RSAC 2026 Insights: AI Skepticism, IT Estate Control, and the Risk of Constant Change

The RSA Conference 2026 brought together more than 40,000 leaders across risk, security, compliance, and technology, offering a clear view into how organizations are approaching security in an increasingly complex landscape.

Across sessions, one theme stood out: security leaders are moving beyond theory and asking harder questions about execution. Discussions ranged from AI governance and fraud prevention architectures to how CISOs build internal consensus and what a meaningful security assessment should actually deliver. The focus is shifting from frameworks and concepts to outcomes — what works, what doesn’t, and what it takes to operationalize security effectively.

On the expo floor, the dominance of AI was unmistakable. But the tone has evolved. The early excitement has given way to a more measured and, at times, skeptical perspective. Organizations are no longer asking what AI could do; they are asking what it actually delivers. Clear value, defined use cases, and a realistic understanding of risk are now expected.

 

AI: Notes of Caution

The topic of AI dominated at RSAC, but the tone of the conversation around it has changed. As adoption accelerates, so does the scrutiny. Organizations are looking beyond broad promises and focusing on where AI delivers measurable value — and where it introduces new risk.

Emerging threats are accelerating faster than policy and governance can keep up. As one forum noted, “Offensive AI is breaching networks and OT systems at machine speed, while policy struggles to keep pace.” The message across sessions was consistent: clear value, defined use cases, and a realistic understanding of risk are now essential.

One forum set out to “cut through the AI noise, reveal where the real potential lies, and explore the exit paths redefining the security market.” While these conversations raised concerns, they also reflected a clear shift toward real outcomes.

 

Control, Change, and the Cost of Complacency

Conversations with cybersecurity experts, CISOs, and technology leaders brought a number of underlying trends into sharp focus. While much of the discussion centered on AI, a broader issue emerged: many organizations have been too quick to hand over control of critical elements of their IT estates to software OEMs and their timelines. They are now seeing the consequences in security, cost, and their ability to manage change.

Being tied too closely to OEM roadmaps limits an organization's ability to innovate and respond quickly to new challenges. Forced upgrades and unnecessary changes consume resources that could otherwise support strategic initiatives. The financial impact is significant, but the operational impact is often more immediate, disrupting stability and slowing response to emerging threats.

In some cases, this lack of control leaves organizations exposed to emerging threats that OEMs did not anticipate. When vulnerabilities emerge, response timelines are often dictated externally, creating a gap between risk and resolution that is increasingly difficult to manage.

 

Maintaining Control: Reducing Risk and Managing Change

Control over the IT estate determines how and when change occurs, whether security measures are implemented proactively or in response to external pressure, and whether disruption is introduced unnecessarily.

In many environments, change is not driven by business need, but by vendor timelines that are dictated by upgrade cycles, end-of-support deadlines, and shifting requirements. This introduces complexity, increases operational risk, and diverts resources away from strategic priorities.

When organizations retain control, that dynamic shifts. Change can be aligned to business priorities, security decisions can be made on the organization’s terms, and responses to emerging threats are not constrained by external dependencies.

In an unpredictable landscape, this level of control and adaptability is essential to maintaining security, compliance, and long-term stability.

 

Smaller Forums: Where the Real Conversations Are Happening

Some of the most valuable insights at RSAC came from smaller, more focused forums. These sessions brought together leaders for candid discussions about the challenges they are actively facing and the concerns shaping their decisions.

A consistent theme across these forums was the reality of managing long-standing, mission-critical systems. Legacy software — often positioned as a problem to eliminate — remains a constant that must be governed effectively. Discussions reinforced the importance of clear upgrade strategies, strong governance, and maintaining control over how these environments evolve.

Other forums focused on building trust and confidence across assessors, internal teams, and third-party developers. These conversations highlighted the growing importance of transparency, alignment, and accountability in modern security programs.

 

What This Signals for Enterprise Security

RSAC 2026 reinforced a clear shift in how organizations are thinking about security, navigating risk, and meeting regulatory requirements in a rapidly changing environment. The challenge is no longer limited to protecting systems. It extends to managing how those systems evolve over time.

In many cases, the greatest source of disruption is not a single failure, but the cumulative effect of constant, externally driven change. Organizations that can reduce that pressure — taking a more deliberate, controlled approach to their software strategy — will be better positioned to manage risk, maintain stability, and create space for meaningful innovation.
