The anticipation leading up to the RSAC Conference is always exciting, leaving everyone with questions like: Who will win the Innovation Sandbox competition? What new capabilities will companies announce?
Before you know it, the week is up, and it feels like there was so much value packed into a few short days. It’s easy to forget the details when looking back at your experience, which is why we wanted to catch our Identity Security experts fresh out of the event while their conversations and learnings were top-of-mind.
In this blog, I sat down with Abbas Kudrati, Chief Identity Security Advisor (APJ) and former Chief Cybersecurity Advisor for Microsoft. I asked him to share his unfiltered, insider scoop details on what happened at the event related to Identity Security. His answers didn’t disappoint.
Q&A with Abbas on the evolving Identity Security conversations at RSAC
What long-held belief about identity’s role in cybersecurity is starting to shift?
Abbas: For years, companies have been trying to gain visibility into what’s happening in their environments. What identities exist? What does each identity do in the environment? What can they access?
We’re now moving to the next phase: enforcement. Visibility has improved, but what do we do with that visibility? Control is what still needs work.
Once you’ve turned the lights on, deciding what to do with the information becomes the hard part. This is where an identity-first approach is critical, because traditional security models were never designed for entities like AI agents or NHIs that spin up, act, and then disappear in seconds.
Cybersecurity teams have realized that if you control identity, you control risk. Being able to evaluate access requests before an identity can act is the biggest shift.
What assumptions around Privileged Access Management are changing, if anything?
Abbas: What’s changing in PAM is quite fundamental. The long-held assumption that privileged access is mostly about human admins is no longer true—today, the majority of privileged entities are non-human identities and increasingly AI-driven.
At the same time, relying on vaults as the core control is proving insufficient, because securing credentials doesn’t address how privileged access is actually used in real time.
We’re also seeing that privilege is no longer confined to Tier-0 assets; it’s everywhere across hybrid environments, making selective coverage ineffective. This is where the concept of Vaultless PAM, which Silverfort is leading, comes in—shifting the focus to enforcing security inline at authentication and access time, without vaults or agents, and enabling scalable, real-time protection across all identities.
What signals did you see that indicate where Identity Security is headed in the next 12-18 months?
Abbas: One theme clearly dominated the conversation: AI Agent Security. AI agents aren’t “tools”; they’re “virtual employees” that act independently, make decisions, and execute tasks. They’re forcing all of us to rethink everything we know about cybersecurity.
In the next year, cybersecurity teams are going to focus their efforts on how to balance speed with secure agent access. Gartner research explains it plainly: “Through 2028, at least 80% of unauthorized AI agent transactions will be caused by internal violations of enterprise policies concerning information oversharing, unacceptable use or misguided AI behavior rather than from malicious attacks” (Gartner Market Guide for Guardian Agents).
Organizations that succeed will prioritize three initiatives in the next year: defining acceptable AI agent usage, educating their human workforce on those policies, and evaluating identity-first AI Agent Security solutions to empower the security team with the tools they need to enforce the policies.
3 takeaways to remember from RSAC Conference 2026
Identity is no longer on the sidelines in cybersecurity: it’s the focus, the point of control, and the metaphorical key to your kingdom. After RSAC Conference this year, it’s become clear that the definition of “identity” has evolved, and therefore security must evolve with it.
To summarize, these are the three takeaways we saw this year at the conference that impact Identity Security:
- The landscape is shifting from choosing solutions that mainly provide visibility to ones that can also enable real-time enforcement.
- How organizations define and secure privileged access is in flux—vaulting alone isn’t going to ensure privileged accounts are secure.
- Teams that get ahead of AI Agent governance, policy, and security will be in a strong position to keep up with the pace of changes that occur in an AI-driven workforce.
Curious to learn more about how to secure every identity in the hybrid era? Watch our recent webinar here.
