It’s hard to believe 2025 is already wrapping. As is pseudo-tradition, I wanted to share a couple of thoughts on how I think 2026 will go and review my original 2025 predictions I made last year.
2025 Predictions: How’d I do?
We’ll take the summative approach here, let’s review!
- The Identity Evolution: We’re seeing more and more identity-centric requests at Pax8 Pro Services, which is amazing. With the advancement of “Agents” and AI assistants, identity security is essential. The progress is slow, but noteworthy.
- Tech Debt Indeed Still Haunts: I’ve been seeing slow progress towards modernization, but certainly not enough progress on tech debt pay-down. We’re still moving a lot of legacy crap to the cloud.
- We’re Still Struggling with Basic Cyber Hygiene: I don’t know what else to say. If you don’t have 100% MFA adoption, mature and verifiable patching, effective detective controls… you’re behind. We’re raising the tide, rise with us or drown. I’m not saying that to dismiss, I’m saying that to indicate that you must lean in and pivot your conversations to drive these critical milestones.
- AI is an Increasingly Powerful Tool and, Yep, It’s an Insider Threat: I’ve been seeing more talk about controls around AI tools like DLP, labeling, et al. However, we need more action. We successfully drove more affordable licenses to market alongside Microsoft this year, and that feels like a good start!
- Market Forces Hardly Pushed: We didn’t see the push we wanted. The market has to force and incentivize the change, and right now we’re going backwards. AI investors are chasing dragons like “AGI” and brushing aside safety and security. This has to change soon.
- Attrition: It’s there: Yes, we saw some attrition. MSP911 (Matt, Jason and team) saw some attrition first hand. Attrition will continue, partly because of cyber, moreso because the market is changing and businesses need business advisors, not just nerds anymore. Technical excellence is table stakes, advisory is a value multiplier.
Alright, Let’s Get That Crystal Ball Out
This is the fun part. In no particular order, here are some takeaways from little notes I’ve been taking for weeks.
Cyber All Up
Sorry for the doom, but I think things have to get worse before they can get better. Like I mentioned before, the market isn’t incentivizing safety. It’s incentivizing vanity, and that means quality and safety will suffer. Historically, intervention doesn’t happen until the consequences of not intervening become untenable, and I don’t think we’re there yet. I think we’ll see plenty more bad code, inexcusable breaches, and basic hygiene-related failures. We’ll even see more real world, physical consequences attributable to cybersecurity failure. Think about OT in critical infrastructure and how AI will eventually touch it, or healthcare networks…
I don’t think it’s all bad. I think there are segments of the market that will grow spectacularly in maturity for sure. I just don’t think we’ll see it on a macro level. If you aren’t already, now is the time to frame critical risk conversations and have them with business leaders. BEFORE they have language models that don’t like following instructions in their environment.
Identity Will Keep Growing
Identity is King. It has been for a while, and will continue to be. We’re seeing Microsoft and others invest heavily on this front. Better application governance (apps have identities!), identities for Agents, and continued emphasis on securing human identities.
Identity has to be at the center of your security strategy. There’s no way around that, it just has to happen. We need to think about the finer details in the coming months and years. How are your automations or agents identifying themselves? Are we taking advantage of “on behalf of” capabilities that are coming out? Do we have an “identity killswitch” (privilege revocation) for runaway agents?
The basics here are critical as well! Healthy Conditional Access enforcing MFA, regular practices to cleanup unused identity, etc. Moreover, the basics are shifting under you whether or not you’re caught up.
The standard is rapidly moving towards phishing resistant authentication, stricter controls on application scoping, and layers of access management most SMBs (and many enterprises) have yet to venture towards.
Data Management and Security Governance
I’m squeezing these into one section on purpose. We have to get better at understanding our data, knowing what we have vs. what we need. We have to organize it, label it, apply access controls to it. We need to purge data we don’t need as well. This has the double benefit of making your AI tool more able to parse the data, and reducing the risk presented by said data.
This brings Governance into the picture, and it has to be dealt with. We have to document our security programs so that we can prove them. We need to set and enforce user expectations and policies.
On MSP1337, Chris Johnson and I settled that the risk register needs to come into play. We’re going to have a lot of work to do on tech debt and risk management. We have to inventory our risk, get in the business, and help business leaders prioritize it. This creates an immortal process of continuous improvement, finding and fixing new problems regularly.
Managed Intelligence
I have been chewing on this one for a bit. I’m pretty bullish on the Managed Intelligence idea, but maybe not at the light speed that the market is projecting. In practice, today, we’re seeing environments that Agents will simply fall over in, and we have to respect that. We’re also seeing mixed levels of desire to actually adopt, and this drives the need to start small.
If you’re serious about this, now is the time to make adjustments to how you interact in your existing client base and offerings. Stop being just the techy, start being the business advisor. Instead of hiring another engineer, think about consultancy talent for services like business process mapping (e.g., mapping a client’s quote-to-cash process).
So many small business owners out there simply cannot see the opportunity, or they do and don’t understand that it’s easier to attack than they think. Uncovering small but meaningful opportunities to drive business value is your gateway, and has the added benefit of creating manageable learning opportunities for your team.
The AI Bubble
I’m not a market projection person, and I don’t often venture there. However, I feel the need to recently. If in five years, there hasn’t been a “pop,” but the market still looks anything like it looks today, I’ll still be telling you we’re in a bubble.
AI, in general, is in the “new and cool but inexperienced kid” phase. We’re seeing startups materialize into bullshit valuations left and right. Often without meaningful revenue, sometimes without a functional product. We’re seeing infrastructure projects pop up faster than the public infrastructure around them can sustain.
Perhaps most notably, we’re seeing “AI Startups” create what amounts to a feature within another’s platform. This means that the dominant platform players (Microsoft, Salesforce, Hubspot) will turn your fancy little tool into a feature in their platform that gets to skip all the GRC and budget checks. They’ll kill your AI startup in less time than it took you to think about it.
Maybe not in 2026, but at some point, I think 80%+ of these new startups are going to die. Not be acquired, just be out maneuvered.
However, I also think the “bubble pop” will represent a necessary market correction. It will bring us back to sanity and create focus on things that consistently create meaningful value. However again, on this several-edged sword, it also means the highest quality will be killed off with the platform play. We won’t have the best products, we’ll have the pre-integrated products. This is how enterprise software companies survive. They get market dominance, and the quality of the tool matters less and less over time.
We also can’t overlook the market opportunity that exists within platform players. Aggregate marketplaces (yes, I work for one, but my point stands) will provide huge opportunity to sell and deliver solutions built within platforms. Think of Copilot Studio agents, Power App configurations, etc.
The AI Market Upside
MSPs and young entrepreneurs are poised to win. Not because we’re AI startups, but because we’re using AI tools to drive our startups. Even if they don’t drive the shiniest features, these platform players will be able to drive consistent value. Those that learn how to maximize the output of these technologies will be able to out maneuver competition, start focused businesses that can grow in ways we haven’t seen. You (or maybe more accurately our kids) will be able to drive outsized value for each other that can create massive economic exchanges and growing wealth.
The opportunity lies not in building AI fluff, but in using AI to drive meaningful outcomes for those you’re looking to serve, in arenas where platform dominance is inherently weak.
Citizen Development (“Non-Developer Developers”)
This is both exciting and terrifying. Citizen Development has been tossed around for a long time, but has never been particularly successful in practice. Power Apps is cool, but hasn’t historically been so easy that anyone can develop. AI drives real capabilities here, but also immense risk.
“Micro apps” that drive specific workflows can transform businesses, and those willing to make the right, often small investments in this direction can use it to their advantage. But every coin has two sides.
AI can write great code, sure, but it often isn’t secure or logical code. We have to be extremely cognizant of this as we empower this change, and it is on the technologists of the world to educate on how to do this correctly.
This matters. Embrace those with less ‘skill’ who are venturing, mentor them, teach them what ‘right’ looks like, and build roads with guardrails that allow innovation to scale while risk stays managed. Empowerment without visibility, ownership, and boundaries isn’t innovation; it’s deferred incident response.
Wrapping It Up
I’ve got plenty more predictions, but I’m not trying to write a book here. I think 2026 is bound to be eventful in so many ways. It will be hard and continue to get harder. We have to dive into human relationships, not just sit on old transactional B2B ways. We have to reframe our value and create more of it.
I’ll leave you with a parting though I had on Beard Banter:
Technology is changing and evolving at a speed we haven’t really seen before. It’s terrifying, and it won’t all be good. But we should be embracing that, doing our best to keep up, and learning how to use this innovation to drive the outcomes we want.