I’ve been going to RSAC Conference more years than I’ve missed it.  

I still look forward to it every year — it’s a reunion and a reset all in one. But this year feels different.

There’s always a theme or two that dominates RSAC. This year, it’s AI. Full stop.

We’re about to see an explosion of AI across the show floor. AI startups. AI-powered platforms. And while some of it will be legitimate innovation, some of it will be hype. The trick, as always, is knowing the difference.

The AI hype machine is in overdrive

I expect every booth this year, from startups to cybersecurity staples, to be shouting about their new AI capabilities.  

Some will have partnered with an AI vendor, others will have built an LLM into their platform, and a few will pretend they invented the field altogether.

But the truth is that AI isn’t magic. It’s not a panacea. We’re still in the early innings of understanding how to use it effectively in cybersecurity.  

Used right, AI can help us get better insights into our telemetry and speed up security decision-making.  

Used wrong? It’s just a shiny object that leads us off course — or worse, introduces new risks we don’t yet understand.

AI needs Zero Trust. And Zero Trust can help AI.

I’ve been saying for years that Zero Trust is a strategy, not a product. It’s about defining the Protect Surface, limiting what attackers can do when they inevitably get in, and designing security for the future.

This year, I’m especially interested in how people are thinking about the intersection of Zero Trust and AI. There are a few key things I’ll be watching for:

• Protecting LLMs with Zero Trust: LLMs are fast becoming an attacker’s playground. Applying Zero Trust principles to protect these models isn’t optional. It’s necessary. This is done by considering your LLM as a DAAS (critical data, assets, application, and services) element, putting it inside a protect surface, and then enforcing access control based on Zero Trust principles. ‍
• Using AI to advance Zero Trust: Good AI can help us do Zero Trust better. It can highlight high-risk communication patterns, surface unusual behavior, and give security teams clearer priorities. But again, this only works if you’ve already built the foundation.

That’s why I’m excited about tools like Illumio Insights. It’s cybersecurity-specific AI built to improve observability, not distract from it. It doesn’t try to replace security teams. It makes their work smarter, faster, and more effective.

Let’s not forget the basics

Here’s my concern: in all the noise about AI, we can forget that good cybersecurity isn’t built on buzzwords. It’s built on doing the fundamentals well day after day.

We still need to segment our networks. We still need to patch systems. We still need to train our people and reduce human error. AI isn’t going to fix compliance. It won’t write your Zero Trust strategy. And it definitely won’t hit a magic button, so you never have to invest in security talent again.

If anything, AI might lull organizations into thinking they can delay action until the “perfect” solution arrives. That’s dangerous. Attackers aren’t waiting. Neither should we.

A look back (and ahead) at Zero Trust

I’m also co-presenting a session at RSAC this year on Zero Trust at 15: The Evolution of Cybersecurity's Defining Strategy on Tuesday, April 29 at 8:30 – 9:20 AM in the Moscone Center.

It’s going to be a look back at Zero Trust's origin story, where we are now, and where we go next.  

We’ll dig into:

• Why segmentation is still one of the most powerful tools in our arsenal
• How organizations can overcome barriers to Zero Trust adoption
• Why segmentation is the unsung hero of Zero Trust success

If you care about turning Zero Trust from buzzword into business value, you won’t want to miss it.

And if you want to chat more at RSAC, I’ll also be at the Cloud Security Alliance CISO Happy Hour today, April 28 at 6:30 – 8:30 PM at Fang Restaurant.

Final thought: keep your focus

If I could offer one piece of advice to anyone heading into RSAC this year, it’s this: Don’t get distracted by what might happen. Focus on what’s happening right now.

The future of cybersecurity will be shaped by AI, sure. But it’ll be built by people — leaders, builders, defenders — who stay grounded in reality and committed to doing the hard work.

See you in San Francisco.