Key Takeaways
- The conversation at the biggest cybersecurity conference of the year shifted from "Should we use AI?” to “How do we stay in control of it?”
- Google's Sandra Joyce reported that speed of the threat has officially outpaced the speed of the response.
- Security leaders at RSA 2026 agreed that AI-informed, human-led is the model that works.
When 43,000 security professionals descended on San Francisco’s Moscone Center last week for the 35th annual RSA Conference, they agreed — as they do every time — that this is the year everything changes.
Every year, they’re right. And every year, they leave with a little more urgency than they arrived with.
Attendees, speakers, vendors, analysts, and a conspicuous number of people in branded hoodies all agreed on one thing: AI had evolved in the past year, and people were eager to catch up and talk about it.
The direction, though, was a bit more…damage-controlling.
“The industry is converging on a new model: autonomous attackers, agentic defenses, and unified platforms that integrate detection, response, and remediation,” said Kara Sprague, the CEO of HackerOne.
Has the human, once the irreplaceable checkpoint in every workflow, been promoted out of the process altogether? Whether the industry fully intended this is debatable.
(Although the most celebrated startup of the week was a tool built to monitor other tools — so make of that what you will.)
Eight Hours to 22 Seconds
Ask Richard Bird from Singulr AI, an AI data governance platform, and he will say this concern all comes down to a lack of control over AI. In fact, research from IBM found that about 13% of organizations have already experienced an AI-related data breach.
“Most teams still can’t answer basic questions about how AI is being used, what data it’s touching, or who is ultimately responsible for its actions,” Bird said. “We’re seeing the conversation continue to shift from ‘should we use AI’ to ‘how do we stay in control of it.'”
At the conference, even Google’s Sandra Joyce talked about exactly this. Apparently, the time between initial attacker access and hand-off has collapsed from eight hours in 2022 to 22 seconds in 2025.
That’s a big difference. But it’s also as David Stuart from Sentra explained it: “AI does not create new risk. It amplifies existing exposure and access problems at scale.”
A year ago, AI was the eager intern: flagging alerts, suggesting fixes, waiting patiently for a human to press the button. Go back further and it was recommending what to watch on Netflix, nudging your Amazon cart, a mirror for your own preferences.
Basically, it looked like:
notice behavior > recommend fix > user decides what to do
Now, it’s:
notice behavior > fix behavior without user
Not to say that this means AI will start buying stuff for you on Amazon, but it’s quite a stark awakening when you realize everybody suddenly has their personal assistants that are smarter than them.
The Case for the Human in the Loop
The gap between how quickly agentic AI is being adopted and how well companies can secure it is, to put it plainly, a mishap waiting to happen — like the Titanic’s bow pointing skyward before the inevitable.
Jay Bavisi from EC-Council, the cybersecurity certification body behind the Certified Ethical Hacker program, described AI as inviting something that influences decisions without understanding what will happen.
“Security teams cannot rely on legacy thinking,” Bavisi said. “This moment calls for a more deliberate approach: One that looks at how AI is brought into the organization.”
Deliberate thinking may look like something with a human touch, suggests Jay Martin of cloud service provider Blue Mantis. We’ve heard this time and again, and anyone who says it isn’t wrong; the human touch is, in fact, still very necessary and needed when it comes to working with AI.
HackerOne’s own research says that humans remain the first, last, and every line of defense in between: Security testers using AI assistance consistently surfaced more legitimate vulnerabilities than either humans or AI working alone.
It is the best of both worlds, Martin suggested: “It leads to an AI-informed, human-led approach to security, using AI to enhance insight and speed while keeping humans firmly in the loop and in charge of judgment and accountability.”
Though the conference only lasted three days, the event closed out with a massive 35th anniversary celebration — featuring the one and only Hugh Jackman, who joined the stage with RSAC Executive Chairman, Dr. Hugh Thompson.
Two Hughs, one stage, 43,000 security professionals. Some things, at least, remain unpredictable.
