James Lyne, CEO at SANS Institute
Rob T Lee, Chief of Research and Chief AI Officer at SANS Institute
More than half of organisations (54%) report having AI governance policies on paper, but only 38% actually provide comprehensive AI security training to staff.
“Policy without practice is just paper,” Lee told the RSAC audience, pointing to recent incidents including Meta’s internal AI agent triggering a data breach on March 19 and Codeway’s chat app exposing 300 million private messages from 25 million users. “What does your policy say about Agentic AI? Can people use agents in your organisation? What are they connected to? These are the questions organisations should be answering right now.”
The data reveals that AI’s primary impact is on efficiency, not elimination. Forty-nine percent of organisations report reduced manual analysis time and 48% cite workflow automation gains. Only 16% report actual headcount reduction. But the structural implications run deeper: among organisations experiencing role changes, SOC and security analysts lead reductions at 32%, followed by threat intelligence analysts at 26% and incident responders at 22%. These are precisely the entry-level positions where the next generation of cybersecurity leaders has traditionally learned their craft.
At the same time, entirely new job categories are emerging. Among organisations adding roles, 34% have filled AI/ML security specialist positions, 32% added AI security engineers and 30% employed AI governance analysts. Rob T. Lee reported finding more than 2,500 active AI/ML security engineer postings on job platforms as of March 21, a category that barely existed three years ago.
Regulatory compliance emerges as the biggest hiring driver in cybersecurity history
The report’s most dramatic year-over-year shift is in regulatory impact. In 2025, 40% of organisations reported that regulatory directives were affecting their hiring practices. In 2026, that number surged to 95%, a 55-point increase that represents the fastest acceleration of any metric in the report’s history.
“That is a pretty fascinating shift,” said James Lyne, CEO of SANS Institute. “This isn’t mild compliance adjustment. Organisations are building entirely new specialist positions, restructuring teams around regulatory requirements and facing real enforcement consequences if they don’t.”
The regulatory pressure is coming from multiple directions. NIS2 leads at 30% of organisations reporting hiring impact, followed by CMMC at 29%, DORA at 26%, DoD 8140 at 24% and SEC regulations at 21%. NIS2 is now in active enforcement mode, with approximately 19,000 companies estimated non-compliant as of March 6, 2026, and fines up to €10 million or 2% of global turnover in play. Personal liability for executives adds urgency: the US Department of Justice settled seven cybersecurity fraud cases in 2025 under the False Claims Act.
The demand for new specialist roles nearly doubled, jumping from 23% to 53% year over year. Framework adoption is accelerating in parallel: fifty-six percent of organisations now use NICE or ECSF workforce frameworks to define cybersecurity roles, up from 46% in 2025.
The skills gap is producing measurable security failures
The consequences of widening skills gaps are no longer theoretical. The report documents that 27% of organisations have experienced actual security breaches as a direct result of workforce capability gaps. Skills shortages also drive delayed projects (57%), increased team burnout (47%), slower incident response (47%), inability to adopt new technologies (42%) and reduced monitoring capabilities (42%).