Key takeaways
- AI is both the primary threat and the primary defense mechanism in enterprise cybersecurity. The builders that stand out integrate AI to deliver outcomes a buyer can measure.
- Non-human identities (NHIs) now outnumber human identities 144-to-1 in many enterprises, making NHI governance one of the fastest-growing product categories in security.
- Venture capital is concentrating into AI-enabled cybersecurity companies: 72% of U.S. cyber deals through May 2026 involved an AI-enabled company, and funding reached $11.5 billion in 2025, the highest since 2022.
- The competitive frontier is shifting from detection to remediation. Products that orchestrate automated fixes while preserving human oversight are gaining the most traction.
The J.P. Morgan Innovation Economy group hosted its second annual cybersecurity summit in April 2026, bringing together founders, investors and industry experts to discuss the state of cybersecurity. From this event and conversations with stakeholders across the industry, one thing is clear: cybersecurity is at an inflection point. Artificial intelligence (AI) is simultaneously a potent threat and a powerful defense. The builders who stand out will integrate AI to deliver improved outcomes a buyer can measure.
“The modern ‘software as a service’ (SaaS) delivery model is quietly enabling cyber attackers and—as its adoption grows—is creating a substantial vulnerability that is weakening the global economic system.”
Pat Opet
Chief information security officer, JPMorganChase
The identity perimeter has moved
Enterprise AI adoption is pushing identity to the center of the threat landscape. For many organizations, non-human identities (NHIs)—digital credentials for AI agents, service accounts, machines and automated workflows—outnumbered humans 144-to-1 by mid-2025, a ratio that had grown 44% year over year, according to Entro Security’s H1 2025 research report. AI-driven automation has continued to accelerate the trend since.
BeyondTrust’s Phantom Labs research, published in March, found a 466.7% year-over-year increase in AI agents operating inside enterprise environments. As these machine identities accumulate, broad permissions, unused credentials and limited visibility can create risks that are harder to track than human access.
In enterprise conversations, governance is expanding to cover automated system-to-system access, authorized or not.
For builders, this shift is reshaping where durable product categories are forming. NHI governance is emerging as a control layer for access decisions in an AI-driven enterprise. Products that help enterprises manage NHIs, rotate secrets and keys and provide a clear rationale for access decisions in agent-to-agent workflows are becoming foundational to safe AI adoption. As the machine population grows, buyer urgency is rising alongside it.
How AI is expanding the attack surface: APIs, agents and impersonation
Identity is one dimension of the expanding threat surface; speed is another. AI is shortening the time window on both sides: attackers are automating reconnaissance, exploitation and social engineering, which can escalate misconfigurations into high-severity incidents quickly.
“AI is bringing security back to the endpoint. When models and agents execute locally, the endpoint is where intent becomes action and the only place with enough context to govern it. The winning architectures will pair on-device inference with user mode observability that captures agent behavior at its origin, before it executes, not reassembled from cloud logs after the damage is done.”
Stephen Ward
Co-founder of Brightmind Partners
The exposed area is also broadening across APIs, cloud services and SaaS platforms, with APIs central to real-world exploitation. Wallarm’s 2026 API ThreatStats report found that 36% of all published AI vulnerabilities involve APIs—and that the same percentage of actively exploited AI-related vulnerabilities involve APIs as well.
At the application edge, prompt injection—malicious or deceptive instructions embedded into inputs—is becoming a recurring risk in model-enabled applications, exploiting trust assumptions similar to earlier software injection issues. Meanwhile, AI-powered impersonation attacks are surging, with many companies reporting deepfake-driven incidents and meaningful reputational damage from AI-generated misinformation.
The number of AI-related vulnerabilities has increased sharply year over year, from 439 in 2024 to 2,185 in 2025
Chart showing that published artificial-intelligence-related vulnerabilities surged year over year, from 439 in 2024 to 2,185 in 2025. The mix also shifts: 2024 vulnerabilities are almost entirely API-related (434 API, 5 non-API), while 2025 has more non-API vulnerabilities (1,399 non-API vs 786 API), meaning growth is driven primarily by non-API issues even as API-related counts rise. Source: Wallarm 2026 API ThreatStats report.
Together, these dynamics point to three priorities we hear most often in enterprise evaluations:
- API visibility, anomaly detection and automated policy enforcement are viewed as table stakes, given the exposure described above.
- Visibility and response are expected to keep pace with automated activity; systems that detect and resolve issues without waiting for a human to connect the dots are better positioned.
- Identity verification is expanding beyond login to include media and interactions; tools that help distinguish real from AI-generated content are becoming baseline safeguards for financial transactions and high-stakes communications.
Where venture capital is concentrating in cybersecurity
Venture funding patterns reflect this shift. U.S.-based cybersecurity venture activity has remained strong: startups attracted $11.5 billion in 2025, the highest annual total since 2022. Through May 2026, investment has already crossed $4.6 billion, or $10.2 billion annualized. But the composition is shifting, as capital is concentrating into fewer, larger rounds behind companies that have already demonstrated enterprise traction.
U.S. cybersecurity venture investments hit $11.5B in 2025, the highest since 2022
Chart showing U.S. cybersecurity venture funding remains active but below the 2021 peak: investment is highest around 2021 (near 18 billion dollars), totals 11.5 billion dollars in 2025, and is 4.6 billion dollars through May 2026 with an indicated full-year extrapolation of 10.2 billion dollars. Deal volume peaks in 2021 (618 deals) and is lower afterward, with 203 deals year-to-date 2026, suggesting fewer deals alongside moderate funding levels. Source: PitchBook (U.S. only; year-to-date 2026 through May; data not reviewed by PitchBook analysts).
Source: PitchBook. Data has not been reviewed by PitchBook analysts. U.S. only. YTD 2026 is through May 2026.
One pattern stands out within that concentration: through May 2026, 72% of U.S. cyber venture deals involved a startup also classified as an AI company—up from 36% in 2019.
Investors are applying a higher architectural bar to early-stage companies clearing this concentration threshold. Boldstart Ventures’ Ed Sim said he looks first at whether founders have the core AI engineering expertise he considers table stakes, then at how the system is architected—whether it can swap across foundation models, whether it improves with more data, whether a real data flywheel exists and whether the product delivers more value as intelligence compounds or gets abstracted away. His summary:
“Build for the next model, not the current one.”
Ed Sim
Founder and general partner, Boldstart Ventures
72% of cybersecurity deals through May 2026 were for AI-enabled cyber startups
Chart showing cybersecurity venture deals are concentrated in AI-enabled startups over time. AI-enabled deals rise from 36% in 2019 to 64% in 2025 and 72% through May 2026, while non-AI-enabled deals fall from 64% to 28%, indicating AI is now the majority of deal activity in the sector. Source: PitchBook (U.S. only; year-to-date 2026 through May; data not reviewed by PitchBook analysts).
Source: PitchBook. Data has not been reviewed by PitchBook analysts. U.S. only. YTD 2026 is through May 2026.
AI is no longer a feature advantage in cybersecurity; it is a baseline expectation from buyers and investors alike. Enterprises are not asking whether a security vendor uses AI; they are asking how deeply it is embedded in the product’s ability to learn, adapt and act across their environment. As AI agents proliferate across enterprise infrastructure, the products that protect them will need to operate with comparable context and speed, and will themselves need to be hardened against the same sophistication of threat they are designed to protect.
How to build for an agent-driven security environment
Leading teams are building products that benefit as models improve over time. Products that harness each new generation to improve detection, classification and remediation can compound their advantage.
- Model compounding and abstraction: Teams are investing in model abstraction so they can work across multiple foundation models without tight coupling. Where companies can create data flywheels, each additional deployment improves outcomes for the next. Within that architecture, managing non-human identities across agent-driven workflows is essential.
- Auditability: Auditability is emerging as a gating factor in enterprise adoption, especially in regulated environments. The ability to show who accessed what, when and why can influence whether a vendor advances in procurement.
- API security: At the application layer, API security increasingly requires runtime monitoring that can spot unusual behavior, especially as system-to-system traffic grows. Enterprises are looking for prompt safety and data-loss protections built into key interaction points.
- Controls and risk mitigation: Controls that adapt to context and user intent are becoming practical differentiators at scale. On impersonation risk, many security teams are combining detection with lightweight verification—enabling secure, user-friendly confirmation flows in high-stakes transactions.
- Remediation orchestration: The competitive frontier is shifting from “find” to “fix.” Detection without orchestrated remediation leaves risk largely unchanged. The companies gaining the most traction are prioritizing workflows that assign issues to an owner and automate low-risk fixes (revoking a token, quarantining a service account), while preserving human oversight for high-impact actions. Vendors that reduce time from detection to resolution often see stronger retention and expansion.
What this means for builders and investors
The strongest candidates for success are teams building AI-native solutions to problems that AI itself is generating: securing non-human identities, hardening API- and model-augmented applications, and orchestrating remediation autonomously. As models continue to improve, the defensibility of these products likely compounds—suggesting that early movers who establish data and deployment advantages today will be difficult to displace tomorrow.
JPMorgan Chase Bank, N.A. Member FDIC. Visit jpmorgan.com/commercial-banking/legal-disclaimer for disclosures and disclaimers related to this content.
Chase, J.P. Morgan, JP Morgan and JPMorgan Chase are marketing names for certain businesses of JPMorgan Chase & Co. and its affiliates and subsidiaries worldwide (collectively, “JPMC”). “JPMorgan”, “JPMorgan Chase”, the JPMorgan Chase logo, “Story”, and “Story by J.P. Morgan” are trademarks of JPMorgan Chase Bank, N.A. JPMorgan Chase Bank, N.A. is a wholly-owned subsidiary of JPMorgan Chase & Co. Products and services offered by JPMC and its affiliates are subject to applicable laws and regulations, as well as our service terms and policies. Not all products and services are available in all geographic areas or to all customers. This material does not include all applicable terms or issues and is not intended as an offer or solicitation for the purchase or sale of any product or service. Credit is subject to approval. Rates and programs are subject to change; certain restrictions apply. This material is not intended to provide legal, tax, investment, accounting, financial, business, real estate, technology or other advice, and should not be used for or relied upon for these purposes. Any views, opinions, estimates and strategies expressed in this material are those of the respective individual contributors, authors or speakers, and may differ from those of Commercial Banking or other JPMC employees and affiliates. Any market and/or economic commentary in this material in no way constitutes J.P. Morgan research and should not be treated as such. Further, the views expressed in this content may differ from that contained in J.P. Morgan research reports. The content in this material has been obtained from sources deemed to be reliable, but JPMC makes no representation or warranty as to its accuracy or completeness. In no event shall JPMC nor any of its directors, officers, employees or agents be liable for any use of, for any decision made or action taken in reliance upon, or for any inaccuracies or errors in or omissions from, this material. Property eligibility and availability may vary and is subject to service terms and policies, and applicable law and regulations. Changes to Interbank Offered Rates (IBORs) and other benchmark rates: Certain interest rate benchmarks are, or may in the future become, subject to ongoing international, national and other regulatory guidance, reform and proposals for reform. For more information, please consult: https://www.jpmorgan.com/IBOR. Visit jpmorgan.com/cb-disclaimer for additional disclosures and disclaimers related to this content.
© 2026 JPMorgan Chase & Co. All rights reserved. JPMorgan Chase Bank, N.A. Member FDIC. Deposits held in non U.S. branches, are not FDIC insured. Non-deposit products are not FDIC insured.
