The cybersecurity industry is telling buyers to move faster. Many buyers are doing the opposite.
That doesn’t mean they’re ignoring the risk. It doesn’t mean they’re unconvinced by AI. And it definitely doesn’t mean security leaders have suddenly become relaxed about cyber threats. That would be a bold lifestyle choice, and not a sensible one. The real issue is more practical.
Enterprise security teams are being asked to make long-term cybersecurity investment decisions in a market that keeps changing shape. AI capabilities are evolving. Attack techniques are evolving. Vendor messaging is evolving. Even the language used to describe security products seems to change every few months.
So when a CISO looks at an AI-enabled security platform today, the question isn’t only, “Does this solve a problem?”
It’s also, “Will this still matter six months from now?”
That’s the tension sitting underneath a lot of current cybersecurity buying behaviour. Buyers aren’t waiting for AI to disappear. They’re waiting for the market around AI to become easier to trust.
The Cybersecurity Industry Is Changing Faster Than Enterprise Buying Cycles
Enterprise buying cycles were never built for this pace of change.
Security teams may identify a need quickly, but the actual buying process usually moves through budget approval, technical validation, risk review, vendor assessment, legal checks, procurement, integration planning, and internal stakeholder alignment. None of that happens overnight. Nor should it. A cybersecurity platform isn’t a stationery order. It becomes part of the organisation’s risk posture.
AI is moving on a very different clock.
Vendors are adding AI capabilities to existing products. New AI-native security companies are entering the market. Large platforms are repositioning around AI-powered operations. Agentic AI, which refers to AI systems that can take more autonomous action rather than simply answer prompts, has become one of the latest competitive battlegrounds.
You can see that shift in the market itself. Reuters reported that Databricks agreed to acquire Panther Labs as part of its push into cybersecurity, with Panther’s platform focused on consolidating security data so AI-powered agents can respond to rising threat volume and complexity. Reuters also noted that this was Databricks’ third cybersecurity acquisition.
That kind of activity matters because it tells buyers something important: the security vendor landscape is still being rearranged around AI.
For buyers, that creates a real problem.
If they buy a point solution now, will it still be independent in a year? If they invest in a specialised AI capability, will it be absorbed into a larger cybersecurity platform? If they commit to a platform roadmap, will the vendor’s AI strategy still be credible once the next model, agent framework, or attack pattern appears?
Those aren’t abstract concerns. They affect budget, architecture, integration, training, reporting, and accountability.
A fast-moving market is exciting from the outside. Inside an enterprise security team, it can feel like trying to pour concrete while the floor plan keeps changing.
Buyers Aren't Waiting Because They Distrust AI
The hesitation around AI cybersecurity isn’t a rejection of AI itself.
Most security leaders already know AI will reshape cyber defence. Many are already using it, planning for it, or being pushed to explain where it fits. The question is no longer whether AI belongs in cybersecurity. The question is where it creates durable value.
PwC’s 2026 Global Digital Trust Insights found that organisations are prioritising agentic AI for cloud security, data protection, and cyber defence and operations over the coming year.
That supports the point clearly enough. Buyers aren’t sitting around wondering whether AI has a future in security. They’re trying to work out which use cases deserve investment now, which ones should wait, and which ones are mostly vendor theatre with a dashboard attached.
The same tension appears in CISO investment data. RH-ISAC and IANS found that nearly 90 per cent of CISOs expect AI-security investment to increase over the next 12 to 18 months, with 43 per cent expecting significant growth.
But increased interest doesn’t automatically mean unlimited budget. That’s where the pressure sharpens. Security leaders aren’t evaluating AI in a vacuum. They’re evaluating it against ransomware exposure, cloud risk, identity sprawl, regulatory pressure, operational resilience, and the very boring but very real fact that budgets have limits.
KPMG’s 2026 Cybersecurity & Technology Risk Survey adds useful context here. It found that 83 per cent of organisations reported an increase in cyber attacks over the past 12 months, while only 24 per cent have fully integrated AI into cybersecurity. That gap matters.
Security teams are under more pressure, but many are still early in their AI maturity. They may be using AI in parts of the security operations centre, threat detection, vulnerability management, or reporting. But partial adoption is not the same as strategic confidence.
That’s where buyers are pausing. They’re not asking, “Is AI useful?”
They’re asking, “Which AI capabilities are mature enough to build around?”
The Real Fear Is Strategic Obsolescence
The real fear is not buying the wrong tool. It’s buying the right-looking tool at the wrong moment. Cybersecurity buyers know that some parts of the current market won’t survive in their current form.
Some AI security tools will become standard features inside broader platforms. Some vendors will be acquired. Some capabilities will become less valuable as models improve. Some workflows may disappear completely because AI changes how security teams investigate, triage, respond, and report.
That makes today’s buying decision feel unusually exposed.
In a normal technology refresh cycle, buyers can usually compare products against a fairly stable operating model. They know what the team does. They know where the tool fits. They know how success will be measured.
AI makes that harder.
If an organisation buys a tool designed to reduce alert fatigue, but its wider security platform adds stronger AI triage six months later, what happens to that investment? If a product is built around manual analyst workflows, what happens when those workflows become partly automated?
If a vendor promises AI-powered detection, how does the buyer know whether that capability is genuinely differentiated or simply using the same underlying models as everyone else? That’s why the word “future-proof” is doing a lot of heavy lifting in cybersecurity conversations right now.
The problem is that no product is fully future-proof. Not really. The better question is whether the investment is resilient enough to stay useful as the environment changes.
That means security leaders need to look beyond features. They need to understand architecture, integration, data access, governance controls, model dependency, roadmap credibility, and measurable outcomes.
This is where buyer hesitation becomes rational.
Waiting doesn’t always mean delay for the sake of delay. Sometimes it means the organisation is trying not to lock itself into a strategy that may age badly before the contract renewal arrives.
AI Is Changing The Threat Landscape At The Same Time
Cybersecurity buyers are dealing with uncertainty on both sides.
They’re evaluating AI-enabled defensive tools while attackers are also experimenting with AI. That makes the decision harder because buyers aren’t only asking what AI can do for them. They’re also asking what AI will help attackers do next.
Google Threat Intelligence Group said that it has seen a transition from early AI-enabled activity to the industrial-scale use of generative models in adversarial workflows. The group also described AI-enabled malware that can support more autonomous attack orchestration by interpreting system states and generating commands.
That doesn’t mean every cybercriminal is suddenly running advanced autonomous attack systems. The basics still matter. Phishing, credential theft, ransomware, exposed systems, weak access controls, and poor patching remain painfully effective.
But AI changes the economics of attack.
It can help attackers move faster. It can improve phishing quality. It can support reconnaissance. It can help generate or modify code. It can lower the skill barrier for some types of activity. It can also increase the volume of attacks that security teams need to triage.
Salt Security’s June 2026 research shows how this pressure is already affecting application security. It found that 90 per cent of security leaders have active concerns about AI-generated code, 67 per cent say AI coding assistants are widely adopted across development teams, and 38 per cent still rely mainly on manual review for AI-generated code.
That’s not only a coding issue. It’s a governance issue.
If AI increases software output, security review has to keep up. If development teams use AI tools faster than policies can adapt, risk starts spreading through normal business activity. If manual review remains the main control, the organisation may be trying to govern AI-speed work with pre-AI processes.
Security buyers can see this coming. They know they need better tools. But they also know the threat landscape isn’t finished shifting. So they’re trying to buy for a moving target.
Governance Has Become Just As Important As Detection
For years, security buying conversations often centred on detection.
Can the tool find the threat? Can it reduce noise? Can it block the attack? Can it help analysts move faster?
Those questions still matter. But AI has pushed another set of questions much closer to the centre of the buying process.
Can we govern this? Can we explain it? Can we audit it? Can we control what data it uses? Can we prove it’s working? Can we trust the vendor when something goes wrong?
The World Economic Forum’s Global Cybersecurity Outlook 2026 shows the shift clearly. It found that the share of organisations with a process to assess the security of AI tools before deployment rose from 37 per cent in 2025 to 64 per cent in 2026. But roughly one-third still lack any process to validate AI security before deployment.
That’s the gap buyers are trying to close.
AI creates new risks around data leakage, shadow AI, model reliability, prompt injection, and unclear accountability. Shadow AI simply means employees or teams using AI tools without proper approval or oversight. It’s not always malicious. Most of the time, it’s people trying to work faster. Unfortunately, good intentions don’t stop sensitive data from ending up in the wrong place.
RH-ISAC and IANS found that CISOs’ top AI security concerns include data leakage through public AI tools at 74 per cent, insider misuse or shadow AI at 56 per cent, lack of governance or usage policies at 49 per cent, accuracy and reliability of AI-generated outputs at 40 per cent, and model poisoning or prompt injection attacks at 29 per cent.
That list tells us something important.
Security leaders aren’t only worried about attackers using AI. They’re worried about their own organisations using AI in ways they can’t fully see, control, or defend.
That changes vendor evaluation.
A tool that detects threats well but creates governance confusion may not be enough. A platform that promises automation but can’t explain decision logic may make risk harder to manage. A vendor that talks confidently about AI but can’t provide detailed evidence, controls, and accountability may struggle to win trust.
And trust is already thin.
Sophos’ Cybersecurity Trust Reality 2026 found that 95 per cent of respondents don’t have full trust in their cybersecurity vendors. It also found that 79 per cent struggle to assess the trustworthiness of new cybersecurity partners, while 62 per cent find it difficult to assess existing vendors.
That’s a brutal number for the market.
It means AI isn’t arriving into a high-trust environment. It’s arriving into a market where buyers are already sceptical, already overloaded, and already asking vendors to prove more.
The Winners May Not Be The Vendors With The Most AI
The next phase of cybersecurity procurement probably won’t be won by the vendor that says “AI” the most times in a pitch deck. Mercifully.
The stronger position will belong to vendors that can show where AI improves security outcomes without making the operating model harder to govern. That’s a different kind of sale. It’s less about novelty and more about confidence.
Buyers are likely to care about several things. They’ll want stability. Not stagnation, but evidence that the vendor has a clear direction and won’t rewrite its entire story every quarter.
They’ll want integration. Security teams already have too many tools that don’t speak cleanly to each other. AI that creates another silo isn’t helpful. It’s just a shinier version of the same old problem.
They’ll want measurable outcomes. Fewer false positives. Faster investigation. Better prioritisation. Shorter response times. Clearer reporting. Lower operational burden. Better visibility across the environment.
And they’ll want governance built in, not bolted on afterwards.
That’s where the market may start to separate. AI features are becoming easier to claim. Trustworthy AI-enabled security will be harder to prove.
For buyers, the question becomes less “what can the AI do?” and more “what can the organisation safely depend on?”
That’s a much better question.
It brings the conversation back to enterprise security strategy rather than vendor excitement. It also helps security leaders avoid the trap of buying tools that look advanced but don’t make the security function more resilient.
Because the best cybersecurity platform isn’t the one with the loudest AI story. It’s the one that makes the organisation better at understanding, reducing, and responding to risk.
What Security Leaders Should Be Asking Right Now
Security leaders don’t need to wait for the AI market to become perfectly settled. It won’t. Technology markets rarely reach a neat little resting position because apparently that would be too kind.
But buyers can become more disciplined about how they evaluate AI security tools. The goal is not to avoid AI. It’s to avoid buying AI in a way that creates new uncertainty inside an already complicated security environment.
A useful evaluation should start with practical questions:
- What specific operational problem does this solve?
- Would this capability remain valuable if AI models improve significantly next year?
- Is the product improving an existing workflow, replacing one, or creating a new dependency?
- How dependent is the solution on proprietary models?
- What data does the tool use, store, share, or learn from?
- What governance controls are built into the platform?
- Can the organisation explain how decisions or recommendations are made?
- How easily does the tool integrate with existing systems and processes?
- Can value be measured independently of the AI claims?
- Is this a long-term platform investment or a temporary capability investment?
Those questions matter because they force the buying conversation back to value. Not hype. Not fear. Not the uncomfortable sense that everyone else may be moving faster. Actual value. If the answer is clear, the product is easier to defend internally. If the answer is vague, that tells the buyer something too.
For many organisations, the strongest approach may be phased. Start with high-friction workflows where AI can create measurable improvement. Build governance around those use cases. Track outcomes. Then expand when the organisation has enough confidence to do so responsibly.
That’s slower than the market would like. It’s also how serious enterprises tend to make decisions when risk, budget, operations, and accountability all meet in the same room.
Final Thoughts: The Challenge Is Not AI, It's Timing
Cybersecurity buyers aren’t waiting because they’ve lost confidence in AI.
They’re waiting because AI has made the buying decision more complicated. The technology is changing. The threat landscape is changing. The vendor market is changing. And security leaders are being asked to make decisions that may shape their architecture, budget, and risk posture for years.
That’s why the concern about relevance matters so much.
If a cybersecurity solution bought today may feel outdated in six months, hesitation isn’t weakness. It’s a signal that buyers are thinking strategically. They’re not only asking whether a product works now. They’re asking whether it will still belong in the security roadmap once the next wave of AI change arrives.
The organisations that make the strongest decisions won’t be the ones chasing every new AI capability. They’ll be the ones that can separate lasting security value from short-term market noise.
AI will keep changing cyber defence. It’ll keep changing cyber attacks too. But the best buying decisions will still come down to the same grounded questions: what risk does this reduce, what value does this create, and can we trust it enough to build around it?
For security leaders trying to make those calls, EM360Tech will keep tracking how vendors, attackers, regulators, and enterprise peers are adapting, so the decisions ahead feel less like guesswork and more like strategy.