The threat landscape facing the UK public sector is expanding in scale, speed and sophistication – driven by AI, geopolitical tension and deepening digital dependency.

“Generative AI has made deception effortless,” said Chris Harris, EMEA technical director, cybersecurity products at Thales. “With anyone now able to create convincing audio or video deepfakes in seconds, visual and verbal cues can no longer be relied on for identity verification.”
That shift, said Harris, fundamentally alters how trust must be established. “In 2026, organisations will rethink access management around continuous, multi-layered trust. Expect to see ‘multi-factor authentication for life’ take shape – where every high-risk interaction, even a video call, requires real-time validation.”
From episodic security to continuous verification
This move toward continuous verification reflects a broader shift away from perimeter-based security models. As remote working, cross-agency collaboration and AI-enabled services expand, trust can no longer be assumed at login and forgotten.
For Christo Conidaris, CRO at YEO Messaging, this has direct implications for how government communicates. “In 2026, verified trust will become the foundation of UK digital government,” he said. “As AI adoption accelerates and the Cyber Security and Resilience Bill reshapes accountability, public bodies must prove not only that their data is protected but that every user and interaction is verifiable.”
Conidaris argues that digital identity is evolving rapidly from a convenience to a compliance requirement. “Each message between departments, agencies, or suppliers represents a point of risk. Verified, authenticated communication will ensure these exchanges remain confidential, auditable, and tamper-proof.”
Supply chains as the weakest link
While frontline identity risks are growing, experts warn that the most damaging breaches may arrive indirectly. Harris describes third-party exposure as one of the most frustrating challenges facing CISOs.
“Enterprises can develop and maintain their own highly capable cyber resilience strategy, but numerous recent examples have shown this counts for nothing if a third-party they depend on suffers a breach.”
The integration of AI into software development compounds that risk. “There is a very real potential for an update patch, a development oversight or an attack against a third-party supplier or open-source repository to cause chaos,” Harris warned, describing the threat as “SolarWinds on steroids.”
This risk is particularly acute in the public sector, where complex supplier ecosystems underpin everything from payments to border systems. Regulatory responses such as the Cyber Security and Resilience Bill are beginning to formalise supply-chain accountability, but enforcement and assurance could be the real test.
Identity at the heart of national infrastructure
Identity risk is also moving beyond IT systems into the fabric of national infrastructure. As Andy Green, partner at Avella Security, explains, cryptographic trust itself is entering a period of instability. “By 2026, quantum computing will shift from a background concern to a defining strategic priority for digital government,” he said.
“Critical public-sector datasets – legal records, citizen identity data, genomic and health archives – must remain trustworthy for decades. Once compromised, they cannot be repaired.”
This reality is accelerating interest in post-quantum cryptography (PQC). Green predicts that 2026 will be treated as an inflection point rather than a future milestone. “It will become clear that the window to prepare complex legacy estates, identity systems and cross-government data exchanges is far shorter than it appears.”
Quantum also highlights a deeper tension. Said Green: “The pairing of AI and quantum computing promises breakthroughs in public sector optimisation, but those same capabilities will enable adversaries to undermine the cryptographic trust that underpins the digital state.”
Human risk in an AI-enabled world
While advanced threats dominate headlines, contributors caution against overlooking the human dimension. Harris predicts a rise in insider threats driven by economic pressure and AI accessibility. “Thanks to the fact that anyone can weaponise AI without much in the way of tech experience, insider threats driven by the employees themselves will go up a notch in 2026.”
This risk is already reshaping hiring and verification practices. “Organisations will seek greater reassurance that the remote employees they have hired are who they say they are,” Harris says, predicting a partial shift back toward in-person verification and interviews.
This focus on identity assurance extends to citizens as well. As the UK moves toward wider adoption of trusted digital ID, expectations around transparency and assurance are rising. Alex Laurie, GTM CTO at Ping Identity, warns that public trust will be fragile.
“A cut-corners approach to launching a national digital ID would be politically catastrophic. Getting this right will become the defining factor in whether the public embraces the system at all.”
Across all contributors, there is an acceptance that cyberattacks are inevitable. The emphasis is shifting from prevention alone to recovery, visibility and resilience. Harris notes that the most advanced organisations “are building their abilities to detect and stop attacks quickly, making breaches harder, slower, and less rewarding for hackers.”








