2026 Product Security All-Stars: 9 Things The Best Practitioners Are Doing Differently

In 2025, the first-ever Cycode Product Security All-Stars report captured the moment development stopped being merely AI-assisted and started becoming agentic. This year, that transition has accelerated into something far more fundamental, and the 2026 edition has even more to offer.

The contributions come from 14 security leaders in diverse industries, organization sizes, and job functions.  

From Product Security Managers in the trenches to CISOs at large companies, their answers shed light on what security means and where it is heading in a world shaped by AI. 

Below are the most important takeaways shaping product security right now; download the 2026 Product Security All-Stars report to read the full interviews.

1. AI Doesn’t Replace Humans, It Frees Them from the Boring Work 

Despite the noise around AI in security, there is still a lot of confusion about where it fits and what comes next. The reality is that AI will become part of the security team's toolkit, but human oversight will remain critical.

Kevin Markley and Julie Chickillo both make this point: AI systems can take on routine processes such as triaging findings and reviewing code.

That leaves humans free to focus on architecture, risk assessment, and governance decisions.

2. The SDLC Is Dead, Welcome to the ADLC 

The traditional Software Development Lifecycle (SDLC) was built for a human-paced world. That world no longer exists. 

Multiple contributors, including Daniel Hammon, describe a shift toward an AI-native, Agentic Development Lifecycle (ADLC), where code is generated, tested, and even remediated autonomously by AI.  

Security must now operate continuously, embedded across this agentic lifecycle.

3. Security Teams Are Becoming Orchestrators, Not Operators 

The function of the security team is undergoing a paradigm shift. Instead of analyzing code and responding to alerts by hand, security teams now direct agent-based systems that do much of that work.

As Anshuman Bhartiya puts it, security engineers are becoming orchestrators who coordinate AI-driven processes.

Chase Pettet adds to this shift by reframing the role of traditional security teams, moving from hands-on execution to ensuring that systems operate safely at scale.  

As software creation expands beyond traditional developers, security’s role becomes less about doing the work and more about designing the systems and boundaries that govern it. 

4. The Era of “Fix Everything” Is Over 

It used to be that security success was all about numbers: number of vulnerabilities discovered, number of vulnerabilities patched. But that paradigm is broken. 

As Nikola Dalcekovic, Kimberly Mattheys, and Rusty Perry all point out, the new paradigm is about what is actually exploitable in context. The most effective tools in a team's arsenal today tie together code, identity, and runtime context so that risk can be prioritized for real: a critical CVE in a library that is never loaded, or that runs only in a workload with no network exposure and a low-privilege identity, should rank below a medium finding that is reachable from the internet.

Fixing more findings is not the goal. Identifying, prioritizing, and fixing the vulnerabilities that matter most is.
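As an added illustration of what "code, identity, and runtime context" means in practice, the following Python sketch ranks scanner findings by contextual risk rather than by CVSS alone. It is not code from the report or from any Cycode product; the field names, the weights, and the sample findings are assumptions constructed for this example, and a real scoring model would be calibrated against the organization's own environment.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Finding:
    """One scanner finding enriched with the context needed to judge exploitability.

    The field names are an assumption for this example, not a standard schema.
    """
    id: str
    cvss: float               # base severity as reported by the scanner (0-10)
    reachable: bool           # code context: vulnerable function is on a call path from an entry point
    deployed: bool            # runtime context: the affected artifact is actually running somewhere
    internet_exposed: bool    # runtime context: the running workload accepts traffic from the internet
    identity_privilege: str   # identity context: privilege level of the workload identity
    exploit_available: bool   # a public exploit or active exploitation is known


# Assumed weights: how much a compromise of this identity buys an attacker.
PRIVILEGE_WEIGHT = {"admin": 1.0, "write": 0.7, "read": 0.4, "none": 0.2}


def risk_score(f: Finding) -> float:
    """Collapse severity plus code, runtime and identity context into one ordering key.

    The factors are multiplicative, so a single missing precondition (not deployed,
    not reachable) pulls even a CVSS 9.8 to the bottom of the list.
    """
    if not f.deployed:
        return 0.0                          # nothing runs it, so it is not exploitable today
    score = f.cvss / 10.0
    score *= 1.0 if f.reachable else 0.25  # unreachable code is rarely worth a hotfix
    score *= 1.0 if f.internet_exposed else 0.5
    score *= PRIVILEGE_WEIGHT[f.identity_privilege]
    if f.exploit_available:
        score *= 1.5                        # weaponised bugs get bumped, whatever their CVSS
    return score


def prioritize(findings: Iterable[Finding]) -> List[Finding]:
    """Highest contextual risk first; raw CVSS only breaks ties."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)


def fix_now(findings: Iterable[Finding], threshold: float) -> List[str]:
    """The 'fix what matters' list: ids whose contextual risk clears the threshold."""
    return [f.id for f in prioritize(findings) if risk_score(f) >= threshold]


def prioritized_ids(findings: Iterable[Finding]) -> List[str]:
    return [f.id for f in prioritize(findings)]


# Constructed sample findings for the example; not real scan output.
SAMPLE_FINDINGS = [
    Finding("critical-unused", 9.8, True, False, True, "admin", True),
    Finding("high-exposed", 7.5, True, True, True, "write", True),
    Finding("medium-internal", 6.5, True, True, False, "read", False),
    Finding("critical-unreachable", 9.1, False, True, True, "admin", False),
    Finding("high-admin-internal", 8.8, True, True, False, "admin", False),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.id:22} cvss={f.cvss:4} context_risk={risk_score(f):.3f}")
    print("fix now:", fix_now(SAMPLE_FINDINGS, 0.4))
```

Run as a script, the two "critical" findings land at the bottom of the list: one is never deployed and the other is not reachable from any entry point, while the CVSS 7.5 bug that is internet-exposed, reachable, and has a public exploit comes out on top. The `fix_now` threshold is the practical output: a short list a team can actually close this sprint, instead of a count of everything the scanner saw.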

5. Developer Enablement Beats Developer Gatekeeping 

That friction undermines security was one of the clearest themes in this year's report. Several contributors, including Conleth Kennedy, reject heavy-handed controls that block developers.

They prefer to build security directly into the development process through automation, policies, and self-service. The goal: make the secure path the easiest path.

6. Translating Risk into Business Language Is the Defining Skill 

Technical know-how is no longer sufficient on its own. 

Miriam Celi, among others, makes this point plainly: security risks will not be acted on unless they are translated into business consequences, such as financial loss, damage to customer confidence, or regulatory exposure.

7. “Silent Threats” Don’t Show Up in CVE Databases 

Some risks are never obvious, and that is where the biggest weaknesses are surfacing.

One example is Priya Balasubramaniam's observation on tainted supply chains; other contributors raise fragmented identities and the rise of decision manipulation.

Many modern risks have no CVEs, no fingerprints, and no easily recognizable hallmarks. Instead, they live in dependencies, in interactions with AI systems, and in business processes.

8. Security Culture Still Outperforms Any Tool 

So, what actually makes a difference? Tools help, but culture determines outcomes. 

Many leaders emphasize behavioral change and incentives; Cássio Pereira adds that security only works when culture, processes, tools, and automation are all aligned.

The message is unequivocal: Security is only successful if it’s an organizational priority, not just something for one group to handle. 

9. The Open Source Ecosystem Is Quietly Under Pressure 

One of the more nuanced yet critical risks in the report is the increasing burden placed on open-source software.

According to Jamie Dicken, open-source maintainers are more swamped than ever with AI-generated contributions and vulnerability alerts. Combined with other factors, such as a lack of trust in dependencies, this puts the software supply chain at risk.

We’re Just Scratching the Surface… 

These insights are only the tip of the iceberg of what's inside the 2026 Product Security All-Stars report.

To see how leading practitioners are adapting in real time (and what it means for your own security strategy) explore the full report here.