Excite Cyber (ASX: EXT) Cyber Security Predictions for 2026 – AI Regulation, LLM Governance, Cyber Encompassed in Business Risk Registers, Demand for Digital Forensics, Bolstering Cyber Hygiene and Rise in Human Risk Management
The following trends and predictions are from the team of cyber security experts at Excite Cyber (ASX:EXT) as we head into 2026.
Among the key trends, Excite Cyber, CEO, Bryan Saba highlights new AI regulations, stronger governance over LLM development and predicts cyber risks will become encompassed in comprehensive enterprise-wide business risk registers and demand will surge for digital forensics training.
Excite Cyber also anticipates that Australia will see rapid adoption of international AI and cyber security standards and adopt a greater focus on basic cyber hygiene and human risk management.
Human Oversight Will Become a Critical Factor In LLM Governance
In 2026, Excite Cyber expects a surge in demand for cyber security strategies specifically tailored to AI-assisted software development. Organisations will increasingly adopt multi-layered protective measures including code validation layers to verify AI-generated code before deployment, access controls to limit the potential for misuse of AI tools and continuous monitoring to detect anomalies or malicious activity in real time.
As Australian businesses increasingly integrate large language models (LLMs) into software development, the need for robust cyber security measures has never been more urgent. While LLMs offer remarkable efficiencies, such as automating coding tasks, generating documentation, and even identifying bugs, they also introduce new attack surfaces that can be exploited by malicious actors.
“Without the right safeguards, LLMs can be manipulated to inject malware, propagate misinformation, or introduce vulnerabilities into otherwise legitimate applications. This represents a timely warning for the Australian market as we head towards 2026: AI-driven development can accelerate innovation, but it can also become a new attack vector if left unchecked,” warns Bryan.
Excite Cyber stresses human oversight will remain a critical factor in AI governance in 2026. “While LLMs can accelerate development, Australian organisations that combine AI capabilities with skilled cyber security professionals will be better positioned to mitigate risk, safeguard data, and maintain trust with clients and stakeholders,” he says.
Cyber Risk Registers Will Disappear and Be Encompassed In Enterprise-wide Business Risk Registers In 2026
Excite Cyber predicts that in 2026 we’re going to see a big shift in how Australian organisations approach cyber risk. Just a few years ago, many company risk registers were light on detail, sometimes barely populated. In 2026 organisations will encompass cyber risks in enterprise-wide comprehensive business risk registers and treat registers as living documents, not compliance exercises. The shift will be driven top down by boards – no longer will cyber risks be just the domain of technical teams.
“In 2026, an acceleration will happen in Australia with more organisations building detailed asset inventories, mapping how information flows through their business, and linking physical, administrative and technical security controls. The more assets a business has, the greater the potential risk, and boards and senior leaders are investing more in thorough due diligence.
“This means business risk registers will be expanded to capture real-world cyber security scenarios: what happens if a door system fails, if a laptop goes missing, or if remote access isn’t tightly managed. That level of thinking shows risk identification is maturing,” explains Bryan.
Demand Will Increase for Digital Forensics Experts and Upskilling
As Australia heads into 2026, Excite Cyber predicts demand for digital forensics skills will continue to surge. Organisations across both public and private sectors are already recognising that rapidly evolving cyber threats, ransomware, insider risk, and advanced persistent attacks, require staff with up-to-date technical knowledge and practical experience.
“The number of qualified cyber security and digital forensics professionals in Australia is well below market needs with a shortfall of about 30,000 professionals forecast for 2026. This is driving strong interest in training programs as people seek to upskill and enter the field to fill demand.
“Many practitioners have theoretical knowledge but limited hands-on experience with forensic tools, incident response processes, and compliance with frameworks such as ISO 27001 or the ACSC Essential Eight and are expected to increase their willingness to upskill and cross skill in this area,” Bryan explains.
Courses that replicate real-world investigations, from evidence collection to analysis and reporting, will increase in demand. Digital forensics training will become a core focus for Australian organisations seeking to strengthen their cyber resilience. Professionals will increasingly pursue upskilling pathways, while training providers will expand hands-on, scenario-based programs to meet both regulatory requirements and the operational realities of modern cyber investigations.
“Australia’s cyber workforce of the future will be defined not just by qualifications, but by practical capability to respond to complex threats in an increasingly connected environment in 2026 and beyond,” Bryan stresses.
Increasing AI Regulation In Australia
In 2026, Excite Cyber predicts more Australian organisations will voluntarily adopt ISO 42001 to ensure they are prepared for increasing AI regulation. With the Australian Government currently examining AI regulation frameworks, Australian organisations are rushing to integrate AI into products and services face heightened risks if they don’t follow recognised standards.
ISO 42001, the global standard for Artificial Intelligence Management Systems, offers a clear framework to manage AI responsibly, securely and transparently. By adding ISO 42001 to AI governance frameworks, forward-thinking organisations will ensure they are well prepared for future strengthening of AI regulation in 2026 and beyond.
The Australian Government has also published the Voluntary AI Safety Standard to help organisations develop and deploy AI systems safely and reliably.
“For Australian companies planning to trade internationally, where regulatory regimes are already impacting users of AI, demonstrating compliance against internationally recognised and voluntary standards will help assure global markets that they are responsible and ethical users of AI,” Bryan says.
Excite Cyber expects more Australian organisations will act in 2026 to stay compliant and build trust and resilience in an increasingly AI-powered economy. As more AI systems are built and deployed, it will become increasingly important for these systems to be built to a minimum acceptable standard to ensure the risk of biases are reduced and that information security is not compromised.
A Greater Focus On the Basic Cyber Hygiene
While zero-day exploits and so-called ‘sophisticated’ attacks make the headlines, Excite Cyber expects Australian businesses to embrace a ‘back to basics’ approach to cyber security in 2026. Data from the Australian Signals Directorate, Office of the Australian Information Commissioner and dozens of international studies highlights phishing attacks and compromised user accounts remain the most used and potent tool in the hands of cyber criminals.
“It might not sound cutting-edge, but more organisations will focus on the fundamentals: rolling out multi-factor authentication, encouraging the use of password managers to support stronger, unique passwords, and prioritising recovery tools such as backups. These steps remain some of the most effective ways to reduce everyday risks and to speed up recovery after an incident,” Bryan stresses.
Increased Focus On Human Risk Management (HRM)
Cyber security has firmly shifted from being viewed as a technical issue to being recognised as a core business risk, with boards and executives taking greater accountability. Yet despite this progress, the focus has remained heavily weighted toward technology controls. The three pillars of effective security are people, process and systems, but in practice, systems have dominated, processes follow, and people remain the weakest link.
In 2026, Excite Cyber predicts this imbalance will change with the rise of human risk security (HRM). HRM puts people at the centre of security by going beyond tick-box training and phishing simulations. Instead, it uses smart technology to support employees in real time, helping them make better security decisions in the flow of their daily work.
Excite Cyber says this evolution is already visible. HRM solutions powered by AI can analyse the intent of a message rather than surface-level clues like spelling errors or logos. In a finance team, HRM can prompt a staff member to confirm payment details by phone before processing an emailed request or alert a user when they attempt to install an unauthorised application.
“These nudges help people to spot risks at the very moment they could escalate into incidents,” he says.
Over the coming year, Excite Cyber expects organisations to shift away from reliance on traditional awareness training and towards HRM-driven models that embed security into daily workflows. By making people active participants in cyber resilience, not passive recipients of annual training modules, organisations will reduce risk, improve response, and strengthen their overall security posture.
