SAN FRANCISCO—The doors to the RSA Conference 2025 swing open here this week with two competing narratives.
On one side, JPMorgan Chase CISO Pat Opet published an open letter warning software-as-a-service suppliers that “convenience can no longer outpace control,” calling the current, OAuth-plumbed cloud model “single points of failure with potentially catastrophic systemwide consequences.”
On the other, venture-backed startups will take to the show floor with expensive demos, vowing that artificial intelligence is finally here to cure everything that ails enterprise cybersecurity defenses.
This tension between hard-edged risk realism and breathless AI evangelism sets an unmistakable tone for a bellwether conference where 40,000-plus gather to do business.
Opet’s missive, circulated just days before the conference, lands like a sobriety test. He argues that rushed releases and “read-only” permission scopes have collapsed decades-old security boundaries, and that a breach at one hyperscale provider can instantly ripple through global banking systems.
“Fierce competition among software providers has driven prioritization of rapid feature development over robust security. This often results in rushed product releases without comprehensive security built in or enabled by default, creating repeated opportunities for attackers to exploit weaknesses,” Opet declared.
“The pursuit of market share at the expense of security exposes entire customer ecosystems to significant risk and will result in an unsustainable situation for the economic system,” he warned bluntly.
The JPMorgan Chase security chief called on software vendors to prioritize secure-and-resilient-by-default architectures, provable controls and richer authorization models.
These words appear to be falling on deaf ears here at the Moscone Center, where the gravitational pull of AI-powered hype is unmistakable on the show floor. “Agentic AI” has become a table-stakes bullet in booth graphics, and the unofficial competition is who can show off a chatbot doing magical things to “transform the SOC” or provide “digital cyber employees.”
The conference itself, owned and run by an investment vehicle, has recast its role as king-maker. The long-running Innovation Sandbox startup contest will now feature an uncapped $5 million SAFE investment to each of the ten finalists the moment they step on stage.
The 2025 cohort is predictably AI-heavy. Aurascape and EQTY Lab are selling guardrails for autonomous agents; CalypsoAI and Knostic promise inference-layer policy enforcement; Command Zero pitches one-click incident reconstruction; Twine assigns an “AI employee” named Alex to identity chores; ProjectDiscovery weaponizes open-source scanning against cloud sprawl; Smallstep tries to tame device identity; MIND automates data-loss prevention; and Metalware ventures below the OS to fuzz firmware.
Expect two tribes on the floor. Platform heavyweights like Microsoft, Palo Alto Networks, CrowdStrike and Cisco will tout co-pilots that write detection rules and auto-close tickets, betting that adding AI to familiar consoles will feel safer to cost-conscious buyers.
Across the aisle, startups flush with VC cash will make the case that legacy data models can’t make the leap and that green-field architectures are the only way to unlock AI speed.
This year, it feels like the RSA Conference captures an industry mid-pivot, balancing market skepticism against stubborn optimism that machine learning might finally shift the odds from attacker to defender.
For anyone roaming the Expo floor, the question remains: which booths are selling real automation, and which are spinning one more turn of the hype cycle?
More importantly, will anyone listen and heed Opet’s call for discipline? Will a critical mass of Fortune 100 buyers start putting “show me your secure-by-default posture” language into master service agreements?
A multi-billion dollar industry has arrived in San Francisco looking for answers.