Our take on RSA 2026 and the Rise of AI-Native Cybersecurity

Introduction: This Was Not a Cybersecurity Conference

Last week, we attended the RSA cybersecurity conference at the Moscone Center in San Francisco. The RSA Conference of 2026 will be remembered as the moment when cybersecurity stopped being a collection of tools—and started becoming a system for governing autonomous machines.

Artificial intelligence has been a recurring theme at RSA for years. But in 2026, something fundamentally changed. AI was no longer a feature, an add-on, or even a distinct product category. It became the organizing principle of the entire industry.

Every conversation—whether about identity, cloud security, application security, or security operations—ultimately converged on the same set of questions:

• How do we secure systems that act autonomously?

• How do we govern decisions made at machine speed?

• How do we maintain control when humans are no longer in the loop?

The uncomfortable truth is that the industry does not yet have credible answers.

What RSA 2026 revealed is not maturity—but misalignment at scale: between technology and governance, between vendor claims and actual capability, and between enterprise adoption and security readiness.

Our analysis lays out the structural shifts emerging from that misalignment—and why cybersecurity is entering what can best be described as a control-plane war over AI systems.

1. AI Has Consumed Cybersecurity—But Without Coherence

AI dominated RSA 2026. Estimates suggest that 30–40% of conference content and vendor messaging referenced AI in some form. However, ubiquity did not translate into clarity.

Instead, the market is now suffering from semantic overload:

• “AI-powered security”

• “Agentic security”

• “Autonomous SOC”

• “AI-native platform”

These phrases are widely used but rarely defined. Vendors routinely blur distinctions between:

• AI applied to security operations

• Security applied to AI systems

• Security against AI-driven threats

This confusion is not accidental—it is symptomatic of an industry trying to retrofit new paradigms onto old architectures.

Most incumbent vendors are still in “AI augmentation mode”:

• Adding copilots to dashboards

• Automating existing workflows

• Wrapping LLM interfaces around legacy products

This approach may deliver incremental productivity gains, but it does not address the core shift underway.

The real transformation is architectural, not functional.

Cybersecurity is moving from:

That requires entirely new primitives:

• Context engines

• Policy reasoning systems

• Agent orchestration layers

Very few vendors have built these from first principles.

2. The Real Bottleneck: Enterprise Readiness, Not Technology

One of the most important—and under-discussed—insights from RSA 2026 is that enterprise readiness is lagging far behind technological capability. Across conversations with CISOs, a clear segmentation emerged:

The Proactive Minority (~20%)

These organizations:

• Understand where AI is being deployed

• Are building governance frameworks

• Are aligning security with business objectives

They are early adopters—and potential lighthouse customers.

The Transitional Majority (~40%)

These organizations:

• Know AI adoption is happening

• Lack visibility into scope and risk

• Are actively seeking frameworks and tools

They represent the primary near-term market.

The Unaware Segment (~40%)

These organizations:

• Have limited or no visibility into AI usage

• Assume adoption is controlled

• Are significantly exposed

They represent the latent risk pool—and future demand spike.

This distribution highlights a critical reality:

This creates a powerful wedge for startups and platforms that can:

• Rapidly map AI usage

• Provide immediate visibility

• Translate complexity into actionable control

3. Shadow AI Is Already a Systemic Risk

The concept of “shadow IT” is not new. But “shadow AI” is fundamentally different in both scale and consequence.

Enterprise environments today routinely contain:

• Hundreds of AI tools and services

• Most operating outside formal governance frameworks

Crucially, many of these tools are not obviously risky:

• Writing assistants

• Productivity copilots

• Embedded AI features in SaaS platforms

Yet they introduce:

• Data leakage risks

• Model training exposure

• Compliance violations

The key shift is this:

This invalidates traditional security models based on:

• Approved vs. unapproved applications

• Static access controls

Instead, security must evolve toward:

• Continuous discovery

• Behavioral monitoring

• Context-aware policy enforcement

This is a fundamentally harder problem—and one that most existing tools are not designed to solve.

4. Identity Is Being Redefined by Autonomous Agents

If there was a single theme that stood out at RSA 2026, it was the rise of non-human identity (NHI). Machine identities—APIs, services, workloads—have long outnumbered humans. But AI agents introduce a new dimension:

They are not just identities.

• They are actors.

These agents:

• Make decisions

• Access systems

• Execute workflows

Often:

• Without direct human intervention

• With inherited or delegated credentials

This creates an entirely new class of risk:

Traditional IAM systems are not designed to answer this question. What is emerging instead is a new category:

• Agent identity and intent governance

This will likely become one of the most important battlegrounds in cybersecurity over the next decade.

5. The AI Attack Surface Is Expanding Faster Than It Can Be Secured

AI adoption is introducing entirely new layers of infrastructure:

• Data pipelines for model training and inference

• Vector databases and embedding stores

• Retrieval-Augmented Generation (RAG) architectures

• Agent orchestration frameworks

• Agent-to-resource communication protocols

Each layer introduces new attack vectors:

• Prompt injection

• Data poisoning

• Model inversion

• Unauthorized data access

• Protocol-level vulnerabilities

Yet security coverage across these layers remains uneven.

One of the most concerning gaps is at the protocol layer:

• How agents communicate with systems

• How permissions are delegated

• How actions are authorized

This mirrors earlier transitions:

• APIs in the 2010s

• Containers in the late 2010s

There is little reason to believe this time will be different.

6. Security Operations Are Becoming Autonomous Systems

AI is not just changing what needs to be secured—it is changing how security is executed.

At RSA 2026, multiple vendors demonstrated:

• AI-driven triage

• Automated investigation

• Autonomous response workflows

This is the beginning of the agentic SOC.

The drivers are clear:

• Attack speed is increasing dramatically

• Human response times are insufficient

• Talent shortages persist

The implication is unavoidable:

However, this introduces a new challenge:

• How do you trust automated decisions?

• How do you audit them?

• How do you intervene when necessary?

This brings us back to the central theme: governance of autonomous systems

7. The Collapse of Cybersecurity Categories

For decades, cybersecurity has been organized into discrete categories:

• Endpoint security

• Network security

• Identity

• SIEM

• Cloud security

This model is breaking down. AI systems do not operate within these boundaries. They:

• Observe across domains

• Correlate signals in real time

• Act across multiple layers simultaneously

As a result, we are seeing the emergence of:

• Integrated, AI-native security platforms

These platforms are not defined by category—but by capability:

• Visibility

• Context

• Decision-making

• Execution

The long-term outcome is likely:

• Fewer vendors

• Larger platforms

• Significant consolidation

8. Application Security Is Facing a Structural Crisis

One of the least mature areas exposed at RSA 2026 is application security for AI-generated code.

AI is now writing production-grade software at scale. This introduces new risks:

• Hallucinated dependencies

• Unverified libraries

• Lack of provenance

• New classes of vulnerabilities

Traditional AppSec tools—designed for human-written code—are not sufficient. This is not an incremental gap. It is a structural mismatch.

As AI-generated code becomes dominant, this gap will become:

• A major enterprise risk

• A significant market opportunity

9. Governance Is the Weakest Link

Despite widespread awareness of AI risk, governance remains underdeveloped. Many organizations:

• Discuss AI risk at the board level

• Lack operational mechanisms to manage it

The concept of “human in the loop” is frequently cited—but rarely defined.

At scale:

• Humans cannot review every decision

• Systems lack sufficient transparency

• Auditability is limited

This creates a dangerous illusion of control. Effective governance will require:

• Real-time observability

• Behavioral traceability

• Policy-driven enforcement

In other words:

10. Incumbents vs. Startups: A Narrow Window of Advantage

Incumbent vendors currently benefit from:

• Established relationships

• Integrated platforms

• Customer trust

However, this advantage is fragile. History provides a clear precedent:

• Cloud disrupted on-prem vendors

• Cloud-native startups outpaced incumbents

The same pattern is emerging in AI. Incumbents that:

• Extend existing architectures

• Add superficial AI capabilities

…will struggle.

Startups that:

• Build AI-native systems from first principles

• Focus on control, not features

…have an opportunity to redefine the market.

The window for incumbents is likely 12–24 months.

Conclusion: The Emergence of the AI Security Control Plane

The most important insight from RSA 2026 is this:

This shift is giving rise to a new architectural layer:

The AI Security Control Plane

This control plane encompasses:

• Identity (human and non-human)

• Context (data, behavior, intent)

• Policy (rules, constraints, governance)

• Execution (agents, automation, response)

The companies that successfully build or control this layer will:

• Define the next generation of cybersecurity

• Capture disproportionate value

This is not a short-term trend. It is a structural transformation. And like previous platform shifts, it will:

• Create new market leaders

• Render existing categories obsolete

• Reward those who move early—and decisively

Final Thought

RSA 2026 did not provide all the answers. But it made one thing clear:

/ Service Ventures Team