These reflections were written a short time after the RSAC 2026 Conference once there was enough distance to separate signal from noise. This is not a full conference recap but a set of patterns and questions that stayed with me after the rush faded.
AI Governance Is a Headline, Not a Single Conversation
One of the most important clarifications for me this year was that we are really having two different conversations about governance, and too often, we blur them together.
The first and most urgent is the demand for governing artificial intelligence (AI) itself: how we establish trust, accountability, and control for systems that reason, generate, and act in ways that are fundamentally different from earlier technologies. This is where uncertainty is highest and where old assumptions about determinism, predictability, and even explainability start to break down. AI is likely to force us to rethink what we mean by confidence in technology at a very basic level.
Running in parallel is a second conversation: the use of AI to improve traditional governance-risk management workflows, compliance processes, policy interpretation, and control monitoring. This market is active and in some cases quite mature. But it deserves a more skeptical eye.
Applying AI to governance does not automatically make governance better. In some cases, it risks simply “paving the cow paths” — using sophisticated tools to accelerate processes that are themselves outdated or misaligned. Increasing speed or scale doesn’t help if we’re optimizing the wrong decisions.
Separating these two conversations matters. They call for different guarantees, different assurance mechanisms, and different measures of success.
Trust Still Has to Start Somewhere
Across both discussions, one theme came through clearly: trust must have an anchor.
No matter how trust is generated-through AI assistance, automation, analytics, or orchestration, it has to start from known components with understood security properties. Systems don’t become trustworthy by assertion or automation alone.
This is where CIS’s work continues to resonate. The CIS Critical Security Controls® (CIS Controls®), the CIS Benchmarks®, and assessment models matter not because they are new but because they are deliberately unglamorous: familiar, transparent, and operationally grounded. They give practitioners something solid to stand on.
As AI reshapes governance, these artifacts increasingly function as “trust anchors” — stable reference points in an otherwise fast-moving landscape. However trust evolves, it still needs a place to start.
GRC Is Where Talk Turns Into Action
Another shift that stood out at RSAC 2026 Conference was how often governance, risk, and compliance became the entry point, not the afterthought.
Attendees are increasingly looking for decision-ready outcomes and ways to translate complexity into prioritization and action. They are less interested in new abstractions and more interested in what to do next.
That’s where products from the Center for Internet Security® (CIS®) consistently moved conversations forward. Not because they answered every question but because they supported judgment. In an environment saturated with data, the ability to help someone decide matters more than exhaustive coverage.
Reputation Helps, but It Isn’t Inherited Forever
CIS continues to be widely regarded as a trusted voice, and that recognition was stronger at RSAC than at many other industry events. At the same time, familiarity is uneven.
Many newer practitioners know the artifacts but not always the organization, mission, or community behind them. That’s not a criticism. It’s a reminder. Reputation decays unless it is exercised.
Trust has to be renewed with each generation. Outreach to emerging professionals isn’t optional if we expect confidence in shared foundations to persist.
Visibility Is a Strategic Signal
One quiet lesson reinforced this year: showing up still matters.
Presence at flagship events like RSAC signals stability, confidence, and continued engagement, especially amid rapid change and external scrutiny. That signal is amplified when senior leadership is visible. Conversations become more substantive and less transactional.
In complex ecosystems, silence is often interpreted as retreat.
Partnership as a Force Multiplier
A steady undercurrent throughout RSAC was recognition that no single organization will define the future of AI-enabled security or governance.
Integration, co-builds, and aligned narratives are how smaller organizations remain relevant without losing independence. For CIS, partnerships that align with AI-native security and governance offer a way to extend impact while preserving neutrality.
Done well, partnerships allow us to punch above our weight without becoming just another loud voice in an already crowded market.
Some Quieter Moments that Mattered
Not everything important happens on the agenda.
There was a renewed sense of energy this year. Less performative, more purposeful. I had opportunities to reconnect with long-time allies, explore partnership ideas ranging from national strategy to specific implementation details, and personally thank volunteers whose work underpins CIS products.
As always, I missed more sessions than I attended. That’s fine. The real value often shows up later, in reading, reflection, and follow up.
A Final Thought
If I had to distill RSAC 2026 into a single takeaway, it would be this: we are shifting from searching for breakthroughs to building endurance.
There are no clean end states coming; no final architectures, no permanent fixes. What matters now is building systems that can govern responsibly, adapt thoughtfully and rapidly, and sustain effort over time.
I was proud to be there as part of the CIS team, representing the breadth of our work and the seriousness of our intent. The work isn’t finished, but it is clearly underway. And we are right in the middle of it.
About the Author
Tony Sager
Senior Vice President and Chief Evangelist
Tony Sager is a Senior VP & Chief Evangelist for the Center for Internet Security® (CIS®). He is involved in a wide variety of strategic, partnership, and outreach activities. He led the work which later became known as the CIS Critical Security Controls® — an independent, volunteer-developed, cyber defense best practices program which is used throughout the industry. Tony has led numerous other activities to develop, share, scale, and sustain effective defensive cyber practices for worldwide adoption.
In addition to his duties at CIS, Tony is a volunteer in numerous cyber community service activities: an inaugural member of the DHS/CISA Cyber Safety Review Board; Advisor to the Minnesota Cyber Summit; Advisory Boards for several local schools and colleges; formerly a member of the National Academy of Sciences Cyber Resilience Forum and serves on numerous national-level study groups and advisory panels.
Tony retired from the National Security Agency in 2012 after 34 years as a mathematician, computer scientist, and executive manager. As one of the Agency’s first Software Vulnerability Analysts, he helped create and led two premier NSA cyber defense organizations (the System and Network Attack Center, and the Vulnerability Analysis and Operations Group). In 2001, he led the release of NSA security guidance to the public and expanded NSA’s role in the development of open standards for security. Tony’s awards and commendations at NSA include: the Presidential Rank Award at the Meritorious Level (twice) and the NSA Exceptional Civilian Service Award. The groups he led at NSA were recognized inside government and across industry for mission excellence with awards from numerous sources, including: the SANS Institute, SC Magazine, and Government Executive Magazine.
