Last week saw over 40,000 people descend upon San Francisco for the annual RSAC Conference. Hundreds of sessions, over 600 vendors, plus the ever-growing innovation expo full of cutting edge startups all looking to solve some of today’s most complex security concerns.
The Cyber Hut was present as always to get briefings, walk the show floor looking for the “next big thing” (I found puppies and goats, more on that…), dive into one or two talks and cruise the evening parties, attempting to stay awake for as long as possible as the inevitable jet-lag started to take hold.
TLDR; AI Security is Hot
First up, we’ve solved the AI security issues right? Seemingly so. This year’s buzz topic undoubtedly was AI - either using it to solve some of our longstanding cyber issues, or placing security controls on top of the ever sprawling AI-landscape to help prevent data leaks, poisoning attacks, agentic-AI malicious behaviours and more. There were vendors doing it all - and some claiming both!
In episode 61 of The Analyst Brief podcast, my co-host David Mahdi and I discussed some predictions before the RSAC event and this was our numero uno topic. There is no doubt AI will be with us in every walk of life over the next 5-7 years, but being able to securely control the many facets of it will not be simple. To help support the community discussion, The Cyber Hut will be releasing some open source cheat sheets in the coming months looking at RAG Security, MCP, and Identity for Agentic-AI as three building block areas where IAM will play a huge role. More on that later in the year.
During the show, there were numerous areas where AI dominated. Absolutely, marketeers the world over have had a busy year since 2024’s event updating all their collateral with a find-and-replace moment to add in “AI-powered” as a minimum.
However there are some really mature solutions already emerging in this domain. Co-piloting, assistance, nudge-agents, recommendation systems and more are all now very common at several parts of the security and identity life cycle.
SoC-analyst assistance is common now to help reduce alert fatigue, accelerate forensics investigations and the like. In the IAM world, assistance in access request, access review, connector building and permissions analysis are all developing at a striking pace. Only last month The Cyber Hut did an industry webinar with Apono discussing this exact set of topics.
On the need for thinking about the protection of our AI-systems, Realm Labs did a talk on Tuesday which I managed to catch that provided some deep thinking around the need for stronger permissions design as it specifically pertains to RAG (Retrieval Augmented Generation) - where data is pulled in contextually and at runtime. They discussed some interesting pointers around pre and post filtering and the benefits and issues this can generate. Controls too early in the call chain can result in an ineffective subset of data being used; doing so afterwards can leak data. A correctly permissioned system of course is complex - requiring a shared responsibility model between permissions creation and enforcement processes (including the people and systems).
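The pre- versus post-filtering trade-off described above, as an added sketch that is not code from the Realm Labs talk or from this post. The corpus, scores, group names and function names are constructed, and the collection-level early filter and the source-hiding late filter are assumed readings of "too early" and "afterwards".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Chunk:
    doc_id: str
    collection: str      # coarse label used by the early filter
    readers: frozenset   # groups allowed to read this chunk
    score: float         # constructed similarity to the query

# Constructed corpus and scores, for illustration only.
CORPUS = [
    Chunk("hr/salary-bands", "hr", frozenset({"hr"}), 0.95),
    Chunk("hr/leave-policy", "hr", frozenset({"hr", "staff"}), 0.90),
    Chunk("eng/oncall-rota", "eng", frozenset({"staff"}), 0.40),
    Chunk("eng/style-guide", "eng", frozenset({"staff"}), 0.30),
]

def top_k(chunks, k):
    return sorted(chunks, key=lambda c: c.score, reverse=True)[:k]

def can_read(chunk, groups):
    return bool(chunk.readers & groups)

def early_coarse_filter(groups, k=2):
    """Filter before retrieval on a collection-level label: a collection is
    searched only if the caller can read every chunk in it."""
    open_collections = {
        name for name in {c.collection for c in CORPUS}
        if all(can_read(c, groups) for c in CORPUS if c.collection == name)
    }
    context = top_k([c for c in CORPUS if c.collection in open_collections], k)
    return [c.doc_id for c in context]

def late_output_filter(groups, k=2):
    """Retrieve with no access check, then hide restricted sources afterwards.
    Returns (chunks given to the model, sources shown to the caller)."""
    context = top_k(CORPUS, k)
    shown = [c.doc_id for c in context if can_read(c, groups)]
    return [c.doc_id for c in context], shown

def per_chunk_filter(groups, k=2):
    """Check each chunk's own ACL at retrieval time, then rank."""
    return [c.doc_id for c in top_k([c for c in CORPUS if can_read(c, groups)], k)]

def leaked(groups, context_ids):
    """Chunks that reached the model context but the caller may not read."""
    by_id = {c.doc_id: c for c in CORPUS}
    return [i for i in context_ids if not can_read(by_id[i], groups)]
```

For a caller in the "staff" group, the early filter never surfaces the leave policy they are entitled to read, while the late filter hides the salary document from the source list only after it has already been placed in the model's context.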
But organisations will get it wrong when it comes to AI. On Thursday morning I managed to hear some of the reasons why - mainly as organisations struggle with threat modelling - and in turn will struggle with threat modelling against their AI systems. Adam Shostack (author of Threat Modeling: Designing for Security) and Tanya Janca discussed “Red Teaming AI: 50 Years of Failure, But This Time, For Sure!” - where they walked through the stages of threat modelling and applying that to AI. The rise of shadow AI, how AI can go wrong (extractions, inversions, interference…) coupled with issues in emerging protocols such as MCP can make AI an adversarial hotbed.
Early Stage Standouts
Whilst the RSAC show floor is the main attraction for many - often just on the swag hunt - the Early Stage Expo and sandbox competition provide some rich insights to where the industry as a whole may be heading.
The Early Stage area housed ~70 vendors covering a range of areas. Some interesting identity security vendors included Breez Security, TrustFour, AKA Identity, Keystrike, netarx and Opal Security amongst a vast array of AI-focused vendors.
Monday however also hosted the Innovation Sandbox “competition” - where 10 finalist vendors all deliver a 3-minute pitch to an audience - followed by 3 mins of questions from the esteemed RSAC selected panel. After deliberation a winner was announced as Project Discovery - a vulnerability management player with a focus on open source.
Of the vendors that presented, a few others caught my eye, however.
Twine Security were leveraging AI agents to help improve productivity and essentially create digital-twin-esque agents with specialist qualities.
Smallstep are aiming to deliver the “world’s first device identity platform” applying crypto-challenge-response to devices with TPM technology globally.
Knostic.AI is another vendor looking to secure our AI-world - with a focus on the over-permissioning issues associated with LLMs. The idea is to deliver a “need to know” model for LLMs, based on policy. The question then arises of course of how to manage those policies?
EQTY Lab presented a novel approach to AI-governance - focused on supply-chain lineage of your AI infrastructure. With a combination of trusted execution and governance, a more end to end view of AI assurance could be developed.
Identity Underground Executive Breakfast Panel
Wednesday gave me the honour to host a panel being held by The Identity Underground. This growing executive and practitioner community has a focus on great peer networking that helps to uncover solutions to some of today’s complex identity security issues.
I hosted a panel consisting of Jeff Farinich (CISO at New American Funding), Hed Kovetz (CEO at Silverfort) and Rishi Bhargava (Co-Founder at Descope) where we discussed the rise in importance of IAM - from being a tactical operational component a decade ago, to being a strategic enabler for productivity, security and revenue now. However that brings challenges - and we then moved on to how perhaps AI can improve some of the long standing issues within the B2E and B2C worlds.
We finished off with a fun giveaway of my latest book: IAM at 2035 A Future Guide to Identity Security. Congratulations to Chris Martin for being the winner - the question being how many times does “AI” appear in the book - the answer being 924. Chris was closest…
Show Floor Stoppers
RSAC wouldn’t be RSAC without some interesting gimmicks on the show floor. Whilst it has its critics for mainly a swag giveaway party, there are also some interesting signals and conversations to be had.
However, this year the attraction seemed to be non-humans. Not in the non-human identity life cycle management, credential rotation or behaviour monitoring kind of way. I am talking puppies and goats kind of way. You can go and Google which vendor had the goats. The smell needed some security applying to it.
Pick of the Parties
The parties as ever provide a great way to continue networking with new and old colleagues and acquaintances alike and this year was no different. A few party shout outs to Segura (who recently re-branded from Senhasegura), The CISO Society and C-Vision International, Permiso Security, Optiv (with a host of partners at Austin Music Hall), ConductorOne, Passwordless Party (Yubico, Axiad, FIDO Alliance, Silverfort..), and Saviynt amongst others.
Vendor Engagement List at RSA 2025
Great meeting with many vendors who provided updates and briefings on their current progress in identity security.
Acuvity.ai - Secure your GenAI adoption with confidence. Acuvity is the most comprehensive AI security and governance platform for your employees and applications.
Aembit - The Best Secrets Management? No Secrets at All. Replace manual and insecure access to non-human identities with our automated and secretless Workload IAM Platform.
Andromeda Security - Automate Permissions and Lifecycle for Human and Non-Human Identities. Defend Against Identity Breach. Using Context, Risk, and Behavioral Analysis
Apono - The Apono Cloud-Native Access Governance Platform enforces fast, self-serviced, just-in-time cloud access that’s right-sized with just-enough permissions using AI.
Axiad - Bring Clarity to Identity Chaos
Britive - Agent-Less Cloud PAM for Zero Standing Privilege
ColorTokens - Enterprise Microsegmentation Platform & Authentication Firewall
Delinea - Delinea makes you more secure by centralizing authorization to govern those interactions seamlessly. Delinea is pioneering how organizations apply context and intelligence throughout the identity lifecycle across cloud and traditional infrastructure, data, and SaaS applications to eliminate identity-related threats.
HYPR - Identity Security Starts Here. Stop Identity Fraud and Improve Productivity With Passwordless Identity Assurance
Oasis Security - Non Human Identity Management. See, secure, govern all NHIs
P0 Security - P0 Security is the first unified IGA and PAM platform for the cloud that governs and secures all forms of access for both human and machine identities.
Permiso Security - Monitor All Human and Non-Human Identities For All Environments. Detect and protect against human and non-human identity threats in real-time. Prevent credential compromise, account takeover and insider threat for all identities, across all environments.
Reveal Security - Attackers don't break in. They log in. Detect insider threats and identity-based attacks in applications and cloud.
SGNL - SGNL uses your existing systems to enforce policies in real-time for privileged access. Grant dynamic access to cloud infrastructure and customer data and then revoke access when context changes.
Token Security - Token is the new approach designed for the Non-Human Identity boom era. Introducing Machine-First Identity Security.
Other Resources
A review of RSA 2024 by The Cyber Hut