RSAC 2026: The signals that mattered most

Beyond the headline themes of AI, identity and resilience, RSAC 2026 revealed a deeper set of structural pressures that security leaders can no longer afford to treat as background noise
Prashant Mascarenhas
SVP and Global Head of Solutions, Cybersecurity, HCLTech

RSAC 2026 brought over 43,500 attendees, 700 speakers and 600 exhibitors to San Francisco’s Moscone Center for what has become the industry’s most important annual gathering.

The 35th edition of the conference carried the theme The Power of Community — a deliberately human-centered message, at a moment when the industry is consumed by questions about machines.

Throughout the event, three headlines dominated the main stage:

  1. AI was no longer a track; it was the entire conference, accounting for roughly 40% of the agenda across every domain. The tone, however, has matured. The conversations were no longer about whether to adopt AI, but about how to apply it responsibly, what is needed to secure already widespread enterprise deployments and where it delivers measurable security outcomes.
  2. Identity has now firmly displaced the traditional perimeter as the primary security boundary, driven by the explosion of cloud environments, remote workforces and now AI agents that operate across enterprise systems without a physical network perimeter to contain them.
  3. Resilience displaced prevention as the defining organizational posture with leaders accepting that breaches will happen and that they are competing on how fast they can respond. Protecting critical data underpins operational continuity, trust, and regulatory compliance. RSAC 2026 also underscored a deeper shift: cybersecurity is becoming inseparable from enterprise resilience.

These themes were impossible to miss.

They appeared across the main stage, the exhibition floor and nearly every vendor briefing throughout the week. A great deal has already been written about AI, identity and resilience as the dominant RSAC 2026 storylines. The more useful exercise now is to focus on the less visible signals that emerged around them, and what they mean for enterprise security leaders planning the next 12 to 18 months.

As with many industry events, the most valuable insights often emerge beyond the keynote stage, in executive forums, practitioner exchanges and candid discussions between sessions. That is where a different set of themes came into sharper focus: less heavily covered in standard conference recaps, but arguably more consequential for organizations trying to strengthen security, resilience and governance in a rapidly shifting environment.

Five such themes stood out, each with practical implications for security leaders and clear actions to consider now. They also point to areas where HCLTech’s security capabilities can help organizations respond with greater speed, structure and resilience.

1. The CVE program is under structural strain

Much of the post-conference coverage focused on AI. Far fewer discussions highlighted something more foundational: the vulnerability tracking infrastructure that underpins most enterprise security programs is under increasing stress.

At RSAC, Katie Noble, CVE Board Member and Director of PSIRT at Intel, was direct about the challenge: “I don’t think we can afford to continue at the pace and with the tools that we currently have in order to make real progress. We’re just going to be left in the dust.”

The issue is not only funding instability. At GitHub, the number of vulnerability reports received over the prior 90 days was 224% higher than the previous period. Madison Ficorilli, Senior Security Manager at GitHub, described the quality of AI-generated reports as “a huge, huge concern.”

Noble also described CVE as “the oxygen that we breathe” in cyber defense, while acknowledging the need to confront whether a better or fundamentally different system may now be required.

The underlying issue is straightforward: enterprise vulnerability management programs still depend heavily on CVE as a foundational data source. If that source becomes less reliable, so do the triage and prioritization models built on top of it.

Next action: Audit the vulnerability management toolchain for CVE dependency. Begin evaluating alternative sources, including EUVD, and ask security vendors to declare their contingency plans if CVE reliability degrades further.

How HCLTech can help: , combined with its platform, operationalizes Continuous Threat Exposure Management (CTEM) by translating adversarial-intelligence-driven vulnerability priorities from leading industry partners into accelerated remediation workflows. The service provides real-time visibility across endpoints, cloud environments, identity systems, applications and data, continuously identifying, prioritizing and remediating vulnerabilities in a structured, time-bound manner that reduces dependence on manual CVE-driven triage. The focus is to reduce system fragility, making organizations more robust against cascading failures.

For organizations concerned about CVE fragmentation, CTEM offers a path toward intelligence-led exposure management that is not solely dependent on any single vulnerability catalog. HCLTech and CrowdStrike recently launched , combining CrowdStrike’s AI-native Falcon platform with HCLTech’s VERITY offerings.

2. Deepfakes are becoming an operational identity risk

The deepfake conversation at RSAC moved from theoretical discussion into practical concern. A session titled Facing Reality: Hacking Facial Recognition showed just how fragile many enterprise identity verification systems have become.

The presenter warned that current identity verification systems are not prepared for this threat. Many still assume a camera feed is genuine, while basic active liveness checks such as blinking and head turns no longer offer meaningful protection. The conclusion was simple: seeing is no longer believing, and enterprise identity systems must evolve quickly.

The social engineering implications were equally clear. At a CISO panel, Pindrop’s CEO and Co-Founder Vijay Balasubramaniyan told attendees: “By now, you’ve interviewed a deepfake. You just haven’t caught them yet.”

A CISO from a large bank confirmed that the organization had extended three to four job offers to candidates who later turned out to be deepfakes. The alerts were reaching security teams, while the hiring decisions remained in HR, with no expectation that recruiters should be equipped to identify this kind of threat.

Conference data reinforced the scale of the challenge. Deepfake industrialization has contributed to a 442% increase in vishing (voice phishing) and impersonation attacks, with attackers now combining AI-generated executive voice clones with role-specific emails that mirror internal corporate tone.

Next action: Run a live deepfake simulation against finance and IT help desk teams, rather than relying solely on phishing email tests. Establish out-of-band verification protocols such as callback codes or video confirmation for any request involving money movement or credential resets. Bring HR and business-facing customer support staff into the threat awareness program, because they are increasingly part of the frontline attack surface.

How HCLTech can help: HCLTech’s  includes dedicated security awareness and workforce education capabilities. Its Risk Management programs can be scoped to run deepfake and vishing simulations tailored to high-risk roles such as HR, finance, customer support and the IT help desk, turning RSAC’s warnings into measurable training outcomes.

HCLTech’s identity-first , spanning workforce identity, user-device context and SASE, can also be extended to enforce multi-signal verification controls in real time, moving organizations beyond facial and voice checks towards device-anchored identity assurance.

3. Non-human identities are becoming the least-governed part of the perimeter

Identity is now widely recognized as the primary security boundary. What remains less well governed is which identities matter most, particularly as non-human identities begin to outnumber human ones across many enterprise environments.

Cisco President and Chief Product Officer Jeetu Patel used his RSAC keynote to reframe how leaders should think about AI agents: “We should not think of these agents as tools. They are more like digital co-workers.” He also warned about what he called “the oops phase” — the period in which autonomous agents can take wrong actions before governance mechanisms have caught up.

That governance gap was visible across practitioner discussions. Last year, organizations were asking what AI agents could do. This year, the question had shifted to what they should be allowed to do, particularly in terms of what they can access, how they are monitored and how their permissions are restricted.

Forrester’s analysis of the Innovation Sandbox reflected the same pattern: 50% of organizations are now piloting Agentic AI and 24% have it in production, while governance and identity controls continue to lag behind deployment velocity.

Next action: Commission an inventory of all non-human identities within 90 days. Apply least-privilege principles to service accounts and AI agents in the same way as privileged human users. If the current IGA or PAM solution cannot govern agent identities, evaluate whether it remains fit for purpose.

How HCLTech can help: HCLTech delivers  (MiDaaS), covering Workforce Identity, Machine Identity, Privileged Access Management, Consumer IAM and role-based access solutions aligned to Zero Trust architecture. These services are now being extended to support non-human identity governance and AI agent access controls, including newer capabilities such as intent-based access.

Its , built on SailPoint’s Identity Security Cloud platform with HCLTech’s delivery expertise, automates the identity lifecycle and can be scoped to include AI agent provisioning, access certification and deprovisioning workflows.

4. The velocity gap is putting traditional SOC models under strain

This issue may not have dominated the keynotes, but it surfaced repeatedly in closed-door discussions and practitioner conversations. The speed gap between AI-enabled attackers and human-paced defenders is now large enough to challenge the viability of the traditional SOC operating model.

Google Mandiant’s M-Trends 2026 report, released during the conference, showed that the median time between initial access and handoff to secondary threat actions had collapsed from eight hours in 2022 to just 22 seconds. Francis deSouza, COO at Google Cloud, stated: “It’s not possible to mount a human-only defense against an AI attack.”

Kevin Mandia, founder of Armadin, was equally clear: “You’re not going to have time to call Mandiant on a Thursday afternoon, get people in, sign a contract. You’re going to have to be able to respond at machine speed.” His co-panellist Morgan Adamski, former Executive Director of US Cyber Command, added: “AI is going to potentially make us pay for the sins of yesterday.”

Practitioner-side data made the same point. Phishing volume has increased multifold, growing at an exponential rate, while the cost for attackers has fallen by 95%. The result is a widening velocity gap, with human analysts overwhelmed by manual queues while automated attack systems operate continuously.

Next action: Audit the SOC’s alert-to-action ratio. If analysts are spending more than 40% of their time on triage rather than investigation, the issue is structural, not simply a headcount challenge. Pilot agentic automation for first-tier triage before the next budget cycle, and position it internally to reduce cognitive load rather than replace analysts.

How HCLTech can help: HCLTech’s  (UMDR) solution provides adaptive data security, threat detection, proactive threat hunting and round-the-clock expert support.

For organizations moving toward the agentic SOC model now emerging as necessary, HCLTech’s UMDR and Total Resilience offerings combine AI-powered threat detection, analytics and automated incident response across IT, cloud and OT environments. This enables cyber incidents to be managed as controlled recovery events rather than cascading operational failures. UMDR can serve as the operational bridge between today’s human-heavy SOC and the machine-speed response posture that RSAC discussions made clear is now required.

5. Legacy GRC platforms are struggling to meet modern governance demands

The governance, risk and compliance conversation at RSAC took on a more candid tone than in previous years. The frustration was not with the concept of GRC itself, but with the tools many organizations have been asked to use to deliver it.

Jay Bavisi, CEO of EC-Council, offered one of the clearest governance framings of the week: “Our attitude as a community has been shoot first, ask questions later. But what we should be doing is ask questions first, shoot later.” He supported this with a broader context: 84% of Fortune 500 companies now reference AI implementation in their 10-K filings, while governance maturity has not kept pace.

He went further: “We are living in an era where AI agents already have a social media community of their own. We live in an era where humans are being threatened and blackmailed and we still haven’t figured out how we’re going to implement governance and ethics.”

Practitioner feedback was more operational, but no less direct. Enterprises that had spent heavily on legacy GRC platforms reported finding themselves back in spreadsheets, suggesting that the era of feature-heavy, over-promised governance platforms may be reaching its limit. Buyers are now asking for usability, multi-entity risk visibility and better support for AI governance, rather than simply more functionality.

Constellation Research’s floor analysis reinforced this point. Buyers have moved beyond curiosity about AI governance and are now focused on how these technologies fit into day-to-day security operations and how accountability can be managed in practice.

Next action: Run a utilization audit on the current GRC platform. If adoption across business units is below 60%, the tool is not strengthening the risk program; it is weakening it. Issue a formal RFI to at least two modern GRC vendors before the next audit cycle, with usability, AI governance support and multi-entity coverage as primary criteria.

How HCLTech can help: HCLTech’s GRACE solution provides continuous compliance monitoring, unified regulatory alignment and control assurance across industries and geographies, designed so that audits do not slow the business. Its GRC practice also includes enterprise-wide and third-party risk assessment services that translate technical exposure into business risk, helping leaders prioritize what matters most to continuity, compliance and trust.

For the AI governance gap highlighted at RSAC, HCLTech’s  and AI governance capabilities embed ethics, regulation and operational controls directly into AI adoption journeys, giving compliance teams defensible frameworks for governing AI deployment rather than retrofitting legacy tools never designed for this purpose. is also enabling enterprise-scale GRC platform transformation programs.

Closing perspective

The most important message from RSAC 2026 was not simply that AI is changing cybersecurity. It was that several quieter structural weaknesses in vulnerability infrastructure, identity governance, analyst capacity, resilience and compliance tooling are widening faster than many security programs are moving to address them.

As Kevin Mandia put it, the next two years are going to be “insane.”

The organizations that act on these signals now, and align with partners already building for this next phase, will be better positioned by RSAC 2027 not only to defend more effectively, but to operate with greater confidence in a faster and more complex threat environment.
