CODY KELLER

Forty-three thousand people. Six hundred exhibitors. Thirty-one session tracks. Hugh Jackman somehow closing out the week at the Moscone Center.

That’s RSAC 2026 in a sentence — massive, loud, and saturated with marketing from every direction. If you attended, you’re probably still recovering from the badge lanyard tan lines and the booth swag guilt. If you didn’t, you likely watched the highlights from a comfortable distance while your inbox filled with vendor follow-ups from companies you’ve never heard of.

Either way, here’s the practical question: what should you actually take back to your security program?

Not everything. The signal-to-noise ratio at a conference with 600+ exhibitors is brutal. So let’s cut through it.

The Theme Was “Community.” The Real Story Was Agentic AI.

RSAC’s official theme this year was “The Power of Community” — a nod to the conference’s 35th anniversary and a deliberate counterweight to an industry obsessed with technology at the expense of people. It’s a good message. It’s also not what dominated the floor.

Agentic AI — autonomous AI systems operating inside enterprise environments — was the defining conversation, on both the attack and defense sides. This isn’t a future concern anymore. Organizations are already deploying AI agents to automate workflows, and those agents are creating identity and access challenges that current IAM models weren’t built to handle.

Traditional identity and access management was designed for humans. AI agents operate at a scale and speed that breaks those assumptions — and the governance frameworks to manage them largely don’t exist yet.

If you left RSAC with one operational takeaway, this should be it: your identity program has a non-human identity problem, and most organizations haven’t started addressing it.

Post-Quantum Moved From “Eventually” to “Start Now”

The conversation around post-quantum cryptography shifted noticeably this year — from theoretical risk to actionable planning. Sessions were no longer asking whether organizations should prepare, but how to start the migration and what to prioritize first.

The practical starting point isn’t replacing encryption overnight. It’s inventory. You can’t migrate cryptographic assets you don’t know you have. If your organization hasn’t started cataloguing where and how cryptography is in use — in applications, APIs, data at rest, and in transit — that’s the foundational work. Everything else follows from it.

NIST finalized its first post-quantum cryptographic standards last year. The timeline is compressing. This is no longer a research project.

The Vendor Floor: Separating Real From Theater

Major product announcements came fast: Cisco introduced a Zero Trust framework specifically for AI agents. CrowdStrike expanded its AIDR capabilities across desktop and development environments. Palo Alto launched a secure browser targeting SMBs. Arctic Wolf announced an agentic SOC platform. Accenture and Anthropic announced a joint security operations platform built on AI reasoning.

Here’s the honest read on most of this: it’s real technology, but it’s early. The majority of these announcements are v1 capabilities being marketed as transformational. Some will matter to your program in 12-18 months. Few are worth a procurement conversation today.

The useful filter is this: does the announcement address a problem you have documented in your risk register right now? If the answer is no, put it in the “watch” file and move on. Don’t let a polished booth demo rewrite your roadmap.

The one exception worth paying closer attention to is anything in the identity space tied to machine identities and non-human access governance. That problem is already in your environment whether you’ve named it or not.

What RSAC Doesn’t Tell You

RSAC reflects what vendors want to sell and what the industry wants to believe it’s solving. That gap is always worth acknowledging.

The threat actors targeting your organization this quarter are not waiting for your agentic AI rollout. They’re using phishing campaigns, credential stuffing, unpatched vulnerabilities, and third-party access abuse — the same fundamentals they’ve relied on for years. Research highlighted at the conference noted that near-fully automated attack chains are emerging, with roughly 80% of some attack sequences now AI-driven — but the underlying stages haven’t changed. What’s changed is the speed, and therefore the window defenders have to respond.

That’s the real takeaway. The fundamentals haven’t been solved. They’ve just gotten faster.

The Practical Filter: What to Bring Back

If you’re distilling RSAC 2026 into action items for your program, here’s where to focus:

  • Audit your non-human identities. Service accounts, API keys, OAuth tokens, and now AI agents — if you don’t have a clear picture of what has access and what it’s doing, start there.
  • Start your cryptographic inventory. Even a rough mapping of where encryption is in use gives you a foundation for post-quantum planning before it becomes urgent.
  • Watch the agentic SOC space, but don’t buy yet. The capability is real; the maturity isn’t. Understand the landscape so you’re not caught flat-footed in a procurement conversation next year.
  • Ignore most product launches. Anchor your roadmap to your documented risks, not the vendor floor.

RSAC is useful for orientation — understanding where the industry thinks the puck is going. The work of actually getting there happens every other week of the year.


Discussion Questions

  1. Does your organization have a current inventory of non-human identities — service accounts, API keys, and automated processes with access to sensitive systems? When was it last reviewed?
  2. Has post-quantum cryptography come up in your risk conversations yet, or is it still being treated as a future-state problem?
  3. How do you evaluate vendor announcements from conferences like RSAC — do you have a process for filtering signal from noise before it influences your roadmap?

Tags

RSAC 2026, RSA Conference, Agentic AI, Post-Quantum Cryptography, Non-Human Identity, IAM, AI Security, Security Program Management, Vendor Evaluation, GRC

