The Agentic Pivot: What I Took Away From RSAC 2026

Back to all Blogs
28.03.2026 | Ariel Zamir
3 Min Read

The Agentic Pivot: What I Took Away From RSAC 2026

I’ll be upfront: I spent most of RSAC 2026 looking at the conference through a data security lens. That’s my world, and it shapes what I noticed. But even accounting for that bias, one signal was impossible to miss, and I heard it not just at our booth, but in hallway conversations, keynotes, and the quiet anxiety on the faces of CISOs who stopped to talk.

The “AI Copilot” era is over. We are now in the Agentic Era. And most agents are shadow AI agents: they are already in your environment. Nobody approves them, nobody is watching them, nobody knows which data they access.

1. AI is no longer a tool. It is part of the workforce.

Organizations are no longer experimenting with AI that summarizes alerts. They are deploying agents that act: triaging threats, isolating hosts, executing workflows, managing non-human identities autonomously.

One CISO put it to me bluntly on the expo floor: “I used to worry about my employees making mistakes. Now I worry about my agents making them at a thousand times the speed.”

That sentence stuck with me for the rest of the week.

3. The real leak isn’t the agent, it’s what the agent can touch.

Much of the vendor conversation focused on securing AI models. I think that’s one layer too high.

Agents don’t create risk by existing. They create risk by accessing data, and in most organizations today, there are almost no real-time controls on what an autonomous agent can reach, move, or leak before anyone notices.

This is where I’ll acknowledge my lens directly: this is the problem my company is built to solve. So take this with appropriate skepticism. But I’d challenge any CISO in the room to tell me they have full visibility into what their agents touched last Tuesday.

3. Identity is becoming the mechanism to control data, not the end goal.

The explosion of Non-Human Identities (NHIs) was everywhere at RSAC. Agents spin up, request permissions, act, and disappear, often in seconds. Traditional IAM was not built for this.

What’s emerging is a shift from static identity to dynamic, data behavior-based trust. Not “who is this?” but “does this type of agent, in this context, have a safe track record?”

4. Governance is the control layer that makes innovation possible.

The organizations that will move fastest in the agentic era are not those with the most advanced AI. They are the ones with the strongest governance over how that AI interacts with data (real-time enforcement, visibility into shadow agents, continuous control over data usage).

Governance is no longer a compliance function. It is infrastructure.

Closing thought

RSAC 2026 made one thing clear, at least through my lens: Security is no longer about protecting systems from users. It’s about preventing shadow AI agents from leaking your data. 

The vendors mostly aren’t there yet. Neither are most organizations. But the conversation has moved, and that’s exactly what RSA Conference is for.

Back to all Blogs

Most Popular Posts

Latest Resources

24.03.2026

The Rise Of The Ghost Agent: When Autonomous AI Gets Authority

In 2026, the primary risk question is no longer just “who” has access to your systems. It’s “what” has access. While boards spent the past decade securing human identities, implementing multifactor authentication, conducting phishing simulations and debating zero-trust, organizations invited an invisible workforce through the back door: autonomous AI agents.

Read More
15.03.2026 | Maya Schirmann

The Shadow Insider – When AI Agents Touch Your Data

The Shadow Insider – When AI Agents Touch Your Data Some data security controls can tell you who accessed sensitive data, as long as “who” means a human. In the age of agentic AI, that’s no longer enough. For years, when a security team investigated a data incident, the first question was simple: who touched […]

Read More

Ready to See Ray Security in Action?

BOOK A DEMO