The DeepSeas RSA 2026 Survival Guide
Every year, security leaders leave RSA with a notebook full of themes and a calendar full of follow-ups that never happen.
The 2026 theme — "The Power of Community" — captures something real. The hallway conversations, peer dinners, and practitioner sessions at Moscone contain more operational intelligence than most teams can absorb in a week. But intelligence without action is just awareness. And awareness doesn't stop breaches.
Here are the five trends the 2026 agenda is actually spotlighting, what the sessions are saying, and what's worth taking back to the office.
AI Agents Are Attacking You. Is Your SOC Ready?
The 2026 track Securing MCP: Mitigating New Threats in Agentic AI Deployments marks a shift in how we think about adversaries. Attackers are deploying AI agents to automate multi-stage breaches — moving through environments faster than any human analyst can triage. Traditional triage assumes a human is on the other side of the alert. Agentic attacks don't wait.
Most SOC architectures weren't built for this. Alert queues designed for human-speed threats collapse under machine-speed attack chains. The response has to be equally automated, correlating signals across Cloud, Identity, and Network before the chain compounds.
What to take away from RSA: When a vendor says "AI-powered," ask where the automation actually lives. Detection, triage, or just the marketing deck?
Sessions to catch:
- Scaling AI Adoption with Five MCP Security Best Practices — Mon 10:50 AM, Moscone West 3022
- Trust Me, I'm a Tool: Attacking and Defending the MCP — Tues 8:30 AM, Moscone West 2018
Your IT and OT Networks Are Already Converged. Your Defenses Probably Aren't.
Sessions like WWII Code-Breaking and Modern ICS/OT Security aren't just a historical curiosity. They're pointing at a structural problem: critical infrastructure organizations have already experienced IT/OT convergence. The defensive architecture just hasn't caught up.
An attacker who enters through a phishing email on the enterprise network and pivots toward a programmable logic controller doesn't cross a visible boundary. The lateral movement is invisible unless both environments feed into a single operations view — and most MDR providers still don't cross the threshold between the carpeted office and the plant floor.
Unified kill-chain visibility across IT and OT isn't a future-state architecture. It's a current requirement. Containment decisions made with partial visibility aren't really containment decisions.
What to take away from RSA: Walk the North Hall. Ask every IT/OT security vendor where their monitoring stops. Most have a clear answer. It's usually not where you need it to stop.
Sessions to catch:
- What the Enigma Machine Teaches OT Security Professionals — Mon 2:20 PM, Moscone West 2006
- Explore the Enigma Machine — Mon 1:10 PM, Connection Hub
You Deployed MFA. You're Still Exposed.
The security industry has been celebrating MFA as a perimeter for the better part of a decade. The 2026 RSAC theme of Identity as the "Illusion of Done" names the problem clearly: MFA stops password sprays. It doesn't stop session hijacking, impossible travel, or token theft.
Organizations that deployed MFA five years ago now operate with a false confidence that credential-based attacks can't touch them. They can. Session hijacking, impossible travel, and token theft all operate above the authentication layer MFA protects. Identity has to be treated as a primary telemetry source — not a checkbox — with behavioral anomaly detection that fires before a traditional alert would.
What to take away from RSA: Ask every identity vendor what their platform does after the alert fires. If the answer involves a ticket, you're still on the hook.
Session to catch:
- Illusion of Done: Lessons from Zero Trust Missteps for Secure AI Adoption — Tues 9:40 AM, Moscone South Esplanade 155
Your Board Wants Evidence. Your Audit Team Wants Evidence. Stop Building It From Scratch Every Time.
Digital Sovereignty and Compliance as a Strategic Differentiator dominate the 2026 regulatory track because the ask has changed. Policies and frameworks aren't sufficient anymore. Boards and regulators want continuous, auditable proof that the controls are actually working — not a quarterly reconstruction from disconnected data sources.
Most organizations still build compliance evidence the way they always have: manually, in the weeks before an audit, under pressure. The security programs pulling ahead are the ones where compliance evidence flows directly from live defense operations, already assembled when the auditors arrive.
What to take away from RSA: The audit fire drill is an operational problem, not just a compliance problem. The security program that eliminates it has a structural advantage.
Session to catch:
- Applied Compliance: From Rules to Reliance with DORA, CRA, and NIS2 — Tues 2:25 PM, Moscone West 3001
You Can't Know If Your Controls Work Without Testing Them
Disrupting Cybercrime at Scale is a key 2026 theme, and it implies something most security programs resist: the attackers are testing your defenses continuously. The only meaningful response is to test them first.
A one-time penetration test or an annual red team exercise doesn't reflect how attackers actually operate. Continuous offensive validation — calibrated to real-world attack techniques and active ransomware strains — surfaces the gap between what your tools are supposed to do and what they're actually doing. That gap is usually larger than anyone is comfortable admitting.
The security budget most organizations carry is substantial. The tools are deployed. The question is whether they're configured to work.
What to take away from RSA: Ask vendors how often their customers actually validate that the product is doing its job. Then ask yourself the same question.
Session to catch:
- Breaking the Breach Cycle: War Stories & Adversarial Validation — Tues 2:25 PM, Moscone West 2022
RSA 2026 runs through Friday. The conversations worth having this week aren't in the keynotes — they're in the practitioner sessions, the peer dinners, and the moments when someone admits what actually happened to their environment last quarter.
The five problems above aren't abstract conference themes. They're operational gaps with a cost. The teams that leave RSA with a clear answer to each one are the teams that spend the rest of the year ahead of the threats rather than behind them.
DeepSeas addresses each of these areas directly. If you want to see how your current program maps against them, visit DeepSeas.com.
