This is without doubt one of the extra consequential shifts on show at RSAC this yr. Governance, lengthy handled as friction, is being reframed as infrastructure, one thing that have to be automated if AI-driven growth is to scale.
The trade-off is complexity. Chainloop’s mannequin requires organizations to suppose by way of programs, provenance, and coverage frameworks, not simply instruments. However for groups already grappling with software program provide chain threat, that abstraction could also be precisely what’s wanted.
FireTail: Gaining visibility into AI utilization throughout the group
Described as an end-to-end AI safety platform, FireTail takes a step again to reply a broader query: who’s utilizing AI, and the way.
This may increasingly appear fundamental, however it isn’t a solved drawback. As AI instruments proliferate, utilization usually spreads past growth groups to incorporate product managers, analysts, and different enterprise features. In lots of instances, organizations lack a transparent stock of which instruments are in use, what information is being shared, and the place dangers could also be launched.
FireTail focuses on offering that visibility.
The platform displays each worker utilization, reminiscent of interactions with instruments like ChatGPT, and application-level utilization, reminiscent of brokers constructed on cloud AI providers. It aggregates this exercise into unified log streams, the place it may possibly detect potential points like information leakage, coverage violations, or anomalous conduct.
“The primary use case for each buyer is realizing who’s utilizing what AI service,” FireTail founder Jeremy Snyder stated. From there, organizations can outline insurance policies and, in some instances, implement them, notably on the endpoint or browser degree.
It is a completely different sort of management level. It’s much less about imposing conduct throughout the pipeline and extra about establishing baseline visibility and governance throughout the group. That distinction makes FireTail each broadly helpful and considerably peripheral to the core growth life cycle. Visibility is a prerequisite for management, however enforcement requires extra measures.
Nonetheless, as AI adoption expands past engineering, that visibility might turn out to be a crucial first step, particularly for organizations attempting to grasp their publicity earlier than deciding methods to handle it.
Raven: Imposing belief the place code runs
On the far finish of the software program life cycle, Raven represents a special sort of shift. As an alternative of specializing in code earlier than it runs, Raven focuses on what occurs when it does.
We described Raven final yr as a runtime platform centered on prioritization and detection. This yr, the emphasis has modified. The corporate is now pushing towards runtime prevention, with a extra aggressive stance on what issues and what doesn’t.
The core concept is simple. Static evaluation produces giant volumes of vulnerabilities, lots of that are by no means exercised in manufacturing. On the similar time, AI is decreasing the time it takes to find and exploit actual weaknesses. Because of this, the standard mannequin of scanning for recognized points and prioritizing them primarily based on CVEs is dropping relevance.
Raven’s response is to deal with conduct at runtime, fairly than signatures or recognized vulnerabilities. By observing how code executes inside the appliance, the platform makes an attempt to determine and cease exploit exercise straight, no matter whether or not a vulnerability has been cataloged. As Raven co-founder and CEO Roi Abitboul put it, “We cease counting on CVEs and have a look at what the appliance is definitely doing.”
That could be a sturdy declare, nevertheless it displays a broader pattern.
The corporate makes use of a kernel-level method to look at software conduct with out injecting code or modifying the runtime atmosphere, with the aim of minimizing efficiency impression. From that vantage level, it may possibly determine anomalous conduct in libraries or features and block execution in actual time.
That is additionally the place Raven diverges from a lot of the present AI narrative. Whereas many distributors emphasize AI-driven detection, Raven argues that AI is just too sluggish for real-time prevention and as a substitute makes use of it selectively for evaluation and prioritization duties. The result’s a mannequin that treats runtime as the last word management level. If earlier phases fail or are bypassed, enforcement nonetheless occurs the place the code executes.
That place is just not new in precept, however the context is. As AI accelerates each growth and exploit technology, the hole between vulnerability discovery and exploitation continues to shrink. In that atmosphere, runtime enforcement turns into much less of a fallback and extra of a main protection.
Seezo: Securing what will get constructed, earlier than code exists
One of the vital dramatic shifts in info safety is occurring on the very begin of the event life cycle.
In earlier years, software safety distributors centered on scanning code after it was written. Seezo is betting that, in an AI-driven world, that’s already too late. The corporate focuses on producing safety necessities earlier than code is written, shaping how each builders and AI brokers construct programs from the outset. The premise is straightforward: if AI is producing giant volumes of code, then controlling what will get constructed turns into extra vital than analyzing what was constructed after the very fact.
As Seezo co-founder and CEO Sandesh Mysore Anand put it, “The price of producing code has gone to zero, whereas the price of reviewing code remains to be very excessive.”
That imbalance is driving a quiet however vital change. As an alternative of interrupting builders with scans and findings, Seezo inserts safety into the necessities layer, the one place each people and AI programs depend on to grasp intent.
This isn’t only a shift-left story. It’s a recognition that when AI brokers are writing code, they’re additionally studying directions. If these directions embody safety constraints, the ensuing code improves earlier than it ever hits a pipeline.
The trade-off is apparent. This method is determined by organizations adopting a extra disciplined necessities course of, one thing many groups have traditionally resisted. However as AI will increase output, that self-discipline might turn out to be much less elective.
TestifySec: Turning compliance right into a steady management
Promising to show the event pipeline right into a “dwell audit feed,” TestifySec is tackling a cussed bottleneck: compliance as a gating perform.
In conventional environments, proving that software program meets regulatory or safety necessities is sluggish, handbook, and sometimes disconnected from how code is definitely constructed. That lag turns into an actual drawback when growth accelerates, particularly when AI brokers are producing adjustments quicker than groups can evaluate them.
To reply this problem, TestifySec strikes compliance into the pipeline itself, utilizing an evidence-based mannequin. As an alternative of counting on documentation and handbook audits, the platform maps code, check outcomes, and artifacts on to safety controls and evaluates them repeatedly.
“Organizations can now write software program quick, however we will’t ship it any quicker as a result of we will’t measure it,” TestifySec co-founder and CEO Cole Kennedy stated. That measurement hole is what TestifySec is attempting to shut.
The platform makes use of AI brokers to research what proof ought to exist for a given management, then appears for that proof throughout the codebase, pipeline outputs, and supporting artifacts. In observe, which means builders can get suggestions on compliance earlier than code is merged, fairly than ready for a downstream audit cycle.
It is a refined however vital shift. Compliance strikes from being a publish hoc validation step to a steady sign inside CI/CD.
The problem is belief. Automated compliance has been promised earlier than, and organizations are typically cautious about changing human validation with machine-generated assessments. However as growth pace will increase, the choice could also be worse: a rising backlog of software program that can not be shipped as a result of it can’t be licensed.
Each course without delay
If there was a single takeaway from RSAC 2026, it’s that the trade is now not arguing about whether or not AI will change software program growth. It already has.
What remains to be being labored out is the place safety belongs when the boundaries between growth, deployment, and execution now not maintain. The distributors highlighted right here should not converging on a single reply. As an alternative, they’re redefining management factors throughout the complete life cycle, from necessities and toolchains to pipelines, runtime, and workflows.
A few of these approaches will show extra sturdy than others. Not each new layer will turn out to be a class, and never each declare will maintain up beneath real-world strain. However the course is evident. As AI compresses the software program growth life cycle and accelerates each growth and exploitation, safety can now not depend on remoted checkpoints.
Belief needs to be enforced repeatedly, and in additional locations than earlier than.
The problem for organizations is not only adopting new instruments, however deciding the place these management factors ought to reside of their environments. The reply will differ, however the underlying shift is identical: safety is now not a stage. It’s a part of the system itself.
