RSA Conference 2026 ran March 23 to 26 at the Moscone Center in San Francisco, the 35th edition of the event, under the official theme "The Power of Community." That was the banner. The actual subject of nearly every keynote, booth pitch, and hallway argument was something else entirely: agentic AI, and the uncomfortable realization that a lot of it is already running inside enterprises with nobody watching.
This is a recap written from a specific point of view. We build AI security tooling, so we went in skeptical of the agentic AI marketing wave and came out convinced that the underlying problem is real even if the slogans are overcooked. Here is what actually mattered, and what we think is mostly noise.
Agentic AI Was Everywhere, and That Is Part of the Problem
You could not walk ten feet on the expo floor without seeing "agentic" on a banner. RSAC remains one of the largest gatherings in the industry, drawing tens of thousands of attendees and hundreds of exhibitors, and this year the vendor messaging converged hard on a single word. When every booth claims the same capability, the term stops carrying information.
But strip away the branding and there is a genuine shift underneath. AI agents are no longer demos. They are autonomous processes that hold credentials, call tools, and take actions on behalf of users and systems. That changes the security question from "is the model safe" to "what is this agent allowed to do, and who is accountable when it does something wrong." The mood in the hallway conversations was that defenders have a mature playbook for ransomware and almost none for a compromised AI agent. That gap captured the anxiety better than any keynote slide.
The honest read is that the industry has a vocabulary for agentic risk but not yet a settled practice. Several large vendors used the show to extend zero-trust principles across the AI lifecycle and to pitch securing the broader "agentic enterprise." Those framings are directionally sensible. Whether they amount to more than zero-trust rebranding is something teams will have to test against their own environments, not take on faith.
Shadow AI Is the New Shadow IT, Only Faster
The loudest recurring concern at RSAC 2026 was not ransomware or nation-state activity. It was shadow AI: autonomous coding agents, LLM runtimes, and AI tools spinning up inside organizations, touching sensitive data and credentials, entirely outside the security team's line of sight.
The pattern that kept surfacing in survey data is worth repeating because it explains the panic. A large majority of IT teams report that their organization has an AI usage policy, yet a much smaller share of end users say they have ever seen one, and a sizable fraction of employees admit to using unsanctioned AI tools anyway. That gap between governance-on-paper and behavior-in-practice is exactly where risk accumulates.
There is also what you might call the block paradox. Restricting AI tools does not eliminate usage; it pushes it underground onto personal devices, screenshot uploads, and indirect workarounds, which makes shadow AI harder to see than if you had left it in the open. Blanket blocking is also increasingly impractical because AI is now embedded by default in everyday productivity software. You cannot simply ban the tools your workforce already depends on.
Vendors responded predictably with discovery products. Several endpoint and EDR vendors pitched tooling aimed at finding unauthorized AI applications, LLM runtimes, and Model Context Protocol servers operating at the endpoint, and some described scanning large numbers of public MCP servers and flagging security concerns among them. Discovery is the right first move, but discovery alone is not control. Finding a shadow agent tells you it exists; it does not tell you whether the agent's tool calls are safe, whether its credentials are scoped correctly, or whether its dependencies are trustworthy.
The Endpoint Quietly Came Back
The most interesting undercurrent at RSAC 2026 was not on the main stage. It was the quiet return of the endpoint.
For years the endpoint was treated as a swappable terminal, a thin client to cloud services. Agentic workloads are reversing that. The economics are simple: running every agent action through frontier cloud inference burns tokens, and token consumption at scale gets expensive fast. The agents that hold up under real workloads tend to mix local data, scripts, and small on-device models with cloud inference reserved for the hard parts. That makes the endpoint an active participant again rather than a dumb pipe.
Security implications follow directly. If agents reason and act partly on the device, then the device is once again a primary control point, not an afterthought. That is a meaningful shift for teams that spent the last decade moving their security center of gravity into the cloud.
Enterprise Browsers and the Consolidation Wave
If the endpoint is back, the enterprise browser is its front door, and the market has been consolidating fast. Major platform vendors have been acquiring browser-security and AI-security startups, and several of the early enterprise-browser companies have repositioned themselves as broader workspace platforms rather than just a browser. The deal flow in this category has been steady enough that it was a recurring topic on the floor.
The logic is sound: the browser is where users meet AI tools, where data leaves the building, and where shadow AI usage actually happens. Owning that layer gives you a vantage point on agent activity that endpoint agents and network gateways miss. The caution is the same one that applies to every consolidation cycle. Platformization promises one pane of glass and frequently delivers one vendor's lock-in. Buyers should weigh the integration benefit against the cost of betting an entire control layer on a single supplier.
Data Sovereignty and Platformization Lurking Underneath
Two slower themes ran beneath the agentic noise. The first was data sovereignty: once agents move data between local devices, enterprise systems, and third-party model providers, the question of where data physically lives and which jurisdiction governs it gets sharper. Agentic workflows cross those boundaries constantly, often without an explicit decision being made.
The second was platformization, the broader push to fold point products into suites. The acquisition spree above is one expression of it. For agentic security specifically, the open question is whether a single platform can credibly secure agents it does not control, especially agents built on models and tools from outside its own ecosystem. Our view is that the verification and policy layer matters more than which vendor owns the most boxes.
How Safeguard Helps
Safeguard treats agentic AI as a supply-chain problem, because that is what it is: agents pull in models, tools, MCP servers, and dependencies, and each of those is a component you need provenance and policy for. Our Multi-Agent TAOR Deep Think AI Engine and Griffin AI verify findings across multiple agents to cut the false positives that single-model checks produce, and our AIBOM and ML-BOM, policy gates, and vendor scorecards give you an inventory and a control point for the shadow agents RSAC spent four days worrying about. We are model-agnostic by design, so frontier models from any provider plug in as components while the reliability lives in the orchestration layer above them, and we measure value as cost per verified finding, not raw alert volume.
If you are trying to get ahead of shadow AI and agent governance before it gets ahead of you, reach out and we will walk through your environment.