HSToday Threat Forecast 2026: Leading Complexity: Necessity for Emerging Tech Policy Frameworks in 2026
Publish Date: 2026-01-29 11:00:00
Source Domain: www.hstoday.us
Using an unordered list, summarize the following article with between 4 and 8 key points. In last year’s threat forecast, I wrote about the complexity of the threat environment – with its variety of threat actors and the number of threat vectors – as well as the potential for any of these threats to overwhelm the capacity of our systems and processes. I also addressed the capacity of leaders to manage one of these threats, much less when the threats come together to create cascading disruptions.
Building on that analysis, this year I want to examine how these dynamics are playing out in practice.
For years, we’ve heard about the lack of coherent, flexible policy frameworks for advanced air mobility (AAM), cybersecurity, and artificial intelligence (AI), and the resulting conflicts in direction and expectations. The results of which leave us vulnerable to threats, especially those from nation-state competitors and transnational criminal organizations and slow innovation by U.S. governmental organizations, the private sector, and our international partners.
Those frameworks are now emerging – both in the United States and abroad – and the way these three domains intersect deserves closer examination.
Where We’ll See Agreement and Certainty
Expect alignment in foundational principles, such as safety, security, and ethical use, to continue to mature across all three areas. Aviation authorities globally are converging on baseline standards for AAM operations and certification, including airspace integration and pilot certification. Cybersecurity frameworks are similarly stabilizing – with NIST Cybersecurity Framework 2.0 (CSF 2.0) emphasizing governance, zero-trust architectures, supply chain risk mitigation, and resilience against ransomware – reflecting shared lessons from recent attacks. AI governance is also advancing, with transparency and accountability requirements – such as algorithmic audits and risk-based oversight – gaining traction as the EU’s AI Act enters its general application phase in 2026, and U.S. agencies implement OMB mandates for inventories and governance structures.
These developments are increasingly interconnected: cybersecurity assurance practices like software bills of materials and secure update pipelines are being embedded into AAM infrastructure and AI-enabled flight systems; AI risk frameworks are shaping aviation automation and predictive maintenance; and incident reporting obligations under Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will apply to AAM operators and AI service providers. The result is a growing convergence of governance and assurance principles across the triangle of cybersecurity, AI, and AAM.
Where Gaps and Conflicts Will Persist
Despite progress, significant divergence remains. In AAM, operational rules for urban environments vary widely, particularly around airspace management and local permissions for vertiports and energy infrastructure, creating uncertainty for future cross-border commercial operations as well as future markets for cross-border AAM airframe sales. Authorities to counter unmanned aerial systems, both for governments and private sector, similarly haven’t progressed as needed, leaving gaps in security for airports and critical infrastructure.
Cyber defense maturity differs significantly across sectors, reflecting disparities in available funding as well as willingness to invest in protection and mitigation. Enforcement rigor also varies: some regions prioritize privacy or national security, while others lean on voluntary measures adopted by recognized private sector organizations. AI governance is perhaps the most fragmented. The EU’s AI Act imposes strict risk classifications and obligations for high-risk and general-purpose AI systems, while U.S. policy continues to favor a standards-based approach anchored in NIST frameworks.
Impact on Security
These differences create compliance and market complexity. In AAM, as an example, these differences mean the potential for slower growth of AAM production and operation in the United States, and between the United States and partner nations, as governments and private sector work through decisions on needed cyber protections and rules governing AI-supported systems and autonomous features.
Nation-state competitors, however, are not waiting for clarity. They are making strategic investments now, accelerating AAM deployments and embedding AI into offensive cyber capabilities to gain significant market share and long-term advantage. At the same time, critical infrastructure owners and operators, here and in partner nations, are making near-term buying decisions to meet operational needs. They are fully aware that choosing to buy a Chinese-made DJI drone, as an example, introduces security vulnerabilities into systems, operations, and supply chains.
Where frameworks align – such as CSF 2.0, OMB AI governance, and FAA AAM standards – investment in secure AAM corridors and cyber innovation will accelerate, fostering public-private partnerships in the United States and with our nation-state partners. Conversely, lack of clarity slows U.S. and like-minded nation investments, complicates supply chains, and creates exploitable vulnerabilities. The frameworks we adopt today will define the resilience of tomorrow’s critical infrastructure, systems, and national security.
What Security Leaders Should Do
2026 is the year the triangle tightens. Security leaders should support rapid policy evolution, engage in standards-setting processes, and build adaptive strategies that account for both convergence and conflict. The stakes are high: the frameworks we adopt today will define the resilience of tomorrow’s critical infrastructure, systems, and our national security. We must avoid ceding ground to competitors who are already operationalizing these frameworks.
