Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
The biggest story at RSAC 2026 was an absence. CISA, the FBI, and the NSA all pulled out of the nation’s premier cybersecurity conference. Officially: “reviewing stakeholder engagements.” Actually: RSAC hired former CISA director Jen Easterly as CEO, and the agencies bailed eight days later.
Great timing, considering Chinese hackers just breached FBI surveillance systems and Iranian wipers hit US healthcare companies. But sure, sit this one out.
AI was inescapable. Every vendor had an “agentic” something. Google shared a wild stat: attacker dwell time collapsed from eight hours in 2022 to 22 seconds in 2025. You can’t respond to that manually.
Facial recognition got demolished on stage. ESET’s Jake Moore created a fake identity, passed a biometric liveness check with AI-generated video, and opened a real bank account. Then he walked through London’s Waterloo Station and the CCTV facial recognition system read him as Tom Cruise. His point: the identity stack is broken, and organizations adopted this tech too early.
OpenAI bumped its bug bounty to $100K and launched a separate Safety Bug Bounty for agentic risks, prompt injection, and data exfiltration. Jailbreaks that just make ChatGPT say rude things? Not in scope.
The “Doctor No” CISO problem. When security teams block every AI tool without offering alternatives, employees don’t stop using AI. They just use it in ways you can’t see or monitor. Shadow AI is the new shadow IT.