RSAC 2026 felt like the year cybersecurity stopped merely “using AI” and started trying to secure AI, govern AI, and survive the identity explosion AI is creating. The conference left me with one overwhelming impression: cybersecurity has fully entered its AI era. But what stood out to me was not simply the number of vendors adding AI to their messaging. It was the deeper shift underneath it all: the industry is now grappling with what happens when AI systems become active participants in enterprise workflows, data access, decision-making, and identity sprawl.
Almost every booth seemed to have an AI story. Some were credible. Some were clearly still finding their footing. But beneath the marketing noise, a few themes showed up consistently enough to feel real.
To me, RSA 2026 was less about “AI as a feature” and more about security teams trying to answer four uncomfortable questions:
1. How do we let AI touch enterprise data safely?
2. How do we protect sensitive information from AI agents?
3. How do we manage the explosion of machine and non-human identities?
4. And how much of this future will still require hardened hardware, cryptographic trust anchors, and stronger key control?
Here are the themes I noticed:
Everyone had an AI story — but not every AI story was real
The first and most obvious takeaway from RSA 2026 was simple: if you did not have an AI story, you looked out of place.
Across the floor, AI showed up in every possible form: AI for threat detection, SOC automation, data security, code review, insider risk, identity and governance, and, increasingly, AI for securing AI itself!!!
But what I found more interesting was the split between vendors using AI inside their product and vendors trying to solve the security problems created by AI adoption.
The real problem was not AI usage, but what AI is allowed to touch
The second major theme I noticed was that the industry is becoming much more focused on a practical question: what happens when AI agents, copilots, and autonomous workflows are allowed to interact with enterprise data?
That is where the conversation felt much more concrete. A lot of security discussion is moving away from model fascination and toward data exposure risk: what the AI can see, retrieve, infer, store, and what it might accidentally leak.
This explained why so many vendors were emphasizing data security posture, for example retrieval governance, prompt/input filtering, output inspection, access boundaries, and policy enforcement around AI workflows.
Data masking, encryption, tokenization, and privacy controls are reborn
One of the more interesting things about RSA 2026 is that AI seems to be reviving and re-packaging older data protection disciplines. A lot of vendors talked about data masking, tokenization, format-preserving encryption, policy-based access and fine-grained disclosure controls. And honestly, that makes sense.
If AI agents are going to touch business workflows, then enterprises need ways to make sure that PII, PHI, PCI, and other sensitive records are not blindly exposed to models, copilots, or external inference services.
I feel RSA 2026 reinforced something important: the AI era is not replacing core data security. It is making it more relevant.
The winners here will not just be “AI-native” companies. They will also be the vendors who can make classic security controls work cleanly inside AI-driven workflows.
That is a big opportunity for encryption, key management, confidential processing, and policy enforcement — provided they are made usable enough to fit modern AI architectures.
Identity - the most important AI security problem!
If AI was the loudest theme at RSA 2026, identity was probably the most structurally important one.
Because once AI agents start doing real work, they stop behaving like software features and start behaving more like actors: they authenticate to retrieve data, they invoke tools to trigger workflows, they act on behalf of users or systems and act like them. In other words, they create identity problems.
This is where I think the industry is heading very quickly: the next identity explosion will not be human. It will be machine, workload, service, and agent identity.
That showed up clearly in the broader 2026 security conversation, where organizations are increasingly being told to inventory, govern, and secure AI agents as first-class identities. Identity-centric breach data is also moving in the wrong direction, reinforcing why this category is getting so much attention.
So, if I had to call one area that felt less like a temporary RSA theme and more like a multi-year architectural shift, it would be this: AI is accelerating the transition from human-centric IAM to an identity fabric for humans, machines, services, and agents. That is not a cosmetic change. That is a platform shift.
Hardware still matters
One of the subtle but important impressions from RSA 2026 was that while the event was heavily software- and AI-driven, there was still meaningful attention on hardware-backed trust, acceleration, and cryptographic anchoring.
As AI systems become more autonomous and more deeply integrated into enterprise workflows, organizations are going to need stronger answers to questions like:
- where are the keys?
- who controls cryptographic policy?
- how do we prove trust?
- how do we separate tenants, workloads, or trust domains?
- and how do we secure high-value operations outside of general-purpose software boundaries?
I think AI may increase the long-term importance of HSMs, key management systems, secure enclaves / confidential compute, accelerators with trust boundaries, and cryptographic control planes for data and identity.
My own view is that the AI security stack cannot be entirely software-defined. At some point, enterprises will want parts of trust, key custody, attestation, and policy enforcement to sit on stronger foundations than application logic alone.
Discover Utimaco’s AI- and future-ready Solutions
Combining hardware-rooted key protection with centralized cryptographic governance, Utimaco’s solutions enable your AI security strategy.
Discover how we support you in securing your entire AI lifecycle against today’s AI threats and tomorrow’s quantum risks.
Utimaco’s General Purpose Hardware Security Modules (GP HSMs) provide the foundation for enforcing cryptographic trust across AI systems. Discover our u.trust General Purpose HSM Se-Series and CSe-Series as on-premises solutions and our cloud-enabled subscription-based General Purpose Hardware Security Module as a Service as Root of Trust for your AI environment.
Our Key Management Systems enable you to manage encryption keys consistently across applications, infrastructure components, and AI pipelines, either on-premises with Enterprise Secure Key Manager as the most interoperable key manager on the market, or as a fully managed service through Enterprise Key Manager as a Service.