John Z Black
Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Monday morning, tens of thousands of security professionals descend on Moscone Center in San Francisco for RSAC 2026. It’s the biggest gathering of the year in cybersecurity, and it tends to set the industry’s agenda in ways that ripple through the next twelve months.
This year feels different from recent ones.
“The Power of Community” Hits Different in 2026
RSA Conference’s theme is “The Power of Community.” On the surface it sounds like standard conference optimism, but there’s something real underneath it. The security community is staring down problems that genuinely can’t be solved by any single vendor.
AI agents are a real operational concern now. Security teams are figuring out, in real time, how to govern autonomous software that can take actions across enterprise environments without a human approving each step. The attack surface has expanded in ways that are hard to map. The threat actors are faster. And the industry’s response has been uneven at best.
“Community” in that context is less feel-good slogan and more strategic acknowledgment. You can’t buy your way out of this. You need shared frameworks, shared threat intelligence, and coordination that doesn’t stop at vendor boundaries.
Three Things Worth Watching
Agentic AI security goes from theoretical to actual. This is the dominant theme on the vendor floor and in technical sessions. A year ago, “AI security” mostly meant protecting models from adversarial inputs. Now it means something harder: how do you secure an agent that has credentials, can browse the web, call APIs, and make decisions you didn’t explicitly authorize?
Microsoft arrives with an “AI-first, end-to-end security platform” built around three pillars: securing your AI agents, securing the underlying models, and using agentic AI defensively. Booz Allen Hamilton brings something complementary – an agentic cyber product suite drawing from their government and defense work. Two major players showing up with agentic AI security products isn’t coincidence. It’s a market signal.
Psychological manipulation as a security problem. One keynote getting pre-conference attention is “Mental Malware: Why the Human OS Keeps Getting Hacked.” AI-generated phishing is becoming indistinguishable from legitimate email. Deepfake audio is being used in vishing attacks. Social engineering has gone from a craft to an automated production line. Technical controls don’t address manipulation. The human side has always been hard. AI made it harder.
Post-breach resilience as the new baseline. There’s a quiet shift in how mature security organizations talk about their goals. Less “prevent all breaches,” more “how do we function after one and how do we recover.” The implicit message in a lot of this year’s lineup: you’re going to get hit. What’s your story after that?
The Policy Backdrop
Two weeks before RSAC, the White House released its cybersecurity posture: a National Cyber Strategy and an executive order targeting cybercrime. It names specific sectors that need to get their act together – energy, financial systems, telecom, water utilities, hospitals, defense-adjacent vendors. That document will be in the background of every policy conversation this week.
When a vendor tells you their product supports the White House cyber strategy, it’s worth asking exactly which part.
What We’re Covering
We’ll be tracking announcements, keynote takeaways, and the conversations happening between sessions all week. RSAC is ultimately about what the industry is willing to invest in and argue about. The 2026 edition arrives at a moment when the problems are real, the stakes are high, and the easy solutions have mostly already been tried.
Should be a good week.