How CTEM, AI, and access control redefine OT security in 2026
By Carlos Buenano, Field CTO for OT, Armis
As we step into 2026, AI-driven adversaries, supply chain fragility, and relentless digitisation are forcing Operational Technology (OT) security to mature fast. Here is what 2026 looks like:
AI-Powered adversaries demand autonomous defence
AI is no longer an abstract threat vector; it’s an operational force multiplier that attackers are leveraging with frightening results. We’re witnessing adversaries use autonomous agents to probe networks, map exposed devices, and launch dynamic exploitation campaigns that run continuously.
In 2026, defences will have to act just as autonomously: isolating compromised segments, or forcing operators to re-authenticate with a second factor when conditions look suspicious. In OT, where minutes of downtime can mean millions, automation that responds at machine speed will be the only meaningful defence.
CTEM becomes the operational centre of gravity
A few years ago, “CTEM” was just another Gartner acronym. In 2026, it’s the organising principle for any serious OT security program. CTEM represents a shift from periodic vulnerability management to continuous, risk-based exposure assessment and management across hardware, firmware, network paths, and even supply-chain dependencies.
But the key difference this year is context. Exposures are being aligned with what actually matters: the physical process, the human safety implications, and the potential operational impact.
The cybersecurity landscape in 2026 is clearly set for a strong and necessary integration in which vendors use CTEM's risk context to directly inform firewall enforcement, workflows, and reporting.
This integration is driven by the final “Mobilisation” step of the CTEM cycle, which demands that validated, confirmed high-priority exposures lead to immediate, automated remediation.
Specifically for firewalls, this means a CTEM platform will no longer just issue a general alert but will use its deep, risk-based context to trigger a Security Orchestration, Automation, and Response (SOAR) playbook that pushes a micro-segmentation policy or a temporary block rule to the Next-Generation Firewall (NGFW), effectively “virtually patching” the exposure until a permanent fix is applied. Two caveats matter in OT: the temporary rule should carry an expiry so that it cannot silently become permanent, and it should be checked against the process's legitimate traffic so that the virtual patch does not itself halt production.
This automated workflow, combined with unified, business-risk-aligned reporting, will shift security teams from reactive firefighting to a proactive, measurable risk reduction strategy, fulfilling Gartner's prediction that organisations prioritising their security investment through a CTEM programme will see a two-thirds reduction in breaches by 2026.
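To make the Mobilisation step concrete, here is an added example, written for this page rather than taken from Armis or from any SOAR or NGFW product's API. It scores each exposure by severity, by the least trusted zone that can reach the service, and by safety impact, then emits a time-limited deny rule only for exposures that were validated and scored above a threshold; everything else becomes a ticket. The record layout, zone names, weights, threshold and rule format are assumptions, and the exposures are constructed, not real assets.

```python
"""Added example (not Armis code, not a real SOAR or NGFW API): a minimal CTEM
Mobilisation step that turns validated, high-priority exposures into temporary
deny rules, i.e. virtual patches. Record layout, zone names, weights and the
rule format are assumptions for illustration only."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Exposure:
    asset: str                 # constructed address of the exposed device
    proto: str                 # transport protocol of the exposed service
    port: int                  # e.g. 502 for Modbus/TCP
    cvss: float                # vulnerability severity, 0-10
    validated: bool            # exploitability confirmed by the Validation step
    reachable_from: list       # network zones with a path to the service
    safety_impact: bool        # compromise could endanger people or the process
    patch_available: bool


# Assumed trust weights: a path from a less trusted zone raises the score.
ZONE_WEIGHT = {"internet": 1.0, "corporate_it": 0.6, "dmz": 0.4, "ot_cell": 0.1}


def exposure_score(e: Exposure) -> float:
    """Severity scaled by the worst reachable path, plus a safety uplift, capped at 10."""
    worst_path = max((ZONE_WEIGHT.get(z, 0.5) for z in e.reachable_from), default=0.0)
    score = e.cvss * worst_path + (3.0 if e.safety_impact else 0.0)
    return round(min(score, 10.0), 2)


def mobilise(exposures, now, threshold=7.0, ttl_hours=72):
    """Return (rules, tickets). Only validated exposures at or above the threshold
    get an automatic block rule, and every rule carries an expiry so the virtual
    patch cannot silently become permanent. Every exposure gets a remediation ticket."""
    rules, tickets = [], []
    for e in exposures:
        score = exposure_score(e)
        if e.validated and score >= threshold:
            for zone in e.reachable_from:
                if zone == "ot_cell":  # never auto-block traffic inside the cell
                    continue
                rules.append({
                    "action": "deny",
                    "src_zone": zone,
                    "dst": e.asset,
                    "proto": e.proto,
                    "dport": e.port,
                    "expires": (now + timedelta(hours=ttl_hours)).isoformat(),
                    "reason": f"CTEM virtual patch, score={score}",
                })
        tickets.append({
            "asset": e.asset,
            "score": score,
            "action": "apply vendor patch" if e.patch_available else "compensating control",
        })
    return rules, tickets


# Constructed sample exposures; none of these are real assets.
SAMPLE = [
    Exposure("10.20.1.15", "tcp", 502, 9.8, True, ["corporate_it", "ot_cell"], True, False),
    Exposure("10.20.1.22", "tcp", 44818, 7.5, False, ["corporate_it"], False, True),
    Exposure("10.20.1.40", "udp", 161, 5.3, True, ["ot_cell"], False, True),
]


def run_sample():
    """Run the playbook over SAMPLE at a fixed time so the output is reproducible."""
    return mobilise(SAMPLE, datetime(2026, 1, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    rules, tickets = run_sample()
    for item in rules + tickets:
        print(item)
```

Only the first exposure produces a rule: it is validated, reachable from corporate IT, and safety-relevant, so the deny is placed at the IT-to-OT boundary and not inside the cell. The second scores high but was never validated, and the third is only reachable from within the cell, so both get tickets rather than automatic enforcement.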
Access decisions and the principle of least privilege
A core pillar of modern OT resilience in 2026 is the enforcement of least-privileged access. As we harden supply chains and operational networks, access decisions must become dynamic, auditable, and context-aware. Every human, machine, vendor tool, or firmware update should be treated as an identity that earns only the rights required, for only the time necessary, and only on the systems needed.
This means enforcing role-based and attribute-based access controls (RBAC and ABAC) within control environments, using just-in-time (JIT) elevation for maintenance tasks, short-lived credentials for vendor sessions, and hardware-backed identities for devices.
Firmware updates should always be digitally signed and verified before deployment, and vendor access must pass through brokered, monitored jump hosts with session recording and automatic credential revocation once work is complete.
When these access decisions feed into CTEM, exposure scoring becomes far more precise by tying risk not only to asset vulnerabilities but also to who or what can actually interact with that asset. In other words, identity becomes an active exposure variable.
This shift helps organisations detect over-provisioned accounts, orphaned vendor credentials, and unsafe maintenance workflows before attackers exploit them.
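The following added example shows what it means to treat identity as an exposure variable. It is written for this page and is not Armis code; the record layout, role names, weights and thresholds are assumptions, and the assets and grants are constructed. Each grant is checked for expiry, standing (non-JIT) vendor or engineering access, and long idle periods that suggest an orphaned credential; an asset's exposure is then its severity times criticality, scaled by the strongest role that can still reach it, plus a point for each flagged grant that reaches it.

```python
"""Added example (not Armis code): identity as an exposure variable. Each access
grant is checked for over-provisioning, expiry and orphaning, and an asset's
exposure is scaled by the strongest live grant that can reach it. Record layout,
role names and weights are assumptions for illustration only."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Asset:
    name: str
    cvss_max: float          # worst unpatched vulnerability on the device
    criticality: float       # 0-1, process and safety impact weighting


@dataclass
class Grant:
    subject: str             # human, vendor account, service or tool identity
    role: str                # view | operate | engineer (can change logic/firmware)
    assets: list[str]        # assets the grant reaches
    kind: str                # employee | vendor | service
    jit: bool                # issued just-in-time for a maintenance window
    expires: datetime | None
    last_used: datetime | None


ROLE_WEIGHT = {"view": 0.2, "operate": 0.6, "engineer": 1.0}


def grant_findings(g: Grant, now: datetime, idle_days: int = 90) -> list[str]:
    """Policy checks on a single grant; an empty list means it looks healthy."""
    findings = []
    if g.expires is not None and g.expires < now:
        findings.append("expired grant still active")
    if g.kind == "vendor" and not g.jit:
        findings.append("vendor access is standing rather than JIT")
    if g.role == "engineer" and not g.jit:
        findings.append("standing engineering rights; use JIT elevation")
    if g.last_used is not None and (now - g.last_used).days > idle_days:
        findings.append(f"unused for more than {idle_days} days, likely orphaned")
    return findings


def asset_exposure(asset: Asset, grants: list[Grant], now: datetime) -> float:
    """Severity x criticality, scaled by the strongest role that can reach the
    asset (an unreachable asset scores half), plus one point per reaching grant
    that has a finding. Capped at 10."""
    reaching = [g for g in grants if asset.name in g.assets]
    strongest = max((ROLE_WEIGHT[g.role] for g in reaching), default=0.0)
    flagged = sum(1 for g in reaching if grant_findings(g, now))
    score = asset.cvss_max * asset.criticality * (0.5 + 0.5 * strongest) + flagged
    return round(min(score, 10.0), 2)


NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)

# Constructed sample data; no real people, vendors or devices.
ASSETS = [Asset("PLC-1", 9.8, 0.9), Asset("HMI-2", 6.5, 0.5)]
GRANTS = [
    Grant("alice", "operate", ["PLC-1", "HMI-2"], "employee", False, None,
          datetime(2025, 12, 27, tzinfo=timezone.utc)),
    Grant("vendor_acme", "engineer", ["PLC-1"], "vendor", True,
          datetime(2025, 12, 20, tzinfo=timezone.utc),   # window ended, still active
          datetime(2025, 12, 18, tzinfo=timezone.utc)),
    Grant("svc_backup", "view", ["HMI-2"], "service", False, None,
          datetime(2025, 9, 1, tzinfo=timezone.utc)),    # idle for months
    Grant("bob", "engineer", ["HMI-2"], "employee", False, None,
          datetime(2025, 12, 31, tzinfo=timezone.utc)),  # standing engineer rights
]


def run_sample() -> dict:
    """Exposure per asset plus findings per flagged grant for the sample data."""
    return {
        "exposure": {a.name: asset_exposure(a, GRANTS, NOW) for a in ASSETS},
        "findings": {g.subject: grant_findings(g, NOW) for g in GRANTS
                     if grant_findings(g, NOW)},
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

The vendor grant is the one the text warns about: its maintenance window closed in December but the credential was never revoked, so the PLC it reaches carries the full engineer weight plus a finding. On the HMI, the idle backup account and a standing engineering grant together add more to the score than the device's own vulnerability does, which is exactly the over-provisioning that a vulnerability-only view would miss.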
Legacy OT: Protect, don’t pretend
Despite the progress, one reality hasn't changed: OT environments are still full of legacy systems that can't be patched, can't be replaced, and often can't even be monitored safely. Many run firmware that predates modern cryptographic standards or is no longer supported by the manufacturer.
In 2026, the dominant defensive posture remains protection over replacement. Virtual patching, deep device fingerprinting, and application-aware micro-segmentation are now standard practice.
Exposure management tools can finally safely inventory, track and quantify the risk of “unpatchable” assets, assigning business impact scores and recommending compensating controls automatically.
Rather than chasing unrealistic modernisation, organisations will deploy application-aware firewalls, embrace safe active querying where appropriate, and treat OT as a hacking target whether or not it is air-gapped.
The lines between IT, OT, and cyber-physical systems will be effectively gone. The environments we defend are living, interconnected ecosystems that run our lives and they’re under constant assault.
The convergence of AI-driven attacks, expanding regulatory pressure, and rising safety expectations means that visibility, context, and continuous exposure management are the operating foundation of modern OT security.
But visibility alone isn’t enough. Least-privileged access, dynamic authorisation, and supply-chain accountability now define whether an organisation can withstand the next generation of AI-powered threats.
We must automate faster than attackers, measure risk in the language of business, and treat every device, supplier, and process as part of a unified exposure landscape.
