Arctic Wolf: agentic AI to reshape SOCs & Zero Trust
Cyber security firm Arctic Wolf has forecast a year of rapid change in 2026, driven by agentic artificial intelligence, increased human-driven risk and a stricter interpretation of Zero Trust security models.
The company expects security operations centres, or SOCs, to undergo significant structural change. It links this shift to new forms of AI that act more independently of human operators.
Dan Schiappa, President, Technology & Services at Arctic Wolf, said agentic AI would be central to that shift.
"Agentic AI is widely considered the next frontier in cybersecurity for its ability to adapt, learn and execute actions on its own, absent of any human input or intervention. Despite its promise, the industry is far from seeing a fully autonomous Security Operations Centre (SOC).
"Instead, in 2026, we push for transformation of the SOC, not by automating how SOCs work, but by reinventing how SOCs work with an expert-based approach. We will see the growing use of agentic AI taking the lead with human aid, versus human leading with AI aid.
"This will radically transform how SOCs work by using experts to replace human expertise, but it will not completely replace human expertise. So having humans in the loop to provide human expertise, but also humans on the loop, so the human can provide oversight to actions taken by AI and help to further refine the domain specific fine-tuned models used in the agentic framework. While the growing availability of high-quality data will help further SOC automation, human-in-the-loop processes will remain critical," said Schiappa.
Agentic AI refers to systems that not only analyse data but also initiate actions. Security vendors expect wider use of such tools in incident detection and response.
Arctic Wolf forecasts that organisations will pair these systems with human oversight rather than remove human roles. It expects security experts to supervise AI output and adjust the models that guide automated decisions.
Human risk
The company also expects human behaviour to remain the dominant factor in many security incidents. It links this risk to complex technology environments and social engineering attacks.
Adam Marrè, CISO at Arctic Wolf, said recent studies still point to people as the core element in most breaches.
"Humans have always represented a significant risk in cybersecurity because of the complexity of the modern technology environment, and recent research shows that nearly 80% of breaches involve a human factor. Attackers know it's easier to trick a person through social engineering than defeat a complex security system and AI is making this process simpler.
"In 2026, organisations will put an end to outdated security practices. Tick-box training is out of step with modern threats; its ineffectiveness highlighted by the fact even security leaders are fooled by certain social engineering tactics. Instead, new engaging training methods will be combined with a fundamental shift in mindset. Building a culture of shared ownership, where all employees feel able to speak out about mistakes, will be essential as the first line of defence in combating social engineering attempts," said Marrè.
The comments reflect wider industry concern about phishing, deepfake content and AI-assisted scams. Many organisations are trialling interactive and scenario-based training for staff.
Zero Trust shift
Arctic Wolf expects Zero Trust thinking to expand beyond technical architecture in the next year. The model is based on continuous verification of users and devices instead of default trust.
Schiappa said boards and executives would increasingly view Zero Trust as a broader governance issue.
"In 2026, Zero Trust won't just be a security model, it will be a corporate lifestyle and a defining principle of digital leadership.
"The era of implicit trust will end with 2025. In its place will be a culture of continuous verification and intelligence authentication. Forward thinking organisations will recognise identity as the new perimeter and understand safeguarding it - as well as that of every vendor, partner and supplier they work with - is fundamental to reputation and growth," said Schiappa.
Many organisations are reviewing access management, multi-factor authentication and vendor risk as part of such programmes. These reviews often include supplier identity controls and contractual security requirements.
CISO pressure
High-profile incidents in 2025 have also had an impact on how security leaders expect the year ahead to unfold. Attacks on major consumer and industrial brands have raised questions over corporate resilience strategies.
Marrè said public breaches at well-known organisations had shifted the focus onto the performance of CISOs.
"2025's high-profile cyber-attacks on the likes of M&S and Jaguar Land Rover have put CISOs under a microscope. Growing awareness of the near-crippling operational, financial and reputational fallout of a successful hack is putting mounting pressure on CISOs.
"Concerningly, two-thirds of technology leaders admit to clicking malicious links, proving the issue isn't only outside of the IT department. In 2026, CISOs will need to ensure they are both empowering employees to be vigilant and report suspicious activity but also setting the standard with their own security. Embedding cyber hygiene into company culture will be necessary to prevent and minimise threats before they become headlines in 2026," said Marrè.
Security executives face growing scrutiny from regulators, customers and boards. Many organisations are reviewing incident reporting processes, internal accountability and resilience plans as they prepare for 2026.