As part of an online miniseries, Adam Markowitz, Co-Founder and CEO, and Matt Hillary, SVP of Security and CISO of Drata, discuss their industry predictions for 2026.
Can you tell me a bit about yourself, your job role and how long you have been at the company?
AM: My name is Adam Markowitz and I am the Co-founder and CEO at Drata, an AI-native trust management platform that champions automation to streamline governance, risk, compliance and assurance, which was launched in 2021.
Drata helps 8,000+ customers in 60+ countries across the globe develop a more secure, proactive, audit-ready and risk-aware organisation to continuously maintain trust.
Before Drata, I was the Founder and CEO of edtech startup Portfolium, which was acquired by Instructure in 2019.
I’ve also worked as an aerospace engineer designing, analysing and testing liquid rocket engines for NASA’s next generation Space Shuttle Main Engine.
MH: My name is Matt Hillary and I am the Senior Vice President of Security and CISO at Drata where I oversee Drata’s global security, IT, compliance and privacy strategy and programmes.
I’ve been at Drata for just under three years and I have over fifteen years of experience in security leader roles, building and leading exceptional security programmes.
Some of my areas of expertise include risk management, IT governance, security, compliance, identity and access management, application security and data protection.
What are some of the key trends and predictions you think we will see in the security industry in 2026?
AM: By 2026, the era of timeline gimmicks in trust management – like promises of “compliance in two weeks” or bundling in audits – will be over.
These shortcuts may have attracted attention early on, but they’ve eroded confidence in the entire category.
Enterprises facing relentless regulatory scrutiny, escalating third-party risks and customers who expect transparency in real time will no longer settle for surface-level signals of compliance based on point-in-time checks.
The next phase of trust management will be defined by continuous assurance – a model where businesses can demonstrate that their controls, vendor relationships and compliance frameworks are not only documented but actively working at all times.
The companies that endure will be those built on staying power and substance, able to provide verifiable, real-time proof of trustworthiness.
In this landscape, assurance will no longer sit adjacent to governance, risk and compliance (GRC); it will be fully integrated, reshaping the very definition of trust management.
MH: By 2026, shadow AI won’t just be a nuisance, so we should expect more and more discovered and disclosed instances of where shadow AI is traced back to trust-impacting incidents.
Just as shadow IT reshaped the risk landscape a decade ago, employees today are already turning to unsanctioned AI tools, models and agents to accelerate their work.
This trend is unstoppable; it will only grow as pressure mounts to move faster, do more and be more productive.
The result will be sprawling risks: Potential data leaks, noncompliance, privacy implications, security blind spots, unanticipated actions taken by AI agents ultimately attributed to the accountable human and blurred lines of accountability when AI goes wrong.
Companies won’t be able to contain it with policies alone.
They’ll need to fundamentally rethink their governance, visibility and culture to stay ahead. Shadow AI is not a side issue.
It’s the next frontier of enterprise chaos and only those who prepare now will survive the reckoning or realise the fulfilment of the associated risks becoming a reality.
What is one piece of advice you would give organisations and professionals as they head into 2026?
AM: For years, compliance management has leaned on spreadsheets and screenshots – a fragile, manual system built on human input and prone to human error.
By 2026, that dependence won’t just be outdated, it will be dangerous. As regulations tighten and scrutiny intensifies, enterprises clinging to spreadsheet-driven compliance will face major violations, not just inefficiencies.
The gaps, version errors and lack of real-time visibility will leave businesses vulnerable to missed controls, audit failures and even legal consequences.
The next era of trust isn’t about doing the same manual work faster.
It’s about replacing brittle systems with intelligent solutions that provide continuous, automated assurance. In 2026, legacy practices won’t just slow companies down, they’ll expose them.
MH: Trust is no longer a marketing line – it’s survival.
In a world where every interaction, transaction and compliance claim can be faked, managing trust has become the new existential discipline.
Companies won’t just need to earn trust; they’ll need to prove it continuously with verifiable data, transparency, openness and accountability.
The ones who thrive will treat trust like uptime: Monitored, measured, reported, verified and never assumed.
To that end, annual audits won’t cut it anymore; customers now want live, continuous proof that your controls actually work.
Real-time assurance is shifting from a back-office ideal to a front-line demand, as buyers, partners and regulators all expect transparency that updates as fast as the risks do.
Showing automated, API-level evidence and continuous control validation without waiting for an audit cycle are essential to meeting this demand.