The SEC’s 2026 examination priorities reveal a significant shift: Concerns about cybersecurity and AI have displaced cryptocurrency as the industry’s dominant risk topic of the past five years. Compliance specialist Rebeca Vergara Goana examines how AI washing has become more relevant than greenwashing, why vendor risk is now inherent risk and how small and mid-sized businesses will face regulations that previously applied only to large corporations as they navigate four layers of compliance simultaneously just to use cookies.
When a new year begins, we all try to enter fortune-teller mode. Like the Oracle in “The Matrix,” we try to predict the next regulatory moves and get ahead of their operational impact, but I regret to confirm something you have surely already noticed: only rarely can we anticipate every move and its real consequences on the board.
Because we are human, unpredictability is inevitable. Laws may be written, but anticipating how operators will actually respond is difficult. Additionally, for some time now we have been living with two factors that have not only grown but have become game-changers: cybersecurity and emerging technologies, particularly AI.
The clearest inflection point for this transition comes from the SEC’s 2026 examination priorities, which the commission published in November.
Why is this document important not only for public companies but also for the rest of the market, including small and medium-sized businesses? Because it not only signals which areas will face more examinations and sanctions but also highlights where the major market shifts are, at least the ones worth paying attention to.
And the rise in concerns about the impact of cybersecurity and AI has been so significant that it has displaced the industry’s dominant risk topic of the past five years, cryptocurrency.
This shift in priorities is significant and responds to the pattern that has dominated the past three years: massive data leaks and breaches, cyberattacks no longer exclusively aimed at financial systems and operational failures of technology providers with transversal impacts.
In this context, terms such as AI washing, operational resilience and digital compliance gain relevance.
Corporate AI adoption
AI is no longer just another employee resource. It began by drafting emails for us, but it has now become the foundation upon which corporate policies, SOPs and training programs are built. Today, AI cuts across all business processes: data management, decision-support for matters that affect governance and culture, vendor management, automations, reputation management and more.
One of the main risks identified lies in decision-making: The use of AI is gradually suppressing intuition, investigation and deep analysis. And the most severe risk is that AI, in trying to give us the answer we expect, can fabricate information.
This is one of the main reasons AI affects governance.
Additionally, the use of AI to draft policies, SOPs and training materials is triggering legal obligations without the company realizing it. For the SEC, AI has shifted from an emerging fintech area just two years ago to a clear area of operational risk in 2026, linked to cybersecurity, disclosures and internal use for critical functions.
From one year to the next, AI washing has become more relevant than greenwashing. AI washing “occurs when companies claim to be using artificial intelligence (AI) technology to enhance their services but, in fact, are not.” Behind this concept lie real compliance risks: false and misleading statements, operational risk (including contractual exposure), governance risk, exposure to sanctions and loss of reputation.
Data privacy
Following the SEC’s regulations and the most relevant ISO standards, data privacy has become a foundational element of compliance. It has turned into Compliance 101, reflected in the dozens of new state laws coming into force in 2026.
We now speak of a fragmented system in which companies must operate across multiple layers:
- US: 15+ state laws, all different
- Sectors: HIPAA, GLBA, COPPA, FERPA, PCI DSS and marketing rules
- Cross-border: GDPR and UK GDPR
- Platforms: new requirements from Meta, Google, Shopify, Apple
And one of the main challenges for organizations is that they will have to manage privacy as if they were regulated companies, even though they are not.
Cybersecurity and third-party risk
Under the applicable regulations, the entities traditionally obligated to meet cybersecurity requirements were operators of essential services such as energy, transportation, water supply, healthcare, banking and financial market infrastructures, as well as digital infrastructures.
This is no longer the case.
In recent years, several “non-critical” companies, including retailers like Mango or El Corte Inglés in Europe, have suffered cyberattacks. Attacks are more sophisticated and, at the same time, easier to launch; because anyone can carry them out, the target is no longer only major players like banks but any company with a vulnerable system.
The rise of ransomware attacks and vulnerabilities across supplier networks pushed agencies like the FTC, SEC, HHS and CISA to raise requirements.
2026 will consolidate this trend, and examples include:
- Stripe will require stronger KYC/AML and security controls to keep accounts active.
- AWS and Google Cloud will require minimum safeguards before certain services can be deployed.
- Marketplaces will reject sellers who cannot demonstrate minimum security controls.
Technology providers face a double challenge: They are being required to do more, and at the same time, they must demand more from their clients. Behind this dynamic lies a profound shift in how we understand risk. Technology providers are no longer simply support functions for the business; they are now part of the compliance system.
Vendor risk becomes inherent risk. This is why providers are under greater pressure and why they must transfer part of that pressure to their customers. This gives rise to extended governance, where participants audit each other and progressively raise requirements, because anyone can trigger a material incident.
In this context, the concept of digital compliance gains strength: “We define digital compliance as the adherence to laws, regulations, and guidelines related to data protection, data security, and other digital responsibility issues. This encompasses mandatory legal requirements as well as basic voluntary measures adopted by companies to ensure responsible digital practices.”
Industry updates impacting SMBs and mid-market companies
Small and mid-sized businesses will face regulations that previously applied only to large corporations. The most relevant areas will include:
- Cybersecurity requirements
- Data processing obligations
- Increased oversight in e-commerce and digital services
- Governance expectations and basic reporting duties
The trend is clear: There will be no differential treatment based on company size when businesses handle data, technology or global vendors. To give a simplified example, a small e-commerce business will need to comply with four layers simultaneously just to use cookies: state regulation (depending on where it sells); platform requirements (Shopify/Meta); sector-specific rules (if selling health, nutrition, etc.); and marketing regulation (FTC, dark patterns).
Related regulatory trends
The rise of generative AI has accelerated the creation of regulatory frameworks in both the US and EU.
The obligations under the EU AI Act will enter their implementation phase according to risk categories. In the US, more federal guidance and new sector-specific rules (employment, financial, healthcare) are expected.
Regarding cybersecurity, in addition to the SEC’s stricter criteria, the FTC has also established new mandatory cybersecurity standards in recent years for non-bank financial institutions.
In Europe, the CRA (Cyber Resilience Act) will apply starting in 2027, while the Digital Operational Resilience Act (DORA) has been in force since January 2025, establishing mandatory technical controls, governance requirements and direct responsibilities for technology providers.
Baseline requirements
The natural strategic ally of compliance used to be the legal department. Now, it appears that IT will also take on that role. The IT team needs a deeper understanding of compliance risks, and the compliance function needs a stronger grasp of technology and AI. Culture and leadership must be aligned so that both areas work together rather than block each other.
Baseline recommended actions:
- Create an internal registry of all AI use cases (operations, marketing, HR, risk, customer service).
- Review clauses with AI providers: liability, audit rights, data and model rights.
- Update SOPs for data handling, retention and preservation.
- Review contracts with technology vendors to include audit rights, impact assessments and early-notification obligations.
- Document internal governance: roles, metrics, review cycles.
- Treat vendor risk as inherent risk.
Special recommendations for SMBs:
- Keep a simple record of risk management.
- Provide basic training for the team.
- Formalize a straightforward incident response plan.
- Verify the minimum security requirements of each provider.
Ultimately, 2026 demands a different posture from compliance teams: less reactive, more integrated and fully aligned with technology. The companies that adapt early by understanding their real risks, tightening their governance and strengthening their relationship with IT will operate with greater clarity and resilience. For SMBs, the path is not complexity but consistency: simple systems, minimum controls and a culture that understands that digital risk is now business risk, not an IT issue.


Rebeca Vergara Goana is a lawyer specializing in compliance, with experience in the mining, corporate finance and capital markets sectors. She is also the founder of RVG Advisory, a consulting firm specializing in value chain compliance, with a focus on critical and conflict minerals.