RSAC 2025 Conference: Identity security highlights
RSAC 2025 Conference was abuzz with talk about agentic AI and tool convergence. Analyst Todd Thiemann shares how these trends affect identity security.
As RSAC 2025 recedes in the rearview mirror, I wanted to share some of the identity security and data security insights I gained from hanging out with around 44,000 of my closest cybersecurity friends in San Francisco. It was four days of speaking to security practitioners, vendors, investors and other industry analysts to gain insight on effective strategies to deal with sprawling identities and data.
Following are the themes and noteworthy innovations in identity security at the big show. If you couldn't attend, here's a flavor of the deluge of cybersecurity innovation showcased at RSAC.
Identity security continues to garner interest and investment
Identity security has many unsolved problems and plenty of room for efficiency gains, and investors are powering innovation to deliver better identity security outcomes.
Identity continues to attract significant venture investment. Look at recent funding highlights: Persona received $200 million for identity verification, Push Security $30 million for identity threat detection and response (ITDR) and Veza $108 million for identity governance and administration.
As recent research from Enterprise Strategy Group, now part of Omdia, has shown, identity security technology investments continue to grow relative to other areas of cybersecurity investment.
Security for agentic AI: The emerging challenge
The buzzword at RSAC was agentic AI -- a form of nonhuman identity in which agents can reason, plan, learn and adapt.
And if you don't know the acronym MCP, you're not part of the cool kids club. (For those who missed it, MCP stands for Model Context Protocol, a protocol that provides a universal way to securely connect and interact with external data sources, tools and environments.)
Vendors were talking about agentic AI for security -- applying agents to make their products better -- and security for agentic AI -- ensuring agents operate securely. Applying agentic AI to improve security streamlines processes and enables security teams to do more work.
At RSAC, many substantive uses of AI agents to improve security were highlighted, including Microsoft's Security Copilot agents and Google Cloud AI security agents.
One topic that emerged at the show was that even though agentic AI is a multilayered challenge, it is first and foremost an identity problem.
Agentic AI protocols are evolving at an amazingly fast pace. Anthropic introduced MCP in November 2024, Cisco-supported AGNTCY.org arrived in March 2025 and Google's Agent2Agent arrived in April 2025.
Protocol adoption is moving quickly as businesses see an opportunity for efficiency and growth. An agentic AI world will have agents calling agents calling agents. Standard protocols are essential to interoperability across tools, platforms and providers.
If you are operating within one vendor's walled garden -- for example, Salesforce Agentforce or Microsoft Security Copilot agents -- the security is relatively locked down, and authentication and authorization are well-understood. Things get interesting from an identity security perspective when crossing boundaries outside of walled gardens. This is where I expect the enterprise value from agentic AI will be unlocked. But when you start moving and working with valuable information without guardrails and fine-grained authorization, the opportunity arises for fraud and data compromise.
Orchestrating the AI agent ecosystem is a rapidly evolving space. Players are coming at the agentic AI identity security problem from many angles, including the following:
- AI agent access management -- for example, Natoma Labs and Silverfort.
- Identity governance and administration for AI agents -- for example, ConductorOne, Lumos, SailPoint Technologies, Saviynt and Veza.
- Securing AI and MCP server infrastructure -- for example, CyberArk and Teleport.
Enterprises are under pressure to show value from their generative AI investments, and agentic AI offers a clear path to value. The protocols are still being developed, and the threats will eventually materialize, but security leaders should be participating in enterprise conversations with their compliance, CIO and line-of-business colleagues to stay ahead of agentic AI security and deploy agents in a secure and compliant fashion.
Convergence and platforms: The long game
Solution convergence is prevalent across many domains in cybersecurity where there are clear centers of gravity, including endpoint, network security and cloud security. Identity security, in particular, has been a relatively fragmented space.
Most enterprises have one or more products in each of the areas that comprise identity security: identity governance and administration (IGA), access management, privileged access management, ITDR, identity security posture management (ISPM) and nonhuman identity (NHI) security.
This is changing as vendors develop or acquire adjacent functionality. For example, CyberArk acquired Zilla for IGA, Saviynt added ISPM at RSAC, Okta and Microsoft rolled out IGA products, and many vendors have an element of NHI security in their products.
In speaking to practitioners at RSAC, it became clear that the convergence story is a long game. Practitioners have a heterogeneous identity stack today that has accumulated for many reasons. Most practitioners want to make certain they have the best identity technology stack possible now and in the future. The folks I spoke with said they were willing to consider converging with their existing vendors, but the prerequisite was having best-in-class functionality that would make it worth the cost of switching out an existing product. Such changes don't happen overnight -- they take years.
The identity technology convergence story being told is compelling, but it will take time to come to fruition as identity teams methodically improve and evolve their identity technology stacks to solve today's and tomorrow's challenges.
While convergence rolls forward, the flux between platforms and best-of-breed continues. Innovative startups are focusing on significant identity problems: for example, Silverfort, Push Security, Breez and Permiso Security with ITDR, or Passbolt with secure collaboration and credential sharing. Such products will thrive by filling specific gaps that converged products cover inadequately or not at all.
Final thoughts
RSAC 2025 saw a huge volume of announcements, innovations and interesting talks. My research area includes both identity security and data security, but identity security saw so much action at RSAC that I focused this article exclusively on that topic. I highlight RSAC 2025 data security innovations in a separate article.
Something caught your eye at RSAC? Are you a vendor with an interesting product? Reach out to me on LinkedIn.
Todd Thiemann is a principal analyst covering identity access management and data security for Enterprise Strategy Group, now part of Omdia. He has more than 20 years of experience in cybersecurity marketing and strategy.
Enterprise Strategy Group is part of Omdia. Its analysts have business relationships with technology vendors.