RSA 2026: Control Points, Not Categories
Positioning for the Agentic Security Stack
The 2026 RSA Conference marks a structural turning point for cybersecurity. While 2025 introduced AI as a feature, 2026 reflects the emergence of an agentic ecosystem—where autonomous software entities act as users, applications and attack vectors simultaneously.
For both private equity investors and security companies evaluating strategic alternatives, the key question is no longer whether AI matters, but where value accrues in an agent-driven architecture. The answer is increasingly clear: value concentrates at control points embedded in real-time decision loops, not across fragmented point solutions.
Below are five core takeaways shaping the investment and M&A landscape.
1. AI Expands the Attack Surface — Value Accrues at Control Points
Agentic AI is driving a step-function increase in machine-speed traffic, non-human identities, and continuous permission and policy decisions, fundamentally multiplying interactions across identity, network, and data layers. This is not incremental workload expansion but a structural shift toward always-on, machine-driven environments where decisions are made in real time. As AI extends into industrial and operational environments, the attack surface also expands to include Operational Technology (OT) systems and physical processes, further increasing the scope and consequences of security failures. As a result, the security stack is re-centering around platforms embedded directly in the decision loop—specifically identity, data governance, data discovery and securing data (including DSPM), external threat intelligence inputs, traffic inspection and policy enforcement—rather than fragmented point solutions. Security is increasingly becoming the control plane for AI systems, reinforcing its strategic importance as software proliferation accelerates. Within this, proprietary data—particularly threat intelligence and telemetry—becomes a key differentiator, as vendors with unique visibility into attacker behavior gain structural advantages in detection and prevention.
Implications: Focus on assets embedded in enforcement and decision paths where switching costs are high and usage scales with activity.
M&A Considerations: Strategic acquirers are prioritizing assets that embed into identity, data and network control layers, with consolidation likely around platforms that own enforcement and decisioning rather than peripheral tooling.
2. Control Before Scale — Near-Term Spend Is Focused on Guardrails
Enterprise adoption of AI is driving immediate demand for visibility and control rather than full automation. Buyers are prioritizing solutions that provide insight into shadow AI usage, govern prompt and data flows and enforce identity-based permissions. This increasingly includes securing training data, managing data lineage and ensuring sensitive data is not exposed through model interactions. The core challenge today is not automating security operations, but understanding what AI systems are doing, what they can access and how to constrain their behavior. While the vision of an autonomous Security Operations Center (SOC) is gaining traction—particularly for Tier-1 triage and response—most enterprises remain cautious, requiring auditability, explainability and policy boundaries before expanding automation. In parallel, Continuous Threat Exposure Management (CTEM) is gaining traction as organizations shift toward continuous validation of their security posture in dynamic, AI-driven environments, alongside increased interest in cyber training and simulation platforms that enable organizations to test readiness, validate controls and simulate real-world attack scenarios. This reflects a broader “control before scale” phase, where governance and enforcement must be established before broader AI deployment accelerates.
Implications: Near-term growth is concentrated in governance, visibility and enforcement layers tied directly to AI adoption, with selective adoption of AI within SOC workflows (e.g., triage and response) rather than full autonomy.
M&A Considerations: Buyers are targeting companies that enable AI governance, visibility and policy enforcement, particularly those that integrate cleanly into existing enterprise workflows.
3. Identity Is the Foundational Layer of the Agentic Stack
The rapid proliferation of non-human identities — including copilots, service agents and automated workflows—is emerging as the primary gating factor for AI adoption. These identities function simultaneously as users, applications and potential attack vectors, significantly increasing the complexity of access management and policy enforcement. At the same time, the rapid expansion of identities increases the attack surface, as more credentials, tokens and machine identities can be compromised or misused, further elevating the importance of continuous verification and monitoring. As a result, identity is evolving into the foundational layer security stack, underpinning real-time authorization decisions and least-privilege enforcement across dynamic environments. Organizations are increasingly forced to reassess their identity governance and privileged access frameworks to manage this expanding surface area.
Implications: Identity platforms represent a durable control point with clear expansion paths, particularly those enabling real-time authorization and management of non-human identities at scale.
M&A Considerations: Identity remains the highest-priority acquisition category, particularly across Identity Governance and Administration (IGA), Privileged Access Management (PAM) and emerging Non-human Identiy (NHI)-focused platforms, as strategic buyers look to build and govern the agentic stack.
4. Architecture Shift: North-South to East-West Traffic (and Why It Matters)
Security architecture is undergoing a fundamental shift from north-south traffic (users accessing applications across a perimeter) to east-west traffic (machine-to-machine, agent-to-agent and model-to-data interactions within environments). In an agentic world, most activity happens inside the organization, not at the edge, with continuous, high-frequency interactions that require real-time inspection and enforcement. At the same time, the importance of external threat intelligence is increasing, as organizations require real-time visibility into emerging threats, attacker behavior and compromised identities outside the perimeter, which must then be correlated with internal activity. Increasingly, differentiated vendors are those with proprietary data assets and unique telemetry that can be correlated with internal activity in real time. This shift increases the importance of securing data flows, model interactions and internal communication pathways, particularly as training and inference workloads expand. It also reinforces the need for continuous validation approaches such as CTEM, where organizations are constantly testing and validating their exposure across dynamic environments. Security is therefore becoming more deeply embedded within infrastructure and data paths.
Implications: Prioritize platforms embedded in east-west traffic that enforce decisions at machine speed, as security shifts from perimeter control to internal, high-frequency interaction management.
M&A Considerations: Strategic interest is building around infrastructure-embedded security, including network-layer enforcement, observability, data security and proprietary threat intelligence platforms with differentiated data assets and telemetry, alongside runtime policy engines capable of handling high-volume internal traffic flows.
5. IT/OT Convergence and the Rise of “Physical AI”
The convergence of IT and OT is emerging as a consequential extension of the agentic paradigm, as AI systems increasingly interact with physical environments through industrial automation, robotics and digital twin simulations. What was historically a segmented, compliance-driven OT security market is being pulled into the broader AI stack as enterprises deploy AI across manufacturing, energy and critical infrastructure. This introduces a new class of risk where vulnerabilities in models, simulation layers or control systems can translate into real-world operational disruption. While this theme is earlier from a spending perspective, it represents a meaningful expansion of the cybersecurity scope into physical systems.
Implications: IT/OT convergence represents a longer-duration adjacency with meaningful upside as AI expands into physical environments, though adoption will lag core IT domains.
M&A Considerations: Strategic buyers are expected to increasingly target OT security, industrial simulation security and platforms bridging IT and OT environments, with both cybersecurity vendors and industrial players emerging as potential acquirers.
Bottom Line
RSA 2026 reinforces a critical shift: cybersecurity is re-centralizing around control points that govern machine-speed decisions. Value accrues to platforms embedded in identity, data and policy governance layers, where real-time decisions are made and enforced. Near-term spend is focused on control and visibility, while longer-term upside expands into infrastructure and physical systems.
For private equity investors, the opportunity lies in backing platforms that sit in the decision path and scale with activity. For sellers, the opportunity is to position assets as part of these control points—where strategic buyers are actively consolidating and paying premium valuations.
Baird’s Cybersecurity team has extensive experience advising across the sector. Our sector expertise covers network and endpoint security, security operations, identity and access management, security awareness training, threat intelligence, data security, application security and managed security services. We welcome the opportunity to discuss these themes and how they may impact your business or future strategy.
