Enable AI adoption fast enough to stay competitive.Secure the enterprise against a threat landscape that AI itself is creating.These are not sequential problems, unfortunately; they are parallel ones. I’d argue that RSAC 2026 is your best opportunity this year as a security leader to close the knowledge gap.
AI prioritised Learning Framework: RSAC can be overwhelming. And while CISOs are accustomed to working in environments where demand for their attention exceeds supply, prioritizing where to focus your learning investment at the conference in order of strategic return is essential.Following are my suggestions in priority order. If you are attending with a team, then I suggest you “divide and conquer” across these domains rather than clustering around the same keynotes and sessions.
1. Technical priority: Securing the AI stack: RAG workflows, LLM data pipelines, vector databases, and model APIs have introduced an attack surface that most security teams are not yet equipped to defend. Prompt injection, training data poisoning, and model inversion attacks are no longer theoretical.The technical sessions at RSAC 2026 on AI infrastructure security are essential viewing for any CISO whose organizations are moving AI initiatives from pilot to production.
2. Compliance priority: AI governance and policy: The EU AI Act is no longer theoretical. Boards are beginning to ask whether the organization has a defensible “licence to operate” framework for AI deployment. Most don’t. RSAC offers the most concentrated set of sessions on AI governance, regulatory compliance, and policy architecture available anywhere in 2026.Getting clarity on AI governance posture is vital for the CISO.
3. Operational priority: Non-human identity: The explosion of AI agents, autonomous bots, and service accounts has created an identity management problem of a different order of magnitude. Non-human identities now routinely outnumber human ones in enterprise environments.NHI governance is rapidly becoming one of the most consequential operational gaps in enterprise security. RSAC 2026 treats it seriously for the first time at scale.
4. Risk priority: Shadow AI and vibe coding: AI-assisted development by non-technical staff is on the rise. Product managers are building automations, marketers are writing code with AI assistance, and executives are prompting their way to data analysis at many organizations today, largely invisible to security teams.Unsanctioned AI tool usage and inadvertent data exfiltration through consumer AI platforms is a real risk. Then we have AI-generated code moving into production without security review. CISOs need to be on top of these surging risk categories.
5. Strategic priority: SOC autonomous remediation: The AI-native SOC, where detection, triage, and remediation operate with meaningful autonomy is now moving from aspiration to early reality. What can be done to prepare the SOC for AI and agentic systems is a high strategic priority for many security leaders.
The underlying message: RSAC has always been the industry’s annual calibration point. In 2026 it is something more specific than that: It is the moment where the cybersecurity profession collectively confronts what it means to lead security in an AI-native world.Every CISO who leaves San Francisco with a clearer governance framework and a more honest assessment of their AI stack exposure will be measurably better positioned than those who attended the same event and just collected vendor swag.The AI knowledge gap for the CISO is real. RSAC 2026 is your window to start closing it.
2. Compliance priority: AI governance and policy: The EU AI Act is no longer theoretical. Boards are beginning to ask whether the organization has a defensible “licence to operate” framework for AI deployment. Most don’t. RSAC offers the most concentrated set of sessions on AI governance, regulatory compliance, and policy architecture available anywhere in 2026.Getting clarity on AI governance posture is vital for the CISO.
3. Operational priority: Non-human identity: The explosion of AI agents, autonomous bots, and service accounts has created an identity management problem of a different order of magnitude. Non-human identities now routinely outnumber human ones in enterprise environments.NHI governance is rapidly becoming one of the most consequential operational gaps in enterprise security. RSAC 2026 treats it seriously for the first time at scale.
4. Risk priority: Shadow AI and vibe coding: AI-assisted development by non-technical staff is on the rise. Product managers are building automations, marketers are writing code with AI assistance, and executives are prompting their way to data analysis at many organizations today, largely invisible to security teams.Unsanctioned AI tool usage and inadvertent data exfiltration through consumer AI platforms is a real risk. Then we have AI-generated code moving into production without security review. CISOs need to be on top of these surging risk categories.
5. Strategic priority: SOC autonomous remediation: The AI-native SOC, where detection, triage, and remediation operate with meaningful autonomy is now moving from aspiration to early reality. What can be done to prepare the SOC for AI and agentic systems is a high strategic priority for many security leaders.
The underlying message: RSAC has always been the industry’s annual calibration point. In 2026 it is something more specific than that: It is the moment where the cybersecurity profession collectively confronts what it means to lead security in an AI-native world.Every CISO who leaves San Francisco with a clearer governance framework and a more honest assessment of their AI stack exposure will be measurably better positioned than those who attended the same event and just collected vendor swag.The AI knowledge gap for the CISO is real. RSAC 2026 is your window to start closing it.
4. Risk priority: Shadow AI and vibe coding: AI-assisted development by non-technical staff is on the rise. Product managers are building automations, marketers are writing code with AI assistance, and executives are prompting their way to data analysis at many organizations today, largely invisible to security teams.Unsanctioned AI tool usage and inadvertent data exfiltration through consumer AI platforms is a real risk. Then we have AI-generated code moving into production without security review. CISOs need to be on top of these surging risk categories.
5. Strategic priority: SOC autonomous remediation: The AI-native SOC, where detection, triage, and remediation operate with meaningful autonomy is now moving from aspiration to early reality. What can be done to prepare the SOC for AI and agentic systems is a high strategic priority for many security leaders.
The underlying message: RSAC has always been the industry’s annual calibration point. In 2026 it is something more specific than that: It is the moment where the cybersecurity profession collectively confronts what it means to lead security in an AI-native world.Every CISO who leaves San Francisco with a clearer governance framework and a more honest assessment of their AI stack exposure will be measurably better positioned than those who attended the same event and just collected vendor swag.The AI knowledge gap for the CISO is real. RSAC 2026 is your window to start closing it.
The underlying message: RSAC has always been the industry’s annual calibration point. In 2026 it is something more specific than that: It is the moment where the cybersecurity profession collectively confronts what it means to lead security in an AI-native world.Every CISO who leaves San Francisco with a clearer governance framework and a more honest assessment of their AI stack exposure will be measurably better positioned than those who attended the same event and just collected vendor swag.The AI knowledge gap for the CISO is real. RSAC 2026 is your window to start closing it.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4146664/5-key-priorities-for-your-rsac-2026-agenda.html
