensible oversight: clarity over who owns machine authority, how decisions are governed and where accountability sits. Confidence will not rest solely on tooling, but on credible, independent authority that can translate technical risk into board-level assurance.

Moreover, not all security vendors are structurally positioned to benefit. We are in the middle of vendor consolidation. Enterprises are fatigued by tool sprawl. They want fewer, integrated control planes, not additional point solutions. That favours incumbents with regulatory credibility, and those who control identity, telemetry and runtime enforcement across hybrid environments and can offer system-level governance over machine intent. That is a high bar, and a larger surface does not guarantee more winners.

Enterprises, meanwhile, will not fully outsource risk. Regulators and boards still demand internal accountability. So while platform consolidation will continue, the model will likely be hybrid: internal governance paired with externally delivered assurance. Here I suspect we will see the rise of a new breed of trusted third parties and validation platforms.

The deeper question is not whether cybersecurity matters in an AI era. It clearly does. The question is who owns the authority layer of the agentic enterprise (see my prior piece on this, "From Buying Cyber Services to Buying Cyber Authority"): the control plane that governs machine decision-making safely and defensibly.

Cybersecurity’s future is larger but leaner and more consolidated. Growth will come unevenly, demanding a recalibration of where real control, trust and value reside.