Skip to main content
  1. Posts/

The Ground Shifted at RSAC 2026. Here's What Matters.

·7 mins
Cybersecurity Agentic AI AI Security Conference Debrief RSAC 2026 Cybersecurity Leadership
Table of Contents

80% of Fortune 500 companies already run AI agents. Only 5% have them in production securely.

The last time I walked through San Francisco’s Chinatown, I was thirteen. It was 1995. The internet was a curiosity, not infrastructure. Security meant a deadbolt. I remember the steep hills, the lanterns, the smell of roasted duck from open storefronts — a kid from a different country discovering a city he was convinced he’d live in one day.

Three decades later, I walked those same streets on a Wednesday evening after a full day at RSA Conference. The lanterns were still there. The hills hadn’t flattened. I never did move here — but I’ve come back every year for a different reason. This week, it was conversations with security leaders about governing autonomous AI agents — software that can access enterprise data, make decisions, and take actions without human review.

RSAC marked its 35th year. Nearly 44,000 attendees. And in two decades of attending, I’ve never felt the ground shift quite like this. Not because the threats were louder — they always are. But because the tools we build to defend ourselves now run on the same architecture as the threats themselves.

Here are three realities every executive needs to confront.

Reality #1: Your Defenses Now Run on the Same Architecture as the Threats #

The opening keynote made it plain. Microsoft’s Vasu Jakkal and Cisco’s Jeetu Patel converged on the same point: every AI agent an organization deploys is simultaneously a new identity, a new endpoint, and a new attack surface. More than 80% of Fortune 500 companies already use active AI agents, and Microsoft materials citing IDC project 1.3 billion agents by 2028.

What makes this different from prior technology waves is symmetry. During the opening session, researchers described how North Korean operators are using AI across the attack lifecycle; separately, Anthropic disclosed a China-linked campaign in which AI handled roughly 80–90% of tactical tasks. In another session, Anthropic’s deputy CISO described a production incident where an AI agent autonomously investigated an outage, found the root cause, located the right engineer via Slack, and had a fix uploaded to GitHub — in eight minutes. Same technology. Opposite intent.

Patel captured it cleanly: “We should not think of these agents as tools. They are more like digital co-workers. With chatbots, you worry about getting the wrong answer. With agents, you worry about taking the wrong action.” His team demonstrated an unsupervised agent that booked a $40,000 hotel suite, invited ex-employees who were now competitors, and published employee home addresses — all while following its instructions correctly.

The Model Context Protocol (MCP) — emerging as the de facto standard for how agents communicate with tools — was dissected across multiple sessions. Researchers mapped dozens of distinct threat vectors across server, host, and user layers. No single security tool today provides strong coverage across all of them.

Reality #2: Security Has to Lead Where No Playbook Exists Yet #

The gap between enthusiasm and readiness is wide. Cisco reports that 85% of major enterprises have AI-agent pilots underway, but only 5% have moved them into production. That isn’t a compliance failure. It’s a signal that the problem is genuinely new.

Jacinda Ardern — former Prime Minister of New Zealand — delivered the sharpest observation of the week: “Safety requirements should precede scale, not follow it.” She was speaking about AI governance, but the principle applies everywhere security leaders operate today. You cannot secure a billion agents after the fact.

The federal absence underscored this. CISA, FBI, and NSA all withdrew from RSAC 2026. Whatever the stated reasons, the gap was visible. European officials filled more of the public-sector conversation than in prior years. When the institutional playbook pauses, security leaders must fill the space themselves.

The vendor landscape is shifting just as fast. During the market trends session, Dominic Gallello noted that cyber M&A reached 12% of all deal activity in 2025 — historically 2–4%. Google completed its acquisition of Wiz. Platform consolidation is reshaping who owns what. The Innovation Sandbox winner — Geordie AI — built its entire platform around AI agent security. Every finalist integrated AI into their core product. The startups are already building for the world the incumbents are still debating.

Reality #3: The Talent Equation Is Being Rewritten, Not Just the Technology #

The cyber war panel — featuring Jen Easterly (now RSAC’s CEO), former National Cyber Director Chris Inglis, and Navy cryptologist Chase Cunningham — delivered the week’s most human session. CISO tenure is still measured in months, not years. Burnout isn’t about long hours. It’s about ambiguity, uncertainty, and the feeling of being expendable until something breaks. “Burnout is a security problem, not an HR problem,” one panelist noted.

Meanwhile, AI is automating the entry-level work that builds the next generation. If agents handle all Tier 1 and Tier 2 triage, the analyst pipeline dries up in five to seven years. SentinelOne’s Tomer Weingarten put it precisely: “Autonomy is earned, not granted.” The risk isn’t automation — it’s automating before the humans behind the systems have developed the judgment to oversee what’s autonomous.

A research team from Flare presented findings from a sample of 10,198 stealer logs. Their analysis found 72% of victims posed organizational risk, and over 16% of those infected through a game-related vector had company infrastructure access. The human element isn’t a footnote — it’s the primary attack surface. The panel’s consensus: social engineering remains the initial vector in the vast majority of breaches. Humans aren’t the weakest link. They’re the largest sensor network we have — if we invest in them.

The conversation kept returning to access: remove certification barriers for entry-level roles, build apprenticeship pathways, and make mental health support accessible and stigma-free. Michael Lewis, in a fireside chat, framed the macro risk: AI displacement of knowledge workers won’t be just an HR problem. “Those people,” he said, “create revolutions.”

Field Notes #

Dawn runs, Embarcadero. Second year in a row. Before the keynotes, before the badge scanning — I ran. The city is quieter at 5:30 AM, and the thinking is clearer. If you don’t decide what matters before you walk through the doors, the conference decides for you.

Baseball, Tuesday night. Caught a game with friends at Oracle Park. Nothing resets your perspective like three hours where nobody mentions zero trust.

Salesforce Park, year two. Same rooftop, same bench, same beer. A tradition now. The best conversations at RSAC happen away from the expo floor.

Hugh Jackman. Wolverine headlined the closing celebration. It sounds like a punchline, but it wasn’t. He was sharp, quick, genuinely curious — adapting in real time without a script. The kind of presence this industry could use more of.

Bottom Line #

  • Agentic AI is a structural shift, not a feature cycle. Every agent is a new identity, endpoint, and attack surface — and 95% of enterprise pilots haven’t reached production.
  • MCP is the new integration layer — and the new threat surface. Dozens of attack vectors; no single tool covers them all.
  • The federal absence signals a coordination gap. Security leaders must lead where institutions have paused.
  • Platform consolidation is accelerating. M&A is reshaping vendor landscapes faster than most security programs can adapt.
  • Talent is the real bottleneck. Burnout, automation of entry-level roles, and access barriers threaten the human foundation of security.
  • Invest in humans alongside automation. The largest sensor network in cybersecurity is made of people, not models.

Security has always evolved fast. What made RSAC 2026 different wasn’t the pace — it was the realization that the line between what defends us and what threatens us has dissolved. The organizations that thrive won’t be the ones with the best tools. They’ll be the ones whose leaders had the judgment to act before the playbook was written.

What decision are you making this quarter that assumes your current security architecture will still hold?