12 internet industry trends revealed at RSAC 2026

The 2026 RSA circus is over. The tents are packed and the elephants are loaded onto the train.

Still, it was an eventful week. There were tons of cars – Escalades, Rivians, trucks, but surprisingly no Teslas – covered in dealer names and tag lines, and you couldn’t walk anywhere along Howard Street in San Francisco without seeing “AI-[insert word here like enabled, enhanced, native, powered, etc., etc., etc.].”

I spent the week talking to CISOs, cybersecurity professionals, technology vendors, and service providers. Here are a few of my takeaways.

The CISO AI hierarchy is real

While every marketer is gaga over the AI opportunity, the attitude of cybersecurity professionals was one of panic. In fact, I came up with a profile of three different CISO archetypes:

Active CISO (about 20%): These security leaders were well versed in AI-driven business and technology change and came armed with a list of questions tailored to their business needs. Many of these managers come with security engineers and architects – an action-oriented team. These CISOs have a good understanding of their organization’s AI business plans, as well as their security needs. The goal? Create a shopping list that aligns with their organization’s strategy and supports their governance models, policy compliance controls, and security technology stacks.

Curious and confused CISO (about 40%): These managers know that something is happening with AI in their organization, but they are not sure what, where, or how much of it is happening. Their goal was to learn what risks they face, what risk mitigation measures they should take, and what is available in the industry to help them stop the bleeding. CISOs in this category are looking for help in some way.

Blissfully ignorant CISO (about 40%): Okay, this one is not as fair to CISOs as it is to their organizations. There may be AI development and use under way that the CISO, and maybe some managers, don’t know about. They approached RSA believing that time was on their side, so they might as well have been dissecting AI talk, interviewing vendors, and looking for the best cocktail parties.

In my humble opinion, CISOs will quickly cycle through these stages over the next year. Blissfully ignorant CISOs will get wind of the AI projects in their organization and be overcome with curiosity and confusion. This will not take long. Moving from curiosity and confusion to self-reliance will be a very difficult transition. These CISOs must assess business goals, operational projects, and user activities, then work with managers to create a governance structure, create policies, implement oversight, monitor operations, and manage a flexible model that meets current and future business and technology needs. A common analogy heard at RSA is that companies should be able to fix an aircraft while it is flying.

Legacy security vendors have the inside track on AI – for now

Regarding the use of AI technology in cybersecurity, most CISOs I spoke to were open-minded while leaning on their existing vendors – at least in the short term. This may buy security vendors a little time, but not a lot.

Remember what happened with the cloud as we evolved from a lack of cloud trust, to “lift and shift,” to a cloud environment? The same is happening with AI, only faster than with the cloud. Applying AI to existing tools won’t work for long, a year at most.

You should get the basics of AI right

I was inspired to hear vendors explain how they started their AI transformation by building the infrastructure foundation – data base/content engine, intelligent control plane, execution layer, services, monitoring lines, etc. – then add active agents on top of this base. Cisco/Splunk impressed me with their development approach and roadmap, while AI-based startups like Abstract, Crogl, and Sidekick are betting the farm on this approach.

AI code makes an impact

Vendors are also proficient at using AI development tools and are seeing strong results. I heard about project acceleration and downsizing. Building integrations is a good example. Axonius and Tenable, both known for integrating a wide range of technologies, use AI to offload much of the tedious but necessary work, freeing developers to work on performance rather than plumbing.

AI pricing remains unsettled

While AI capabilities seem to be baked into many tools, I’ve found that no one knows how to price their AI services. Some price by the token, some by the number of users, and some charge per agent. The market will sort this out over the course of the year.

App security gets an AI fix

We all know the impact of AI on software development. After RSA, it is clear to me that the same thing is happening with application security. Anthropic’s Claude Code Security is one example, but I also learned about AWS Security Agent, which provides software testing capabilities throughout the software development lifecycle – from design, to development, to runtime, to red integration.

Likewise, I came across a company called XBow that specializes in autonomous security based on AI agents. Based on these developments, we will see a very different security market at RSA 2027.

Few may be ready for what follows from cyber enemies

There is an active debate in the industry about the impact of AI on the threat landscape: Are existing cybersecurity defenses sufficient, or will AI tilt the battlefield in favor of adversaries?

After RSA, I believe both of these premises are true. Sophisticated firms with strong governance, risk management, asset visibility, modern training, and reasonable hygiene and posture management should be fine. It is surprising that this is a small percentage of organizations. Most of the others do not have advanced security capabilities and adequate resources. Adversaries armed with AI tools and automated workflows will have a field day here.

Managed providers are developing an AI SOC

Managed security service providers (MSSPs) and managed detection and response (MDR) vendors are pushing the envelope on the AI-enabled security operations center (SOC).

Arctic Wolf unveiled the Aurora Superintelligence Platform and Aurora Agentic SOC, which includes agents for surveillance, alerting, investigation, and more. I also came across Ontinue, an MSSP that provides services on top of Microsoft security tools such as Defender for Endpoint, Defender for Azure, and MS Sentinel. It uses AI to achieve what it calls “hyper-contextualization” to understand everything it can about its customers’ business processes and technology infrastructure to improve decision-making.

Microsoft is strengthening its position

Speaking of Microsoft, it’s hard to point to any other vendor that can match its cybersecurity coverage.

Unlike others, Microsoft came to RSA armed with AI metrics and proof points. For example, Microsoft provided some metrics from several customers who have enabled their Defender agents and saved many hours of work while improving accuracy and productivity. I’m sure Microsoft has many examples to share.

Beware of cybersecurity category killers

We’ve always looked at cyber security through the lens of security product categories – EDR, firewalls, SIEM, CSPM, etc. But multi-agent AI products can take on many of these tasks at once, breaking down traditional product buckets and acting as category killers.

CISOs must anticipate this and be open to organizational, process, and budget changes. Also, will multi-agent cybersecurity products spell the death of the Gartner Magic Quadrant and all other vendor mapping products as well?

Awareness training is slowly changing

Training is in flux. I am happy with this development. Awareness training is alternated with behavioral monitoring and change. Human risk management (HRM) tools from Fable Security, KnowBe4, and Mimecast, among others, monitor users and provide nudges when they go astray.

Besides fake phishing, some tools even offer deepfake training. The sale of HRM is limited today in developing organizations, but I believe it will become the real standard as regulators and cyber insurance companies see the light and support this renewal of training.

Claims for patent protection

Well, partial ownership, but this is a step in the right direction. I see interesting developments in areas such as passwordless authentication (I can’t believe it’s 2026 and we still use passwords), browser security, non-human identity (NHI), and special account management.

RSA also pushed discussions about AI agent access and action control – detection, monitoring, control of shadow agents, unauthorized rights, etc. AI will be a major player, helping to ease the painful process of modernizing your identity.

As a cryptographer might say, in this article, I tried to hash every RSA event to a single key. I really enjoyed RSA 2026 (the 20th) and am looking forward to next year. See you at the Moscone Center from April 5 to April 8, 2027.
