
This is among the more consequential shifts on display at RSAC this year. Governance, long treated as friction, is being reframed as infrastructure, something that must be automated if AI-driven development is to scale.
The trade-off is complexity. Chainloop’s model requires organizations to think in terms of systems, provenance, and policy frameworks, not just tools. But for teams already grappling with software supply chain risk, that abstraction may be exactly what’s needed.
FireTail: Gaining visibility into AI usage across the organization
Described as an end-to-end AI security platform, FireTail takes a step back to answer a broader question: who’s using AI, and how.
This may seem basic, but it’s not a solved problem. As AI tools proliferate, usage often spreads beyond development teams to include product managers, analysts, and other business functions. In many cases, organizations lack a clear inventory of which tools are in use, what data is being shared, and where risks may be introduced.
FireTail focuses on providing that visibility.
The platform monitors both employee usage, such as interactions with tools like ChatGPT, and application-level usage, such as agents built on cloud AI services. It aggregates this activity into unified log streams, where it can detect potential issues like data leakage, policy violations, or anomalous behavior.
“The first use case for every customer is knowing who’s using what AI service,” FireTail founder Jeremy Snyder said. From there, organizations can define policies and, in some cases, enforce them, particularly at the endpoint or browser level.
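As an added illustration of the visibility described above (example code written for this page, not FireTail’s product or code), the script below parses constructed AI-gateway log lines in an assumed format, builds the who-uses-which-service inventory, and flags requests to unapproved services or prompts containing recognizable secret patterns. The log format, the approved-service list, and the secret patterns are all assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data). Assumed format per line:
#   <timestamp> user=<id> dest=<host> bytes=<n> prompt=<free text>
SAMPLE_LOG = """\
2026-04-28T09:01:12Z user=alice dest=api.openai.com bytes=812 prompt=Summarise this release note
2026-04-28T09:03:40Z user=bob dest=unapproved-llm.example bytes=2048 prompt=Here is our config AKIAIOSFODNN7EXAMPLE
2026-04-28T09:05:02Z user=alice dest=api.openai.com bytes=640 prompt=customer ssn 123-45-6789 refund case
2026-04-28T09:07:15Z user=carol dest=bedrock.us-east-1.amazonaws.com bytes=300 prompt=classify ticket
"""

# Assumed policy: services the organization has sanctioned for AI use.
APPROVED = {"api.openai.com", "bedrock.us-east-1.amazonaws.com"}

# Patterns for data that should never leave in a prompt (AWS's documented
# example access key and the canonical example SSN are used as sample values).
SENSITIVE = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dest=(?P<dest>\S+) "
    r"bytes=(?P<bytes>\d+) prompt=(?P<prompt>.*)$"
)


def parse(log: str) -> list[dict]:
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE.match, log.splitlines()) if m]


def inventory(events: list[dict]) -> dict[str, dict[str, int]]:
    """Who is using which AI service: {user: {destination_host: request_count}}."""
    inv: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        inv[e["user"]][e["dest"]] += 1
    return {user: dict(dests) for user, dests in inv.items()}


def findings(events: list[dict]) -> list[tuple[str, str, str, str]]:
    """Policy findings as (timestamp, user, finding_type, detail) tuples."""
    out = []
    for e in events:
        if e["dest"] not in APPROVED:
            out.append((e["ts"], e["user"], "unapproved_service", e["dest"]))
        for name, pattern in SENSITIVE.items():
            if pattern.search(e["prompt"]):
                out.append((e["ts"], e["user"], "sensitive_data", name))
    return out
```

On the sample, bob’s request is flagged twice (unapproved destination and an access key in the prompt) while alice’s SSN-bearing prompt is flagged even though the destination is approved, which is the distinction between inventory and policy the article draws.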
This is a different kind of control point. It’s less about enforcing behavior within the pipeline and more about establishing baseline visibility and governance across the organization. That distinction makes FireTail both broadly useful and somewhat peripheral to the core development life cycle. Visibility is a prerequisite for control, but enforcement requires additional measures.
Still, as AI adoption expands beyond engineering, that visibility may become a necessary first step, especially for organizations trying to understand their exposure before deciding how to manage it.
Raven: Enforcing trust where code runs
At the far end of the software life cycle, Raven represents a different kind of shift. Instead of focusing on code before it runs, Raven focuses on what happens when it does.
We described Raven last year as a runtime platform focused on prioritization and detection. This year, the emphasis has changed. The company is now pushing toward runtime prevention, with a more aggressive stance on what matters and what doesn’t.
The core idea is simple. Static analysis produces large volumes of vulnerabilities, many of which are never exercised in production. At the same time, AI is reducing the time it takes to discover and exploit real weaknesses. As a result, the traditional model of scanning for known issues and prioritizing them based on CVEs is losing relevance.
Raven’s response is to focus on behavior at runtime, rather than signatures or known vulnerabilities. By observing how code executes within the application, the platform attempts to identify and stop exploit activity directly, regardless of whether a vulnerability has been cataloged. As Raven co-founder and CEO Roi Abitboul put it, “We stop relying on CVEs and look at what the application is actually doing.”
That is a strong claim, but it reflects a broader trend.
The company uses a kernel-level approach to monitor application behavior without injecting code or modifying the runtime environment, with the goal of minimizing performance impact. From that vantage point, it can identify anomalous behavior in libraries or functions and block execution in real time.
This is also where Raven diverges from much of the current AI narrative. While many vendors emphasize AI-driven detection, Raven argues that AI is too slow for real-time prevention and instead uses it selectively for analysis and prioritization tasks. The result is a model that treats runtime as the ultimate control point. If earlier stages fail or are bypassed, enforcement still happens where the code executes.
That position is not new in principle, but the context is. As AI accelerates both development and exploit generation, the gap between vulnerability discovery and exploitation continues to shrink. In that environment, runtime enforcement becomes less of a fallback and more of a primary defense.
Seezo: Securing what gets built, before code exists
One of the most dramatic shifts in information security is happening at the very start of the development life cycle.
In earlier years, application security vendors focused on scanning code after it was written. Seezo is betting that, in an AI-driven world, that’s already too late. The company focuses on generating security requirements before code is written, shaping how both developers and AI agents build systems from the outset. The premise is simple: if AI is generating large volumes of code, then controlling what gets built becomes more important than analyzing what was built after the fact.
As Seezo co-founder and CEO Sandesh Mysore Anand put it, “The cost of generating code has gone to zero, while the cost of reviewing code is still very high.”
That imbalance is driving a quiet but important change. Instead of interrupting developers with scans and findings, Seezo inserts security into the requirements layer, the one place both humans and AI systems rely on to understand intent.
This isn’t just a shift-left story. It’s a recognition that when AI agents are writing code, they’re also reading instructions. If those instructions include security constraints, the resulting code improves before it ever hits a pipeline.
The trade-off is obvious. This approach depends on organizations adopting a more disciplined requirements process, something many teams have historically resisted. But as AI increases output, that discipline may become less optional.
TestifySec: Turning compliance into a continuous control
Promising to turn the development pipeline into a “live audit feed,” TestifySec is tackling a stubborn bottleneck: compliance as a gating function.
In traditional environments, proving that software meets regulatory or security requirements is slow, manual, and often disconnected from how code is actually built. That lag becomes a real problem when development accelerates, especially when AI agents are producing changes faster than teams can review them.
To answer this challenge, TestifySec moves compliance into the pipeline itself, using an evidence-based model. Instead of relying on documentation and manual audits, the platform maps code, test results, and artifacts directly to security controls and evaluates them continuously.
“Organizations can now write software fast, but we can’t ship it any faster because we can’t measure it,” TestifySec co-founder and CEO Cole Kennedy said. That measurement gap is what TestifySec is trying to close.
The platform uses AI agents to analyze what evidence should exist for a given control, then looks for that evidence across the codebase, pipeline outputs, and supporting artifacts. In practice, that means developers can get feedback on compliance before code is merged, rather than waiting for a downstream audit cycle.
This is a subtle but important shift. Compliance moves from being a post hoc validation step to a continuous signal within CI/CD.
The challenge is trust. Automated compliance has been promised before, and organizations tend to be cautious about replacing human validation with machine-generated assessments. But as development speed increases, the alternative may be worse: a growing backlog of software that can’t be shipped because it can’t be certified.
Every direction at once
If there was a single takeaway from RSAC 2026, it’s that the industry is no longer arguing about whether AI will change software development. It already has.
What is still being worked out is where security belongs when the boundaries between development, deployment, and execution no longer hold. The vendors highlighted here are not converging on a single answer. Instead, they’re redefining control points across the entire life cycle, from requirements and toolchains to pipelines, runtime, and workflows.
Some of these approaches will prove more durable than others. Not every new layer will become a category, and not every claim will hold up under real-world pressure. But the direction is clear. As AI compresses the software development life cycle and accelerates both development and exploitation, security can no longer rely on isolated checkpoints.
Trust has to be enforced continuously, and in more places than before.
The challenge for organizations is not just adopting new tools, but deciding where these control points should live in their environments. The answer will vary, but the underlying shift is the same: security is no longer a stage. It’s part of the system itself.