RSAC 2026 Observations: When Agents Moved from Concept to Operational Reality
Late March at the Moscone Center in San Francisco. 44,000 security professionals gathered for RSAC’s 35th year. The theme: “Power of Community”, drawn from an African proverb: “If you want to go quickly, go alone. If you want to go far, go together.” Fitting for a 35th anniversary. RSAC itself is the best proof of that proverb, from a closed-door panel of 50 cryptographers in 1991 to a global summit of 44,000. But walking into the venue, there was a subtle tension with the theme. AI Agents everywhere. Automation everywhere. And the question everyone was actually debating: is the human still in the loop?
Because the article is very long for professional readers, I made a short video for those with a busy schedule who need the useful info:
My upcoming Innovator Coffee podcast session will have a great discussion on RSA as well. Stay tuned….
The index is below for your reference. Enjoy:
I. The Atmosphere Has Shifted
II. The Most Important Signal: Geordie AI Wins Innovation Sandbox
III. Three Trends That Actually Matter
IV. New Faces on the Show Floor: AI Hacker, AI DevOps Engineer, Vibe Coding Security, and the Platform Shift
V. Three Things Different from Previous Years
Closing: Three observations to take away
_______________________________________________________________________________
I. The Atmosphere Has Shifted
For the past few years, AI was background noise at RSAC. This year, it was the main event.
600+ exhibitors, and nearly every booth was talking about Agents. Large corporations launched Zero Trust for AI Agents, the largest Agentic SOC, AI Agent Security, and a real-time AI governance engine. There were 110+ vendors related to AI or AI agent security. This isn’t vendors chasing a trend; it’s because enterprise buyers actually have a problem.
A SiliconANGLE analyst said something on Day 2 that I thought was a useful read of the room: “The technology industry is in the third inning, but buyers are just getting started.” That gap was the realest tension in the entire conference. ArmorCode’s research put numbers to it: 90% of organizations claim visibility into their AI footprint, while 59% simultaneously admit that Shadow AI is operating outside their governance processes. Those two numbers together say one thing: most organizations’ “visibility” is self-deception.
II. The Most Important Signal: Geordie AI Wins Innovation Sandbox
Every year, the Innovation Sandbox winner is the best entry point for reading the next security investment cycle. This year’s winner: Geordie AI, a company founded in 2025 building a security and governance platform purpose-built for AI Agents. The founding team came from Snyk, Veracode, and Darktrace. Backed by General Catalyst and Ten Eleven Ventures. Core capability: real-time discovery of which Agents are running in the enterprise, what they’re accessing, and whether their behavior is anomalous. The numbers are striking: agent count grew 10x in five months, revenue grew 10x in two months.
The award carries serious historical weight. Over the past 20 years, Sandbox finalists have collectively seen 100+ acquisitions and more than $50 billion in investment. This year, Wiz, a 2021 finalist, completed its $32 billion acquisition by Google, the largest acquisition of a private venture-backed U.S. company in history. Geordie AI winning isn’t just one company’s moment. It’s a signal: AI Agent Security has been formally recognized as a standalone category by the industry’s most authoritative platform.
This aligns closely with our recent research at SafenAI (Nonprofit). In our mapping of 50 companies, we break the category into four layers: Discovery & SPM, Runtime Security, Identity & Access, and Governance & Audit. (Refer to my previous blog in this newsletter.) What Geordie AI captured is the layer hardest to ignore: before you can govern Agents, you need to know what you have. Meanwhile, companies like Aira Security, Tenet Security, and others in our report are filling the gaps at the Runtime layer.
III. Three Trends That Actually Matter
Trend 1: The Attack Window Is 22 Seconds
Mandiant released M-Trends 2026 at RSAC. The most striking data point wasn’t a technical vulnerability detail. It was a number: the window for defenders to intervene, from initial compromise to completed attack chain, has been compressed to 22 seconds. Behind that number is a structural shift. Attackers aren’t just using AI tools. They’re deploying adaptive Agents that rewrite their own code in real time, finishing the attack before a human analyst completes a first response.
This means the traditional detect-alert-respond workflow has failed on the time dimension. Defense has to operate at machine speed. This isn’t a product pitch. It’s a physical constraint.
Trend 2: Identity Has Expanded Beyond Humans
RSAC has always been a major battleground for identity security. This year, the identity conversation made a fundamental expansion: non-human identities. This has been a theme in the investment community for the past year or two, and something I wrote about in last year’s conference analysis.
At RSAC, IBM, Auth0, and Yubico demonstrated a concrete implementation: when AI Agents execute high-risk operations, they require cryptographic authorization through YubiKey physical hardware, creating an irrefutable chain of human decision-making. The core assumption: Agents can handle routine tasks autonomously, but large financial transfers, production code deployments, and sensitive data access require a traceable human authorization node. This takes “human-in-the-loop” from a design principle and turns it into an auditable technical implementation. For regulated industries, finance, healthcare, government, this isn’t an optional enhancement. It’s a prerequisite for using AI Agents at all.
Delinea’s CPO put it plainly: “AI Agents are becoming the fastest-growing class of identities in enterprise environments, yet most organizations lack the controls and accountability needed to govern what those identities can do.”
Trend 3: MCP Is the New Security Perimeter
Model Context Protocol, the communication layer that lets AI Agents connect to external tools and services, predictably generated a wave of session proposals across this year’s RSA agenda. Topics ranged from Tool Poisoning attacks to “Trust Me, I’m a Tool” to MCP’s threat detection capabilities.
I’ve written and talked about this before in my previous blog and podcast: MCP has network effects. It gives Agents the ability to cross system boundaries, which is exactly what makes it powerful, and exactly what makes it dangerous. A poisoned MCP tool description can be modified after a security review passes, hijacking Agent behavior at runtime. Your security review happens in a static state. The threat is dynamic.
RSAC designating MCP security as a core trend this year signals that the industry has accepted something: protocol-layer security is just as important as application-layer security, and in some ways harder to defend.
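One way to catch a tool description that is modified after a security review passes, as an added example (not code from this post or from any vendor named in it): fingerprint each tool definition at review time and compare every later `tools/list` result against those pins, failing closed on any drift. The tool names and sample definitions are constructed; `name`, `description` and `inputSchema` are the fields of an MCP tool definition.

```python
import hashlib
import json

# Fields of an MCP tool definition that shape what the model reads and sends.
PINNED_FIELDS = ("name", "description", "inputSchema")

def fingerprint(tool: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the pinned fields."""
    subset = {k: tool.get(k) for k in PINNED_FIELDS}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def pin_tools(reviewed_tools: list) -> dict:
    """Run once at security review: one fingerprint per approved tool."""
    return {t["name"]: fingerprint(t) for t in reviewed_tools}

def check_tools(pins: dict, live_tools: list) -> dict:
    """Run on every tools/list result: report drift from the reviewed state."""
    live = {t["name"]: fingerprint(t) for t in live_tools}
    return {
        "changed": sorted(n for n in live if n in pins and live[n] != pins[n]),
        "unreviewed": sorted(n for n in live if n not in pins),
        "missing": sorted(n for n in pins if n not in live),
    }

def allowed_tools(pins: dict, live_tools: list) -> list:
    """Fail closed: pass on only tools that still match their reviewed pin."""
    return [t for t in live_tools if pins.get(t["name"]) == fingerprint(t)]

# Constructed sample data: what was reviewed vs. what the server returns later.
SCHEMA = {"type": "object", "properties": {"path": {"type": "string"}},
          "required": ["path"]}
REVIEWED = [
    {"name": "read_file", "description": "Read a file from the workspace.",
     "inputSchema": SCHEMA},
    {"name": "search_docs", "description": "Search project documentation.",
     "inputSchema": {"type": "object", "properties": {"q": {"type": "string"}}}},
]
LIVE = [
    dict(REVIEWED[0], description="Read a file from the workspace. "
         "[constructed: extra instructions appended after review]"),
    REVIEWED[1],
    {"name": "send_report", "description": "Send a report.", "inputSchema": {}},
]

if __name__ == "__main__":
    pins = pin_tools(REVIEWED)
    print(check_tools(pins, LIVE))
    print([t["name"] for t in allowed_tools(pins, LIVE)])
```

Canonical JSON with sorted keys keeps the fingerprint stable when a server reorders fields, so only a real change to the name, description or schema trips the check.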
IV. New Faces on the Show Floor: AI Hacker, AI DevOps Engineer, Vibe Coding Security, and the Platform Shift
This year I noticed three product categories at RSAC that I had never seen before: AI Hacker, AI DevOps Engineer, and Vibe Coding Security.
Taken together, they describe the same thing: every layer of security, development, operations, offense and defense, is being reshaped by AI simultaneously.
On the attack side, Novee is the defining example of the AI Hacker category. They launched an AI red-teaming product specifically targeting LLM applications at RSAC. The key distinction from other AI red-teaming tools: platforms like Garak and Promptfoo run predefined probe libraries of known vulnerabilities, essentially automating known attacks. Novee’s Agent first performs reconnaissance on the target application, builds an internal model of how it works, then autonomously reasons and chains together attack paths specific to that system, much closer to how real attackers operate. All three founders come from national-level offensive security backgrounds. The company raised $51.5 million within four months of founding.
On the operations side, DuploCloud is the clearest example of AI DevOps Engineer. It packages the entire DevOps lifecycle, infrastructure provisioning, Kubernetes management, compliance auditing, CI/CD pipelines, into an AI Agent-driven automation platform, embedding security compliance (SOC 2, PCI, HIPAA) into every operational node. They explicitly call their AI product “AI DevOps Engineers”, not assistants, but Agents directly executing a professional role.
On the development side, a new category emerged this year: Vibe Coding Security. As developers increasingly use Cursor, Claude Code, and GitHub Copilot to write code, a new problem has appeared. Traditional code security scanners were designed for human-written code, while AI-generated code has its own vulnerability patterns: over-trusting external inputs, hidden dependency chains, context injection risks. Backslash Security positioned itself explicitly as a “Vibe Coding security company.” OX Security launched the “VibeSec” concept. The logic is straightforward: if your code is increasingly written by AI, the tools that scan it need to understand AI.
Put these three categories side by side and they point to one conclusion: AI isn’t just helping security teams work. It’s entering security workflows at every layer in the form of professional roles, attackers using AI to attack, developers using AI to build, operations teams using AI to manage. This symmetry appeared in product form for the first time at this year’s RSA.
ServiceNow’s presence also deserves mention. Just three weeks before RSA opened, ServiceNow completed its acquisition of identity security company Veza. Veza’s Access Graph technology visualizes the permission relationships of every identity in an enterprise, human accounts, machine accounts, AI Agents, answering questions like “who can access what, and what’s the blast radius?” For ServiceNow, this fills its most critical gap: 75 billion workflows run on its platform every year, but it has always lacked a layer that can clearly explain who is executing those workflows and whether they’re operating within their authority. When AI Agents start autonomously executing tasks within those workflows, identity governance and workflow management become the same problem.
The same logic applies more broadly: Salesforce appeared as a named partner in CrowdStrike’s Charlotte AI AgentWorks ecosystem announcement at RSAC. None of them are traditional security vendors, but all of them are being forced to answer the same question: when an Agent running on our platform does something wrong, who’s responsible? Platform vendors are answering with action: we are. Security is no longer an add-on compliance layer. It’s infrastructure that every enterprise software platform must build in.
One more first worth noting, quantum: this was the first year I saw a real quantum hardware prototype at RSAC. IBM demonstrated their quantum system on the show floor. VP of Technology Suja Viswesan summed up where quantum security stands right now: “I cannot fix what I don’t know exists. Visibility is the most important thing.” The industry conversation has shifted from “will the quantum threat arrive?” to “we have no idea how many cryptographic assets we even have.” IBM’s focus at RSAC was the operational framework: how to inventory existing cryptographic libraries, how to build crypto-agility, how to complete algorithm migration without rebuilding everything from scratch.
V. Three Things Different from Previous Years
International Cybersecurity Forum: Four former NSA Directors on stage together to discuss the boundaries of offensive cyber operations. UK NCSC CEO Richard Horne explored cross-border collaborative defense frameworks. European companies openly advocated for “digital sovereignty.” Together, these voices make one thing clear: compliance frameworks in cybersecurity are diverging, not converging. For any enterprise operating across multiple jurisdictions, this is a reality that must be confronted directly.
ISACA + CSA: ISACA released a preview of its 2026 AI Pulse Poll on the conference’s opening day: 32% of organizations have no AI disclosure requirements whatsoever, and large numbers of respondents don’t know how quickly they could shut down AI systems in the event of a security incident. At the same time, CSA released its AI Security Maturity Model and established CSAI, a dedicated nonprofit focused on the AI Agent ecosystem. Both announcements point to the same gap: the frameworks and certifications are being built, but most enterprises can’t even articulate what AI assets they have.
The Women in Security: Amid all the discussions about security, one quieter moment deserves to be recorded: the documentary The Women in Security had its world premiere in San Francisco during RSA. Techstrong interviewed the filmmakers on-site, and one line stayed with me: “This industry is paying a price we can’t see because of the lack of diverse perspectives.” Five years in the making, the film documents the real career journeys of women in cybersecurity.
Closing: Three observations to take away
Agent security is a procurement decision, not a research topic. Geordie AI takes the Sandbox. Large corporations all ship in the same direction. ServiceNow closes an acquisition three weeks before the doors open. The market signal is clear. The four-layer framework, Discovery, Runtime, Identity, Governance, is taking shape, but most enterprises haven’t completed the first layer: they don’t know how many Agents they’re running.
Both sides of offense and defense are AI-powered. Defense hasn’t caught up. Attackers are leaving you 22 seconds. The emergence of AI Hacker and Vibe Coding Security shows that security tools themselves are being rewritten. But ISACA’s data is sobering: 32% of organizations have no disclosure requirements for AI usage at all. The tools are running. The governance mindset hasn’t kept up.
Security is a broader problem, not just a technical one. Four former NSA directors on the same stage. Europe debating digital sovereignty. The JVG algorithm compressing the quantum cryptography timeline. Compliance frameworks diverging rather than converging. The meaning of “security” is expanding; it’s no longer just the CISO’s problem. It’s a board-level problem, and a question every enterprise operating across borders must answer directly.
Again, RSA 2026’s deepest impression on me wasn’t a product launch or a keynote moment. It was the great people and the communities.
(This is my own observation without vendor preference, and there are no buying recommendations.)
*** This is a Security Bloggers Network syndicated blog from Chasing Polaris - Wickey's blog authored by Wickey Wang. Read the original post at: https://wickey.substack.com/p/rsa-2026-observations-when-agents-moved-from-concept-wickey-bo7lc


