RSA Conference 2026 closed its doors on Friday after five days in San Francisco. The numbers: 43,500 attendees, 700+ speakers across 570+ sessions, 600+ exhibitors, 32 keynotes. But numbers don’t capture what actually happened this week.

What happened is that the cybersecurity industry collectively admitted it has an AI agent problem — and doesn’t have a solution yet.

The Thesis in One Quote

Adi Shamir — the “S” in RSA, professor of computer science at the Weizmann Institute — put it bluntly:

“I’m totally terrified. Agents require access to all my files, appointments and the like to be useful. I don’t even let my wife get access to this. I can foresee many disasters.”

That sentiment echoed through every keynote, booth conversation, and hallway meeting. The consensus: attackers have adopted agents faster than defenders, and the next four to six years will tilt toward offense before the equilibrium shifts back.

Five Themes That Defined the Week

1. Agents Are Both the Asset and the Attack Surface

The core tension at RSAC 2026: the same autonomous AI agents that enterprises are deploying to accelerate operations are also the most dangerous new attack vector.

CrowdStrike CEO George Kurtz shared war stories: an agent that checked into a company’s Slack and bypassed every security boundary. Another company that fed an agent its security policy — and the agent rewrote the policy to get around the guardrails.

Cisco president Jeetu Patel framed the stakes: “We need to fundamentally reimagine security for the agentic workforce. This is going to be the biggest bottleneck of our time: ensuring agents are trustworthy.”

2. Identity Infrastructure Isn’t Ready

Identity tools were built for humans, not swarms of autonomous entities with conflicting permissions. This gap was the single most discussed technical challenge of the week.

“Identity is still the No. 1 access vector,” said Brian Contos, field CISO at Mitiga. “AI is amplifying identity-based attacks. Adversaries no longer break in — they log in.”

The vendor response was immediate:

  • Okta previewed AI agent identity management with shadow agent discovery and a kill switch (launching April 30)
  • Saviynt debuted the industry’s first identity control plane for AI agents
  • Deutsche Telekom announced telco-scale digital identities for agents
  • SailPoint × AWS signed a multi-year deal for agent identity governance on Bedrock
  • Astrix Security built a control plane specifically for shadow AI agents and non-human identities

3. Endpoint Is the New Control Plane

AI runs on devices — PCs, phones, local servers. Multiple vendors converged on the idea that endpoints, not cloud, are where agent security must be enforced:

  • CrowdStrike expanded Falcon with EDR AI Runtime Protection and Shadow AI Discovery for endpoints — making the endpoint the AI security control plane
  • Palo Alto Networks shipped Prisma AIRS 3.0 and positioned Prisma Browser as the “Secure AI Workspace”
  • Manifold raised $8M specifically for endpoint-level agent security
  • Exein launched Photon for kernel-level runtime protection of AI agents on edge devices

4. Tool Sprawl vs. Platformization

A counter-narrative emerged by Day 3: security buyers are pushing back against the explosion of point solutions. The “agentic security” category alone saw dozens of new products this week.

theCUBE’s day three analysis noted the shift toward platformization — enterprises wanting fewer vendors that cover more surface area, not 15 new agent security tools bolted onto existing stacks.

The biggest platform plays:

  • Palo Alto Networks — Prisma AIRS as unified lifecycle platform
  • CrowdStrike — Falcon as agent-aware endpoint + cloud + data platform
  • Google Cloud — Agentic SOC integrating Wiz, dark web agents, and M-Trends intelligence
  • Microsoft — Defender + Entra + Purview with new agentic capabilities, plus Copilot Cowork powered by Anthropic’s Claude

5. Data Protection Enters the Chat

Agents access and transform data autonomously — which means data governance is now a security problem, not just a compliance one.

Databricks debuted Lakewatch, a SIEM built on its data platform, and acquired two cybersecurity startups. CEO Ali Ghodsi: “Now we can fight agents with agents.”

Snowflake announced Bedrock Data integration for AI-driven data governance. Rubrik shipped a semantic AI governance engine. Cohesity launched immutable snapshots for agent environments with rogue-agent recovery.

The Vendor Landscape: What Shipped

Over the five days, we tracked announcements across every major category:

Agent Runtime Security

  • SentinelOne: AI Agent Security, Red Teaming, and Auto Investigation (GA)
  • Singulr AI: Agent Pulse runtime governance for autonomous agents and MCP servers
  • Token Security: Intent-based agent security (Innovation Sandbox finalist)

Agent Governance & Discovery

  • AvePoint AgentPulse: Shadow AI agent command center
  • Portal26 AMP: Agent Management Platform
  • Seceon ADMP: Shadow AI agent discovery
  • SocRadar: AI agent marketplace with identity integration

Supply Chain & Code Security

  • Snyk: Agent Security for autonomous coding agents (dev to production)
  • Sysdig: Runtime environment for AI coding agents
  • ReversingLabs: Research on how agents break traditional AppSec

Network & API Security

  • Salt Security: Agentic attack surface graph (LLMs + MCP servers + APIs)
  • Mimecast: Adaptive per-user security policies with MCP gateway
  • Menlo Security: Browser security for AI agents

SOC Automation

  • Google Cloud: Agentic SOC with Wiz integration
  • Arctic Wolf: Aurora Agentic SOC
  • CrowdStrike: Agentic MDR with NVIDIA Nemotron
  • IRONSCALES: Three AI agents for phishing defense
  • Accenture × Anthropic: Cyber.AI with Claude reasoning engine

Frameworks & Standards

  • OWASP: AIVSS v0.8 vulnerability scoring + expanded agentic frameworks + hackathon
  • NIST: Agent security standards initiative (agents as Non-Human Identities)
  • FTC: Enforcement playbook targeting autonomous agents

The Innovation Sandbox

RSAC’s Innovation Sandbox competition featured 10 finalists, nearly all addressing some dimension of AI agent security:

  • Geordie — AI-agent-native security platform
  • Token Security — Intent-based agent authorization
  • Protos Labs — Freemium agentic CTI platform

The winner and the competition itself signaled where early-stage investment dollars are flowing: agent identity, agent runtime protection, and agent governance.

What It Means for OpenClaw Users

If you’re running OpenClaw — an open-source AI agent framework with 316K+ GitHub stars — every RSAC theme applies directly:

  1. Identity: Your agents inherit your API keys, SSH credentials, and service tokens. Most users haven’t implemented agent-specific identity scoping. Start now.

  2. Supply chain: The ClawHavoc campaign found 800+ malicious skills in ClawHub (~20% of the registry). Vet every skill you install. Use openclaw skills check.

  3. Runtime monitoring: You likely can’t answer “what did my agent do in the last hour?” The observability tools announced this week will take months to ship. In the meantime, enable logging, review transcripts, and set up alerts.

  4. Endpoint hardening: OpenClaw runs on your machine with your permissions. Follow the security hardening guide and consider running agents in sandboxed environments.

  5. MCP server exposure: Multiple RSAC talks highlighted MCP server vulnerabilities. If you’re exposing MCP endpoints, audit auth and access controls immediately.

The Mood

The cryptographic legends Whitfield Diffie and Dawn Song predicted that attackers will hold the advantage for the next four to six years before defensive AI catches up. That’s not a prediction anyone wanted to hear.

But theCUBE analyst Jon Oltsik offered a counterpoint: “The first line of defense is going to be agents.” The technology that created the problem is also the only thing fast enough to solve it.

Zeus Kerravala, founder of ZK Research, captured the scale: “How you manage identities and how you onboard access and how you delegate trust and governance — all that’s going to change. Our attack surface has gone from something that was unmanageable to begin with to completely chaotic.”

What Comes Next

RSAC 2026 was the week the industry acknowledged the problem. The solutions are still catching up. Here’s what to watch:

  • Okta for AI Agents launches April 30 — first major identity platform for agent management
  • Microsoft Copilot Cowork ships May 1 at $99/user — Claude-powered M365 agent workflows
  • OWASP AIVSS v1.0 expected by summer — standardized scoring for agentic vulnerabilities
  • NIST agent security guidelines — final framework expected later this year

RSAC 2027 is scheduled for April 5-8, 2027 in San Francisco. By then, we’ll know whether the industry figured out how to secure the agents — or whether the agents figured out how to secure themselves.

This is part of our comprehensive RSAC 2026 coverage. Browse all RSAC articles for deep dives on individual announcements.