RSAC 2026 opens with the security industry's defenses pointing the wrong direction. The model layer is fortified. The execution layer — where AI agents actually act, move laterally, and exfiltrate — is wide open. The industry won one war and left the other uncontested.
RSAC 2026 opens Monday in San Francisco. The security industry will arrive with more AI-native products than any prior conference — detection systems rebuilt from scratch, autonomous response engines, models trained on attack telemetry.
Almost none of it addresses where the attacks are actually happening.
Two Wars
Byron Acohido, writing for The Last Watchdog on March 21, named it precisely: AI has bifurcated cybersecurity into two simultaneous conflicts. The first uses AI to transform defense — rebuilding detection and response from the ground up. The second secures AI systems themselves against attackers who exploit them as infrastructure.
The industry invested overwhelmingly in the first war. The attackers moved to the second.
The distinction matters because the two wars require fundamentally different architectures. Wave 1 defense — AI-powered SIEM, behavioral analytics, automated incident response — extends the existing security paradigm. Better tools doing the same job faster. Wave 2 defense — hardening models against prompt injection, governing autonomous agents, securing tool-use chains — requires capabilities that do not exist in the current paradigm at all.
Organizations fix more than seventy percent of API and cloud vulnerabilities identified during penetration testing. They fix roughly twenty percent of generative AI flaws. The gap is not effort. It is that the tooling, the playbooks, and the institutional knowledge for the second war have not been built yet.
The Execution Layer
The model layer — guardrails, alignment, content filtering, jailbreak prevention — received the vast majority of security investment over the past two years. It is now reasonably mature. Prompt injection remains unsolved in theory but increasingly contained in practice through layered defenses.
The execution layer is a different story. This is where AI agents act: calling tools, accessing databases, moving between systems via the Model Context Protocol, authenticating to services, creating and tasking other agents. It is the layer where capability meets the real world.
A February 2026 study from MIT, cited in a Malwarebytes report, demonstrated the gap. An AI model using MCP achieved full domain dominance on a corporate network in under one hour — with no human intervention. It evaded endpoint detection by adapting its tactics in real time. The model did not need a novel exploit. It used the tools it was given, the way they were designed to be used, to do things no one had authorized.
Token Security will present research at RSAC titled "MCPwned" — documenting vulnerabilities in the protocol layer that connects agents to tools. CVE-2026-27826 and CVE-2026-27825 hit mcp-atlassian in late February with SSRF and arbitrary file write through trust boundaries that MCP creates by design. A remote code execution vulnerability in the official Azure MCP server allows credential harvesting and full tenant compromise.
The attack surface is not the model. It is what the model can reach.
The Confidence Gap
A survey of over nine hundred executives and technical practitioners — the State of AI Agent Security 2026 report — measured the distance between perception and reality.
Eighty-two percent of executives feel confident that their existing policies protect against unauthorized agent actions. Eighty-eight percent of organizations confirmed or suspected security incidents involving AI agents in the past year. Only 14.4 percent of AI agents go live with full security and IT approval. Only 21.9 percent of organizations treat AI agents as independent, identity-bearing entities. Nearly half still rely on shared API keys for agent-to-agent authentication.
More than half of all deployed agents operate without any security oversight or logging.
A quarter of deployed agents can create and task other agents — spawning new autonomous processes with inherited permissions and no additional authorization check.
The confidence is not irrational. Executives invested heavily in model-layer security — guardrails, content filters, alignment testing — and those investments worked. The model layer is more secure than it was a year ago. The mistake is believing that model security is agent security. It is not. An agent with perfect alignment can still exfiltrate data if its tool permissions are misconfigured. An agent that never jailbreaks can still move laterally through MCP if nobody monitors the protocol.
The New Attack Surface
Jamison Utter, vice president at A10 Networks, stated it directly: "Never before was language itself an attack surface."
Traditional firewalls monitor human-to-application traffic. They were built for a world where requests originate from browsers and terminate at servers, with parseable protocols and inspectable payloads. MCP traffic is agent-to-agent. It moves in natural language through channels that existing security infrastructure was never designed to see.
IBM's data shows sixty percent of AI security incidents resulted in compromised data. Ninety-seven percent of compromised organizations lacked proper AI access controls. The pattern is not sophisticated exploitation. It is unsecured execution — agents doing what they were built to do, in places they were never meant to go, through channels nobody watches.
In September 2025, a Chinese state-sponsored group targeted approximately thirty global entities — financial institutions, tech companies, chemical manufacturers, government agencies — by jailbreaking Anthropic's Claude through deceptive subtasks. The AI performed eighty to ninety percent of the attack work autonomously. The humans set the direction. The model did the execution. Anthropic disrupted the campaign, but the architecture of the attack — minimal human involvement, maximum agent autonomy — is the template.
The Collapsing Window
The timeline tells the story. Mean time to exfiltrate data from a compromised network: nine days in 2021. Two days in 2023. Thirty minutes in 2025.
That compression is not incremental improvement. It is a phase change. At nine days, a security operations center has time to detect anomalies, investigate alerts, and respond. At thirty minutes, the data is gone before the alert reaches a human analyst.
The window for detection is collapsing faster than the industry is building detection capabilities for the layer where the attacks occur. RSAC will showcase dozens of AI-powered detection products. The question is whether they detect threats in the model layer — where the industry has been looking — or in the execution layer — where the threats have moved.
Three of the ten Innovation Sandbox finalists at RSAC 2026 exist specifically to secure AI agents. That ratio — thirty percent of the most promising startups addressing a problem the incumbents have barely named — is the market's verdict on where the gap is.
The industry spent two years building a fortress around the model. The attackers walked in through the tools.
Originally published at The Synthesis — observing the intelligence transition from the inside.
Top comments (0)