TL;DR
KPMG's Cybersecurity Considerations 2026 report identifies IT/OT hyperconnectivity, quantum threats, and the expanding definition of critical infrastructure as the most urgent risks for regulated industries.
For GRC teams in government, defense, and critical operations, the implication is practical: your assurance program must run where your data and systems live — including segmented, hybrid, and air-gapped environments.
That’s why 6clicks emphasizes Sovereign GRC Infrastructure: deploy on your terms (SaaS, sovereign cloud, or on‑prem) while still benefiting from AI-driven assurance.
KPMG's Cybersecurity Considerations 2026 report makes one thing clear: the attack surface for critical infrastructure is expanding faster than most GRC programs are equipped to handle. IT and operational technology (OT) systems are converging, data centers are now classified as critical infrastructure, and quantum threats are no longer theoretical. For compliance, risk, and security leaders, the question is no longer whether your GRC framework needs to evolve; it's whether your GRC platform can operate in the same environments you're accountable for.
For decades, industrial control systems and enterprise IT operated in separate silos. OT environments, the systems that run power grids, oil pipelines, water treatment plants, and manufacturing floors, were physically isolated by design. That isolation was the security model.
That model is gone.
KPMG's 2026 report identifies IT/OT hyperconnectivity as a top emerging risk across utilities, oil and gas, telecoms, and manufacturing. As organizations digitize operations and connect OT systems to corporate networks and cloud environments, they inherit a class of cyber risk that traditional GRC tools were never designed to address. These environments require continuous evidence collection, control mapping across physical and digital assets, and the ability to operate in air-gapped or hybrid network architectures, none of which cloud-first GRC platforms support well.
OT environments operate under fundamentally different constraints than enterprise IT, requiring a distinct approach to risk, compliance, and system management.
The table below maps the key emerging risks identified in KPMG's Cybersecurity Considerations 2026 report to the specific capabilities within the 6clicks Sovereign GRC Stack that help organizations address them.
| Emerging risk (KPMG 2026) | What it means for GRC teams | How 6clicks neutralizes it | 6clicks function / capability |
|---|---|---|---|
| IT/OT hyperconnectivity | The merging of digital and physical systems creates new attack vectors that existing cloud-based GRC tools cannot monitor or map to controls in constrained OT environments. | Agentic connectivity layer integrates directly with IT and OT systems, including CLI-based access for restricted and air-gapped environments, enabling continuous evidence collection without requiring cloud access. | Agentic connectivity, IT/OT integration layer, CLI for restricted environments |
| Data centers reclassified as critical infrastructure | Organizations operating or hosting data centers that support critical infrastructure services now face expanded compliance obligations under frameworks like SOCI, NIS2, and others, increasing the number of frameworks and controls that must be mapped and evidenced. | Hub & Spoke architecture enables program-scale GRC across multiple entities, frameworks, and jurisdictions from a single platform, with shared control libraries and automated cross-framework mapping to reduce duplication. | Hub & Spoke, Content Library, multi-framework control mapping |
| Quantum computing threats to encryption | Quantum capabilities are advancing rapidly, posing an existential risk to current encryption standards in finance and defense. Organizations must begin post-quantum cryptography planning now to avoid compliance gaps. | Sovereign deployment options allow organizations to run 6clicks inside their own environment — on-prem, sovereign cloud, or as an air-gapped appliance — ensuring that sensitive GRC data and evidence never traverses public infrastructure that could be compromised by quantum-era attacks. | Sovereign infrastructure (6clicks GRC Appliance), on-premises deployment, sovereign cloud deployment |
| Rapid digitalization accelerating attack vectors | Accelerated digital transformation is outpacing security and compliance controls, creating gaps in risk coverage as new technologies, vendors, and systems are adopted faster than GRC processes can keep up. | Hailey, 6clicks' AI engine, continuously maps new evidence to existing controls and frameworks, identifies gaps, and surfaces risk before it becomes an audit finding, building an evolving GRC knowledge base and reducing the lag between technology change and GRC program response. | Hailey AI, Intelligent Evidence Collection, GRC Knowledge Graph |
| Multiplying regulatory obligations across jurisdictions | Critical infrastructure operators in global or multi-regional environments face overlapping and evolving regulatory requirements, from NIS2 in the EU to SOCI in Australia to CBUAE guidance in the Middle East, creating manual, duplicated compliance effort. | The 6clicks Content Library includes prebuilt framework content for major global standards, with intelligent cross-mapping so controls assessed once can be reused across multiple frameworks, reducing duplication and accelerating audit readiness. | Content Library, cross-framework mapping, requirement-based assessment, Reporting & Analytics |
Most enterprise GRC platforms were built for cloud-native, API-first IT environments. They assume connectivity. If your organization operates industrial control systems, segmented OT networks, or classified environments, ask your GRC vendor a direct question: can you collect evidence from a system that has no internet access? If the answer is no, or involves a manual workaround, that's a structural gap in your compliance program.
For critical infrastructure operators in the Middle East, ANZ, and EU, data sovereignty is not optional. Regulations like Australia's Security of Critical Infrastructure (SOCI) Act and the UAE Information Assurance (IA) Regulation place specific obligations on where data is stored and processed. If your GRC platform is a shared SaaS environment on a hyperscaler you don't control, you may already be out of compliance before you've opened a single framework.
KPMG's report signals that regulatory requirements will continue to multiply. If adding a new framework to your compliance program requires weeks of manual control mapping, you're going to fall further and further behind. The answer is a platform with pre-built framework content, intelligent cross-mapping, and an AI engine that can identify where new requirements overlap with controls you've already evidenced.
6clicks is built for the environments that other GRC platforms can't reach. The Sovereign GRC Stack gives teams in government, defense, and critical infrastructure three things that matter in the risk landscape outlined by KPMG:
Deploy and localize on your terms. Run 6clicks in SaaS, sovereign cloud, self-hosted, or on certified hardware (the 6clicks GRC Appliance) when the cloud is not an option. Keep custody, locality, language, and AI model choice aligned to your mandates.
Collect and assure evidence across constrained environments. Whether evidence is uploaded manually or collected via APIs/agents, 6clicks treats both as first-class: AI validates and maps evidence to controls and frameworks, including for OT, legacy, segmented, and (when permitted) air-gapped networks.
Scale assurance without compounding complexity. Hub & Spoke architecture, the Content Library, and cross-mapping let teams reuse evidence and control results across entities, jurisdictions, and overlapping frameworks so every new requirement doesn’t mean starting from zero.
What is IT/OT convergence and why is it a security risk?
IT/OT convergence refers to the integration of information technology (IT) systems (enterprise networks, cloud environments, business applications) with operational technology (OT) systems, such as industrial control systems, SCADA, and programmable logic controllers. Historically, OT systems were physically isolated. As organizations connect them to corporate and cloud networks, those systems inherit cyber risks they were never designed to handle, including ransomware, supply chain attacks, and unauthorized access.
What does critical infrastructure reclassification mean for my compliance program?
If your organization operates or hosts data centers that support critical services, you may fall under national critical infrastructure legislation in jurisdictions including Australia, the UAE, and EU member states. This typically introduces new mandatory reporting obligations, minimum security control requirements, and government audit rights. Your GRC program needs to map these obligations to your existing control framework and evidence compliance continuously, not just at annual audit time.
How should GRC teams prepare for quantum computing threats?
The practical recommendation from KPMG and other analysts is to begin a post-quantum cryptography (PQC) readiness assessment now. This involves identifying all encryption-dependent systems, cataloging cryptographic assets, and mapping existing controls to emerging PQC standards from bodies like NIST. In the near term, the most important action is ensuring your GRC program can track and evidence this work and that the data underpinning your compliance program is stored in an environment you control.
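The readiness assessment described above, as an added example that is not 6clicks' code and not part of the KPMG report: a stdlib-only Python triage that takes a constructed cryptographic inventory (TLS cipher suite names plus bare algorithms), decomposes each record into key exchange, authentication, cipher and hash, and classifies every primitive against the NIST PQC standards (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA). The inventory entries, system names, the `Finding` record and the classification rules are assumptions made for the illustration; the backlog ordering puts key exchange first because recorded traffic can be decrypted once a large quantum computer exists.

```python
"""PQC readiness triage over a cryptographic inventory (added example, stdlib only)."""
import re
from dataclasses import dataclass

# Public-key primitives broken by Shor's algorithm on a large quantum computer.
SHOR_VULNERABLE = {"RSA", "DSA", "DSS", "ECDSA", "DH", "DHE", "ECDH", "ECDHE"}
# TLS named groups that are elliptic-curve Diffie-Hellman under another name.
ECC_GROUPS = {"X25519", "X448", "SECP256R1", "SECP384R1", "SECP521R1"}
# NIST-standardised PQC algorithms, matched with hyphens stripped so that a
# hybrid group name such as X25519MLKEM768 is recognised as containing ML-KEM.
PQC_STANDARDISED = {"MLKEM", "MLDSA", "SLHDSA"}

# IANA-style names: TLS_<kx>[_<auth>]_WITH_<cipher>_<hash>, or TLS 1.3's TLS_<cipher>_<hash>.
_SUITE_RE = re.compile(
    r"^TLS_(?:(?P<kx>ECDHE|ECDH|DHE|DH|RSA)_(?:(?P<auth>RSA|ECDSA|DSS)_)?WITH_)?"
    r"(?P<cipher>.+?)_(?P<hash>SHA256|SHA384|SHA)$"
)


@dataclass
class Finding:               # hypothetical evidence record for a migration control
    system: str
    asset: str
    primitive: str           # e.g. "key exchange: ECDHE"
    status: str              # "quantum-vulnerable" | "review" | "ok" | "unknown"
    rationale: str


def parse_cipher_suite(name: str) -> dict:
    """Split a suite name into its primitives (None where the name omits one)."""
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx, auth, cipher, hsh = m.group("kx", "auth", "cipher", "hash")
    if kx == "RSA" and auth is None:
        auth = "RSA"  # RSA key transport: the same server key also authenticates
    return {"key_exchange": kx, "authentication": auth, "cipher": cipher, "hash": hsh}


def classify_asymmetric(algorithm: str, role: str) -> tuple:
    alg = algorithm.upper().replace("-", "")
    if any(p in alg for p in PQC_STANDARDISED):
        return "ok", "NIST-standardised PQC algorithm (pure or hybrid)"
    if alg in SHOR_VULNERABLE or alg in ECC_GROUPS:
        if role == "key exchange":
            return "quantum-vulnerable", "Shor-breakable; captured traffic is decryptable later"
        return "quantum-vulnerable", "Shor-breakable signature; replace before a CRQC exists"
    return "unknown", f"{algorithm} is not in the classification table"


def classify_symmetric(key_bits) -> tuple:
    if key_bits is None:
        return "review", "legacy or unrecognised cipher; replace regardless of quantum risk"
    if key_bits >= 256:
        return "ok", "Grover halves effective strength; 256-bit keys keep ~128-bit security"
    return "review", f"{key_bits}-bit key gives ~{key_bits // 2}-bit quantum security; plan 256-bit"


def symmetric_bits(cipher: str):
    m = re.match(r"AES_(\d+)", cipher)
    if m:
        return int(m.group(1))
    return 256 if cipher.startswith("CHACHA20") else None   # 3DES, RC4, NULL -> None


def assess_entry(entry: dict) -> list:
    out = []

    def add(primitive, status, rationale):
        out.append(Finding(entry["system"], entry["asset"], primitive, status, rationale))

    if "cipher_suite" in entry:
        p = parse_cipher_suite(entry["cipher_suite"])
        # TLS 1.3 names omit the key exchange; the inventory must record the negotiated group.
        kx = p["key_exchange"] or entry.get("key_exchange")
        if kx:
            add(f"key exchange: {kx}", *classify_asymmetric(kx, "key exchange"))
        else:
            add("key exchange: (not recorded)", "unknown", "TLS 1.3 suite; record the group")
        if p["authentication"]:
            add(f"authentication: {p['authentication']}",
                *classify_asymmetric(p["authentication"], "signature"))
        add(f"cipher: {p['cipher']}", *classify_symmetric(symmetric_bits(p["cipher"])))
    elif entry["algorithm"].upper() in {"AES", "CHACHA20"}:
        add(f"cipher: {entry['algorithm']}", *classify_symmetric(entry.get("key_bits")))
    else:
        role = entry.get("role", "signature")
        add(f"{role}: {entry['algorithm']}", *classify_asymmetric(entry["algorithm"], role))
    return out


def assess_inventory(inventory: list) -> list:
    return [f for entry in inventory for f in assess_entry(entry)]


def summarize(findings: list) -> dict:
    counts = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


def migration_backlog(findings: list) -> list:
    """Vulnerable findings, key exchange first (harvest-now-decrypt-later exposure)."""
    vulnerable = [f for f in findings if f.status == "quantum-vulnerable"]
    return sorted(vulnerable, key=lambda f: 0 if f.primitive.startswith("key exchange") else 1)


# Constructed sample inventory; system names and settings are illustrative, not real assets.
SAMPLE_INVENTORY = [
    {"system": "scada-historian", "asset": "HTTPS API",
     "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
    {"system": "hmi-gateway", "asset": "vendor VPN",
     "cipher_suite": "TLS_RSA_WITH_AES_128_CBC_SHA"},
    {"system": "grc-appliance", "asset": "web UI",
     "cipher_suite": "TLS_AES_256_GCM_SHA384", "key_exchange": "X25519MLKEM768"},
    {"system": "backup-vault", "asset": "archive encryption", "algorithm": "AES", "key_bits": 256},
    {"system": "firmware-signing", "asset": "code-signing key", "algorithm": "ECDSA",
     "role": "signature", "key_bits": 256},
]

if __name__ == "__main__":
    findings = assess_inventory(SAMPLE_INVENTORY)
    print(summarize(findings))
    for f in migration_backlog(findings):
        print(f"{f.system:18} {f.asset:20} {f.primitive:26} {f.rationale}")
```

Each `Finding` is the kind of record a GRC program can attach to a migration control as evidence; re-running the triage after each inventory refresh shows whether the vulnerable count is actually falling rather than relying on an annual attestation.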
Can 6clicks operate in an air-gapped or classified environment?
Yes. The 6clicks GRC Appliance enables full on-premises deployment with no cloud dependency. For environments where even on-prem network access is restricted, 6clicks' CLI-based connectivity agent allows evidence collection from isolated systems. This makes 6clicks the only enterprise GRC platform capable of operating across the full spectrum from cloud-native to fully air-gapped.
What GRC frameworks are relevant for critical infrastructure operators in 2026?
The most commonly applicable frameworks for critical infrastructure operators include NIST CSF, IEC 62443 for industrial control systems, ISO 27001 for information security management, and jurisdiction-specific critical infrastructure legislation such as Australia's SOCI Act, UAE IA Regulation, and the EU's NIS2 Directive. 6clicks includes prebuilt content for all major frameworks, with intelligent cross-mapping to reduce duplication when multiple frameworks apply.
Join 6clicks experts and critical infrastructure practitioners to explore how sovereign-ready GRC changes the game for complex, regulated environments.