In this special insights segment from RSAC 2026, theCUBE analysts Dave Vellante and Jon Oltsik sit down to discuss why the cybersecurity industry's rush to showcase AI capabilities is outpacing its ability to articulate real business value. Oltsik highlights a growing disconnect on the RSAC exhibit floor, where vendors are fixated on the "how" of AI — model architectures, MCP servers — while practitioners need to understand the "why": how AI can accelerate security outcomes and improve efficacy. With business leaders already pushing aggressive AI adoption, security teams find themselves unable to say no, making executive-level governance not optional but essential.
The conversation also explores how risk assessment is evolving in an era of rapid AI development. Oltsik notes that roughly 70% of the challenge is rooted in strong foundational governance, no different from cloud or SaaS, while the remaining 30% demands specialized controls unique to AI. He emphasizes the need for cross-functional alignment among legal, compliance, IT and the board to build governance structures that scale without becoming human bottlenecks. Automated policy enforcement and monitoring can handle routine oversight, but the structural decisions around regulations, legal exposure and acceptable risk still require executive ownership. Looking ahead, Oltsik argues that agentic AI will become the first line of defense, with agents monitoring behavior and data access, reporting anomalous activity and enforcing policy on behalf of users. If that thesis holds, everything the security industry has built over the past two decades is poised for a rapid and fundamental transformation.
Dave Vellante
>> And we're back wrapping up day two, Tuesday at RSAC 2026. Our live coverage, wall-to-wall coverage, we're here all four days. My name is Dave Vellante. I'm here with Jon Oltsik. Christophe Bertrand I think is finally heading over to the exhibit hall. Jon, I haven't been over yet. It's been wall-to-wall CUBE, but you're like the reporter's notebook. What have you seen? Anything interesting? What's the buzz?
Jon Oltsik
>> AI.
Dave Vellante
>> Hey, really? Amazing.
Jon Oltsik
>> Are you a fan of the show Silicon Valley?
Dave Vellante
>> Of course. Oh, love that show. It sounds
Jon Oltsik
>> Like Silicon Valley to me. I'm hearing the same rhetoric and same line from every vendor. And that's a problem, Dave.
Dave Vellante
>> Russ Hanneman is out there, is he?
Jon Oltsik
>> He is raising money now. But that's a problem, because everything sounds the same. There's too much how, not enough why. So why is this important? And you and I know it's important because the business is going to change because there's the opportunity to change your whole security stack, not because you want to, because you need to. So the industry's got to do a better job of articulating this and show some value, show some uniqueness.
Dave Vellante
>> That's interesting, because a lot of times, I've seen criticisms of you tell me what, but you don't tell me how. And of course, Simon Sinek says start with why. You feel like the why is not well understood by the practitioner community?
Jon Oltsik
>> Well, maybe by the practitioners, but not by the vendors. The vendors are stuck on how. So the how is the what models are you using? MCP servers. Lots of other stuff. And that's maybe interesting to you and me from an intellectual perspective, but the why is what business value is this? How can this accelerate my security? How can it improve my efficacy? There's some of that, but not enough. I think everybody's in love with this technology. We all want to see what the technology can bring, but there's a reason why we want to see it. There needs to be more discussion on that.
Dave Vellante
>> We love baseball analogies. We talk, I don't know if you hear one of the earlier conversations. It might have been with you. If so, I apologize. But somebody was saying we're in the early innings. We're like the first inning.
Jon Oltsik
>> Yes.
Dave Vellante
>> And my comment was the technology industry is like in the third inning. Started in 2017 with diffusion models and transformer models. But the buyers are just getting started, right? And there's a gap.
Jon Oltsik
>> Yes.
Dave Vellante
>> And so you're saying what needs to be done to close that gap is a better understanding of the business value, the business case, how to balance the old and the new, how to bring those two worlds together.
Jon Oltsik
>> Yeah. Well, I'll take it a different way is the business leaders are all in. They've got the bases loaded. They're bringing up players from the minors. They're filling the stadium giving out hot dogs and security people have to deal with that. They can't say no. But the vendors have to understand that dynamic a little bit more. I mean, yes, we have to empower the security practitioners, but we have to do that in the context of protecting the business, and I'm just not hearing enough descriptions there.
Dave Vellante
>> Does the security team have ... You said they can't say no, but let me ask you, doesn't the security team have the ability to say no? Do they not have that authority and latitude at this point to say, "Whoa, this is a bad idea." What happens when they say that?
Jon Oltsik
>> Well, I would say they don't have that ability, and the only way they get that ability is to get buy-in from the executives. And what happens then is you build a governance model, you build processes, you standardize on tools, you train your people so that the UK division is doing it the same way as the division in California is doing it the same way as the division in Boston. And that way you have oversight, you can monitor things, you can improve on your skillsets, but without that, it's a Wild West, Dave. What space is loaded?
Dave Vellante
>> I like that. Let's keep on the ...
Jon Oltsik
>> Suicide bond, everything.
Dave Vellante
>> But if I'm the chairman of the board, I'm bringing my CISO in to converse at a high level, not the bits and bytes, but then I would put forth an edict to the organization that nothing goes out until this individual and their team blesses it. Is that just too constricting? But isn't it a mandate that, that happens before you start just letting the dogs loose?
Jon Oltsik
>> Well, it should be, but I would argue that the CISO is not the gatekeeper. The executives have to put the right governance model in place with the board to mitigate risk, to minimize risk.
Dave Vellante
>> Otherwise, it won't scale.
Jon Oltsik
>> Yeah. And so the first thing is you have to understand that risk, which may be the CISO's job to explain that risk and then give the executive team some options. We could mitigate that risk, we can transfer that risk, we can accept that risk. That's the CISO's job, but the board is responsible ultimately. The board is the one who's going to get sued. The board is the one who has to disclose to the SEC. So, yeah, they've got to be on board.
Dave Vellante
>> I mean, this industry is in the risk mitigation business, obviously.
Jon Oltsik
>> Yes.
Dave Vellante
>> My question to you is, how is risk assessment changing? I mean, I think about my home insurance and how it's going up like crazy because of all the hurricanes and all the risks down in Florida and other parts. Now, it's sort of rippling through the rest of the country because of the unforeseen risk. So of course, the insurers have to raise their prices, but we understand that dynamic. Do we understand the risks well enough to be able to sort of price in the value of mitigation?
Jon Oltsik
>> We understand most of the risk, but there is a dynamic because this technology is new and it's changing so quickly. So you have to put the right guardrails in place from the start, but then you have to be on top of, well, what's changing in the industry? What's changing in AI development and the infrastructure underneath so that you can make informed decisions? I remember this was about two years ago, I was talking with some CISOs and they said 70% of this is just a strong governance infrastructure or foundation, and that's true. And that's not different than what we did with cloud or what we do with SaaS or anything else, but that other 30% is going to be specialized. And that's the challenge right now, assuming you have the 70% at least managed well, getting your arms around that 30%, putting the right governance structure and putting the right controls, monitoring risk, all that's the challenge.
Dave Vellante
>> How do you put in a governance structure that's not like a big human bottleneck? Can you automate that? How much can you automate?
Jon Oltsik
>> Well, it has to be foundational. So, yes, you can automate policy enforcement and policy monitoring, but ultimately it comes down to, "Here's what we can do, here's what we can't do, here's our limitations based on regulations, here's our limitations based on legal considerations." So all that is structural. Now, it's not different than any other governance in theory, or at least at a high level, but there are going to be some nuances because of AI.
Dave Vellante
>> What are the constituencies in the organization that are critical? I mean, I guess it's everybody's line of business, it's audit, it's everybody else, IT. How has that evolved in terms of the ... Because if you're going to make this foundational, the whole organization needs to be involved.
Jon Oltsik
>> True.
Dave Vellante
>> Who are the stakeholders? Let's say I'm responsible for governance or I've got a stake in it, like the CISO. Who are the people that I need at the table in order to pull this up? Do I need the CFO there? I mean, obviously I need a top down mandate. Do I need audit there? Do I need IT? What's my relationship with the CIO? What's the organizational construct that is a framework for success of governance?
Jon Oltsik
>> For governance. Well, you need the executive team. So you would need legal, you would need IT, obviously, you would need, if there's a chief risk officer, and then you'd need CEO and board. But when you get into building the governance structure, then a chief risk officer, chief compliance officer, CISO. I mean, the first thing you'd say is, "What do we want to do here? What are the business benefits that we're seeking here? And what's the plan for development around that?" And if you know that, then you can start to assess the risk. If you don't establish that and line of business managers start doing their own thing, that's where there's going to be a tremendous exposure to the organization.
Dave Vellante
>> I was saying earlier, again, I apologize if you were on this, it all blends together. And each successive wave, we change the sort of way we talk about the industry. I remember the PC era, we talked about PC printers and PC networks and PC storage and the internet. It was all about internet commerce and the cloud was about cloud native, and cloud security. Mobile was about mobile apps, and now AI. I feel like in the cloud, the cloud was the first line of defense. And then audit was the last line of defense. And in between, you had developers being asked to sort of shift left and take on a lot more. And then the industry matured, you got more tooling, the vendor community became cloud friendly. Now, AI comes in and it's a whole new, everything's AI native now and we're talking about AI security here all week. I'm not sure where the first line of defense is. It's like cloud, on-prem, the edge, that first line of defense is everywhere, is expanding. First of all, is that a valid premise? What does it mean to the security teams?
Jon Oltsik
>> I would argue, and really based on conversations the last couple of days, but research before that, that the first line of defense is going to be agents. That the agents will be monitoring behavior. The agents will be monitoring data access and other things too, but the agents will learn behavior, they'll report on anomalous activity, they'll enforce policy, and they'll do that on behalf of users. They'll be customizable. Some of it'll be standard based and then you can customize on top of that. That's where things are going. And if that's true, and I believe it's true, everything around here within RSA, everything that we've done in security over the past 20 years is going to change and it's going to change quickly, so that's the urgency that I'm feeling here.
Dave Vellante
>> That's profound. I mean, it's a total do-over and you're right. I mean, when we went from on-prem to the cloud, people were very concerned about cloud security and then it turned out, wow, cloud actually, these guys are pretty good at security. Now, agents, they're not that good at security at this point, are they? They need to mature, they need to harden.
Jon Oltsik
>> Well, they will be. I mean, what I'm hearing from a lot of vendors that I respect their technology chops is they've spent the last two years building the foundation, and then on top of that will be the agentic layer. And so that to me is the recipe for success is if you are just gluing on agents that doesn't scale, and you're still relying on legacy code that was built in the '90s, by the way, or the early 2000s. But if you build the foundation and the agents, you teach the agents what you want them to do, you give them the ability to learn and be customized, that's the future of this industry.
Dave Vellante
>> Well, that is a great setup for tomorrow, Jon. We're beyond halfway, I guess we're halfway through, beyond halfway in theCUBE.
Jon Oltsik
>> Halfway.
Dave Vellante
>> We'll be back here tomorrow, full day tomorrow. I mean, the schedule tomorrow looks unbelievable. We continue with our CEO series. We got G2, Patel coming on. We got Art Gilliland is coming on from Delinea. We've got folks from Commvault, Fortinet. It's going to be a big day. Eric Bradley's coming on from ETR. He's going to bring all the data.
Jon Oltsik
>> It's an all star game.
Dave Vellante
>> It's an all star game. And of course, Jon Oltsik will be here with myself and Christophe Bertrand. So tune in tomorrow to thecube.net. Go to siliconangle.com for all the news, the cuberesearch.com for all the deep dives. Thanks for watching. Oh, check out thecubeai.com, cubeai.com and ask what's going on at RSA. You'll see some interesting results. Thanks for watching. We'll see you tomorrow.