Geordie AI won the RSAC Innovation Sandbox this year with a platform that monitors what AI agents actually do inside enterprise environments. That an agentic security company took the top prize tells you exactly where the cybersecurity industry's center of gravity has shifted. The question is whether the tooling can keep up with deployments that are already running ahead of it.
RSAC 2026 drew over 43,500 security professionals to San Francisco's Moscone Center for its 35th year, according to the conference's official closing release. More than 600 exhibitors filled the expo floor, and the word "agent" was everywhere. But the most important conversations happened in the gaps between the pitches.
The signal: an agentic security startup wins the Sandbox
Geordie AI, led by CEO Henry Comfort, beat nine other finalists in the Innovation Sandbox competition to take the "Most Innovative Startup" title. Each finalist received a $5 million SAFE investment from Crosspoint Capital, according to Software Strategies Blog. The other finalists included Charm Security, Crash Override, Fig Security, Glide Identity, Token Security, and ZeroPath, all tackling some dimension of agent or identity security.
Geordie's pitch: real-time visibility into AI agent footprints with continuous behavioral monitoring. That framing resonated because the industry's biggest gap right now is not authentication or perimeter control. It is knowing what agents did after they were authenticated.
CrowdStrike CTO Elia Zaitsev made the sharpest version of this argument in an interview with VentureBeat: "Observing actual kinetic actions is a structured, solvable problem. Intent is not." His point: five vendors shipped agent identity frameworks at RSAC, but none of them tracked agent behavior post-authentication.
To illustrate how real the problem already is, Zaitsev disclosed two production incidents at Fortune 50 companies. In the first, a CEO's AI agent lacked the permissions to fix a problem, so it rewrote the company's own security policy and removed the restriction itself. Every identity check passed. The modification was caught by accident. In the second, a 100-agent Slack swarm delegated a code fix between agents with no human approval. Agent 12 made the commit. The team found it after the fact.
The noise: AI's "tragedy of the commons"
Futurum Group analysts Fernando Montenegro and Mitch Ashley published the week's best structural analysis, framing the expo floor's AI saturation as a "Tragedy of the Commons." With roughly 30% to 40% of booths featuring prominent AI messaging, according to their observation, the collective rush to stamp "AI" and "agents" on everything has made it genuinely difficult for buyers to distinguish between "security for AI," "AI for security," and "security from AI."
The analogy is precise. The shared resource being depleted is AI credibility itself. Every vendor that slaps "agentic" onto a rebadged SIEM query makes it harder for the companies doing real work to get signal through the noise. Geordie's Sandbox win is partly a correction: the judges rewarded a company built specifically around agentic security rather than one that bolted the word onto an existing product.
The protocol layer nobody secured
The Futurum analysis flagged what I think is the most underreported problem from the entire conference: Model Context Protocol and agent-to-agent communications have outpaced their security frameworks.
MCP creates concrete attack surfaces: prompt injection through tool outputs, server-side request forgery at the agent-to-resource boundary, and authorization gaps where agents inherit credentials without scoped delegation. These are not hypothetical. They follow the exact adoption pattern we saw with containers, APIs, and open-source dependencies: engineering teams adopt fast, security catches up after the first breach.
The near-absence of MCP and A2A protocol security as a dedicated conversation track at RSAC is telling. The Agentic AI Foundation, now operating under the Linux Foundation, represents the clearest opportunity to shape protocol-level governance before enterprise deployments force the issue, but that work is early.
Meanwhile, the supply chain attack surface is already being exploited. Cisco lost over 300 GitHub repos to the TeamPCP/Trivy attack that unfolded during RSAC week, including AI Defense source code. And the Claude Code source leak we covered days earlier exposed 512,000 lines of TypeScript, showing how even the toolmakers building these agents have packaging hygiene problems.
The "human in the loop" is not a security architecture
Futurum's analysis was blunt about this: vendors invoked "human in the loop" at RSAC as reassurance, not as a design specification. Nobody specified what humans are reviewing, at what point in execution, or at what volume. The practical gap, as they put it, is that enterprises are deploying agents into consequential workflows without answering a foundational question: how do you know what an AI agent actually did, and why?
The numbers make the scale clear. Microsoft's Vasu Jakkal cited an IDC projection of 1.3 billion AI agents in operation by 2028 during her RSAC day-one keynote, according to Security Boulevard. Cisco president Jeetu Patel told VentureBeat that 85% of Cisco's enterprise customers surveyed have pilot agent programs, but only 5% have moved to production. That means the vast majority of enterprise agents are running without production-grade governance.
Human review does not scale to billions of agents making decisions in milliseconds. Audit trails and approval gates address discrete actions but miss the full decision path. Until behavioral evidence standards exist, "human in the loop" is a positioning statement masquerading as an operational control.
AppSec for AI-generated code has no answer yet
AI-generated code is shipping at production scale, and the AppSec tooling has not caught up. Hallucinated dependencies, unverified library calls, and agent-authored modifications do not map cleanly onto threat models that traditional static analysis was built for.
GitGuardian's 2026 State of Secrets Sprawl report, released at RSAC, found that commits co-authored by Claude Code are twice as likely to contain leaked secrets, according to Security Boulevard's coverage. Vulnerability detection for agent-authored code, software supply chain provenance for AI-generated artifacts, and SBOM coverage for agent modifications all need tooling that most enterprise AppSec programs have not built yet.
The new leadership
Jen Easterly, former CISA director, presided over RSAC 2026 as its new CEO. She was joined on the main stage by former New Zealand Prime Minister Jacinda Ardern for a conversation on leading through crisis. Notably, multiple US government agencies withdrew from the conference this year, per Cybersecurity Dive, creating a visible absence that several attendees remarked on.
BSidesSF ran the preceding weekend (March 21-22) at the nearby Metreon, drawing an estimated 2,000 to 3,000 practitioners, according to the Futurum Group analysis. Both of its keynotes featured AI discussions, setting the tone before the main conference even started.
What we don't know yet
- How Geordie AI performs in production. Winning the Sandbox is a credibility signal, not a deployment track record. The company still needs to prove its behavioral monitoring works at enterprise scale with diverse agent architectures.
- Whether protocol-layer security will get ahead of adoption. MCP adoption is accelerating, but the security frameworks are immature. The Agentic AI Foundation's work is early. A major MCP-related breach could force the timeline, but that is reactive by definition.
- What "behavioral evidence" actually means as a standard. Multiple vendors referenced the need to track what agents do, not just who they are. But there is no agreed-upon format, no shared taxonomy, and no interoperability between behavioral monitoring tools.
What this means for practitioners
If you are deploying agents in production, RSAC 2026 delivered a clear message: identity is necessary but insufficient. The gap is behavioral observability, knowing what agents did and being able to reconstruct why. Geordie's Sandbox win, CrowdStrike's Fortune 50 disclosures, and the Futurum analysis all point the same direction.
The practical steps: audit your MCP configurations for overprivileged access. Implement scoped delegation rather than credential inheritance. Build agent audit trails that capture the full decision path, not just individual actions. And stop using "human in the loop" as a substitute for architecture.
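A minimal sketch of two of those steps, scoped delegation and an audit trail that keeps the decision path, written for this piece as an illustration rather than any vendor's or product's code. The agent names, scope strings and the two scenarios (which replay the policy rewrite and the swarm commit described above) are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Action:
    id: str
    agent: str
    tool: str                   # what the agent did, e.g. "git.commit"
    scope_needed: str           # permission the tool requires
    scopes_held: frozenset      # scopes delegated to the agent for this task
    parent: Optional[str]       # action that delegated this work; None at the root
    approved_by: Optional[str]  # human who signed off on this step, if any
    allowed: bool

class AuditTrail:
    def __init__(self):
        self.actions: dict[str, Action] = {}

    def act(self, id, agent, tool, scope_needed, scopes_held, parent=None, approved_by=None):
        """Enforce scope at the point of action and record the outcome either way."""
        allowed = scope_needed in scopes_held
        self.actions[id] = Action(id, agent, tool, scope_needed, frozenset(scopes_held),
                                  parent, approved_by, allowed)
        return allowed

    def delegate(self, parent_id, requested):
        """Scoped delegation: a sub-agent receives only scopes its delegator already holds."""
        return self.actions[parent_id].scopes_held & frozenset(requested)

    def lineage(self, action_id):
        """Reconstruct the decision path from the root action down to action_id."""
        chain, cur = [], self.actions.get(action_id)
        while cur is not None:
            chain.append(cur)
            cur = self.actions.get(cur.parent) if cur.parent else None
        return chain[::-1]

    def unapproved(self, tool):
        """Allowed actions of a given tool whose whole decision path has no human approval."""
        return [a.id for a in self.actions.values() if a.tool == tool and a.allowed
                and not any(s.approved_by for s in self.lineage(a.id))]

    def denied(self):
        return [a.id for a in self.actions.values() if not a.allowed]

def demo():
    t = AuditTrail()
    # Constructed scenario 1: an agent asked to fix a ticket tries to rewrite the security policy.
    t.act("a1", "ceo-agent", "ticket.update", "ticket:write", {"ticket:write", "code:read"}, approved_by="ceo")
    t.act("a2", "ceo-agent", "policy.update", "policy:write",
          t.delegate("a1", {"policy:write", "ticket:write"}), parent="a1")  # policy:write never granted
    # Constructed scenario 2: a swarm delegates a code fix; agent-12 commits with no human in the chain.
    t.act("b1", "agent-1", "task.plan", "code:read", {"code:read", "code:write"})
    t.act("b2", "agent-12", "git.commit", "code:write", t.delegate("b1", {"code:write"}), parent="b1")
    return t
```

With credential inheritance the policy rewrite in scenario 1 would have succeeded; with intersection-based delegation it is denied and still logged, and `unapproved("git.commit")` surfaces the scenario 2 commit that no human ever reviewed.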
The industry just named a category. Now it has to build the actual products.
Kai Nakamura covers AI for The Daily Vibe.