
Agentic AI Security Took Over RSAC 2026, Even as 'The Power of Community' Was the Theme

RSAC 2026 sold itself on community for its 35th year, but the real story was an agentic-AI reckoning: autonomous agents that act, get phished, and now beat most humans at capture-the-flag. Here is what actually mattered.

Priya Mehta
AI Policy Analyst

The official theme of the 35th annual RSAC Conference was "The Power of Community." The unofficial theme, the one you could not escape on the show floor, in the keynote halls, or in the hallway conversations at Moscone Center, was agentic AI. Specifically: the growing realization that we have started deploying software agents that can act on their own, and that we do not yet have a good story for securing them.

That gap is the most important thing that came out of RSAC 2026, which ran March 23 to 26 in San Francisco. The conference drew nearly 44,000 attendees, around 700 speakers, more than 600 exhibitors, and roughly 400 members of the press, according to RSAC's own closing figures. It was big, it was crowded, and underneath the marketing it was honestly a little anxious. Here is what stood out, and what I think defenders should take away.

The Theme Said Community, the Subtext Said Reckoning

There is a reason RSAC leaned on community for an anniversary year. Thirty-five years in, the conference is as much an institution as an event, and the keynote roster reflected that. Former New Zealand Prime Minister Dame Jacinda Ardern, venture capitalist Ben Horowitz, author Michael Lewis, and MythBusters host Adam Savage all took the stage. The 35th Anniversary Closing Celebration paired RSAC Executive Chairman Dr. Hugh Thompson with actor Hugh Jackman, which is exactly the kind of crowd-pleasing bookend you program for a milestone year.

But the security content told a different story. The sessions, more than 430 of them, kept circling the same set of problems: how do you secure AI agents that authenticate as users, call tools, move money, and take actions across systems without a human in the loop on every step? "Community" was the comfort blanket. Agentic risk was the thing keeping people up at night.

It is worth naming a quieter signal too. Coverage noted that U.S. federal agencies that normally have a heavy presence were notably scaled back this year. Whatever the cause, a thinner government turnout at the industry's flagship event is the kind of thing the community should not shrug off.

Agents Are Coworkers Now, and That Is the Problem

The clearest articulation of the shift came from Cisco's Jeetu Patel, whose keynote "Reimagining Security for the Agentic Workforce" argued that AI agents are better understood as digital coworkers than as tools. That framing sounds like a marketing line until you sit with what it implies. We have spent decades building identity, access, and audit controls around the assumption that the thing taking an action is either a human or a fairly dumb, predictable service account. Agents break that assumption. They are non-human identities that reason, improvise, and chain actions together, and they need to be governed like workers without ever being trusted like them.

That is a genuinely hard security problem, and most of the vendor messaging at RSAC was further ahead on naming it than on solving it. The honest read is that the industry has agreed agentic identity, least-privilege scoping for agents, and runtime guardrails are the next battleground. The market has not yet agreed on what good looks like.

The Threat Clock Is Collapsing

If there was one statistic that landed, it came from Google's Sandra Joyce, who said the time between an attacker's initial access and the handoff to the next stage of an intrusion has collapsed from roughly eight hours in 2022 to about 22 seconds in 2025. Take the precise numbers as her firm's telemetry rather than gospel, but the direction is the part that matters, and it is not controversial. Automation, including attacker-side AI, is compressing the window defenders have to detect and respond.

This is the real argument for the AI-powered SOC, and it is a better argument than the one most vendors make. The pitch is usually framed as efficiency. The actual driver is that human-speed triage simply cannot keep pace with machine-speed intrusions. If your detection and response loop still assumes you have hours, the data says you are planning for a war that already ended.

The CTF Result Nobody Should Ignore

The single most concrete data point about agentic capability did not come from a keynote. It came from the competition floor. In the Cyber Apocalypse capture-the-flag event, which reportedly drew more than 18,000 participants, AI agents finished in the top 10 percent of the field, outperforming roughly 90 percent of human entrants.

Sit with that. Autonomous agents, competing against tens of thousands of skilled humans at offensive security challenges, beat most of them. CTF challenges are not the messy real world, and a leaderboard finish is not the same as compromising a hardened production environment. But the trajectory is unmistakable. The same capability that lets an agent solve a CTF challenge is the capability an attacker can point at exposed infrastructure, at scale, around the clock. Defenders who treat agentic offense as a future problem are misreading the calendar.

The Villages and the Honest Middle

Away from the main stage, the RSAC villages remained the most useful part of the conference, with dedicated spaces for AI, AppSec, cloud, industrial control systems, and physical security. This is where "community" actually meant something practical: working defenders comparing notes on problems that do not have a product yet. The AI village in particular was where you heard the unglamorous truths that keynotes skip, including how messy agent observability is, how few teams have an inventory of which agents exist in their environment, and how often prompt injection and tool poisoning slip past controls built for a pre-agent world.

That gap between the polished main-stage narrative and the hallway reality is the most useful thing to bring home from any RSAC. This year the gap was wide. Everyone agrees agentic AI is the future. Almost nobody has it under control yet.

How Safeguard Helps

The lesson of RSAC 2026 is that agents are powerful, fast, and not yet trustworthy on their own, which is exactly the problem we built Safeguard to address. Our Multi-Agent TAOR Deep Think AI Engine treats reliability as a property of the verification and orchestration layer above any single model, so the model you bring, whether a frontier model from OpenAI or Anthropic or your own, plugs in as one component while multi-agent verification cuts the false positives that would otherwise flood your team. For the supply-chain side of agentic risk, our AIBOM and ML-BOM give you provenance and attestation over the models and components your agents actually run, and policy gates and our vendor scorecard keep third-party agent risk inside guardrails you set. If you want to see how that holds up against your own agent and dependency footprint, reach out and we will walk through it with your stack.
