
Human and AI Perspectives Influence Cybersecurity Trends at RSAC 2026

The RSAC 2026 Conference commenced with a flurry of insights, discussions, and forecasts concerning the future of cybersecurity, emphasizing the dynamic role of artificial intelligence (AI). On the first day, Jamison Cush and Sabrina Polin from Informa TechTarget led several stimulating conversations with industry experts, including Alex Culafi, a senior news writer at a prominent cybersecurity publication. Culafi, an experienced attendee of RSAC, shared his observations about the increasing significance of AI in cybersecurity and the conspicuous lack of government representatives at the event.

Culafi pointed out the strong drive from vendors to promote AI-based solutions, a trend that has become more pronounced since 2023. The capabilities of AI have evolved, ranging from data analysis to functioning as automated threat intelligence agents. Vendors are now presenting more ambitious applications, such as agentic AI systems that aim to enhance or potentially replace traditional security operations centers (SOCs). However, this swift progression has ignited discussions among security leaders, with some expressing doubts about the scalability of involving humans in every AI decision, a notion termed "human in the loop." Culafi referenced Emma Smith, Vodafone's global CISO, who advocated for a transition to "human on the loop," where AI predominates and human intervention occurs only when necessary, a perspective that presents both opportunities and challenges.

In addition to AI, Culafi underscored significant trends in the threat landscape, such as the surge in sophisticated supply chain attacks aimed at open source ecosystems and the changing strategies of ransomware perpetrators. While there has been a decline in ransomware payments as organizations bolster their defenses, data theft continues to pose a major threat. Throughout the conference, Culafi's perspectives paved the way for more in-depth discussions regarding the delicate balance between innovation and risk in cybersecurity, illustrating that the industry is currently at a pivotal juncture.

Direct from RSAC 2026: "Human in the Loop" Won't Scale: Full Transcript

Jamison Cush: Welcome as we wrap up our live streaming coverage of day one from the RSAC Conference 2026. I am Jamison Cush with Informa TechTarget. Earlier, we spoke with thought leaders from WiCyS and ISACA, as well as Informa TechTarget's cybersecurity expert Sharon Shea. I have also been conversing with my co-host from the news desk, Informa TechTarget's senior managing editor Sabrina Polin. Thank you once again for being here.

Sabrina Polin: Absolutely.

JC: It has been a pleasure. I also enjoyed my discussions with Rob and Jenai; they shared many intriguing insights. Was there anything that particularly stood out to you?

SP: Definitely. We inquired with Rob and Jenai from ISACA about a recent survey on AI, and I asked, "Are you at all concerned about how rapidly the AI landscape is evolving?" Rob responded, "No. This is the most excited I have been since the advent of the Internet," which I found to be a fascinating observation. It reflects the current climate; things are exciting, changing, and intense.

JC: Yes, there is a lot of excitement at the desk, especially since we are now joined by a familiar guest, a senior news writer at a prominent cybersecurity publication. Thank you for joining us again, Alex.

Alex Culafi: Yes. I won’t claim to be saving the best for last, but I am ending day one on a strong note.

SP: A very diplomatic way to put it.

JC: Absolutely. Alex, I want to give you the floor. Though the show floor has not opened yet, you have already participated in some sessions and received numerous pitches. What do you anticipate for RSAC? What are you hearing from CISOs and other experts?

AC: This is my sixth RSAC conference. I appreciate attending each year as it gives me insight into what businesses are focusing on. While there is still plenty of research, it is a vendor-centric event, allowing me to see what people are marketing. AI is undoubtedly at the forefront. I am sure every conversation today and tomorrow will mention it at some point. I have never seen AI being promoted as aggressively as it has been since 2023 when products began to emerge.

I do not have a complete assessment yet, but I find it surprising that the show floor is still closed while billboards and many sessions are dominated by AI-themed vendors. In 2023 and 2024, I thought it was the year of AI and pondered what would come next, but here we are again; it's still AI, but now with a more agentic focus. The second significant observation is the noticeable absence of government representatives this year. Typically, agencies like CISA and the FBI have a presence, but CISA announced in January that they would not attend. Moreover, with some DHS employees furloughed and Kristi Noem's first and likely last RSAC occurring last year, the lack of governmental engagement feels odd. I am not a staunch government supporter, but their presence is crucial to the security ecosystem. Thus, these two aspects, the aggressive promotion of AI and the absence of government attendees, stand out to me.

SP: I recall you mentioning two years ago that three key takeaways from RSAC 2024 were "AI, AI, and more AI."

JC: Yes, it was all about hyping, selling, and marketing AI.

AC: I believe I mentioned both themes previously, and I expected a different narrative this year, but I do not have one. Since 2023, there has been a focus on products related to AI in the security sector. In 2024 and 2025, it began to mature, and now in 2026, the conversation is about agentic AI and more ambitious use cases, with selling becoming even more pronounced. Despite attempts to shift the conversation, AI has consistently remained a focal point as we understand it today.

SP: Are there any notable differences in the offerings compared to previous years? Are they still superficial, or are we seeing more practical applications? Is it a shift from GenAI to agentic AI? Are there overarching themes, or is it still a matter of throwing AI at the wall to see what sticks?

AC: I do not believe they are merely throwing it at the wall. The use cases have become more sophisticated. Back in 2023, they marketed AI as a tool for data analysis and automated threat intelligence. That is still true now.

AI is still about data analysis and producing human-readable reports for executives. Now with agentic AI, organizations aim to either implement, augment, or replace traditional SOCs, depending on their audience. An interesting development is that some organizations have begun using these products over the past few years, leading to varied responses. Eric Geller from a cybersecurity publication recently discussed the mixed feedback these early product waves received. It is a complex space now. While it has matured significantly, I expected the sales aspect to recede, yet AI seems to dominate everywhere, even on billboards.

JC: Shifting gears from AI, I assume you are reluctant to do so.

AC: Would you like to discuss the government?

JC: No; let's talk about the threat landscape instead. We discussed this last year, focusing on potential threats such as satellite hacking and attacks on infrastructure. How has the threat landscape shifted since last year? Are we still facing the same threats, or are there new challenges due to emerging AI?

AC: I can share one concerning development and one positive one.

JC: Exactly what I am looking for.

AC: The concerning issue is the brutal state of open source code development environments. Groups like Shai-Hulud and Glassworm have targeted npm and other open source platforms with aggressive information-stealing supply chain attacks, infecting not only components used in development but also those used in downstream components. Supply chain attacks remain a significant threat.

On a positive note, ransomware appears to be showing improvement overall. Organizations are paying less frequently as they become better at recovering from attacks, leveraging backups, working with incident response teams, and enhancing their defensive strategies. Although many organizations still struggle with basic practices, there is promising data indicating that ransomware is on a positive trajectory. Excluding extreme payments, the average and median ransomware payments seem to be decreasing over time. While there are positive developments, threat actors are increasingly focused on data theft rather than encryption.

SP: What is the alarming aspect?

AC: The alarming aspect is the emergence of malware worms targeting the open source supply chain ecosystem. I am struggling to think of something more thrilling to report.

JC: That sounds quite concerning.

SP: I apologize; I was simply trying to dig deeper.

AC: Well, they are still hacking satellites. I'm unsure how to top that.

JC: You previously wrote about the median ransomware price and how it is not as lucrative as a business model. Where are these threat actors shifting their focus? Are we improving our recovery capabilities, and does that put other elements, like infrastructure, at greater risk? Is the threat landscape expanding or moving toward more lucrative targets?

AC: The behavior of threat actors remains consistent; they will always seek the easiest way into systems. In this regard, there has been some change. Threat actors still exploit vulnerabilities and utilize familiar tactics to gain entry. However, we are also observing an increase in "living off the land" tactics, leveraging PowerShell within organizations and using their own drivers while employing tools to neutralize antivirus systems. Essentially, they are adopting strategies to remain stealthy, as EDR and antivirus solutions continue to improve. They are less reliant on tools like Cobalt Strike Beacon, and even the use of Mimikatz has decreased due to antivirus systems detecting them swiftly. They are becoming more strategic in their approach. While ransomware shows some positive trends, data theft remains a pressing concern, and information stealers are still aggressive. It seems that the focus has shifted from encryption to outright data theft.

JC: You attended a session earlier today that I believe you have written about.

AC: It is currently published on a prominent cybersecurity website.

JC: Great. It was a panel titled "From Threat to Strategy: The CISO's Playbook for the AI Revolution." Sorry to bring the discussion back to AI, but that sounds like a significant topic.

AC: The title has changed to "CISOs Debate Human Role and AI-Powered Security."

JC: Can you share insights from that debate? How are CISOs adapting to the AI landscape in terms of security?

AC: I was part of an intriguing panel today featuring three security executives: Emma Smith from Vodafone, Francis deSouza, Google Cloud's chief operating officer and president of security products, and Shaun Khalfan, senior VP and CISO at PayPal. They discussed how to navigate the AI landscape. One aspect of the discussion that resonated with me was the debate over human involvement in AI decision-making. Emma Smith emphasized that having a human involved in every AI decision is not scalable for larger organizations, especially as attackers utilize agentic technology. She proposed a shift from "human in the loop," where humans are involved at every critical decision point, to "human on the loop," allowing for occasional human intervention based on insights from AI. This perspective is somewhat alarming as it suggests relinquishing control to AI at a time when AI-driven security threats are prevalent. While I understand her reasoning about the scaling capabilities of attackers, I remain skeptical about whether the technology is sufficiently reliable to reduce human involvement in decision-making. As a reporter, I may gain new insights in the coming days that could alter my perspective, but I found this topic noteworthy and worth exploring further in my articles.

SP: In a previous interview with Rob from ISACA, he mentioned the struggles of having enough personnel to verify and validate the work of humans, let alone the exponential tasks that AI agents undertake. Is there a point where we simply do not have enough humans to effectively oversee AI, creating more work than if we did not use AI agents at all?

AC: It is challenging to draw clear conclusions because I do not want to claim I have grown more cynical over time, though I have certainly become more questioning. I find it perplexing to see everyone promoting GenAI so aggressively. Some companies appear genuinely desperate, while it is unclear if this is a widespread trend. I question whether the push to remove humans from the loop is driven by a need to generate AI-related revenue or if it is a response to threats scaling with technology. What I can say is that AI is being marketed far more aggressively than before, prompting me to be more skeptical. I felt it was an important point to highlight during this first day of discussions.

JC: Is it day one or day zero? Day one.

SP: Day point five.

AC: As my day point five story, I thought it was significant that a leading security executive concurred with the Google representative about the scalability concerns surrounding human involvement in AI decisions. We are indeed in an interesting time.

JC: Excellent. What do you have planned for the remainder of the event? Any notable sessions or interviews?

AC: I will be speaking with representatives from ESET and Palo Alto Networks tomorrow. I am looking forward to that. Additionally, I have more sessions lined up. One I am particularly interested in, though I am unsure if it will become a story, is about threat actor attribution: how significant it is and, more importantly, how challenging it is, even for those of us who are somewhat familiar with the security industry. The topic of attribution is fascinating because while we may label it as "Salt Typhoon," the question remains: how important is that distinction when discussing a cluster of threats versus an individual actor? It is a thought-provoking area, though it may seem more semantic than vital for our current discussion.

JC: Excellent. We can find your articles on a prominent cybersecurity website?

AC: Yes, on a prominent cybersecurity website.

JC: Wonderful. Thank you, Alex. This is your fourth appearance. Perhaps we will see you five times next year or later this week before you catch your flight.

AC: I have an 8 a.m. flight on Wednesday.

SP: We will let that slide. We look forward to your next appearance.

AC: Thank you, Sabrina. Thank you, Jamison.

JC: Thank you for joining us. And thank you again, Sabrina. We appreciate your participation as we conclude day one.
