That framing matters because it changes how leaders should think. For years, many organizations treated cybersecurity as a technology stack problem: firewalls, endpoint tools, network monitoring, and patching. Those still matter. But PwC argues the real battleground has shifted toward credentials, session tokens, federated access, SaaS sprawl, and trust relationships that let attackers “log in rather than break in.” In plain English, the attacker does not always need to smash a window anymore. Often, they just need a believable identity and a valid-looking path.

That is why identity now sits at the center of the modern threat equation. PwC highlights that social engineering is becoming more sophisticated through AI-generated deepfakes, IT helpdesk impersonation, stolen identities used in illicit remote worker operations, and multi-stage phishing campaigns aimed at both human and machine identities. In a cloud-heavy enterprise, one compromised identity can create cascading access across systems, vendors, apps, and data stores. That is no longer just an IT issue. That is an enterprise risk issue.

PwC’s second major point is just as important: AI is accelerating both offense and defense. Threat actors are using AI to automate reconnaissance, generate more convincing phishing lures, accelerate malware development, and scale social engineering across languages and platforms. PwC also warns that the time between a public AI release and attacker weaponization is shrinking, while autonomous AI agents capable of carrying out attack sequences are becoming a serious concern. At the same time, defenders can use AI for faster detection, automated containment, and intelligence-led decision-making at scale.

This is where many security conversations still fall short. Enterprises talk about AI governance, but often focus mostly on what an AI model is allowed to do in policy terms. That is necessary, but incomplete. The harder question is: who actually authorized the action at the moment of execution? If an AI agent initiates a workflow, approves a payment, accesses a document, or triggers a system change, policy alone is not enough. You need proof of authority tied to that action. That is precisely the gap iVALT is trying to address with its “provable human authority” approach before execution, including real-time identity verification, human-authorized AI agents, and controls designed to reduce reliance on fragile credential trust alone.

I think that is the deeper strategic lesson hidden inside PwC’s report. The future of cybersecurity is not just stronger authentication at login. It is stronger validation at execution. PwC says attackers are increasingly targeting identities, non-human identities, automated workflows, and cloud-connected environments. iVALT’s positioning maps directly onto that shift: prove the human behind the action, verify trust continuously, and reduce the chance that a stolen credential becomes a catastrophic event. Its platform describes capabilities around real-time verification, human-bound authority, PKI-based protections, SAML/IAM integration, and workflows meant to stop social engineering and AI deepfake-driven impersonation.

PwC’s third point may be the most overlooked by boards: cyber risk is now inseparable from business and geopolitical strategy. The report says geopolitical turbulence is shaping targeting and tempo, while espionage, influence operations, disruption, financial crime, insider threats, supply-chain compromise, and digital-to-physical risks are converging. PwC also notes that the old boundaries between threat motivations are blurring, with ransomware actors, espionage actors, and North Korea-linked operators overlapping techniques and objectives in ways that make traditional risk categories less useful.

That means the old silo model is breaking down. Security cannot sit in one corner, legal in another, HR somewhere else, and operations in a separate tower. If attackers are targeting executives, developers, vendors, hiring processes, customer-service channels, crypto assets, and financial workflows at the same time, resilience has to be coordinated across the business. PwC explicitly says organizations that align cyber, legal, HR, finance, communications, and geopolitical awareness will be better positioned to navigate what is coming.

So what should enterprises do now?

First, treat identity as a board-level control surface, not a background IT function. PwC is clear that identity governance has become strategic.

Second, move beyond access controls alone and focus on execution controls. In the AI era, it matters not just who logged in, but who authorized the action, under what conditions, on what device, and with what level of confidence. iVALT’s model is worth watching here because it is built around proving human authority at the point of action, not just authenticating a session once and hoping trust holds.

Third, assume deepfake-powered social engineering will keep getting better. Helpdesks, customer support, executive approvals, document access, and high-risk workflows are all soft spots if trust is still mostly based on passwords, voice, email, or weak MFA patterns. iVALT specifically positions On-Demand ID and related controls to combat deepfakes, impersonation, and social engineering in those workflows.

Fourth, connect cyber strategy to business strategy. PwC’s report is really a warning against narrow thinking. If cyber risk, geopolitical risk, cloud dependence, AI automation, and third-party exposure are all converging, then the response has to be enterprise-wide and leadership-owned.

The organizations that win the next phase of cyber defense will not be the ones with the longest tool list. They will be the ones that understand trust more precisely than their adversaries do. PwC is right: the race is accelerating. And in that race, identity is no longer just part of security. Identity is the battleground. The next step is proving authority before the action happens. That is where I expect more attention to go, and it is exactly why platforms like iVALT belong in the strategic conversation now.

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/annual-threat-dynamics.html
https://www.ivalt.com/
https://www.ivalt.com/why-ivalt