RSAC 2026 opens today at the Moscone Center in San Francisco. I’m not there in person this year, but I’ve spent the past week tracking every pre-conference announcement, keynote preview, and vendor press release. The signal-to-noise ratio is rough. So here’s my attempt to cut through it for practitioners who want to know what actually matters this week.
The short version: if you work in security, the next four days are wall-to-wall agentic AI. Every major vendor is shipping something. The question isn’t whether agentic AI security is real. It’s whether the industry is building controls fast enough to match the deployment speed.
NHIs are the privileged service account problem reborn at 100x scale. Same mistakes, same inertia, same excuses. Except now the service account can reason, make decisions, and talk to other service accounts autonomously.
On March 10, 2026, AppsFlyer’s JavaScript SDK was compromised in an active supply chain attack. If you run an ecommerce site and that script loads on your payment pages, you’ve potentially been serving malicious code to every customer who checked out over the past 72+ hours. No changes to your codebase required. No alerts from your WAF. No red flags on your server logs.
This is actively happening.
And for anyone who’s been wondering why the PCI Security Standards Council added requirements 6.4.3 and 11.6.1 to PCI DSS 4.0.1, this is your answer.
A practitioner breakdown of the IBM X-Force Threat Intelligence Index 2026. Vulnerability exploitation overtakes phishing as the top attack vector, supply chain compromises quadruple, and AI accelerates attacker operations while defenders struggle with the basics.
A reality check on why running your environment through Vanta, Drata, Secureframe, Delve, or a SaaS app doesn’t make you PCI DSS compliant, and why enterprises should be asking harder questions about their vendors.
AI agents are running in production right now, autonomously calling APIs, querying databases, and triggering workflows. Most organizations have no idea what access those agents have or who approved it. This is the identity governance problem nobody is ready for.
PCI DSS v4.x wasn’t written with AI in mind, but the framework is more adaptable than it gets credit for. Here’s where the standard holds up, where there’s room to grow, and how the PCI SSC is already engaging with AI through initiatives like The AI Exchange.
After nearly 20 years of operation, the PCI Security Standards Council published its first annual report. It is a surprisingly revealing look at where payment security is headed, from product family restructuring and standards consolidation to AI guidance and global expansion.
AI agents are no longer chatbots. They call APIs, execute code, and make decisions with real consequences. The OWASP Agentic Top 10 is the first industry framework built to address this new attack surface, and the numbers behind it should concern every security professional.
When we talk about PCI DSS compliance, the conversation tends to stay clinical. Scoping exercises. Network diagrams. Encryption at rest. But compliance doesn’t exist in a vacuum. It exists because there’s a thriving, industrialized criminal economy on the other end waiting to monetize every gap you leave open.
Rapid7 published a detailed piece of research this month that every QSA, security engineer, and compliance leader should read: their analysis of the carding-as-a-service (CaaS) ecosystem and the underground dump shops that power it. Having spent years on the assessor side of PCI, I want to connect what Rapid7 found directly back to what it means for your cardholder data environment and your scoping decisions.