3 RSAC 2026 Takeaways Security and Compliance Teams Can't Ignore

RSAC 2026 was a reality check: AI agents are outpacing our security. Cyberbase co-founders Jon McLachlan and Sasha Sinkevich hit the ground to break down 3 takeaways on identity chaos, GRC burnout, and why we're automating vendor risk. This is exactly why we built Cyberbase.

April 3, 2026

4 min read



RSAC 2026 just wrapped up at the Moscone Center, and the atmosphere in San Francisco was different this year. With over 43,500 attendees and 600+ exhibitors, the sheer scale was back to peak form, but the conversation had shifted.

For the first time, AI wasn’t just a "track" or a trending buzzword—it was the bedrock of the entire event, woven into roughly 40% of the agenda. However, the most interesting insights didn't come from the flashy stage demos. They came from the quiet hallway conversations and the pointed questions during Q&A: AI agents are officially here, and our governance models are nowhere near ready.

We spent the week on the ground talking to CISOs and practitioners. Here are the three practical takeaways every security and compliance leader needs to process right now.

RSAC 2026 - Cyberbase team leadership: networking

1. Agentic AI is an "Identity Control-Plane" Problem

This was the most persistent theme of the week. AI agents aren't just chatbots anymore; they are autonomous entities that need access to your systems, data, and workflows to actually perform tasks.

The challenge? Most Identity and Access Management (IAM) programs were built for humans who stay at a company for years. They weren't designed for "ephemeral" agents that spin up, perform a high-speed task, and vanish.

“With chatbots, you worry about getting the wrong answer. With agents, you worry about taking the wrong action.”

Jeetu Patel, Cisco Chief Product Officer, during his RSAC keynote.

When an agent has elevated privileges to execute multi-step workflows, a minor permission error isn't a typo—it’s a material security incident. Since non-human identities (NHIs) now vastly outnumber human ones, the "inventory gap" is becoming a crisis. Most teams don't even know how many agents are running in their environment, let alone how to manage their lifecycle.

The Move: Stop treating agents like "tools" and start treating them like "digital coworkers." Begin with a hard inventory of every non-human identity (agents, service accounts, API tokens, bots), then build a lifecycle process that provisions, scopes, monitors, and decommissions them at machine speed.
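As an added illustration of what a "hard inventory" check looks like once the identities are in a structured list (example code written for this article, not Cyberbase's product or any vendor's tooling): the inventory, field names, thresholds and scope list below are constructed assumptions, and the point is that lifecycle violations the article describes (no accountable owner, broad scope, stale or never-used credentials, an ephemeral agent that outlived its expected lifetime) become mechanical to detect the moment you actually have the inventory.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory for the example (not real data). Field names are
# assumptions; map them onto whatever your IdP, cloud IAM or secrets manager exports.
@dataclass
class Identity:
    name: str
    kind: str                         # "human", "service_account", "api_token" or "agent"
    owner: Optional[str]              # accountable human or team, if any
    created: datetime
    last_used: Optional[datetime]
    scopes: List[str] = field(default_factory=list)
    ttl: Optional[timedelta] = None   # expected lifetime for ephemeral identities

NOW = datetime(2026, 4, 1)              # fixed "now" so the example is deterministic
STALE_AFTER = timedelta(days=30)        # assumed policy: unused NHIs are flagged after 30 days
BROAD_SCOPES = {"*", "admin", "owner"}  # assumed scopes that should never sit on an NHI unreviewed

INVENTORY = [
    Identity("alice", "human", None, NOW - timedelta(days=900), NOW - timedelta(days=1), ["repo:read"]),
    Identity("ci-deploy", "service_account", "platform-team", NOW - timedelta(days=400),
             NOW - timedelta(days=2), ["deploy:prod"]),
    Identity("legacy-export", "api_token", None, NOW - timedelta(days=700),
             NOW - timedelta(days=120), ["*"]),
    # Short-lived agent that should have been torn down an hour ago
    Identity("agent-ticket-triage-7f3", "agent", "secops", NOW - timedelta(hours=2),
             NOW - timedelta(minutes=5), ["tickets:write"], ttl=timedelta(hours=1)),
    # Agent nobody owns, with admin scope, never used, two days past its TTL
    Identity("agent-vendor-review", "agent", None, NOW - timedelta(days=3),
             None, ["admin"], ttl=timedelta(days=1)),
]

def audit(identities: List[Identity], now: datetime = NOW) -> List[Tuple[str, str]]:
    """Return (identity name, finding) pairs for every lifecycle-policy violation.

    Human accounts are skipped on purpose: the gap the article describes is the
    non-human identities the existing IAM program was never built to track.
    """
    findings: List[Tuple[str, str]] = []
    for i in identities:
        if i.kind == "human":
            continue
        if i.owner is None:
            findings.append((i.name, "no accountable owner"))
        broad = BROAD_SCOPES & set(i.scopes)
        if broad:
            findings.append((i.name, "broad scope: " + ",".join(sorted(broad))))
        if i.last_used is None:
            findings.append((i.name, "never used since creation"))
        elif now - i.last_used > STALE_AFTER:
            findings.append((i.name, f"unused for {(now - i.last_used).days} days"))
        if i.ttl is not None and now - i.created > i.ttl:
            findings.append((i.name, "ephemeral identity outlived its TTL; decommission"))
    return findings

def census(identities: List[Identity]) -> Dict[str, int]:
    """Count identities per kind: the human vs. non-human ratio the article talks about."""
    counts: Dict[str, int] = {}
    for i in identities:
        counts[i.kind] = counts.get(i.kind, 0) + 1
    return counts

if __name__ == "__main__":
    print(census(INVENTORY))
    for name, finding in audit(INVENTORY):
        print(f"{name}: {finding}")
```

On the constructed inventory the one well-run service account produces no findings, the forgotten wildcard token produces three, and the unowned admin-scoped agent produces four; the short-lived triage agent is flagged only because it is still alive past its TTL, which is exactly the "spin up, act, vanish" lifecycle the section says human-oriented IAM does not model.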

RSAC 2026

2. GRC Teams are Hitting a "Tooling Wall"

If you walked the expo floor, a recurring frustration became clear: legacy GRC (Governance, Risk, and Compliance) platforms are failing the people who actually use them.

We heard the same story dozens of times: organizations spend millions on massive GRC implementations, only for the team to go back to using spreadsheets and email because the software is too rigid. With AI agents introducing new risks daily, the slow, "checkbox" approach of legacy tools is officially a liability.

Modern GRC leaders aren't looking for minor feature updates. They are looking for a fundamental shift:

  • Speed over "Stiffness": Tools that deploy in days, not months.
  • Integration over Entry: Systems that pull evidence automatically from where work happens, rather than requiring manual uploads.
  • Context over Coverage: Governance that understands how your specific company operates in 2026.

The Move: Be honest about your current stack. If your team is still "toggling" between a million-dollar platform and a dozen manual trackers, the tool is broken. Prioritize agility and automated evidence collection over legacy brand names.

Jon McLachlan - co-founder of Cyberbase and YSecurity

3. Third-Party Risk is the "Quick Win" for AI Automation

While much of AI governance feels theoretical, Third-Party Risk Management (TPRM) is the most practical place to apply AI right now. Vendor assessments and security questionnaires are high-volume, repetitive, and a massive drain on resources.

The consensus at the conference was clear: let the machines do the heavy lifting here. However, there’s a catch. Generic AI that spits out "hallucinated" or boilerplate answers doesn't work for high-stakes enterprise DDQs (due diligence questionnaires).

At Cyberbase, we’ve focused on solving this through what we call a Context Engine. Instead of guessing, the AI is grounded in your actual security posture, policies, and evidence.

  • Referential Integrity: If the AI can’t find the exact supporting evidence in your documents, it flags the question for human review rather than making up an answer.
  • Contract Redlining: AI shouldn't use a generic legal playbook; it should use your specific risk appetite and precedent.
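To make the "flag a human rather than invent an answer" behaviour concrete, here is an added example written for this article (not Cyberbase's Context Engine or any vendor's code) of the abstention rule at its simplest: answers are drafted only by quoting an evidence document, and a question whose substantive terms are not sufficiently covered by any single document is routed to a reviewer instead of answered. The evidence corpus, document ids, questions and the 60% coverage threshold are all constructed assumptions; a production system would use a real retriever and an LLM for drafting, but the grounding check is the same shape.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed evidence corpus for the example (hypothetical document ids and text,
# not any real company's policies).
EVIDENCE: Dict[str, str] = {
    "POL-ACCESS-1": ("Access to production systems requires MFA. Privileged access is "
                     "reviewed quarterly and revoked within 24 hours of offboarding."),
    "POL-CRYPTO-2": ("Customer data at rest is encrypted with AES-256. Data in transit "
                     "uses TLS 1.2 or higher."),
    "POL-BCP-3": "Backups are taken daily and restore tests are performed every six months.",
}

STOPWORDS = {"a", "an", "and", "any", "are", "at", "do", "does", "for", "how", "in", "is",
             "of", "on", "or", "the", "to", "what", "with", "you", "your"}

# Assumed policy: a question is only auto-answered when one document covers at least
# 60% of its substantive terms. Below that the draft is withheld and a human is flagged.
MIN_COVERAGE = 0.6

def terms(text: str) -> Set[str]:
    """Lowercased word set minus stopwords. Deliberately no stemming, so near-misses
    ('perform' vs 'performed') count as misses rather than as evidence."""
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS}

def retrieve(question: str) -> Tuple[float, str, List[str]]:
    """Return (coverage, doc_id, matched terms) for the single best-covering document."""
    q = terms(question)
    best: Tuple[float, str, List[str]] = (0.0, "", [])
    for doc_id, text in EVIDENCE.items():
        hits = q & terms(text)
        cov = len(hits) / len(q) if q else 0.0
        if cov > best[0]:
            best = (cov, doc_id, sorted(hits))
    return best

def answer(question: str) -> Dict[str, object]:
    """Draft an answer by quoting evidence, or abstain and flag for human review."""
    cov, doc_id, hits = retrieve(question)
    if cov < MIN_COVERAGE:
        return {"status": "needs_human_review", "question": question,
                "coverage": round(cov, 2), "best_match": doc_id or None}
    return {"status": "answered", "question": question, "source": doc_id,
            "evidence": EVIDENCE[doc_id], "coverage": round(cov, 2),
            "matched_terms": hits}

# Constructed questionnaire items for the example
QUESTIONS = [
    "Is customer data encrypted at rest and in transit?",
    "How often is privileged access reviewed?",
    "Do you perform penetration testing annually?",
    "Are backups encrypted?",
]

if __name__ == "__main__":
    for q in QUESTIONS:
        print(answer(q))
```

The last question is the case that matters: "Are backups encrypted?" is half-covered by the backup policy and half-covered by the encryption policy, and no document actually supports the claim. A generic autocomplete would happily splice the two into a confident "yes"; the coverage rule sends it to a human, and the penetration-testing question, for which there is no evidence at all, goes the same way.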

The Move: If your vendor assessments still take weeks of manual chasing, you’re losing revenue and momentum. Look for automation that is grounded in your actual security documentation, not just an LLM that "sounds" right.

RSAC 2026 San Francisco

The Bottom Line: Governance Rooted in Reality

If RSAC 2026 proved anything, it’s that the era of the "AI Playbook" is over. We are now in the era of Implementation.

Practitioners don't want more theory; they want governance that fits their specific reality—their data, their vendors, and their identities. The organizations that win will be the ones that move away from manual friction and toward a unified, automated workspace.

If you were at the Moscone Center this week, what was the most "real" conversation you had? We’d love to compare notes—reach out to our team or leave a comment below.

Stop toggling between spreadsheets and legacy GRC tools. Try Cyberbase — the unified workspace where DDQ automation, AI contract redlining, and a free Trust Portal work together, powered by your own security evidence. Get started free →

 Jon McLachlan at RSAC 2026 San Francisco

Missed us at RSAC?

See where the Cyberbase team is heading next and connect with us in person. View upcoming events →

Frequently Asked Questions

What were the biggest themes at RSAC 2026?

The three dominant themes at RSAC 2026 were agentic AI governance and non-human identity management, the failure of legacy GRC tools to keep up with modern compliance workflows, and the rising demand for AI-powered automation in third-party risk management and vendor assessments. AI wasn't just a track at the conference — it was embedded across roughly 40% of the entire agenda.

How many people attended RSAC 2026?

RSAC 2026 drew over 43,500 attendees, more than 600 exhibitors, and over 700 speakers across 570+ sessions at the Moscone Center in San Francisco. The conference ran March 23–26, 2026.

What was the official theme of RSAC 2026?

The official theme of RSAC 2026 was "The Power of Community," emphasizing the importance of human collaboration and oversight in cybersecurity — particularly as AI agents and autonomous systems play a growing role in security operations and decision-making.

Why is agentic AI a challenge for identity and access management?

AI agents require system access, data permissions, and workflow privileges to operate — but most IAM programs were designed for long-lived human accounts, not fleets of ephemeral machine identities acting across enterprise stacks at machine speed. Non-human identities now routinely outnumber human ones in enterprise environments, creating gaps in onboarding, permission scoping, behavioral monitoring, and offboarding that most teams haven't addressed.

What is non-human identity (NHI) governance?

Non-human identity governance refers to the lifecycle management of machine identities — AI agents, service accounts, API tokens, bots, and automated workflows — that access systems and data on behalf of an organization. It includes provisioning, permission scoping, behavioral monitoring, and decommissioning these identities. NHI governance emerged as one of the most critical operational gaps discussed at RSAC 2026.

Why are legacy GRC tools failing compliance teams?

Many large organizations have invested millions in legacy GRC platforms only to find adoption stalled and the actual compliance work still happening in spreadsheets and email threads. The core issue is that these platforms were designed around theoretical compliance frameworks rather than the workflows teams actually run — leading to long implementation timelines, poor user adoption, and a growing disconnect between the tool and how evidence is produced, reviewed, and audited.

How can AI improve third-party risk management and vendor assessments?

AI can automate the repetitive, high-volume work in third-party risk management — drafting security questionnaire responses, orchestrating DDQ workflows, collecting and reviewing evidence, and managing vendor follow-ups — while keeping human review in the loop for high-stakes decisions. The key is that the AI must be grounded in the organization's actual security posture and policy documentation, not generic playbooks, to produce accurate and auditable responses.

How does Cyberbase approach security questionnaire automation?

Cyberbase uses an agentic AI layer called the Context Engine that's grounded in your organization's actual security posture, control evidence, and policy documentation. Instead of generating generic responses, it references your real evidence and flags low-confidence answers for human review. This approach is built into a unified workspace that also includes AI contract redlining and a free Trust Portal — so security questionnaire automation, vendor assessments, and trust management all work from the same source of truth.
