Infosecurity Europe 2026 wrapped on June 4 at ExCeL London after three days that felt less like a trade show and more like an industry arguing with itself in public. Attendance, exhibitor counts, and the speaker roster all landed in the healthy range the event is known for, but the more interesting story was the through-line in nearly every keynote and stage session: defenders are now reasoning about AI systems that act, not just AI systems that answer.
That shift matters because it changes the threat model. For two years the conversation was about generative AI as a content problem — phishing emails that read better, deepfakes that fool a verification call. This year the framing moved to agentic AI: systems that plan, call tools, and chain actions toward a goal with minimal human supervision. When the attacker's tooling can do that, the economics of an attack change. So does the job of the SOC. Here is what stood out, and where I think the floor got ahead of reality.
Agentic AI Security Was the Center of Gravity
If there was a single organizing theme, it was agentic AI security. The AI and Cloud Security stage ran sessions on LLM application security, agentic attack paths, deepfake detection, and cloud misconfiguration exploitation, and those rooms stayed full. The recurring question was not "can AI write malware" but "what happens when an autonomous agent can probe, adapt, and persist without an operator typing each command."
The honest read: most of what was demonstrated lives on a spectrum between research and reproducible threat. Some of the agentic-attack content shown on stage was closer to a proof of concept than a campaign you will see in your logs next week. That is not a criticism — proofs of concept are how the field learns where the guardrails need to be. But it is worth being precise about it, because vendors on the show floor were happy to blur the line between "an agent could do this in a lab" and "this is hitting your environment today." Both can be true eventually. Only one should drive your budget this quarter.
The more grounded version of the agentic story was defensive. AI-powered SOC tooling, AI detection and response, and triage assistants were everywhere, and the better pitches were specific about the limitation that actually bites: an agent that triages alerts is only as trustworthy as its verification layer. Autonomy without verification just automates your false positives faster.
Post-Quantum Cryptography Stopped Being a Someday Problem
The second clear theme was post-quantum cryptography, and the framing was refreshingly blunt. One keynote took the comfortable assumption head-on — the idea that quantum is still far off, so surely we can wait — and then spent the session arguing that you cannot.
His point was operational, not theoretical. The timeline that should worry you is not the arrival of a cryptographically relevant quantum computer; it is your own procurement and depreciation cycles. Hardware and software you buy and deploy in 2026 may still be running when post-quantum migration is no longer optional. The phrase that kept coming up was crypto-fragility: the difficulty most organizations have in even finding where their cryptography lives, let alone swapping it out. Quantum readiness, in practice, starts with a boring inventory problem — what algorithms are in your stack, in your dependencies, and in your vendors' products — and crypto-agility is the property that lets you change them without a rebuild.
That is the right message. "Harvest now, decrypt later" is a real risk for long-lived secrets, and the migration is a multi-year engineering program, not a patch. The teams that treat it as an inventory and supply-chain exercise now will have a far easier 2030 than the ones waiting for a deadline.
Ransomware as an Economy, Not an Event
The ransomware track leaned into economics rather than incident horror stories, which was a welcome change. One standout session, led by a speaker with a federal law-enforcement background now working in ransomware research, focused on using intelligence from the dark web and wider criminal networks to anticipate how ransomware tactics and threat-actor behavior evolve.
The framing treated ransomware as a business with suppliers, affiliates, pricing, and reputation — because that is what it is. Data extortion (steal first, encrypt second, threaten to publish) continues to be the dominant pressure tactic, and intelligence-led defense means understanding the actor's incentives well enough to predict their next move rather than just cleaning up after the last one. Leadership-focused tracks, including a Women in Cybersecurity panel and keynotes drawn from investing, elite sport, and the military, gave the program a broader thread than the usual vendor-heavy lineup.
Supply Chain and Identity Quietly Underpinned Everything
The themes that did not get the marquee slots — software supply chain security, third-party risk, and identity — were arguably the ones doing the real work underneath the AI headlines. Every agentic-AI risk eventually routes back to a supply-chain question: where did this model come from, what data and dependencies went into it, and what is it allowed to touch. Shadow AI (teams wiring up models and agents without security review) came up repeatedly as the practical version of this problem. You cannot govern an AI system you do not know exists, and you cannot trust a component whose provenance you cannot establish.
This is where the show's optimism needs a reality check. Plenty of booths promised AI governance in a box. Governance is not a product you install; it is a set of policies enforced at the points where software and models enter your environment. The vendors who understood that were talking about gates, attestation, and inventory. The ones who did not were selling dashboards.
How Safeguard Helps
Safeguard treats agentic AI and the software supply chain as one problem, because they are. We generate an AIBOM and ML-BOM alongside your SBOM so you can see which models, datasets, and dependencies are actually in your stack, then enforce policy gates with provenance and attestation at the points where components enter your environment — including a vendor policy registry and scorecards for the third-party and shadow-AI risk that this year's show kept circling. The platform is model-agnostic: bring your own model, plug commercial or open-source models in as components, and let our Multi-Agent TAOR Deep Think AI Engine and Griffin AI handle the verification and orchestration above the model — multi-agent verification is how we cut false positives and measure value as cost per verified finding, not raw alert volume. If the agentic-AI conversation at ExCeL left you wondering what is real in your own environment, reach out.