RSAC 2026: Security Must Evolve from Access Control to Action Governance

The RSA Conference did not mark the arrival of AI in cybersecurity. However, it did expose a more critical reality: the industry is not yet fully equipped to control what AI-enabled systems can do.

The defining shift is not AI adoption; it is the transition from access control to action governance. As AI agents, automation, and non-human identities proliferate, risk no longer originates at the point of entry. It emerges after trust is granted, through actions that are technically permitted but operationally dangerous.

The Agentic Era Has Begun—But the Market Is Not Aligned

RSAC 2026 confirmed that cybersecurity has entered the agentic AI era, where AI systems are no longer passive tools but active participants in operations. Vendors across the ecosystem are introducing “agentic SOCs,” AI-driven workflows, and autonomous response capabilities.

However, the market remains structurally fragmented:

  • There isn’t a consistent definition of an “agentic SOC”
  • We still do not have a standardized architecture or deployment model
  • The market still lacks clear pricing or a value measurement framework

There are parallels to the early evolution of XDR, where vendor positioning outpaced market clarity. Today, many vendors are taking a wait-and-see approach, recognizing that premature commitment to a single model carries risk.

More importantly, the industry has not resolved a fundamental question: How much autonomy should security teams delegate to AI systems, and under what controls?


“You Have AI – So What?”

One of the most important signals at RSAC 2026 was the market’s growing intolerance for vague AI claims. The era of “AI-powered” as a differentiator is over. Buyers are now applying a simple but effective filter:

  • What specific outcomes does AI provide and/or improve?
  • How is value measured?
  • Can it reduce risk, not just activity?

Vendors that cannot clearly articulate a quantifiable impact are now getting pushed aside. This is particularly evident among service providers, where proving ROI has historically been a challenge.

For example, partnerships such as IBM collaborating with cyber risk platforms like CyberSaint signal a shift toward quantifiable, business-aligned security outcomes. Security is increasingly being framed in financial terms, not just technical metrics, because it is considered a modern business enabler.

Risk Has Moved: From Access to Action

The most structurally significant shift discussed at RSAC 2026 is the redefinition of risk. Historically, security models focused on controlling access:

  • Authentication
  • Authorization
  • Perimeter defense

That model is now insufficient. Risk begins after access is granted. Security leaders are increasingly concerned with what trusted entities, human or non-human, are doing:

  • Authorized users making unintended changes
  • Automation executing flawed logic
  • AI agents acting within permissions but outside intent

This shift reframes cybersecurity as a behavioral control problem, not just an identity problem.

Non-Human Identities Become First-Class Risk Actors

The rise of non-human identities (NHIs) is accelerating this challenge. These include:

  • Service accounts
  • API keys
  • Automation scripts
  • Bots
  • AI agents

Unlike human users, NHIs operate continuously, at machine speed, and across multiple systems.

Traditional IAM frameworks, designed for human users, are not sufficient to govern these entities. This is driving a fundamental transformation:

  • Movement toward unified identity control planes
  • Shift from persistent privileges to just-in-time access
  • Emerging need for new identity classes with distinct governance models

The long-term implication is clear: Identity security must evolve from human-centric models to hybrid identity ecosystems.

Visibility Is Not Understanding: The Judgment Gap

Organizations today are saturated with telemetry, including alerts, dashboards, and a high volume of signals. Yet decision-making has not improved proportionally. The gap is not visibility; it is judgment:

  • What matters?
  • Who is accountable?
  • When should action be taken?

This distinction between exposure and risk is becoming more pronounced as AI increases the volume and velocity of activity. Security operations must therefore evolve from data aggregation to contextual prioritization and decision frameworks.

AI in the SOC: Augmentation, Not Replacement

Despite aggressive narratives, the reality of AI in the SOC is pragmatic.

No credible vendor is operationally committing to a fully autonomous SOC. Trust, accountability, and technical limitations prevent this. Instead, AI is being deployed to:

  • Augment Tier 1 analysts
  • Accelerate investigation workflows
  • Reduce alert fatigue

However, this introduces a structural risk: If entry-level roles are automated, the industry may undermine its future talent pipeline.

Without hands-on experience at the Tier 1 level, developing Tier 2 and Tier 3 expertise becomes significantly more difficult. This remains an unresolved challenge with long-term implications.

Runtime Security Becomes the Primary Control Layer

A major architectural shift emerging from RSAC 2026 is the elevation of runtime security. Traditional approaches such as vulnerability scanning, posture management, and static analysis are increasingly insufficient in cloud-native and AI-driven environments.

Runtime is becoming:

  • The source of truth for risk validation
  • The primary enforcement point for threat prevention

Technologies such as extended Berkeley Packet Filter (eBPF)-based controls are gaining traction because they enable:

  • Real-time visibility
  • Inline enforcement
  • Immediate threat interruption

This reflects a broader transition: From visibility-first architectures to control-first architectures.

AI Reshapes AppSec and the Software Supply Chain

AI is fundamentally changing application security. Traditional scanning models are under pressure as organizations move toward AI-driven prioritization, automated remediation, and developer-centric workflows.

At the same time, software supply chain security is evolving beyond static inventory (e.g., SBOMs) toward continuous trust validation.

Organizations must now answer:

  • What entered the pipeline?
  • How has it changed?
  • Does runtime behavior align with expectations?

This is particularly critical as AI-generated code increases development velocity beyond what traditional controls can manage. 

Identity and Data Security: The Core Structural Weakness

RSAC 2026 reinforced that identity and data security are the most significant structural vulnerabilities in modern environments. AI agents amplify both risks:

  • They operate using valid credentials
  • They interact continuously with sensitive data
  • Their behavior often appears legitimate

This creates critical blind spots in detection, attribution, and forensics.

Legacy security models—built on distinguishing malicious from legitimate access—are increasingly ineffective when malicious outcomes originate from legitimate actions.

A Subtle Shift Toward Hybrid and On-Premise Models

An emerging, though not dominant, trend is a renewed interest in hybrid and on-premise deployments. Vendors such as Cisco noted that some organizations are reassessing cloud dependency due to geopolitical concerns, sovereignty requirements, and a desire for greater operational control.

While cloud remains central, this suggests a potential rebalancing toward more distributed and self-sufficient architectures.

What This Means for CISOs

The shifts observed at RSAC 2026 require immediate strategic response:

  • Reframe risk models: Move beyond access control to governing actions and behavior
  • Modernize identity governance: Extend controls to non-human identities and AI agents
  • Prioritize runtime enforcement: Treat runtime as the primary control layer, not a secondary one
  • Demand measurable AI outcomes: Apply the “So what?” test to all AI investments
  • Prepare for hybrid architectures: Maintain flexibility across cloud and on-premise environments
  • Address talent pipeline risk: Balance automation with workforce development

Conclusion: Security Must Govern Autonomous Systems

The cybersecurity industry is entering a fundamentally new phase. The challenge is no longer securing users or systems; it is governing autonomous actors operating at scale.

The last decade of cybersecurity was defined by controlling access. The next decade will be defined by controlling behavior. Organizations that fail to make this transition will not lack visibility; they will lack control.

About Jarad Carleton

Jarad Carleton is Global Research Director in Frost & Sullivan's Cybersecurity programme. He has over 20 years' experience in global market research, analysis, project methodology development, international project management, & business development.

Danielle VanZandt

Danielle VanZandt heads the global Security Research program for Frost & Sullivan, exploring areas such as physical security and surveillance, cybersecurity practices, and identity security. She also focuses on public sector security practices, industry data protection and security regulations, Safe City implementations, and advanced data security practices.

Anh Tien Vu

Tien is the industry principal on the Cybersecurity team at Frost & Sullivan, a leading global technology-centric market research and consulting company. He is now based in Kuala Lumpur, Malaysia, where he leads the research firm’s cybersecurity research activities across the Asia Pacific region. He has more than 12 years of experience, with more than 10 years dedicated to cybersecurity research and consulting activities.

Vivien Pua

Vivien Pua is a senior industry analyst with the Security team in the cyber security space. Vivien has more than 6 years of research/consulting experience. She focuses on in-depth industry research and interacts closely with all segments of the ecosystem, including the leading security vendors, managed security service providers, channel partners and relevant experts. She covers a broad range of cyber security areas, forming long-standing relationships with leading industry players and other stakeholders.

Lucas Ferreyra

Lucas Ferreyra is an Industry Principal in Frost & Sullivan’s Cybersecurity practice, leading research and strategic initiatives focused on Managed Detection & Response (MDR), XDR and security operations platforms, managed security services (MSS), and the evolution toward AI SOCs. With more than 12 years of experience across consulting, market research, and industry analysis, he supports cybersecurity and technology providers in refining growth strategies, strengthening market positioning, and translating complex security trends into actionable direction.

Brian Cotton

Brian Cotton is the Global Lead for the Information and Communications Technologies practice, a multi-million dollar business that spans the globe. He leads a team of analysts, futurists and economists to help develop strategies for organizations, universities and the investment community to identify opportunities, capitalize on innovation and accelerate growth. For the past 30 years, Cotton has been recognized as a leading expert and trusted advisor to C-Level executives for his ability to provide expert perspectives on the future of IT-enabled industries and guide clients through the complexity of digital transformation.
