Artificial Intelligence
Quantum
Robotics
Wise words and waggishness… June 2026
Reading time: 3 mins
AI and quantum are rewriting the security rulebook. Is industry keeping up?
In April 2026, the UK government’s Cyber Security Breaches Survey confirmed what many in the industry already knew. 43% of British businesses had suffered a breach or attack in the past year, which is roughly 612,000 companies. Meanwhile, the government’s own Cyber Action Plan acknowledges that existing approaches across critical national infrastructure have been too fragmented and inconsistent.
For Simon Gooch, senior vice president of Expert Services at security software firm Saviynt, the UK’s position is indicative of what is happening across the globe. Industry’s biggest problem, he says, is not just hackers, ransomware, or state actors, it is the slowness with which companies react.
“We’ve set the bar in the wrong place,” says Gooch, recounting a conversation with senior chief risk officers from major global financial institutions at a recent conference in Rome. “Because we didn’t understand this thing, we decided to slow everything down. The biggest risk we’ve just imposed on our organisations is the slowness to change, not the implication or the output of that change.”
“You don’t want to be thinking about what you’ve got and what’s now vulnerable at the point at which it becomes a problem”
Simon Gooch
Gooch, who spent 25 years at Accenture as global digital identity lead before moving to Saviynt, has seen both sides of the market. But it is industry’s caution around change and adoption of new technologies that concerns him most, and where he sees the clearest opportunity for innovators and entrepreneurs to step in.
The feared outcomes of AI adoption (large-scale breaches, loss of control, regulatory failure) have not materialised at anything like the scale that justified the restrictions put in place, he says, and yet the brakes remain on.
For start-ups and scale-ups building in the security and identity space, that gap between what industry fears and what is actually happening is, arguably, a market opportunity.
“There’s a little bit of a lack of maturity about this,” he says. “A lot of organisations have started with: take the lowest risk, because we don’t understand the risk. We probably need to break some more stuff.”
The security sector is not short of problems to solve. What Gooch describes is an industry that understands this but has not yet built the tools, platforms, or organisational confidence to really get to grips with it.
The most pressing concern is identity. AI agents, systems that act autonomously, make requests, and execute transactions at machine speed, are breaking the assumptions most enterprise security is built on.
“AI agents are going to force us down a path of needing to double down on zero trust principles,” says Gooch. “Historically we’ve been used to humans that move pretty slowly. There was still quite a lot of standing privilege, with the odd bit of verification built in. But the speed at which transactions happen means we can’t have standing static privileges. It just doesn’t work anymore. We need to move to a world where everything is continually verified.”
For start-ups and scale-ups building identity, access or verification products, this is a current and active market. Large enterprises are looking for solutions that can operate at the pace AI demands.
Another growing concern is quantum. We know that post-quantum computing will break asymmetric cryptography. NIST published updated post-quantum cryptography standards last year and browser vendors are already updating to them.
However, for Gooch, the question is whether organisations are making the right technology decisions today, before quantum becomes an issue. He talks about choosing technology that can adapt and asks can that technology provide the latest quantum-resistant algorithms as we start to see the implications of post-quantum risk?
The specific vulnerability most organisations have not addressed is PKI infrastructure, the foundation on which zero trust architectures verify identity. Replacing it without causing business disruption requires planning well in advance and most organisations, he says, have not yet started.
“You don’t want to be thinking about what you’ve got and what’s now vulnerable at the point at which it becomes a problem. You need to start planning for it now,” says Gooch.
Part of that planning, he argues, is architectural diversity. Organisations that have consolidated everything into a single provider or platform are most exposed.
“There is real risk in putting your eggs in one basket, whether it be a technology provider, a source, or a particular domain,” he says. “All of these things have massive crossover. You’re probably not going to get some of that thinking unless you have cross-domain, incubator capabilities that start to bring it together.”
One encouraging sign he has seen is organisations beginning to ask questions of security vendors. They want to know roadmaps and technologies and what is going to be covered, especially when it comes to providing quantum-resistant services.
It’s an opportunity for innovation, something he wants to see more of in UK cybersecurity, both within existing organisations but also in the start-up and spinout communities.
This brings him onto collaboration. He thinks the UK’s growing innovation ecosystem is well placed to address gaps in knowledge and development. In particular he sees university-led enterprise models coming into their own.
“We need to improve our collaboration models, starting in cyber,” he says. “The threats we face come from organisations that are highly organised and incredibly good at sharing resources and networks. That alone says we need to take the next step in terms of collaboration.”
The University of Bristol’s new Temple Quarter Enterprise Campus, bringing together research labs, business school, spinouts, and technology companies under one roof is, he argues, a direct response to that structural problem. A cross-domain, multi-discipline, facility with no institutional hierarchy between research and commerce is, he says, what the UK desperately needs.
It feeds into his own belief that innovation happens through diversity of experience and thought. Connections between AI and quantum, for example, the way zero trust architecture requirements map directly onto the cryptographic vulnerabilities quantum creates, are exactly the kind of thinking that proximity enables and silos prevent.
“I think it’s not only an interesting and good thing to do. I think it’s absolutely necessary,” says Gooch, referring to Bristol’s Temple Quarter Enterprise Campus, which opens in September. “It’s the sort of thing that will help UK businesses and government enable a much more informed and broader transition to whatever the future is.”
Working as a technology journalist and writer since 1989, Marc has written for a wide range of titles on technology, business, education, politics and sustainability, with work appearing in The Guardian, The Register, New Statesman, Computer Weekly and many more.
Quantum
Reading time: 10 mins
Quantum
Reading time: 10 mins
Future Telecoms
Reading time: 2 mins
Quantum
Reading time: 11 mins
Quantum
Reading time: 5 mins