
Gartner Security & Risk Management Summit 2026: What Analysts Are Telling CISOs

Gartner’s flagship US cybersecurity summit lands at the Gaylord National Resort in National Harbor, Maryland from 1–3 June 2026 — the same week the firm expects global information security spending to cross $244.2 billion for the year, a $29 billion jump on 2025. Roughly 110 research-backed sessions will be delivered by 62 Gartner experts, and the message from the firm’s published research so far is blunt: the CISO role is expanding faster than the governance frameworks meant to support it, and the decisions made in 2026 will determine whether security leaders remain strategic partners or become compliance scapegoats.

This article is a reader’s guide to that research — the six trends Gartner published in February, the spending signals behind them, the keynote positions, and the session tracks where each theme gets operationalised. The summit itself is one data point; the research agenda behind it is the actually useful thing to read, whether or not you attend.

What the summit covers this year and why the timing matters

The 2026 edition is themed Smarter, Faster, Stronger … Together, and the premise is that an expanding threat landscape, AI, tariffs, global instability, and regulatory fragmentation are simultaneously stretching cybersecurity programs. The event features five comprehensive tracks and five spotlight tracks spanning leadership, risk management, infrastructure security, application and data security, and cybersecurity operations. Track names do real work here — the new Evaluating and Negotiating With Technology Providers spotlight track, combining Magic Quadrant sessions with Contract Negotiation Clinics, reads like Gartner’s response to years of CISO complaints about spiralling vendor costs during consolidation waves.

Gartner’s National Harbor event is one of four regional summits this year. The Sydney edition ran in March; Tokyo follows on 22–24 July, São Paulo on 4–5 August, and London on 22–24 September. Analysts rotate, but the core research presented — Top Trends in Cybersecurity for 2026, the Forecast Analysis for Information Security, Worldwide, and the planning guide — is consistent. If you can’t get to National Harbor, the London edition covers substantially the same ground.

Summit snapshot
Dates: 1–3 June 2026 (Mon–Wed)
Venue: Gaylord National, National Harbor, MD
Analysts: 62 experts (60+ on-site)
Sessions: 110+, research-driven
Theme: Smarter, Faster, Stronger … Together
Other 2026 editions: Tokyo 22–24 Jul · São Paulo 4–5 Aug · London 22–24 Sep

The six cybersecurity trends Gartner is telling CISOs to act on

Gartner’s Top Trends in Cybersecurity for 2026, published 5 February 2026 and authored by analysts Alex Michaels, Will Candrick, Chiara Girardi, Arthur Sivanathan, Jeremy D’Hoinne, Pete Shoard, Mark Horvath and Nathan Harris, organises the year’s six priority trends under three themes: transform governance, secure new frontiers, and normalize AI adoption. These aren’t surprises for anyone watching the industry — but the ordering and the emphasis are worth reading carefully. CISOs who turn up to National Harbor expecting a different research story than the one already published will be disappointed.

Agentic AI demands cybersecurity oversight. This is the trend Gartner puts first, and the one that drives the most session volume across the agenda. AI agents — systems that take autonomous action rather than just produce recommendations — are already being deployed by employees and developers through no-code and low-code platforms and through “vibe coding” workflows where LLMs generate production code from natural-language prompts. The result is an unmanaged population of AI agents with credentials, API access, and sometimes privileged operations, most of which security teams haven’t inventoried. Gartner’s position is that this creates both new attack surface and new regulatory compliance liability.

Collaborative governance replaces centralised policy. Gartner’s framing here is that control-heavy, centrally mandated AI policies don’t work against shadow AI — over 57% of employees are using personal GenAI accounts for work according to the firm’s research, and roughly a third admit uploading sensitive data into unapproved tools. The recommendation is to shift from prohibition to co-created guardrails, monitoring behaviour and exception patterns while giving the business accountability for AI-related risk.

Postquantum cryptography moves into action plans. The deadline Gartner is now quoting is 2030 — the year by which the firm expects quantum computing advances to render asymmetric cryptography unsafe. “Harvest now, decrypt later” attacks, where adversaries capture encrypted traffic today expecting to decrypt it once quantum capability matures, make long-lived sensitive data the immediate priority. Gartner’s action list: inventory cryptographic assets, pressure vendors for post-quantum cryptography (PQC) roadmaps, build cryptoagility into architecture, and prioritise migration for systems whose data retention extends past 2030.

Identity and access management adapts to AI agents. Traditional IAM assumes humans. Agents are machine actors with their own identity, credential, and authorisation needs — and most organisations have uneven IAM maturity that wasn’t built for this load. Gartner’s recommendation is a targeted, risk-based approach: extend IAM to machine actors, automate credential lifecycle, and define policy-driven authorization rather than trying to re-platform everything at once.

Regulatory resilience becomes a core CISO competency. Regulators are now holding boards and executives personally accountable for compliance failures. Reporting deadlines are compressing — some regimes require breach notification within 24 hours — and data sovereignty requirements are fragmenting vendor decisions by jurisdiction. Gartner pushes cross-functional collaboration between legal, procurement, and security, with clearly defined compliance ownership.

AI-driven SOC adoption requires new skills, not just new tools. Over 75% of enterprises will use AI-amplified cybersecurity products by 2028, up from less than 25% in 2025, according to Gartner’s 4Q25 forecast. The firm is explicit that this is not additive spend — it’s the AI embedding itself into existing product categories. The workforce implication: analysts who can’t critically evaluate AI-generated findings will become less effective, not more. “To realize the full potential of AI in security operations, cybersecurity leaders must prioritize people as much as technology,” said Alex Michaels, Director Analyst at Gartner, in the trends announcement.

Top trends in cybersecurity for 2026
Gartner research published 5 February 2026 · organised under three themes
1 — Agentic AI oversight (Secure new frontiers): No-code platforms and vibe coding drive unmanaged agent proliferation. Inventory, govern, and control machine actors.
2 — Postquantum action plans (Secure new frontiers): Asymmetric cryptography projected unsafe by 2030. Build cryptoagility; prioritise long-lived data against harvest-now-decrypt-later.
3 — Collaborative AI governance (Transform governance): Shadow AI is inevitable. Replace prohibition with co-created guardrails and shared business accountability.
4 — Regulatory resilience (Transform governance): Personal liability for boards and execs. 24-hour reporting regimes and data sovereignty fragment vendor decisions.
5 — IAM for AI agents (Normalize AI adoption): Machine actors need identity, credential, and authorisation frameworks. Target investment where gaps are greatest.
6 — AI-driven SOC adoption (Normalize AI adoption): 75%+ of enterprises will use AI-amplified security products by 2028. Analyst skills matter as much as tooling.

The spending numbers behind the trends

Gartner’s research isn’t aspirational. The firm’s Forecast: Information Security, Worldwide, 2023–2029, 4Q25 (document G00843183, published 18 December 2025) and the Forecast Analysis: Information Security, Worldwide, 2026 (G00838442, 5 February 2026) project the global information security market reaching $244.2 billion in 2026. The AI-amplified segment specifically is forecast to reach $160 billion by 2029, up from $49 billion in 2025.

Two things make those numbers useful for CISOs reading them at planning time. First, the AI-amplified figure represents existing security products that now embed AI capabilities rather than a net-new category — vendors that don’t integrate AI will lose shelf space, which has procurement implications for any multi-year contract being signed this year. Second, Gartner’s planning-horizon prediction — that over 50% of enterprises will use AI security platforms to protect their AI investments by 2028 — effectively tells CISOs that AI-specific security tooling will be its own budget line by the end of the decade.

The numbers also frame the session economics at National Harbor. A $244 billion market with Gartner’s positioning at its centre is why attendees pay full-conference pricing — roughly $4,500 to $5,500 depending on discounts and timing — and why the one-on-one analyst meetings are the most competed-for item on the agenda. Gartner one-on-ones are private 30-minute sessions exclusive to paid registered attendees (not exhibitors), allocated first-come-first-served through the Conference Navigator app, and they’re the single best reason to go.

The keynotes worth planning around

The 2026 keynote programme signals what Gartner wants CISOs to take away before they enter the track sessions. Four sessions anchor the programme.

“Seize the Moment” is the opening Gartner keynote, delivered by Leigh McMullen, Distinguished VP Analyst. Opening keynotes at these events typically set the conceptual frame for the week, and the title maps directly to the firm’s thesis that 2026 is the operational decision point for AI governance, PQC, and agentic IAM.

“The Future of Cyber 2030 – Skills, AI, Tech” by Peter Firstbrook, Distinguished VP Analyst, is the farther-horizon session. Firstbrook is one of the longer-tenured voices in Gartner’s security research — his 2030 framing is effectively the answer to “what does the CISO role look like when agentic AI and post-quantum are both normalised?”

“Creativity and Innovation for a Better Tomorrow” with chef, restaurateur and humanitarian José Andrés alongside VP Analyst Christopher Mixter is the guest keynote that typically gets the largest non-security audience. World Central Kitchen’s operational model — deploying capability into chaotic environments at speed — has been borrowed by security leadership literature for years, so the framing fits.

“Leading with Levity” with executive advisor Naomi Bagdonas closes the guest-keynote lineup. The premise — that humour and improv are competitive leadership advantages — sounds soft, but lands differently in a profession measurably fighting burnout.

A set of specialist sessions repeated from Gartner’s Sydney summit in March is expected to be re-delivered in National Harbor. Richard Addiscott, VP Analyst, opened Sydney with the Top Cybersecurity Trends briefing — the canonical presentation of the six trends covered above. Kristin Moyer, Distinguished VP Analyst, delivered a session on the board-confidence gap, citing research that 90% of non-executive board directors lack confidence in cybersecurity value. Mia Yu, Director Analyst, covered the human element of cybersecurity — specifically, that secure behaviour only becomes resilient when it becomes habit. All three sessions are worth watching for if they appear on the National Harbor agenda.

The tracks and where CISOs should actually spend their time

The conference’s ten tracks — five comprehensive, five spotlight — each target a specific CISO pain point. A few deserve particular attention.

Conference tracks
Five comprehensive tracks · five spotlight tracks · CISO Circle Program by application
Cyber leadership & innovation (comprehensive): Business-aligned strategy, resource optimisation, leadership effectiveness, executive confidence.
Cyber-risk management (comprehensive): Cyber resilience, third-party risk, privacy, AI risk, OT security, organisational resilience.
Infrastructure security (comprehensive): Zero trust, AI-integrated defence, hybrid environment protection.
Evaluating & negotiating with providers (spotlight, new): Magic Quadrant sessions plus Contract Negotiation Clinics. Cost, risk, vendor selection.
Navigating the volatile environment (spotlight): Threat landscape, AI hype, geopolitics, tariffs, executive orders, cost pressures.
New CISO ramp-up (spotlight): First 100 days — relationships, executive brand, quick wins, long-term value.
Identity & access management (spotlight): IAM strategies, trends, technologies. Key surface area for agentic AI.
CISO Circle Program (program): Peer-based sessions on personal brand, C-level relationships, cyber resilience. Application required.

The Evaluating and Negotiating With Technology Providers spotlight track is a new addition for 2026 and signals Gartner’s read of the market. The Magic Quadrant sessions are the firm’s structured comparison of vendors in a given category — walking into one with active RFPs is how to extract the most value. The Contract Negotiation Clinics are more unusual: Gartner analysts work through procurement scenarios with live attendee questions, and they tend to fill up fast.

The Navigating the Volatile Environment track carries much of the geopolitical and macro content — tariffs, executive orders, cost pressure — that affects security budget decisions but isn’t itself a security topic. CISOs briefing finance or the board after the summit will mine this track for talking points.

The CISO Circle Program is application-only and runs as a curated executive stream alongside the main agenda. Similar programmes at past Gartner summits have tended to attract Fortune 500 CISOs specifically; it’s worth applying if you manage a security organisation with meaningful scale, and worth skipping if your role is more operational.

How to get the most out of the conference

A few tactical points are worth front-loading. Gartner one-on-one meetings are allocated first-come-first-served through the Conference Navigator app — registrants who complete their profiles early and book analyst slots as soon as they open get access to the most in-demand researchers. If you want time with Alex Michaels on the trends research, or with a Magic Quadrant author in your vendor category, book on day one of registration rather than closer to the event.

Workshops, roundtables, and Meetups are separately gated and also require preregistration. These aren’t available to exhibitors or exhibitor conference session passholders — only paid full-conference attendees. If a session shows “full” or “closed” in Navigator, Gartner’s guidance is to turn up 15 minutes early to the room and join the waiting list.

Attendees earn CPE credits through ISACA and other providers for select eligible sessions. For CISSP, CISM, or CISA holders, the three-day agenda is a meaningful chunk of an annual CPE requirement. The dress code is business casual with explicit guidance to wear comfortable shoes — the Gaylord Convention Center is large and session rooms are widely distributed.

Gartner’s own advice is to treat the summit’s mobile app — Gartner Conference Navigator — as the primary planning tool rather than the static agenda page. The profile-match feature surfaces sessions based on role and interests, and the networking features let attendees find peer discussion partners with matching priorities.

FAQ

Do I need to be a Gartner client to attend? No. Full-conference registration gives access to all sessions, analyst one-on-ones, and session documentation regardless of whether you have a separate Gartner advisory contract.

Can I get a press pass? Full-time journalists from editorial publications are eligible. Requests go to Gartner’s press contact directly rather than through a self-service registration.

What’s the single highest-value session to target? For most CISOs, a one-on-one with the analyst whose coverage matches their biggest current decision — a Magic Quadrant author if you’re mid-RFP, a trends analyst if you’re setting strategy. A 30-minute direct analyst meeting is higher signal than any keynote.

Are there discounts available? Some exhibitors and partner vendors offer discount codes — Salt Security, for example, has publicly offered $350 off full-conference passes via their sponsor page. Group rates for multiple registrations from the same organisation are typically available through Gartner’s registration team.

The honest read on Gartner’s 2026 message

Gartner’s research this year reads as less patient than previous editions. The PQC deadline is now 2030 rather than “a decade away.” Agentic AI is framed as an existing security liability rather than an emerging concern. Board personal liability and 24-hour reporting windows are presented as current operational realities. The through-line is that CISOs who treat 2026 as a planning year will be running to catch up by 2027 — and that this summit, and the research behind it, is Gartner telling its clients explicitly which decisions need to be made now.

Whether the summit is worth the ~$5,000 depends on your role. For CISOs with active vendor decisions, ongoing AI governance builds, or board-reporting demands where Gartner research carries weight, the one-on-ones and Magic Quadrant sessions alone can justify the trip. For directors and senior engineers without signing authority, the same research is available through Gartner client access or — selectively — through the firm’s free press releases, planning guides, and public analyst commentary. Read Top Trends in Cybersecurity for 2026 first. The rest of the decision flows from there.
