As attackers and defenders alike adopt AI, everyone seems to be confronting the same cybersecurity governance question: How do enterprise move quickly on agentic without outpacing the guardrails needed to secure it?

That tension was unavoidable at the RSAC 2026 Conference, where agents dominated every conversation. From Google LLC to Microsoft Corp., to cloud-native platform providers and offensive security startups, every company is clearly grappling with the dual challenge of governing AI development while using it to strengthen security. Yet a clear blueprint remains elusive, according to Jon Oltsik (pictured, left), principal analyst at theCUBE Research.

“The attack surface is going to grow like a weed. As a security professional, you have to anticipate that and get your arms around that,” Oltsik said. “The difficulty is we don’t know how fast that weed’s going to grow.”

Oltsik and Christophe Bertrand (right) delivered a closing analysis on day four of the RSAC 2026 Conference, during an exclusive broadcast on theCUBE. They discussed cybersecurity governance in the era of agentic AI, the widening attack surface and the practical steps enterprises should be taking before it’s too late. (* Disclosure below.)

Cybersecurity governance as the starting point for AI readiness

The urgency around cybersecurity governance reflects a broader shift underway across the industry. Unmanaged sprawl — fueled by agentic AI — is creating as-yet unseen operational, compliance and security concerns. That reality was easy to spot across the RSAC show floor, Oltsik noted. Of course, the path forward may not be as poorly-marked as it first appears.

“It is the wild, wild west — but there’s things you can do,” he said. “The first thing that I would do is get all of the stakeholders in place, and if you don’t have strong governance, build strong governance.”

The challenge goes beyond writing policy and extends to how enterprises think about providers and platforms. Long-established suppliers may not ultimately offer the strongest fit for AI security, while newer players could emerge with more compelling approaches.

Organizations working inside more controlled platform environments, including ServiceNow Inc., are already seeing return on investment from agentic AI because they have structured processes and guardrails around data, Bertrand explained. But that progress comes with a caveat: In many cases, enterprises are still being forced to build and deploy in real time, even if that approach creates tension with security best practices.

“With ServiceNow, where clearly some of the customers in the ServiceNow environment are able to get ROI out of agentic AI, because they have controlled processes that they can deploy AI on,” he said. “I think in many ways, success for end users will come from being able, and it’s going to sound very weird, but if you don’t know how to build the plane as you fly it, you may not be very successful in AI as a business. I think that’s what we’re doing now, we’re asking customers to do, but it could be the new way of doing things now for security. That’s not necessarily the best advice.”

Stay tuned for the complete day four wrap, part of SiliconANGLE’s and theCUBE’s coverage of the RSAC 2026 Conference.

(* Disclosure: TheCUBE is a paid media partner for the RSAC 2026 Conference. Sponsors of theCUBE’s event coverage do not have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE