No one has a crystal ball when it comes to cybersecurity. But each year, Gartner shares a set of predictions that—while not guaranteed to come true—offer a snapshot of what’s keeping enterprise security leaders up at night. These forecasts blend input from Gartner’s global client base with the informed perspectives of their analysts. At the 2025 Gartner Security & Risk Management Conference, Director Analyst Craig Porter delivered a thought-provoking look at the trends and threats likely to shape the next five years. His predictions offer more than speculation—they serve as a lens into the evolving priorities of the cybersecurity landscape.

Here’s a deeper look at each of his core predictions—and why they matter now.

1. Geopolitics Will Drive Security Strategy by 2029

Porter emphasized that geopolitical disruption isn’t just a background risk—it’s becoming a direct influence on security planning. From regional conflicts to evolving regulations like the EU Cyber Resilience Act and U.S. federal guidance, companies are navigating a patchwork of sovereignty, data localization, and compliance challenges.

Yet, despite recognizing these risks, most security leaders have not embedded geopolitical scenario planning into their core continuity models. The result is a gap between awareness and readiness. Porter’s advice? Use structured scenario planning, revisit data localization strategies, and ensure security programs can adapt to cross-border regulatory flux.

2. Quantum Computing Will Break Today’s Encryption

By 2029, conventional asymmetric cryptography—used in everything from SSL certificates to email encryption—may no longer be secure. Porter warns that advances in quantum computing could render current encryption models obsolete, and the window to act is closing fast.

He introduced the idea of “cryptographic debt,” urging security teams to inventory cryptographic assets now and begin transitioning to post-quantum cryptography (PQC). This isn’t simply a technical upgrade—it’s a foundational shift in how trust and security are maintained across digital systems.

3. The Internet of Humans Will Be Exploited

This prediction stretched the boundaries of traditional cybersecurity. Porter described the rise of the “Internet of Humans”—a future where medical implants, neural interfaces, and bio-integrated devices become routine. He predicted that by 2029, at least one ransomware attack will be launched against such a device, with a ransom paid to save a human life.

These systems, once limited to clinical settings, are becoming consumer products—raising new questions about patching, firmware integrity, data ownership, and physical safety. Security and risk leaders must prepare for blended risks that span digital and biological domains. Regulatory frameworks and insurance underwriting may need to evolve to address this new class of threats.

4. AI and Automation Will Erode Human Security Skills

Porter raised a concern often overlooked in AI hype: the atrophy of human expertise. As AI tools handle more triage, analysis, and decision-making in the Security Operations Center (SOC), foundational investigative skills are fading.

By 2030, Gartner predicts that 75% of SOC teams will experience skill erosion. If AI services fail—whether due to misconfiguration, adversarial attacks, or outages—teams may lack the knowledge to respond manually. Porter recommends building continuity plans that prioritize human-led processes, maintaining analyst training programs, and requiring AI explainability from vendors.

5. Data Deletion Will Become a Privacy Strategy

The notion that organizations will “delete most personal data by 2029” might sound radical, but Porter’s logic is sound. With quantum-powered decryption on the horizon, even encrypted data becomes a long-term liability. Retaining unnecessary personal data poses not just storage costs, but existential breach risks.

Organizations need to shift from a compliance-only mindset to one that treats data minimization as a strategic defense. This includes aligning retention policies with actual risk exposure, auditing cryptographic readiness, and designing deletion processes that are transparent and enforceable.

6. Third-Party Risk Management Will Prioritize Resilience

Outsourcing does not equal offloading responsibility. As organizations rely on complex vendor ecosystems, Porter notes that prevention and compliance checks are no longer enough. Instead, third-party risk programs will shift toward resilience—assuming that partners will be compromised and planning accordingly.

Expect more organizations to implement compensating controls, indirect monitoring (such as threat intelligence and security ratings), and pre-negotiated access protocols for breach response. The market is also moving toward convergence: tools that combine ratings, workflow automation, and intelligence feeds into a single platform.

7. AI-Powered Attacks Will Target Cyber-Physical Systems

Cyber-physical systems (CPS)—including manufacturing lines, utility grids, and connected devices—are becoming prime targets for AI-augmented threat actors. Porter shared examples of malware campaigns where technical schematics were stolen and fed into generative models to design precision attacks.

Security for CPS must move beyond asset discovery to embrace behavioral analysis, segmentation, and real-time anomaly detection. Organizations will need tailored threat models and AI-aware controls for systems where downtime could mean safety or operational failures.

8. Many Will Abandon Zero Trust—But Not Because It’s Wrong

Zero Trust remains an essential security framework—but Porter predicts that by 2028, 30% of organizations will abandon it due to poor scoping, unclear value, and implementation fatigue. The problem is not the model—it’s in how it’s often executed.

Zero Trust must be applied incrementally, focusing first on identity, access control, and segmentation. Organizations should measure outcomes against strategic goals, not just tool checklists. Porter also emphasized embedding secure defaults into daily workflows—making security intuitive rather than burdensome.

Stay tuned for more insights from the Gartner conference, and see our website for more details on PointGuard’s forward-looking capabilities to protect AI systems from emerging threats, including:

• AI Discovery: Automatically identify and inventory all AI assets—models, pipelines, APIs—across your environment.
• Security Posture Management: Continuously assess AI systems for misconfigurations, access risks, and supply chain exposure.
• Model Red Teaming: Simulate adversarial attacks—like prompt injection, data leakage, and jailbreaks—to test and strengthen model resilience.
• Runtime Protection: Monitor and defend deployed models against real-time threats and misuse, without disrupting operations.

As Gartner’s predictions make clear, AI isn’t just changing how we defend—it’s changing what we must defend. PointGuard AI is here to make sure your AI deployments stay discoverable, secure, and resilient—no matter how fast the landscape evolves.