What RSAC 2026 Actually Told Us About Your Security Debt

I recently attended the RSA Conference 2026 (RSAC 2026) in San Francisco. I have been attending and speaking at RSAC for a long time, and every year I try to figure out what actually changed versus what just looks new. This year felt different, but not in the way the expo floor would suggest. 

The Core Debate at RSAC 2026: Is GenAI Creating or Revealing Risk? 

I moderated a panel on GenAI in the SDLC, and it ended up being one of the more honest conversations I had all week. The session brought together people who are actually building and breaking things, not just marketing them. The core tension we kept coming back to was simple. Is GenAI used to write code introducing fundamentally new risk, or is GenAI-driven security testing just accelerating the discovery of problems that were already there? 

My view, and one shared by a lot of people in the room, is that we are compressing time. Years of latent technical debt are now being surfaced in months. That changes how organizations experience risk, even if the root cause is not new. It feels like a step function increase, but it is really an exposure function. This is coming at a time when most organizations are already struggling to remediate the code security issues they have, as evidenced by the 2026 Veracode State of Software Security report.

The Quiet Advantage of the Prepared 

Another theme was whether some organizations are quietly advantaged right now. The ones that already invested in fast iteration, solid CI/CD, and well-documented systems are not scrambling. They have good processes that can adapt to AI coding and testing. They have the muscle memory to absorb this shift. Everyone else is discovering just how much undocumented complexity they have been carrying. 

The Rise of Vibe Coding: Speed vs. Understanding 

We also talked about what people are now calling “vibe coding.” Idea to prompt to code to production with minimal friction. It is powerful, but it raises a basic question. At what point does the developer stop understanding the system they are shipping? 

Dave Aitel, a technical team member at OpenAI, had the best line of the panel when he said developers have never really understood the systems they were shipping. That got a laugh, but it also landed. The difference now is scale and speed. Lack of understanding used to be bounded. Now it can propagate much faster. 

The Expo Floor: AI Hype and Placeholder Solutions 

Outside the session rooms, the expo floor told a very different story. Everything is AI. AI security, AI protection, agentic AI. With a few exceptions, most of it felt like a placeholder. The industry knows something big is happening, but we have not settled on what the real solutions look like yet. 

It felt more performative than usual. Vendors are acting like they have the answers. Attendees are acting like they believe them. Underneath that, most people are still trying to figure out what problems they actually need to solve first. 

The Vulnpocalypse: A Reckoning for Security Debt 

The more interesting conversations were happening off the floor. In smaller rooms with CISOs and government policy folks, there was a lot of discussion about what some people are calling a coming “vulnpocalypse.” The idea is that LLMs will systematically uncover vulnerabilities that have been sitting in codebases for years. Not new bugs, just newly visible ones. If that plays out, 2026 could be the year a lot of accumulated security debt comes due all at once. 

Collaboration Gaps: Public and Private Sectors in AI Security 

One of the keynotes reinforced how early we are. A panel of former NSA chiefs talked about the need for stronger public and private collaboration on AI security. What stood out just as much was who was not there. There was a noticeable absence of current federal government voices in that conversation. That gap matters given how quickly this space is moving. 

Shifting Focus: From Vulnerabilities to Business Risk 

On a more positive note, it was great to see Veracode recognized with the 2026 SC Award for Best Application Security Solution for Veracode Risk Manager. The reason that matters is not just the award. It reflects a shift in how people are thinking about application security. Less focus on raw vulnerability counts and more focus on business risk. That aligns with what I was hearing all week. People are overwhelmed with findings and are looking for ways to prioritize what actually matters. 

The Transition Point: Messaging vs. Reality in AI Security 

Stepping back, RSA this year felt like a transition point. The technology is moving fast, faster than most organizations are comfortable with. The messaging is ahead of the reality. The real work is just starting. 

The Fundamentals Still Matter: Lessons from RSAC 2026

If there was one takeaway for me, it is this. The fundamentals still matter. Knowing your systems, understanding your dependencies, having disciplined engineering practices. AI is not replacing that. It is exposing where it is missing. 

That is what this moment feels like. Less about new problems and more about finally seeing the ones we already had.

Download the full 2026 State of Software Security report now to see the security debt implications of AI-generated code.
