Cybersecurity Leaders Warn of AI-Accelerated Threats, Identity Fragility, and Geopolitical Risk -- FutureCon Baltimore - February 18, 2026

Cybersecurity leaders from government, enterprise, and the security industry gathered in Baltimore last week for the FutureCon Cybersecurity Conference, outlining a threat landscape defined less by incremental change than by structural disruption. Across keynote briefings, practitioner sessions, and a closing executive panel, speakers described an environment where artificial intelligence is compressing attack timelines, identity infrastructure remains dangerously fragile, and geopolitical dynamics are reshaping the economics of cybercrime.

Taken together, the discussions pointed to a strategic inflection point. Prevention-centric security models built on expanding stacks of tools are giving way to resilience-oriented strategies focused on recovery, architectural redesign, and operational speed.

AI as Both Weapon and Shield

The conference keynote featured Roy Luongo, former Chief Information Security Officer for the U.S. Secret Service, who framed the current strategic landscape by describing artificial intelligence as a dual-use force that is simultaneously strengthening defenders and empowering adversaries. Drawing on experience spanning national security, financial services, and federal law enforcement, Luongo emphasized that AI should not be understood primarily as a productivity enhancement or analytics upgrade. Instead, he characterized it as a contested operational domain in which advantage shifts rapidly between attackers and defenders.

Adversaries are already using AI to automate reconnaissance, refine phishing campaigns, accelerate vulnerability discovery, and scale social engineering efforts with a speed and precision that challenge traditional defensive assumptions. Defenders, in turn, are deploying machine learning to improve behavioral detection, anomaly identification, and response automation. The result is an accelerating cycle in which speed of adaptation becomes more consequential than static control frameworks.

Luongo stressed that effective cyber defense increasingly requires attacker-centric thinking shaped by red-team discipline, intelligence-driven analysis, and continuous scenario planning. Organizations that continue to rely primarily on compliance checklists or perimeter defenses risk falling behind adversaries capable of iterating in near real time. His central message echoed throughout the conference: in an AI-driven threat environment, cybersecurity maturity depends as much on the ability to anticipate and recover as it does on the ability to prevent.

Architecture, Not Tooling, Under Scrutiny

Todd Ellison, Director of Solution Architects with Nile Secure, a cloud-native networking company that delivers fully managed, zero-trust campus network-as-a-service solutions, directed attention to structural weaknesses associated with the foundational design assumptions underlying enterprise networks. Modern networks, he noted, were engineered primarily for connectivity and performance rather than adversarial resilience. Segmentation approaches such as VLANs attempt to retrofit protection onto legacy architectures, while organizations deploy dozens of overlapping security tools in an effort to compensate for those limitations.

“Networks were built to connect, not to protect,” Ellison said. “We really haven’t progressed past that basic level of technology. What we’ve done instead, as an industry, is layer on additional tools to try to secure networks.”

Yet breaches continue, not because of a lack of technology but because of misconfiguration, policy gaps, or failures in operational control. Ellison’s perspective reflected a broader shift across the industry. As attack automation accelerates, marginal gains from additional tools diminish, pushing organizations toward simplification, architectural redesign, and segmentation strategies aligned with zero-trust principles rather than continued expansion of security stacks.

Identity Resilience Emerges as a Primary Concern

James Ravenell, Senior Solutions Architect at Semperis, which focuses on protecting and rapidly recovering enterprise identity systems, shifted the conversation from strategic competition in AI to one of the most operationally fragile components of enterprise security: identity infrastructure.

Despite years of investment in detection and endpoint protection, he noted that many organizations remain unprepared to restore Active Directory or hybrid identity environments after compromise. Because attackers increasingly target authentication systems to maximize operational disruption, the inability to recover trusted identity services can prolong outages and complicate remediation.

“The fact of the matter is that identity recovery is not easy,” he said. “And it doesn’t matter if you’re doing this on premises, in a hybrid environment, or cloud native. This is a very challenging thing to ever have to recover from.”

Hybrid architectures that blend on-premises directory services with cloud identity platforms introduce new governance and recovery complexities that traditional disaster-recovery planning often overlooks. Organizations may detect an intrusion yet still struggle to re-establish trust in their own authentication backbone. Ravenell argued that tested recovery procedures, clean-environment rebuild capability, and continuous governance visibility are becoming as critical to resilience as preventive controls themselves.

AI Compresses the Timeline of Attack and Response

John Davies of Arctic Wolf, a provider of managed detection and response, cloud monitoring, and security operations services, described how AI-enabled adversaries are shrinking defenders’ response windows to a degree that challenges long-standing operational models. Telemetry across global networks suggests that attacks are no longer episodic but continuous, and the time between first intrusion and meaningful exploitation is shrinking rapidly, leaving defenders little room for manual analysis. Generative AI is enhancing phishing realism, automating reconnaissance, and accelerating exploit development in ways that compress traditional detection timelines.

“The median time from initial access to active exploitation has fallen from about 11 days in 2023 to roughly five days today, and about 80% of these attacks now leverage AI or large-language-model-based tools,” he said.

Security operations designed around multi-day investigation cycles must evolve toward near-real-time containment, Davies added. Defensive automation, behavioral analytics, and managed detection capabilities are becoming essential mechanisms for restoring balance. Even so, the pace of adversary innovation continues to test the limits of conventional security operating models.

Cybercrime’s Deepening Geopolitical Ties

Ryan Alban, Director of Solutions Engineering at Sophos, described how major cybercriminal groups have evolved from early malware ecosystems into modular, service-driven operations. In many cases, he said, those operations now intersect with state interests, complicating how organizations understand cyber risk.

Ransomware platforms, botnets, and exploit marketplaces now function with levels of specialization resembling legitimate software industries. In certain geopolitical environments, these ecosystems benefit from tolerance, protection, or indirect alignment with national objectives.

“Behind all of this, there are real people operating in a different part of the world, with a different set of values, looking to maximize their financial wealth,” said Alban.

Criminals, state officials, intelligence bosses and thugs all converge to blur the boundary between financially motivated crime and strategic cyber activity, complicating deterrence and response. Incidents that appear purely criminal may carry broader intelligence or geopolitical implications, requiring closer coordination between enterprises and government agencies. Effective defense, Alban suggested, now depends on integrated threat intelligence, cross-sector collaboration, and scenario planning that accounts for nation-state dynamics alongside technical remediation.

Public- and Private-Sector Leaders Compare Operational Realities

The conference concluded with a panel of cybersecurity and technology executives representing healthcare, education finance, defense, and Maryland state government, including Nish Majmudar of Blue Cross Blue Shield Association, Abiola Olamoyegun of PHEAA, Christopher Carter of V2X, Rich Schnell of the Maryland Department of Transportation, and Chris Houseknecht of the Maryland Comptroller’s Office. 

Despite differences in mission and regulatory environment, panelists described converging operational pressures shaped by expanding compliance expectations, persistent workforce shortages, growing third-party dependencies, and rising executive scrutiny of cyber resilience.

Public-sector leaders emphasized the complexity of protecting critical services and sensitive citizen data within constrained budgets, while private-sector executives highlighted the challenge of aligning rapid digital transformation with consistent governance and risk management. Across sectors, cybersecurity is increasingly understood not as a purely technical discipline but as a determinant of organizational continuity and public trust.

From Prevention to Resilience

Viewed collectively, the Baltimore sessions illustrated a clear strategic transition. For years, cybersecurity investment centered on perimeter defense, detection tooling, and compliance alignment, reflecting an assumption that breaches could be prevented or contained before systemic damage occurred. Speakers instead described a reality in which identity systems themselves are prime targets, artificial intelligence accelerates both offense and defense, attack timelines outpace manual response, cybercrime intersects with geopolitics, and architectural complexity undermines control.

Within this environment, resilience—defined by the ability to restore operations, re-establish trust, and adapt quickly under attack—is emerging as the organizing principle for cyber strategy.

Implications for CIOs and CISOs

For enterprise and public-sector technology leaders, the discussions in Baltimore pointed to priorities that are becoming increasingly difficult to postpone. Among the most urgent is the need for credible identity recovery readiness. As attacks shift toward authentication infrastructure rather than endpoints alone, the ability to restore trusted identity services may determine whether an organization can sustain operations following a major incident.

Security teams are also confronting the limits of tool-driven defense. The emphasis on architectural simplification reflects a growing recognition that reducing overlapping controls and redesigning segmentation can address structural weaknesses that additional products cannot resolve on their own. At the same time, artificial intelligence is reshaping defensive expectations. Automation, behavioral analytics, and machine-assisted detection are moving from optional enhancements to operational necessities in an environment where adversaries act at machine speed and response timelines continue to narrow.

Beyond technology, the geopolitical dimension of cyber risk is becoming more pronounced. Threat modeling that once centered primarily on financially motivated crime must now incorporate state influence, strategic intent, and the blurred boundary between criminal and national-security activity. These dynamics are reinforcing the importance of collaboration across sectors, where shared intelligence, coordinated response planning, and deeper public-private engagement are emerging as essential elements of effective defense.

Taken together, these developments underscore a broader transformation in the role of cybersecurity. What was once managed primarily as an IT safeguard is evolving into a core discipline of enterprise risk, operational continuity, and institutional trust.
