Acknowledgments: Special thanks to Jennifer Halsey and Gavin Hill for their contributions to this blog.
I spent time at Gartner Security & Risk Management Summit last week listening for the signal, not the noise.
There was plenty of conversation about AI. Plenty about strategy, plenty about what is next. But what stuck with me most was something simpler: the teams that are going to do well over the next few years are not the ones chasing every new headline. They are the ones getting brutally honest about what actually causes damage, where their weak spots really are, and how fast they can recover when something goes sideways.
Here is the other thing I keep coming back to: security is not a destination. It is a spectrum, a journey that never really ends, especially in the age of AI. What matters is whether your organization is moving in the right direction with the right foundation under it.
That is the lens I am taking away from the event: it's not about perfection, hype, or bigger stacks for the sake of bigger stacks. It is about resilience. Identity. Control effectiveness. Operational reality.
Here are the biggest lessons I took from the sessions our team attended and what I think security leaders should do with them.
1. Resilience is no longer a soft concept. It's the job.
If I had to boil down the keynote message and a lot of the supporting sessions into one sentence, it would be this: the point is not to stop every bad thing from ever happening. The point is to keep incidents from turning into business-level disruption.
That may sound obvious, but a lot of programs are still built and measured as if "nothing got through" is the only acceptable outcome. That is not how the real world works. The real world is messy. Adversaries adapt. Users click things. Configurations drift. Third parties create risk you do not fully control.
The conversation at Gartner was not about building better cybersecurity programs. It was about building cybersecurity resilience. Those are not the same thing, and that distinction matters more than people give it credit for.
When you think about resilience in practical terms, it breaks down into two pillars that every strategy needs to address:
Identity Resilience: prevention through ISPM (identity security posture management) and response through ITDR (identity threat detection and response).
Endpoint Integrity: prevention through ESPM (endpoint security posture management) and response through EDR (endpoint detection and response).
Everyone's strategy should include both sides of each pillar. Not one or the other. Both. That is not aspirational. That is the baseline.
A few practical implications:
-
Know what business disruption actually means in your environment
-
Be honest about how quickly you can contain a real incident
-
Exercise recovery, not just response
-
Look for places where one mistake can still create an oversized impact
This is an area where Huntress' philosophy maps pretty cleanly to what I heard at Gartner. Security should reduce the chance that an interruption becomes an existential problem. That is a much more useful standard than pretending your goal is magical, total prevention.
2. Identity isn't a side conversation anymore
This came through loud and clear in the sessions, in the analyst conversations, and directly from Peter Firstbrook's keynote. Firstbrook is a VP Analyst at Gartner, and he said it plainly: everyone should have ITDR. Not "consider ITDR." Not "ITDR is a nice-to-have for mature organizations." Everyone.
He is right.
For a long time, CISOs let identity live somewhere else. It sat in IAM teams, in IT operations, in HR-driven provisioning workflows. It was an access management problem, not a security problem. CISOs owned the firewall, the endpoint, the SOC. Identity was someone else's lane.
That era is over.
Identity is the perimeter now. Not eventually. Not directionally. Now. The network edge has dissolved. Endpoints are everywhere. Cloud services authenticate through credentials, not IP addresses. Attackers are not breaking through walls anymore. They are logging in. And when identity is not owned by the security function, that gap is exactly where they go.
Security leaders who are still leaving identity governance, visibility, and response to other parts of the organization are leaving a door open. This is a paradigm shift that requires ownership, not coordination. Security leaders must get their arms around identity, because organizational resilience now depends on it.
The right framework here is identity resilience: ISPM to harden your posture before the attack, ITDR to detect and respond when something gets through. Prevention alone is not enough. Detection and response alone is not enough. You need both sides of the equation, and that is exactly what Firstbrook's keynote was pointing to.
Gartner's focus on identity visibility, intelligence, and resilience is growing because the identity attack surface is growing. Hybrid work, machine identities, cloud services, service accounts, and AI agents all increase the number of ways identity can become both the target and the path in.
If I were translating that into action:
-
Stop treating identity as a narrow toolset discussion
-
Get serious about visibility across human and machine identities
-
Reduce the number of unknown, unmanaged, or overprivileged identities in your environment
-
Pull identity and security teams closer together if they still operate in parallel lanes
CISOs are increasingly talking about identity resilience, not just alphabet soup. That is the right framing. And Firstbrook made clear that it is no longer optional.
3. The right AI takeaway is operational, not ideological
I expected AI to dominate the event, and it did. But the most useful guidance was not "go buy more AI." It was more grounded than that.
Peter Firstbrook said it plainly in his keynote: “there will not be a fully agentic SOC.”
Good.
Because if you have spent time in real incidents, you already know why. The hard part is not just triage speed. The hard part is ambiguity, judgment, escalation, business context, and knowing when something weird is actually the thing that matters.
The sessions pointed to a few realities worth sitting with:
-
AI is speeding up attacks
-
AI agents introduce real security risk, including prompt injection, data poisoning, and posture drift
-
AI can still be genuinely useful when applied to the right operational work
-
Human judgment is not going away
Where I think teams should land:
-
Use AI to reduce toil
-
Use it to accelerate triage and investigation support
-
Use it to improve speed where speed matters
-
Do not confuse faster output with sound decision-making
4. EDR is useful, but EDR alone is not a strategy
This was one of the most practical session takeaways from the event. Overreliance on standalone EDR is leading to failure because controls get bypassed, configurations drift, and teams mistake tool presence for protection.
That is not an argument against EDR. It is an argument against wishful thinking.
Endpoint integrity, like identity resilience, requires both sides: Endpoint Security Posture Management (ESPM) to continuously manage and reduce your attack surface before an incident, and EDR to detect and respond when something gets through. One without the other is a gap. And gaps are exactly what attackers look for.
The session walked through why multilayered defense in depth still matters: application control, exposure management, configuration management, and tighter coordination between endpoint management and security all strengthen the posture in ways a single detection layer cannot.
The control hygiene point matters too. Gartner called out misconfigured technical controls as a major driver of future breaches, which should be a wake-up call for teams that keep adding tools without investing enough in tuning, validation, and day-two operations.
A few practical steps:
-
Audit whether your controls are effective, not just deployed
-
Review where your team assumes protection instead of validating it
-
Make sure endpoint, security, and IT operations are not handing critical work off across silos in ways that create delay or ambiguity
-
Build layers that reduce blast radius when one layer fails
This is not flashy guidance. It is just the kind that tends to hold up.
5. Exposure management is getting more honest
Another thread I liked from the summit was the move away from shallow vulnerability narratives.
The exposure management material was not just "patch faster" or "scan more." It focused on continuous visibility, validation, attack paths, and a more realistic understanding of what actually creates exposure.
That distinction matters because most teams do not struggle to generate findings. They struggle to decide what matters, what is exploitable, what can wait, and what is quietly creating unnecessary risk right now.
The recommendations pushed toward risk-based prioritization, validation, and measuring the window of exposure instead of treating everything as an undifferentiated backlog.
That is the right move. My advice here is simple:
-
Get beyond CVSS-only thinking where you can
-
Prioritize based on exploitability and attack path relevance
-
Measure how long meaningful exposure stays open
-
Treat remediation as an operational discipline, not a reporting exercise
The bottom line
If I had to sum up Gartner Security & Risk Management Summit in a few practical takeaways, it would be this:
Security is not a destination. It is a spectrum and a journey. The organizations that understand that and build accordingly are the ones that will come out ahead.
That starts with having a real strategy. Not a list of tools. Not a compliance checklist. A strategy that aligns your organization toward a north star: what you are protecting, why it matters, and how you are going to get there.
And it needs practical AI adoption that keeps humans in the loop, layered defenses that reduce blast radius when things go wrong, and metrics that actually reflect operational readiness.
That is what I took away from the event. Not that the problem set is getting smaller. It is not.
But the signal is getting clearer for teams willing to ignore the noise and do the harder, more honest work.
