“AI is rapidly changing everything around us. It’s changing everything, it’s forcing us to rethink how we [keep information safe].” — RSAC executive chairman Hugh Thompson
Rising risk: the World Economic Forum’s 2025 signal
At the 13th Annual RSA Public Sector Day and throughout the RSAC 2026 Conference, government and industry speakers framed the present moment not as a lull in cyber threats but as an intensification. The World Economic Forum’s Global Cybersecurity Outlook (GCO) 2025 survey, cited repeatedly at the conference, found that 72 percent of organizations reported an increase in cyber risks, with ransomware remaining a top concern. That statistic provided the empirical backdrop for discussions that moved beyond traditional risk matrices toward practical changes in how organizations build, ship, and defend software.
Agentic development: application security at a turning point
Speakers described a clear inflection point in application security driven by what they term agentic development — AI systems that do more than assist humans and instead build, test, and remediate code. Eran Kinsbruner, Vice President of Product Marketing at Checkmarx, said RSAC 26 marked “one of these moments…not a gradual step forward, but a leap.” The conference record notes that open-source components, third-party interactions, and AI-generated outputs are now standard parts of software lifecycles, meaning teams are often working with code they did not fully write or control.
That shift creates complexity for traditional AppSec. As Kinsbruner observed, “traditional AppSec approaches were not designed for an agentic development lifecycle.” Public sector organizations at RSAC offered a corresponding shift: embedding AI-driven security directly into development workflows so detection, prioritization, and remediation occur continuously as code is written.
CISOs and AppSec teams: alignment under pressure
One of the conference’s practical takeaways was less about new tooling and more about organizational shape: a strengthening partnership between CISOs and AppSec teams. As agentic outputs and third-party components multiply, the sessions made clear that siloed approaches are becoming ineffective. The source material states that CISO and AppSec teams are “increasingly working in tandem to make shared decisions about risk, prioritization, and deployment.”
Speakers emphasized the operational needs behind that alignment: shared visibility, aligned priorities, and real-time collaboration across development, security, and operations. Those connections are presented not as optional efficiencies but as requirements to keep pace with mission demands while preserving security and trust.
AI as both risk and remedy
Conference voices framed AI as a dual-edged phenomenon: a source of new vulnerabilities and at the same time a force multiplier for defense. Fred Frey, Software Engineer for Splunk, a Cisco Company, described the paradox plainly in his session “Lessons from the Agentic Frontier: How the SOC is Winning in the AI Era,” saying, “AI is entering that realm of essential and a threat, and just like we do with everything else, we have to create the constructs and the processes to mitigate those threats.”
Complementing that view, Kinsbruner urged that organizations “must secure AI systems including LLMs, agents, and MCPs, while simultaneously using AI to secure software and pipelines.” He added that “agents are moving from copilots to decision-makers who can investigate, triage, and act,” and that “the industry is transitioning from human-paced workflows to machine-speed security operations.” In practice, the conference highlighted approaches that embed intelligence into pipelines so vulnerabilities are identified earlier, prioritized more effectively, and remediated with reduced manual friction.
How technologists, government agencies, and CISO–AppSec teams are responding
- Technologists and security teams: pushing agentic application security that embeds continuous detection and remediation into developer workflows, aligning security tools with the speed and scale of modern development.
- Government agencies: confronting a shrinking window between vulnerability and exploitation by rethinking defense postures and attempting to reconcile mission-speed delivery with secure practices.
- CISOs and AppSec teams: deepening collaboration to make shared risk decisions, prioritize findings in real time, and integrate across development, security, and operations to avoid the pitfalls of siloed responses.
The refrain at RSAC 2026 was not a new set of tools but a recalibration of priorities: acceleration and connection. Acceleration captures the imperative to deliver capabilities at mission speed without surrendering trust; connection captures the organizational and technical integrations required to manage a software ecosystem that now includes agentic AI outputs and extensive third-party components. Together, conference speakers argued, those two words define the next era of application security — one in which speed and security must be designed to move together, not in opposition.




