RSAC 2026: Non-Human Identity Becomes the Platform War

◆ DEEP DIVES

1. 01

   Your AI Agent Infrastructure Has No Security Foundation — RSAC 2026 Just Made That Official

   <h3>The Category Just Crystallized</h3><p>RSAC 2026 wasn't a trade show this week — it was a coordinated industry admission that <strong>agentic AI has outrun its governance infrastructure</strong>. Google, Cisco, Palo Alto Networks, and the Cloud Security Alliance simultaneously launched AI agent security products and frameworks. Cisco's Duo Agentic Identity treats AI agents as full identities with policy enforcement. Palo Alto's Prisma AIRS 3.0 unifies agent security across identity, posture, and runtime. The CSA launched an entire nonprofit — CSAI — for the 'agentic control plane.' When four players converge on the same problem in the same week, you're watching a market category crystallize.</p><blockquote>Whoever owns your NHI governance layer will have a gravity pull on your broader security architecture. This is a platform decision masquerading as a security tool purchase.</blockquote><h3>The Protocol Layer Is Broken by Design</h3><p>The most alarming finding: <strong>MCP — Anthropic's Model Context Protocol</strong>, increasingly the standard for connecting AI agents to tools — has no versioning, content hashing, or approval-time snapshots. A malicious MCP server can silently rewrite a tool's description and behavior <em>between the moment a user approves it and the moment the agent executes it</em>. Neither Datadog nor LangSmith can detect this because they record what was called, not whether it matched what was authorized. This creates direct compliance gaps under HIPAA, SOC 2, and EU AI Act Article 12.</p><p>Compounding this, XM Cyber mapped <strong>eight validated attack vectors in AWS Bedrock</strong> where a single over-privileged identity can hijack agents, strip guardrails, poison prompts, and exfiltrate data — all without triggering a redeployment. The cloud AI security conversation needs to shift urgently from model security to <strong>permissions and integration security</strong>.</p><h3>Autonomous AI Bots Are Already Attacking Your Supply Chain</h3><p>Step Security revealed that an AI bot (<strong>'hackerbot-claw'</strong>) systematically compromised Trivy's CI/CD pipeline, stole Personal Access Tokens, and pushed malicious code to GitHub Actions, DockerHub images, and VS Code extensions — hitting Microsoft, DataDog, and CNCF projects simultaneously. Aqua Security detected the compromise and rotated secrets, but acknowledged the process <em>'wasn't atomic and attackers may have been privy to refreshed tokens.'</em> The attack recurred on March 19 and March 22.</p><p>Separately, a former deputy national security advisor confirmed that <strong>AI crossed from accelerating known attacks to generating novel exploits in 2026</strong> — new tactics and techniques that don't appear in any historical threat database. Sysdig's Langflow research showed a critical RCE was exploited within 25 hours of disclosure, with attackers building working exploits from the advisory description alone.</p><h3>The Social Engineering Threat Model Inverted</h3><p>Mandiant M-Trends data reveals a complete inversion: <strong>vishing now accounts for 11% of investigated incidents while email phishing collapsed from 22% (2022) to 6%</strong>. Organizations still over-indexed on email security are deploying capital against a shrinking threat. Meanwhile, a systemic Microsoft OAuth device authentication exploit is granting attackers <strong>90-day persistent access that bypasses MFA entirely</strong>, with hundreds of businesses already compromised.</p><hr><p>The connecting thread: your AI agent strategy and your security strategy <strong>must be unified under single executive governance this quarter</strong>. The NHI platform choice is being made now, and it will have the same gravity as your cloud platform choice had a decade ago.</p>

   Action items

   • Commission an NHI audit by end of Q2 — map every AI agent, service account, and non-human identity in your environment and assess governance gaps against RSAC frameworks
   • Mandate SHA-256 hashing at MCP approval time and pre-execution verification for all MCP-based agent deployments within 30 days
   • Establish sub-24-hour patching SLA for CVSS 9.0+ vulnerabilities with compensating controls within 4 hours of disclosure
   • Rebalance security budget from email-centric controls toward voice channel authentication and vishing detection by next budget cycle

   Sources:RSAC 2026 just declared AI agent identity the next platform war · AI bots are now autonomously breaching your open-source supply chain · AI is now generating novel cyber exploits · Microsoft's OAuth flow is broken at scale · MCP's zero-integrity design + AWS Bedrock's 8 attack vectors

2. 02

   Enterprise SaaS Is Splitting on AI Agent Access — And Anthropic Can Bypass Both Sides

   <h3>The New Competitive Axis</h3><p>A new fault line is dividing enterprise software: <strong>open vs. closed on AI agent access</strong>. The split is already visible across platforms you likely depend on:</p><table><thead><tr><th>Platform</th><th>Posture</th><th>Strategy</th></tr></thead><tbody><tr><td>GitHub</td><td>Open</td><td>Agent-friendliness drives adoption and ecosystem lock-in through usage</td></tr><tr><td>Figma</td><td>Open</td><td>Betting value transcends the interface layer</td></tr><tr><td>Slack/Salesforce</td><td>Curated</td><td>12 MCP partners (OpenAI, Anthropic, Cursor, Perplexity) with rate limits — the app store playbook</td></tr><tr><td>Workday</td><td>Monetized</td><td>Planning to charge for AI agent access — 'agent access as a product'</td></tr><tr><td>WhatsApp/LinkedIn</td><td>Closed</td><td>Security justification partially covers business model protection</td></tr></tbody></table><p>This is the most consequential enterprise software dynamics shift since the API economy. The 'security' justification for restriction is partially legitimate — Workday holds sensitive HR and financial data — but the pattern of <strong>restricting broad access while building first-party agent tools and planning to charge for third-party access</strong> reveals business model protection is equally motivating.</p><h3>The Computer-Use Wildcard</h3><p>Here's what should keep every SaaS CEO awake: <strong>Anthropic's computer-use Claude operates at the screen level</strong> — clicking buttons, navigating menus, reading data — exactly as a human contractor would. If Claude can operate any application through its GUI, then MCP restrictions, API rate limits, and curated partner programs become irrelevant. The agent simply <em>uses the software the way a human would</em>.</p><blockquote>Any monetization strategy premised on controlling a protocol-level chokepoint has a shrinking half-life when the alternative is a screen-level bypass.</blockquote><p>Anthropic shipped this from acquisition to product in <strong>four weeks</strong> via the Vercept deal — a velocity that compresses the window for competitors to respond. The strategic implication for enterprise SaaS: the smart play isn't gatekeeping, it's making your platform so valuable at the data and workflow layer that customers <em>want</em> to connect agents through official channels because the experience is dramatically better than screen-scraping.</p><h3>Procurement Implications Are Immediate</h3><p>The emerging pattern mirrors what happened with API availability a decade ago. Arcade.dev's ToolBench ranking — biased though it may be — is a leading indicator that <strong>'agent accessibility score' will appear on enterprise RFP checklists within a year</strong>. For your organization right now:</p><ul><li>Your vendor selection today determines your <strong>automation ceiling tomorrow</strong></li><li>Lock agent access terms into contracts <em>before</em> vendors like Workday finalize their pricing models</li><li>Evaluate computer-use agents (Claude, OpenClaw) as a hedge against platform gatekeeping</li><li>Products without clean, well-documented APIs become second-class citizens in an agent-orchestrated workflow</li></ul><p>The companies that audit their stack now, negotiate agent access terms into contracts, and build orchestration capabilities across open and closed platforms will have a <strong>decisive operational advantage</strong> over those that discover this dynamic in 2027.</p>

   Action items

   • Audit your enterprise software stack for AI agent openness by end of Q2 — map which critical systems are open, restricted, or closed, and identify workflow bottlenecks
   • Negotiate AI agent access terms into all enterprise software contracts during next renewal window
   • Evaluate Claude computer-use and similar capabilities as a hedging strategy against platform gatekeeping before Q3
   • If you operate a SaaS platform: convene a strategy session this month to define your agent access posture — open, curated, or monetized — before the market decides for you

   Sources:Enterprise SaaS is splitting into open vs. closed on AI agents · The agent platform war just went nuclear · OpenAI's ad pivot + Anthropic's agent leap · Apple's free enterprise platform, OpenAI-MSFT fracture, and AI agent autonomy

3. 03

   3.3% Copilot Penetration Just Killed the Distribution Thesis — Here's What OpenAI Is Building Instead

   <h3>The Number That Changes Everything</h3><p>The most devastating data point in AI this week: Microsoft has <strong>15 million Copilot paying seats on a 450 million commercial customer base — 3.3% penetration</strong>. Microsoft had every structural advantage: the install base, the enterprise relationships, the bundling power, the OpenAI partnership. <em>And it hasn't worked.</em> This is the strongest evidence yet that <strong>distribution moats do not transfer to AI products</strong>. Users adopt AI when it genuinely transforms their workflow, not when it's bundled. This is a product quality problem, not a distribution problem.</p><p>The consumer numbers tell the same story. ChatGPT's 440M DAU holds ~80% of the top-four market. <strong>Microsoft Copilot at 6M DAU has been surpassed by Claude at 9M</strong> — despite Claude being nowhere near a consumer-focused product. Meanwhile, Microsoft's Azure AI platform head (Eric Boyd) defected directly to Anthropic. This is not turnover; this is institutional decay in the divisions that matter most.</p><h3>OpenAI's Three-Pronged Response</h3><p>OpenAI is executing a rapid strategic pivot with three simultaneous moves:</p><ol><li><strong>Advertising:</strong> Hired Dave Dugan (10+ year Meta ad sales exec) as VP of Global Ad Solutions. Criteo partnership with $50K-$100K entry packages. Expanding ads to all US free-tier users imminently. ChatGPT has 900M weekly active users but only ~5% pay — the subscription ceiling is confirmed.</li><li><strong>PE financial engineering:</strong> Guaranteeing 17.5% minimum returns to PE firms (TPG, Advent) through JV structures, in exchange for deploying AI across portfolio companies. This bypasses the traditional enterprise sales motion entirely — AI stack decisions get made at the LP level, not the CTO level.</li><li><strong>Superapp consolidation:</strong> Fidji Simo's internal memo acknowledges too many products were degrading quality. ChatGPT, Codex, and Atlas are merging into a single desktop application — driven explicitly by Claude Code's competitive pressure on developer mindshare.</li></ol><blockquote>An ad-supported AI assistant has fundamentally different alignment than a subscription-supported one — the former optimizes for engagement, the latter for task completion. Enterprise buyers need to understand this distinction.</blockquote><h3>The Critical Vulnerability</h3><p>Early advertisers literally <strong>cannot prove ChatGPT ads work</strong>. Conversational AI is a fundamentally different advertising surface than feed-based social media or search. Intent signals are different. Attention patterns are different. OpenAI's expansion to all free-tier users addresses the impression volume problem but not the attribution problem. If OpenAI cracks conversational advertising, it creates a trillion-dollar category. If it can't, the $17B 2026 revenue target has a structural weakness.</p><p>Meanwhile, the PE JV terms raise questions. The analysis from multiple sources is blunt: <strong>no healthy business offers 17.5% guaranteed returns</strong>. Whether that assessment is fully fair or not, the signal is clear — OpenAI's capital needs are outrunning conventional sources. Combined with IPO risk disclosures that flag Microsoft dependency as material risk, this is a company whose strategic priorities are being reshaped by capital burn in ways that will affect product direction and pricing within quarters.</p><hr><p>For enterprises: any architecture that assumes OpenAI and Microsoft will remain aligned is building on a fault line. <strong>Multi-vendor AI strategies are now a fiduciary obligation</strong>, not a luxury.</p>

   Action items

   • Stress-test your AI GTM strategy against the 3.3% distribution failure — if you're bundling AI into existing products, model a scenario where penetration plateaus at 3-5% and build a response plan by Q3
   • Audit all OpenAI and Azure-OpenAI dependencies and develop multi-vendor contingency architecture by end of Q2
   • If in a PE portfolio, engage sponsors immediately on the OpenAI JV offer to negotiate terms or preserve AI vendor optionality
   • Monitor OpenAI ad product rollout and model competitive impact on your pricing if ChatGPT capabilities become ad-subsidized

   Sources:Microsoft's 3.3% Copilot penetration just killed the 'distribution wins in AI' thesis · OpenAI's moat just collapsed · OpenAI is becoming an ad platform · OpenAI's superapp pivot signals AI platform war entering consolidation phase · Software's 18-month survival window just opened · OpenAI's 17.5% PE guarantee signals capital desperation pre-IPO

4. 04

   AI Breaks Through to the Physical World — Edge Computing, Hardware Design, and the $100B Manufacturing Bet

   <h3>The Edge AI Memory Wall Just Fell</h3><p>Liquid AI published the most significant on-device AI result to date: a 1.2B-parameter model running at <strong>70 tokens/second on a Samsung Galaxy S25 CPU in just 719MB of total memory</strong>. For comparison, Meta's Llama 3.2 1B consumes 524MB in KV cache <em>alone</em> at the same context length — before loading model weights. At 128K tokens, Llama hits 2GB. On a phone, that's game over.</p><p>The model isn't the story. <strong>STAR — Liquid AI's automated architecture search system — is the strategic asset.</strong> STAR encodes neural network architectures as hierarchical genomes and evolves them using multi-objective optimization against <em>actual hardware performance on physical devices</em>. When Qualcomm ships a new Snapdragon, STAR re-evolves. This is a compounding capability, not a static product.</p><p>What STAR discovered is strategically uncomfortable: it <strong>completely rejected every state-space model variant</strong> (Mamba, S4, Mamba-2) for edge deployment. The SSM hype cycle, which positioned these as the transformer's successor, collides directly with the empirical result that boring depthwise convolutions paired with sparse attention outperform every SSM configuration on phone hardware.</p><blockquote>When capable models run on-device at zero marginal inference cost, the highest-volume API calls migrate to the edge — hollowing out the volume base that makes cloud inference economics work.</blockquote><h3>AI Foundation Models for Physics</h3><p>Arena Physica (Founders Fund-backed) is launching a foundation model for <strong>electromagnetic field design claiming 18,000x simulation speedups</strong> and 10x cost reduction for phased arrays. The US Navy reportedly lacks counter-drone radar at scale because Raytheon charges nearly a billion dollars per ship-based system. AI-generated hardware designs are producing 'alien geometries' that outperform human designs — the AlphaGo moment for physical engineering. Critically, analog silicon doesn't need bleeding-edge TSMC fabs, reducing geopolitical supply chain risk.</p><h3>Capital Is Following the Thesis</h3><p>Jeff Bezos raising <strong>$100B to buy and automate manufacturing companies</strong> is the strongest signal that the smart money believes AI's largest near-term value creation isn't in building new AI products but in making physical-world businesses dramatically more efficient. The SpaceX/Tesla/xAI TERAFAB joint venture — the largest chip fab ever at 1TW/year — creates a vertically integrated AI competitor (compute + distribution + connectivity + models) unlike anything the market has seen.</p><p>For strategic planning: the pattern of 'AI foundation model for [physics domain]' will repeat across fluid dynamics, thermodynamics, acoustics, and materials science. Organizations that build integration muscle for AI-generated physical designs now will compound that advantage. Those that wait will find themselves in the position of companies that dismissed cloud computing in 2008.</p>

   Action items

   • Reassess your cloud inference cost model this quarter — model the margin impact of capable on-device AI pulling routine queries off your API within 18 months
   • Evaluate Liquid AI as a strategic partner or acquisition target — STAR (the architecture search platform) is the asset, not any single model
   • Commission a competitive analysis of AI-for-physics opportunities in your domain if you operate in defense, telecom, semiconductors, or industrial manufacturing
   • Review your AI investment thesis for physical-world bias — ensure it isn't over-indexed on software productivity at the expense of manufacturing and infrastructure opportunities

   Sources:Liquid AI just broke the edge AI memory wall · AI foundation models are crossing from bits to atoms · Bezos's $100B AI-manufacturing play