RSAC 2026 opens today at the Moscone Center in San Francisco. I’m not there in person this year, but I’ve spent the past week tracking every pre-conference announcement, keynote preview, and vendor press release. The signal-to-noise ratio is rough. So here’s my attempt to cut through it for practitioners who want to know what actually matters this week.
The short version: if you work in security, the next four days are wall-to-wall agentic AI. Every major vendor is shipping something. The question isn’t whether agentic AI security is real. It’s whether the industry is building controls fast enough to match the deployment speed.
NHIs are the privileged service account problem reborn at 100x scale. Same mistakes, same inertia, same excuses. Except now the service account can reason, make decisions, and talk to other service accounts autonomously.
AI agents are running in production right now, autonomously calling APIs, querying databases, and triggering workflows. Most organizations have no idea what access those agents have or who approved it. This is the identity governance problem nobody is ready for.
AI agents are no longer chatbots. They call APIs, execute code, and make decisions with real consequences. The OWASP Agentic Top 10 is the first industry framework built to address this new attack surface, and the numbers behind it should concern every security professional.