Google just paid $32 billion for Wiz. The same company that built the world’s most sophisticated AI research lab decided that cloud security was worth more than some countries’ GDP. This wasn’t a defensive acquisition – it is throwing down a gauntlet.

My prediction for 2026: The foundational AI companies (Anthropic, OpenAI, Google, and AWS) will enter enterprise security as classic disruptors, and most incumbent security vendors will be caught flatfooted. Not because they lack talent or technology, but because they’re trapped in a business model that’s about to become obsolete.

The Business Model Collision

Here’s what most industry observers are missing: This goes beyond technology. It’s a buggy-whip level disruption.

Security with AI is an attractive business for AI model vendors. Endpoint security, network security, identity management, date leakage prevention, application security, incident response – all require processing massive amounts of data and token consumption. The AI vendors already have the infrastructure. They already have the models. And they have a pricing model that makes traditional security licensing feel like a protection racket.

Pay-as-you-go versus annual licenses. Transparent pricing versus “contact sales.” Self-service onboarding versus six-month enterprise deployments. Value-led growth versus hordes of account executives, and directly measurable ROI (that is built into their products).

The pure AI companies—Anthropic, OpenAI, xAI—don’t worry about EBITDA or EPS. They’re investing to win. They hire the best engineers at salaries that security vendors don’t match.  They’re building their own cloud infrastructure. And since they’re not hyperscalers competing for general cloud business, they don’t have to worry about cannibalizing existing customer relationships.

The hyperscalers—Google, AWS, Microsoft—are playing both sides. Google’s Wiz acquisition shows they’re willing to pay premium prices for security assets. Google’s Palo Alto Networks partnership (reportedly worth $10 billion over multiple years) shows they’re hedging their bets. Heads they win with their own products; tails they win with partnerships.

Who Gets Hurt

The large-cap security vendors will survive; they have the balance sheets to acquire their way out of disruption. But the mid-cap vendors? The ones with $100M-$500M in revenue, owned by PE and VC firms demanding 10-20% growth while maintaining EBITDA margins? They’re in trouble.

Let’s be up front about their situation: Product innovation isn’t their strong suit anymore. Their value proposition has quietly shifted to “we’re already in, and replacing us is a headache.” They can’t acquire promising startups because even “free” acquisitions require ongoing investment they can’t afford. They’re the walking dead of enterprise security—still moving, still generating revenue, but strategically frozen.

These vendors face three choices: Continue until a larger player acquires them at a discount. Cut 50% of sales and marketing spend to fund a genuine AI-first product transformation. Or convince their investors to accept lower returns while they invest in a future that may never arrive and a fundamental shift in how they generate value (hint: it is not through coding).

For startups, this restructuring creates opportunity. Somewhere among the current crop of security startups is the next Palo Alto Networks or CrowdStrike. But the distribution channels and buyer expectations are shifting too fast to predict who wins. The advice is boring but effective: preserve capital, get customers, prove value, regenerate continuously.

What This Means for Enterprises

For enterprise security buyers, 2026 demands a different approach. The comfortable strategy (buying IBM because nobody ever got fired for it) may keep you compliant, but it won’t keep you secure.

 AI-driven security will not wait. Enterprises must act:

First, benchmark aggressively. Run the AI-native security tools against your incumbent vendors on real workloads with measurable outcomes. Not vendor-supplied metrics. Your metrics. The results might surprise you, and the cost comparison almost certainly will.

Second, learn by doing. The AI security technology landscape is moving faster than analyst reports can track. The only way to understand what’s really available at the leading edge is to deploy it, even if in limited pilots.  Compare efficacy against your benchmarks.   Enterprises that wait for “mature” solutions will find themselves years behind competitors who took calculated risks.

But here’s the critical question: Are the AI vendors’ security offerings truly enterprise-ready, or are they still just impressive technology looking for a product wrapper? That distinction matters. Technology demos don’t stop breaches. Production-grade, accurate, reliable, context-aware, integrated, supported solutions do.

The Bigger Question

This consolidation around AI infrastructure raises a question the industry hasn’t seriously addressed: Does concentrating security capabilities in a handful of foundation model providers make us more secure or less?

On one hand, these companies have resources and talent that no pure-play security vendor can match. On the other hand, we’ve seen what happens when critical internet infrastructure becomes concentrated in a few providers – just ask anyone who was affected by the recent AWS and Azure outages.

The security industry has spent decades arguing for defense in depth and avoiding single points of failure. Now we’re potentially moving toward a world where a handful of AI providers underpin most enterprise security.

2026 is a year for action—for enterprises evaluating new options, for vendors deciding whether to transform or coast, and for the industry to grapple with what AI-driven consolidation means for security’s future. The companies that recognize this shift early will have options. The ones that don’t will have excuses as predictable AI threats overwhelm them.

—

Bruce Fram is the Founder & CEO of AppSecAI and was the founding CEO of Contrast Security. He is the author of The AI Security Advantage: Fix Code 10X Faster.