RSAC 2026: Shadow AI, Agentic Governance, and What They Signal for Security Teams

As the world’s biggest cybersecurity conference comes to a close, we’re taking a look at the key themes and trends the appeared in conversations, keynotes, and announcements.

Published on Mar 26, 2026

Written by Joel Witts

Share

RSAC 2026: Shadow AI, Agentic Governance, and the Themes That Defined the Show

The two words I heard most at RSAC this year were Shadow AI. Followed closely by Agentic AI governance.

Proofpoint’s Molly McLain Sterling described her walk of the show floor in two words: “Agentic everything.”

It’s true to say AI is moving faster than any technology we have seen before, and as a Google Cloud leader told me, the pace is only likely to increase from here.

Amid the chaos of RSAC this year, these trends came up again and again.

Securing AI Agents Is A Top CISO Priority

Everyone is a developer now. Or at least, everyone has the capacity to set agents in motion installing skills, browsing data, and building applications.

Adoption is moving so quickly that most of the time a security team does not know these agents exist, let alone have the ability to properly govern them.

This is not a problem security leaders can afford to ponder for too long.

The pace of AI adoption inside organizations is unlike anything we’ve seen before. In a reversal of the usual dynamic, when it comes to AI, CEOs are pushing new technology adoption onto security teams, rather than the other way around.

Vanta’s Khush Kashyap warned that “shadow AI is exponentially bigger than shadow IT ever was.” The difference is speed: an employee can spin up an AI agent, connect it to company data, and have it making decisions in minutes. Kashyap also described what she called the “CISO burnout paradox”: the technology that is supposed to ease the burden on security leaders is, for now, making it heavier.

Human Oversight Cannot Keep Up

At the same time, the threat landscape is shifting rapidly, with attackers now able to launch AI-assisted attacks, compromising vulnerabilities in seconds rather than minutes. With this in mind, micromanaging AI tools is not viable when organizations are running hundreds or thousands of agents or facing hundreds or thousands of AI-powered attacks. By the time a human reviews the output, the damage is done.

“There will be a point where humans will support agents, not the other way around,” Google Cloud’s Jon Ramsey told Expert Insights.

The governance and guardrails need to be baked into AI deployments. The organizations that figure that out first will be the ones that can utilize AI successfully, without compromising security.

Explore More

Google Cloud’s Anton Chuvakin: AI Will Favor Defenders in the Long Run

Google Cloud's Dr. Anton Chuvakin explains how shadow AI governance has evolved, the human-in-the-loop debate, and why in the long run, AI will ultimately favor defenders

Joel Witts Last updated on Mar 26, 2026

Read Now

Written By

Joel Witts Content Director

Joel is the Director of Content and a co-founder at Expert Insights; a rapidly growing media company focussed on covering cybersecurity solutions.

He’s an experienced journalist and editor with 8 years’ experience covering the cybersecurity space. He’s reviewed hundreds of cybersecurity solutions, interviewed hundreds of industry experts and produced dozens of industry reports read by thousands of CISOs and security professionals in topics like IAM, MFA, zero trust, email security, DevSecOps and more.

He also hosts the Expert Insights Podcast and co-writes the weekly newsletter, Decrypted. Joel is driven to share his team’s expertise with cybersecurity leaders to help them create more secure business foundations.