RSAC 2026 preview: AI hype meets operating model reality – News

We know that the RSAC 2026 cybersecurity conference this week in San Francisco is going to be an artificial intelligence-heavy show. And though we’re going to hear the “AI will change everything” narrative, our premise is that security leaders are being asked to put AI into operation in an environment where complexity is rising faster than control.

Organizations are still struggling to consolidate the sprawl of tools in their security stacks and at the same time apply zero-trust principles. To avoid AI becoming yet another layer, organizations must tie AI to clear outcomes and integrate intelligence into operating processes. Enterprise Technology Research survey data captures the challenge. At least 90% of organizations say they’re leveraging AI somewhere in their security stack, but 75% are applying AI to less than 10% of their security portfolio.

And that gap quantifies the degree to which AI is present, but not yet scaled. Most deployments are narrow or tactical and constrained by the same blockers: reliable data access, integration across tools, governance and trust.

The AI security operations center conversation will also dominate RSAC with increasingly automated triage, investigation, things such as isolation and patching and the like. But agents will succeed or fail on foundations such as telemetry, quality, identity controls and exposure management hygiene, and, of course, recoverability. As cybersecurity expert Jon Oltsik wrote in his RSAC preview, the agenda for RSA 2026 should be approached with curiosity and optimism, but also suspicion and, of course, a plan. The conference is going to be full of platform claims across AI SOC, exposure management, identity and cyber resilience. But the practical question for chief information security officers is where AI reduces time to detect, time to respond, and operational friction without increasing risk.

And where it simply adds another tool that the team can’t integrate, govern or measure, that should be avoided. In this week’s Breaking Analysis, we collaborate with Jon Oltsik to prepare you for RSAC 2026 and highlight five top trends that he believes CISOs should monitor at this year’s conference.

RSAC’s theme this year is “The Power of Community,” and the timing is a little ironic given how much of the conference buzz is going to be about AI agents. The security industry has become more collaborative over the last decade – competitors share more threat intelligence and practitioners work together more than they used to. Now there’s a new dimension: machine-based agents acting on behalf of humans.

The right way to square the circle is to treat agents as a complement to what security teams already do. Sometimes they replace people, sometimes they augment people, but they extend the community rather than compete with it. The community and collaboration have always been there in cybersecurity, to varying degrees. Agents are another tool inside that community that can extend, enhance, and supplement human work.

The practical implication is the theme works if the focus stays on how AI helps the community do better work, and how it helps practitioners as individuals and teams. When AI is used that way, the ironic theme becomes more than marketing.

The rise of the AI SOC: Progress meets caution

The AI SOC will be one of the loudest conversations at RSAC 2026. Vendor messaging is moving beyond copilots that help analysts, toward agents that can take on real SOC work such as triage, investigation, containment and even remediation steps such as isolating hosts and initiating patch workflows. The direction is alluring, but the gap between promise and operational reality still lingers.

The most credible progress is coming from focused use cases. Startups have generally picked a slice of security operations and gone deep with things such as alert triage as an obvious example. SOCs drown in alerts. Historically, even strong teams could only treat a small fraction of them. We believe AI-driven triage can push that number dramatically higher – from the old 15% to 20% range to something closer to 90% to 95% in the best cases. That is meaningful to a group of pros that are constrained by time, attention and data volume.

Security teams remain cautious by nature. The human-in-the-loop mindset is still deeply embedded in their psyche. In our view, the practical approach is to assess where automation helps most – where processes are inefficient and where teams are bottlenecked by data. That should be the starting point for AI SOC adoption.

The near-term reality is that implementation is bifurcated. Some capabilities will be added onto existing platforms and workflows. Other capabilities will emerge as more AI-native approaches. The market is in the early phases, but the innovation is moving fast, and RSAC will be a good place to separate signal from rebranding.

MSSPs: The fastest path to ‘automation at scale’

The most aggressive AI SOC deployments may come from managed security service providers, for a simple reason that the MSSP business has thin margins and scaling by hiring and training people doesn’t work. It’s especially hard when everyone is competing for the same talent.

This creates strong economic pressure for MSSPs to adopt AI and process automation quickly. Our expectation is that large MSSPs such as Arctic Wolf Networks Inc., Expel Inc. and LevelBlue Inc. will be among the most aggressive in deploying automation because doing it well expands margins and grows market share. That is a path many buyers and vendors overlook, and it will be worth listening closely to what these providers are saying at RSAC.

Nick Schneider, CEO of Arctic Wolf, is coming on our CEO series, and probing this specific point – how far they can push automation while managing trust and liability – should be high on the question list.

CTEM and the mandate for credible data

Continuous threat exposure management or CTEM will get attention at RSAC because snapshot scanning and static vulnerability doesn’t hold up in a world that moves at machine speeds. The premise is that security teams want a clearer picture of assets, configurations, location, vulnerabilities, ownership and business criticality, tied to threat intelligence and adversary tactics so they can prioritize.

The catch is CTEM lives or dies on data. The first questions are boring but important: Is the data accessible, available and in a format that can be used effectively? Once the data is usable, the next step is context : Which assets are critical, what are the critical paths to those assets, who has access, are systems configured correctly, and is MFA in place? That upfront work is often ignored as people jump to tooling.

CTEM also doesn’t work well as a generic product drop-in. It has to be customized by industry, use case and organization. The vendors that thrive will be those that acknowledge this reality and can help operationalize the work, not just sell a platform.

When CTEM is done right, the benefits are tangible as follows:

• Higher confidence in risk scoring – distinguishing “vulnerable” from “exposed;”
• Predictive analysis based on what adversaries have exploited in the past and likely future paths;
• Better alignment with information technology operations – replacing “here are 1,000 exposures, patch now” with prioritized remediation that maps to business criticality.

The other important point is that “get your data house in order first” can be a limiting strategy. The security world has been on the data security journey for years – discover data, classify data, then apply the right controls. The reality is there is too much data and it’s growing too quickly.

AI becomes an accelerant for quality discovery and classification, and it hastens the path to better controls. Waiting for perfect data clarity doesn’t make sense. The practical approach is working in parallel. In other words, build the data foundation while using AI to shape, cleanse and focus on the data that matters for the task at hand.

Cyber resilience: A capability, not a product

Cyber resilience is one of those terms the industry loves to market, but it only becomes useful when it can be operationalized. The NIST definition helps break resilience into phases: Anticipate, withstand, recover and adapt. And it forces teams to think beyond a single control or a single tool.

The first red flag is if any vendor says “we sell a cyber resilience product” – run, don’t walk. As if it’s a product you can buy off the shelf. A tool may support one part of the framework, but cyber resilience is the outcome of multiple capabilities working together.

The right starting point is the business. Identify what systems and business processes must remain resilient. Healthcare is a good example because the focus isn’t “hospital resilience,” it’s clinical resilience – treating patients. If systems go down, the organization still has to operate, even if that means paper and pencil. That mindset helps focus on the path to a desired outcome.

From there, step through each phase of the NIST framework:

• Anticipate – understand threat intelligence, who is attacking and how, apply frameworks like MITRE ATT&CK, do detection engineering and tune controls;
• Withstand – use segmentation so compromise in one area can’t reach crown jewels elsewhere, and strengthen the ability to detect and respond quickly.
• Recover – focus on the mechanics of getting back online fast, including immutable backups and proven recovery processes; with minimal loss for high value data.
• Adapt – learn from incidents, tune technology, refine procedures and make targeted investments with CISO leadership driving the changes.

A key learning from experts is that resilience depends on planning and testing. Business continuity and disaster recovery works when it is practiced, but the worst-case scenario is always the one that wasn’t planned for. 9/11 is a reminder in that many financial firms were diligent about BC/DR with redundant sites and connectivity, but they didn’t anticipate the simultaneous impacts of people not being available and infrastructure crushed across multiple locations. Resilience means thinking about those scenarios, planning for them and testing the plan.

The north star is not a product portfolio. It’s the ability to keep critical processes operating through disruption, limit blast radius when systems are compromised, and restore operations quickly with confidence. In our view, that’s the mindset CISOs should use when evaluating “cyber resilience” claims at RSAC.

Identity is the perimeter: Governance, no passwords and identity-first detection

In 2023, the theme of the conference focused on an identity crisis. Identity is always center stage at RSAC 2026 because the perimeter is gone and has been for quite some time. The old idea of digging a moat around a network has long been obsolete in a world of cloud apps, remote data and distributed access. Identity becomes the security perimeter, and the biggest question we pose and are watching at RSAC is where identity is actually advancing versus getting repackaged.

One change is organizational. In the past, security had a seat in the room when identity came up. Now security has a seat at the table and a primary voice. Identity is pulling security into development, IT operations and business processes because you can’t bolt it on later.

The practical progressions we advise are as follows:

• Identity governance: Who should have access to what? The early approach was a checkbox exercise where security presents business owners with lists of users and asks, “Should they have access or not?” Business owners didn’t have time to deeply consider the implications and that approach didn’t scale; nor was it personalized. The opportunity now is to use AI and assess entitlements continuously – who is accessing what, whether that matches their role, whether their role changed and whether access should be revoked. This is a strong fit for agents because it’s high-volume and repetitive, and rules plus context can be learned from behavior over time — and change dynamically.
• Passwordless: The obvious question is why passwords still exist in 2026. The technology is here – FIDO2, passkeys – and the momentum is shifting toward mandate. The consumerization of identity is coming to the enterprise. People use passkeys for banking and other consumer workflows, and then come into the enterprise asking why internal systems are behind. Identity often enters through the back door that way. We agree with Larry Ellison: Passwords are a terrible idea.
• Identity threat detection and response: The focus is moving toward identity-centric attacks and detection. Identity attacks are dominating because stealing or finding passwords is often easier for attackers than exploiting software vulnerabilities. That pushes enterprises toward behavior-aware detection – understanding what “normal” looks like for a user in the context of daily work and flagging deviations. This is related to UEBA, or user and entity behavior analytics, but the point is security teams need better identity telemetry and better response vectors when credentials are abused.
• Human risk management: Training becomes individualized rather than broadly applied across an organization or department. AI can identify who is more likely to click phishing links and tailor training and “nudges” to how that person learns – video, reading, short prompts – and deliver it in the moment when behavior needs to change.

The ideal outcome in our view is an identity program that’s not just authentication and provisioning. It’s governance, behavior and response, tied into business process and operations. And if the industry is serious about getting rid of passwords, the goal is simple that computers should know who you are when they see you.

ETR data: AI adoption is steadily increasing but still shallow

Let’s take a quick detour into Enterprise Technology Research’s pre-RSAC survey data, which shows why RSAC 2026 is going to feel like an AI conference, even though adoption is still uneven. The latest survey shown below has 517 respondents, and the question posed is: What percentage of an organization’s security tools leverage some form of AI or ML?

The first point is that AI is nearly ubiquitous. Only 5% of respondents say they are not using any AI at all, and that’s likely understated because machine learning has been embedded in security tools for at least a decade. AI has been present longer than many teams realize.

The more important datapoint is we see gradual expansion across the stack:

• Respondents saying AI is used in more than 10% of their security tools rose to 51%, up from 40% last year.
• Sixteen percent say AI is used in more than half of their security tooling, up from 11%.

So yes, the data suggests AI is steadily being injected into security portfolios. The caveat, however, is security practitioners are paid to be paranoid. They worry about hallucinations and black-box behavior. They want to know what their products are doing, how AI is characterized, how models are built, and who is building them. Those questions are relevant, especially as agents start taking actions.

The right posture is cautious optimism, in our view. Be skeptical and ask hard questions, but stay open-minded. AI is coming fast and furiously, and organizations that treat it as “optional” will get surprised on the downside.

Everything AI: Governance first, then visibility, then tooling

AI is going to 2026 conferences, and RSAC is no exception. The problem is the topic is sprawling. Every category has subcategories, and every subcategory has hype. To simplify we assess two tracks – securing AI and defending against AI-enabled threats – then tie it back into an operating plan.

The defender track starts with a reality CISOs are living every day. Executives are gaga over AI – revenue, cost reduction, competitive pressure. The CISO’s job is to say yes, but do it intelligently and manage risk. That’s a careful dance inside most enterprises right now, and it only works if governance is consistent across the company.

The practical sequence we advise is shown below:

• Governance – Establish a framework that is universally true across the enterprise. Business units need a common baseline for how they justify AI use, how they build AI applications responsibly, and how they manage bias and risk.
• Visibility – Understand what data is being used and who is using it. Shadow AI is the obvious issue here. Who is using AI tools and are they exposing company data? You need visibility before you can control it.
• Tooling – Once governance and visibility are in place, then bring in the controls that enforce the rules. That includes AI in the development cycle (DevSecOps), identity and liveness checks for biometric-based access, and AI firewalling where rules have to be enforced around AI use and AI application development.

AI security is not a single category. MCP security, authentication, provenance, posture management, DevSecOps, SecOps – it all gets pulled into the conversation because the attack surface is expanding quickly. And a lot of this is being done in co-development with partners and vendors, which adds another layer of complexity and risk.

On the attacker vector, RSAC will be full of scary narratives – polymorphic agents, control bypass, more convincing phishing. Much of it is real. The useful approach is to focus on where the enterprise is actually exposed today. Specifically, governance gaps, unknown AI usage, weak data controls and inconsistent enforcement. That’s where real budget decisions should be made in 2026.

There is more here than can be unpacked in one segment, but the key point is CISOs have to get their hands on this now. AI is moving fast, the attack surface is growing, and the organizations that treat AI governance as a side project will find out quickly that it isn’t.

Tool consolidation vs. platformization: Fewer vendors, more integration, same reality

Tool sprawl has been a recurring theme for years, and the ETR data still reflects how hard it is to reduce vendors in a real security stack. The “decrease” bar in red below is still tepid – around 10% of respondents say they expect to reduce the number of cybersecurity vendors over the next 12 months. That hasn’t moved much. The more meaningful delta is the percentage saying they expect to increase vendors has dropped from 51% two years ago to 35% today. That’s “mission accomplished,” but it suggests the frantic adoption of shiny new point tools is slowing.

Large enterprises show more movement in the ETR data. In the Fortune 1000 cut (75 respondents), 16% say they’re decreasing vendors, noticeably higher than the average. Even there, the bigger story is that rationalization is a constant activity for CISOs – requirements change, tools converge, and teams are always asking what can be retired.

There’s also an important nuance in that vendor consolidation is not the same as “platformization.”

Vendor consolidation

Vendor consolidation is the “one throat to choke” move. If an environment has CrowdStrike, SentinelOne, Trend Micro, plus legacy Symantec or McAfee, a new CISO may simply pick one vendor, standardize and scale skills and operations around that vendor’s product. The benefits are:

• Better pricing leverage;
• More operational scale for desktop support and SOC teams;
• Fewer consoles and fewer workflows.

That reduces vendor count, but it doesn’t necessarily create a platform.

Platformization

Platformization is buying diverse tools from a single vendor that has integrated them – threat intelligence, EDR, SIEM, SOAR and other “alphabet soup” capabilities – so the SOC standardizes on a tightly connected set of controls. That approach can work well for small and medium-sized businesses, state and local governments, and any organization with resource constraints. The bigger and more diverse the enterprise, the more the platform fit becomes uneven because the environment is customized, the threats vary and global requirements are hard for any one platform vendor to keep up with.

Platformization also carries a “platform ecosystem” benefit. Major platform vendors bring:

• Partners with custom integrations that extend the platform;
• Developer tooling and services;
• Professional services and service providers that can run the platform on your behalf.

Those are definite advantages, but the platform ceiling is hit in highly heterogeneous global enterprises.

Integration philosophy varies

At the end of the day, a platform has to be tightly integrated. Platforms can be extended through application programming interfaces and custom integrations and work pretty well, but the question is whether it works the way customers want in the most demanding environments. That’s why the acquisitive strategy continues to be a theme in the security industry. Vendors that buy and integrate argue they do it better when it’s native – proprietary access to code and deeper engineering integration.

This explains why identity keeps showing up in M&A strategies. Identity as the perimeter isn’t new, but it is strategic, and the platform is only as good as its elements. If identity is a core element, platform vendors will either partner deeply or acquire – because weak identity erodes the value of the rest of the stack.

The bottom line is platformization is real for a segment of the market, consolidation is always happening, and innovation still forces new point tools into the biggest enterprises. The most likely near-term outcome is more dollars flowing to fewer vendors (industry consolidation), while niche innovators still enter where requirements outpace the platforms – then get acquired and absorbed later.

Final thoughts: Zero trust is still relevant, as are many other topics

RSAC 2026 is going to be overloaded with topics – zero trust, cloud security, platforms, all the “DR/CDR/EDR/XDR” alphabet soup, IT/OT, post-quantum and a lot of hallway conversations that end up being more valuable than some keynotes. That’s the nature of RSAC. The agenda is big, but the lobby con is where people compare notes, figure out what’s real and do deals.

The closing segment here focuses on zero trust. It may not be as sexy as it was a few years ago, but it’s still there and it’s still consuming real cycles. The Department of Defense has something like 156 different categories or descriptions of what makes up zero trust. And CISOs are still in the middle of initiatives – not theory, not “we’re thinking about it,” but doing active work.

The reason zero trust persists is it cascades into identity, resilience and other parts of the stack. So although it may not be the marquee topic on stage, it will be in the conversations. Everyone is dealing with it, and it’s deeply intertwined with the agent and AI discussions because the minute you move toward more automation, you need clearer access control, tighter policy enforcement and better containment.

RSAC is going to be a full-contact week. The CEO series is back, and theCUBE is live on Media Row in Moscone West. We’ll be exploring the hard questions, comparing practitioner experiences and using the community to sanity-check vendor claims.

Come join us!

Image: theCUBE Research/Gemini

Disclaimer: All statements made regarding companies or securities are strictly beliefs, points of view and opinions held by News Media, Enterprise Technology Research, other guests on theCUBE and guest writers. Such statements are not recommendations by these individuals to buy, sell or hold any security. The content presented does not constitute investment advice and should not be used as the basis for any investment decision. You and only you are responsible for your investment decisions.

Disclosure: Many of the companies cited in Breaking Analysis are sponsors of theCUBE and/or clients of theCUBE Research. None of these firms or other companies have any editorial control over or advanced viewing of what’s published in Breaking Analysis.