RSAC 2026: From Hype to Agency

Reflecting on 100 Days of AI Acceleration and the New Era of Identity

RSAC 2026 felt like a milestone. If 2024 was about the potential of AI and 2025 was about implementation and agents, 2026 is officially the year of the agents in the context of enterprise security. Walking the floor this year, the conversation shifted. We are no longer just defending perimeters. We are managing an entirely new ecosystem of digital behavior.

The Reality of AI Adoption

Alan Snyder, CEO of NowSecure, captured the complex reality of the current landscape. The industry is moving fast, driven by a mix of high-velocity ambition and deep-seated apprehension.

"The reality is that AI confusion and mania are real. Everyone wants to use AI, even though they are afraid of it, and even though they haven't yet figured out how to properly implement or secure it," Snyder noted.

"Right now, organizations are more afraid of AI-enabled attackers or being left behind by competitors than they are of the consequences of wasted dollars or failed efforts.”

It should be noted that this urgency is not born out of irresponsibility. It is driven by the stark realization that only automation and AI can effectively defend against AI.

The Reality Check

That rapid adoption still comes with growing pains. Jeff Man, the INFOSEC Curmudgeon and Co-Host of Paul’s Security Weekly, provided a historical perspective on how the industry talks about and deploys these new capabilities.

"Two years ago everyone was mentioning AI in their pitches because they thought they should. Last year AI seemed to have been integrated into their products and they had a more tangible pitch. This year the theme that emerged for me was, 'shoot, now we have to worry about the security of AI'."

Jeff pointed out the familiar trap of "bolting on" security rather than baking it in from the start. It is a vital reminder that as our tools get smarter, our foundational security practices cannot be left behind.

Empowering the Defender

Despite the security hurdles, the utility of these tools is undeniable. At the Cloud Security Alliance (CSA), the focus is on how agents are rewriting the job description of the modern security professional. Scott Williams, Director of Startup Acceleration at CSA, sees this as a pivotal moment.

"The swift adoption of agents to enhance and empower human capabilities is already underway. I am encouraged by the level of innovation in Agentic AI, whether it's aimed at ensuring safe usage or utilizing agents to strengthen both offensive and defensive cybersecurity measures."

This positive impact is already being felt on the front lines. Esfandiyar Alaee, a Sales Director and familiar face at RSAC with over 20 years of experience selling cyber security technologies, has seen how quickly the market is adapting.

"We are seeing a level of diversity and growth in AI applications that was unthinkable even six months ago," Esfandiyar observed. "It’s affecting every security product on the market, but more importantly, it’s finally helping security practitioners move from being reactive to being proactive."

The Rise of Agentic Traffic

This rapid growth leads to the most critical technical shift discussed at RSAC 2026: the rise of agentic traffic.

Right now, agentic traffic is still less than 10% of total volume, but it is disproportionately influential. It is growing exponentially, not linearly, and it is reshaping how traffic flows even before dominating the full volume.

The old binary of "is this a bot?" is obsolete. Some of these are going to be good bots adding a lot of value. Detection must shift from identifying the origin to questioning the behavior. We need to start asking:

• Is this a legitimate bot?
• Is this a legitimate human?
• Is this a legitimate action?
• Are they allowed to do what they are asking to be able to do?

Cryptographic Proof is Still the Future

This brings us to a fundamental truth. No matter what happens with AI moving forward, trusted computing and cryptographic proof will be paramount.

The bedrock of future security is proving you are communicating with the right entity. It will not matter if that entity is a person, an app, an agent, an agentic AI, a traditional AI, or a backend workload. If we cannot positively prove identity and intent, the rest of the security stack falls apart.

Moving Forward Together

One speaker from the CSA talk track Monday of RSAC suggested we should treat these agents like humans and employees. While this was in the context of understanding they can make mistakes, I think taking that approach to securing agents, like we would our own employees, is a smart approach. Zero trust, least privilege, continuous authentication.

The tools that served us in 2025 are already being rewritten to accommodate a world where legitimate action and verified identity are the only metrics that matter.

We are all navigating this massive architectural pivot at the same time. To get this right, we need to collaborate. Now is the time to listen to best practices from others across the industry, be it friend or competitor. The only way we secure the future of Agentic AI is by building it together.