RSA Conference 2026 arrives at a significant inflection point for the cybersecurity industry — one that will see its more than 43,000 attendees and 600-plus exhibitors navigating an agenda that has fundamentally shifted in character.
For the first time, “AI” is not a track at RSAC. It is the event.
Of the 450-plus sessions across four days, approximately 40% of the entire agenda is AI-weighted. Only two of 29 tracks are explicitly labeled as being dedicated to “AI,” but that understates the penetration entirely. AI is now embedded as a core component across every other track: Identity, Cloud Security, CISO Insights, the Human Element, and Threat Intelligence alike.
This is not a trend. It is a structural shift in what cybersecurity leadership means and speaks to the largest gap in knowledge that the CISO is trying to address personally.
The CISO’s defining tension at RSAC 2026
The CISO arrives at RSAC this year in the wake of many FOMO conversations involving their board and management. The competitive pressure to adopt AI, in products and operations, is real and accelerating.
Each CISO sits at the center of that pressure, navigating a dual mandate that has no easy resolution:
- Enable AI adoption fast enough to stay competitive.
- Secure the enterprise against a threat landscape that AI itself is creating.
These are not sequential problems, unfortunately; they are parallel ones. I’d argue that RSAC 2026 is your best opportunity this year as a security leader to close the knowledge gap.
AI prioritised Learning Framework
RSAC can be overwhelming. And while CISOs are accustomed to working in environments where demand for their attention exceeds supply, prioritizing where to focus your learning investment at the conference in order of strategic return is essential.
Following are my suggestions in priority order. If you are attending with a team, then I suggest you “divide and conquer” across these domains rather than clustering around the same keynotes and sessions.
1. Technical priority: Securing the AI stack
RAG workflows, LLM data pipelines, vector databases, and model APIs have introduced an attack surface that most security teams are not yet equipped to defend. Prompt injection, training data poisoning, and model inversion attacks are no longer theoretical.
The technical sessions at RSAC 2026 on AI infrastructure security are essential viewing for any CISO whose organizations are moving AI initiatives from pilot to production.
2. Compliance priority: AI governance and policy
The EU AI Act is no longer theoretical. Boards are beginning to ask whether the organization has a defensible “licence to operate” framework for AI deployment. Most don’t. RSAC offers the most concentrated set of sessions on AI governance, regulatory compliance, and policy architecture available anywhere in 2026.
Getting clarity on AI governance posture is vital for the CISO.
3. Operational priority: Non-human identity
The explosion of AI agents, autonomous bots, and service accounts has created an identity management problem of a different order of magnitude. Non-human identities now routinely outnumber human ones in enterprise environments.
NHI governance is rapidly becoming one of the most consequential operational gaps in enterprise security. RSAC 2026 treats it seriously for the first time at scale.
4. Risk priority: Shadow AI and vibe coding
AI-assisted development by non-technical staff is on the rise. Product managers are building automations, marketers are writing code with AI assistance, and executives are prompting their way to data analysis at many organizations today, largely invisible to security teams.
Unsanctioned AI tool usage and inadvertent data exfiltration through consumer AI platforms is a real risk. Then we have AI-generated code moving into production without security review. CISOs need to be on top of these surging risk categories.
5. Strategic priority: SOC autonomous remediation
The AI-native SOC, where detection, triage, and remediation operate with meaningful autonomy is now moving from aspiration to early reality. What can be done to prepare the SOC for AI and agentic systems is a high strategic priority for many security leaders.
The underlying message
RSAC has always been the industry’s annual calibration point. In 2026 it is something more specific than that: It is the moment where the cybersecurity profession collectively confronts what it means to lead security in an AI-native world.
Every CISO who leaves San Francisco with a clearer governance framework and a more honest assessment of their AI stack exposure will be measurably better positioned than those who attended the same event and just collected vendor swag.
The AI knowledge gap for the CISO is real. RSAC 2026 is your window to start closing it.