This is likely one of the more consequential shifts on show at RSAC this year. Governance, long treated as friction, is being reframed as infrastructure, something that must be automated if AI-driven development is to scale.
The trade-off is complexity. Chainloop's model requires organizations to think in terms of systems, provenance, and policy frameworks, not just tools. But for teams already grappling with software supply chain risk, that abstraction may be exactly what's needed.
FireTail: Gaining visibility into AI usage across the organization
Described as an end-to-end AI security platform, FireTail takes a step back to answer a broader question: who is using AI, and how.
This may seem basic, but it isn't a solved problem. As AI tools proliferate, usage often spreads beyond development teams to include product managers, analysts, and other business functions. In many cases, organizations lack a clear inventory of which tools are in use, what data is being shared, and where risks may be introduced.
FireTail focuses on providing that visibility.
The platform monitors both employee usage, such as interactions with tools like ChatGPT, and application-level usage, such as agents built on cloud AI services. It aggregates this activity into unified log streams, where it can detect potential issues like data leakage, policy violations, or anomalous behavior.
"The first use case for every customer is understanding who's using what AI service," FireTail founder Jeremy Snyder said. From there, organizations can define policies and, in some cases, enforce them, particularly at the endpoint or browser level.
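To make the "who is using what" inventory and the three detection categories concrete, here is an added example in Python. It is not FireTail's code and does not reflect its log format: the JSON-lines event shape, the approved-service allow-list, the secret patterns treated as data leakage, and the burst threshold used as the anomaly rule are all assumptions constructed for this illustration, as are the sample events themselves.

```python
"""AI-usage inventory and policy checks over a unified log stream.

Added illustration, not FireTail's code. Event format, allow-list, secret
patterns and burst threshold are assumptions made for this example.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the organisation's approved AI services.
APPROVED_SERVICES = {"chatgpt", "bedrock"}

# Assumption: prompt content matching any of these is treated as data leakage.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Assumption: more than BURST_THRESHOLD prompts from one identity inside
# BURST_WINDOW is reported as anomalous behaviour.
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 5

# Constructed sample events: browser-level (employee) and application-level (agent) usage.
SAMPLE_LOG = """
{"ts":"2026-03-30T09:01:00Z","source":"browser","user":"alice","service":"chatgpt","prompt":"summarize this release plan"}
{"ts":"2026-03-30T09:02:10Z","source":"browser","user":"bob","service":"chatgpt","prompt":"fix my sql: select * from orders"}
{"ts":"2026-03-30T09:03:00Z","source":"app","user":"svc-support-agent","service":"bedrock","prompt":"draft a reply to ticket 4412"}
{"ts":"2026-03-30T09:04:30Z","source":"browser","user":"carol","service":"unknown-llm.example","prompt":"rewrite this paragraph"}
{"ts":"2026-03-30T09:05:00Z","source":"browser","user":"bob","service":"chatgpt","prompt":"why does this fail? AKIAIOSFODNN7EXAMPLE"}
{"ts":"2026-03-30T09:05:05Z","source":"browser","user":"bob","service":"chatgpt","prompt":"retry"}
{"ts":"2026-03-30T09:05:10Z","source":"browser","user":"bob","service":"chatgpt","prompt":"retry"}
{"ts":"2026-03-30T09:05:15Z","source":"browser","user":"bob","service":"chatgpt","prompt":"retry"}
{"ts":"2026-03-30T09:05:20Z","source":"browser","user":"bob","service":"chatgpt","prompt":"retry"}
{"ts":"2026-03-30T09:05:25Z","source":"browser","user":"bob","service":"chatgpt","prompt":"retry"}
"""


def parse_events(text):
    """Parse JSON-lines events; timestamps become timezone-aware datetimes."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def inventory(events):
    """Who is using which AI service: service -> sorted list of identities."""
    users = defaultdict(set)
    for ev in events:
        users[ev["service"]].add(ev["user"])
    return {svc: sorted(u) for svc, u in sorted(users.items())}


def find_findings(events):
    """Apply the three rule families: unapproved service, secret in prompt, burst."""
    findings = []
    by_user = defaultdict(list)
    for ev in events:
        if ev["service"] not in APPROVED_SERVICES:
            findings.append({"kind": "policy_violation", "user": ev["user"],
                             "service": ev["service"]})
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(ev["prompt"]):
                findings.append({"kind": "data_leakage", "user": ev["user"],
                                 "service": ev["service"], "pattern": name})
        by_user[ev["user"]].append(ev["ts"])
    # Sliding window per identity: report the first window that exceeds the threshold.
    for user, stamps in by_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 > BURST_THRESHOLD:
                findings.append({"kind": "anomaly", "user": user,
                                 "count": end - start + 1})
                break
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for service, who in inventory(evs).items():
        print(f"{service:22} {', '.join(who)}")
    for f in find_findings(evs):
        print(f)
```

The inventory alone answers the "who's using what" question; the findings list shows why a unified stream matters, since the unapproved service, the leaked key and the burst each come from a different slice of the same events.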
This is a different kind of control point. It's less about enforcing behavior within the pipeline and more about establishing baseline visibility and governance across the organization. That distinction makes FireTail both broadly useful and somewhat peripheral to the core development life cycle. Visibility is a prerequisite for control, but enforcement requires additional measures.
Still, as AI adoption expands beyond engineering, that visibility may become a necessary first step, especially for organizations trying to understand their exposure before deciding how to manage it.
Raven: Enforcing trust where code runs
At the far end of the software life cycle, Raven represents a different kind of shift. Instead of focusing on code before it runs, Raven focuses on what happens when it does.
We described Raven last year as a runtime platform focused on prioritization and detection. This year, the emphasis has changed. The company is now pushing toward runtime prevention, with a more aggressive stance on what matters and what doesn't.
The core idea is simple. Static analysis produces large volumes of vulnerabilities, many of which are never exercised in production. At the same time, AI is reducing the time it takes to discover and exploit real weaknesses. As a result, the traditional model of scanning for known issues and prioritizing them based on CVEs is losing relevance.
Raven's response is to focus on behavior at runtime, rather than signatures or known vulnerabilities. By observing how code executes within the application, the platform attempts to identify and stop exploit activity directly, regardless of whether a vulnerability has been cataloged. As Raven co-founder and CEO Roi Abitboul put it, "We stop relying on CVEs and look at what the application is actually doing."
That is a strong claim, but it reflects a broader trend.
The company uses a kernel-level approach to monitor application behavior without injecting code or modifying the runtime environment, with the goal of minimizing performance impact. From that vantage point, it can identify anomalous behavior in libraries or functions and block execution in real time.
This is also where Raven diverges from much of the current AI narrative. While many vendors emphasize AI-driven detection, Raven argues that AI is too slow for real-time prevention and instead uses it selectively for analysis and prioritization tasks. The result is a model that treats runtime as the ultimate control point. If earlier stages fail or are bypassed, enforcement still happens where the code executes.
That position is not new in principle, but the context is. As AI accelerates both development and exploit generation, the gap between vulnerability discovery and exploitation continues to shrink. In that environment, runtime enforcement becomes less of a fallback and more of a primary defense.
Seezo: Securing what gets built, before code exists
One of the most dramatic shifts in information security is happening at the very start of the development life cycle.
In earlier years, application security vendors focused on scanning code after it was written. Seezo is betting that, in an AI-driven world, that's already too late. The company focuses on generating security requirements before code is written, shaping how both developers and AI agents build systems from the outset. The premise is simple: if AI is producing large volumes of code, then controlling what gets built becomes more important than analyzing what was built after the fact.
As Seezo co-founder and CEO Sandesh Mysore Anand put it, "The cost of producing code has gone to zero, while the cost of reviewing code is still very high."
That imbalance is driving a quiet but significant change. Instead of interrupting developers with scans and findings, Seezo inserts security into the requirements layer, the one place both humans and AI systems rely on to understand intent.
This isn't just a shift-left story. It's a recognition that when AI agents are writing code, they're also reading instructions. If those instructions include security constraints, the resulting code improves before it ever hits a pipeline.
The trade-off is clear. This approach depends on organizations adopting a more disciplined requirements process, something many teams have historically resisted. But as AI increases output, that discipline may become less optional.
TestifySec: Turning compliance into a continuous control
Promising to turn the development pipeline into a "live audit feed," TestifySec is tackling a stubborn bottleneck: compliance as a gating function.
In traditional environments, proving that software meets regulatory or security requirements is slow, manual, and often disconnected from how code is actually built. That lag becomes a real problem when development accelerates, especially when AI agents are generating changes faster than teams can review them.
To answer this challenge, TestifySec moves compliance into the pipeline itself, using an evidence-based model. Instead of relying on documentation and manual audits, the platform maps code, test results, and artifacts directly to security controls and evaluates them continuously.
"Organizations can now write software fast, but we can't ship it any faster because we can't measure it," TestifySec co-founder and CEO Cole Kennedy said. That measurement gap is what TestifySec is trying to close.
The platform uses AI agents to analyze what evidence should exist for a given control, then looks for that evidence across the codebase, pipeline outputs, and supporting artifacts. In practice, that means developers can get feedback on compliance before code is merged, rather than waiting for a downstream audit cycle.
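The evidence-based model described above amounts to a gate that evaluates controls against pipeline artifacts rather than against documents. The following Python is an added example of that shape, not TestifySec's code: the control IDs, the evidence record names, the predicates, and the artifact records are all constructed here (the control-to-evidence mapping is hand-written where the platform has its agents derive it). Two failure modes a practitioner would want handled are shown explicitly: evidence that is simply absent, and evidence that exists but was produced for a different build.

```python
"""Evidence-based control evaluation for a CI gate.

Added illustration, not TestifySec's code. Control IDs, evidence names and
the artifact records are constructed for this example.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable

# The artifact under evaluation; every evidence record must be bound to this digest.
BUILD_DIGEST = "sha256:" + hashlib.sha256(b"constructed release artifact").hexdigest()

# Constructed evidence records, one per pipeline step, each naming its subject.
EVIDENCE = {
    "sbom":       {"subject": BUILD_DIGEST, "format": "cyclonedx", "components": 214},
    "unit_tests": {"subject": BUILD_DIGEST, "passed": 318, "failed": 0},
    "signature":  {"subject": BUILD_DIGEST, "verified": True, "signer": "ci@example.com"},
    # Stale: produced for a previous build, so it must not count for this one.
    "vuln_scan":  {"subject": "sha256:" + "0" * 64, "critical": 0, "high": 1},
    # No "code_review" record at all: that control is unevaluable, not "pass".
}


@dataclass(frozen=True)
class Control:
    id: str
    description: str
    evidence: str                   # which evidence record the control consumes
    check: Callable[[dict], bool]   # predicate over that record


# Assumption: a small hypothetical control set; real frameworks map differently.
CONTROLS = [
    Control("CTL-SBOM", "release ships with a component inventory", "sbom",
            lambda r: r["components"] > 0),
    Control("CTL-TESTS", "unit test suite passes", "unit_tests",
            lambda r: r["failed"] == 0 and r["passed"] > 0),
    Control("CTL-SIGN", "artifact signed by the build identity", "signature",
            lambda r: r["verified"] and r["signer"].endswith("@example.com")),
    Control("CTL-VULN", "no critical vulnerabilities", "vuln_scan",
            lambda r: r["critical"] == 0),
    Control("CTL-REVIEW", "change approved by a second reviewer", "code_review",
            lambda r: r["approvals"] >= 1),
]


def evaluate(controls, evidence, build_digest):
    """Return {control_id: {"status": ..., "reason": ...}} for every control.

    Only evidence bound to this build and satisfying the predicate yields "pass";
    missing and stale evidence are reported as such instead of silently passing.
    """
    results = {}
    for c in controls:
        rec = evidence.get(c.evidence)
        if rec is None:
            status, reason = "missing", f"no '{c.evidence}' evidence was produced"
        elif rec.get("subject") != build_digest:
            status, reason = "stale", f"'{c.evidence}' evidence refers to a different artifact"
        elif c.check(rec):
            status, reason = "pass", c.description
        else:
            status, reason = "fail", f"'{c.evidence}' evidence present but {c.description} not met"
        results[c.id] = {"status": status, "reason": reason}
    return results


def gate_open(results):
    """Merge or ship only when every control passed on evidence bound to this build."""
    return all(r["status"] == "pass" for r in results.values())


if __name__ == "__main__":
    res = evaluate(CONTROLS, EVIDENCE, BUILD_DIGEST)
    for cid, r in res.items():
        print(f"{cid:11} {r['status']:8} {r['reason']}")
    print("gate:", "open" if gate_open(res) else "blocked")
```

With the constructed records the gate stays closed for two different reasons, a stale scan and an absent review, and the per-control reasons are what a developer would see before merge instead of at audit time. Binding evidence to the artifact digest is the detail that keeps a previous build's results from satisfying this one.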
This is a subtle but significant shift. Compliance moves from being a post hoc validation step to a continuous signal within CI/CD.
The challenge is trust. Automated compliance has been promised before, and organizations are generally cautious about replacing human validation with machine-generated assessments. But as development speed increases, the alternative may be worse: a growing backlog of software that can't be shipped because it can't be certified.
Every direction at once
If there was a single takeaway from RSAC 2026, it's that the industry is no longer arguing about whether AI will change software development. It already has.
What is still being worked out is where security belongs when the boundaries between development, deployment, and execution no longer hold. The vendors highlighted here are not converging on a single answer. Instead, they're redefining control points across the entire life cycle, from requirements and toolchains to pipelines, runtime, and workflows.
Some of these approaches will prove more durable than others. Not every new layer will become a category, and not every claim will hold up under real-world pressure. But the direction is clear. As AI compresses the software development life cycle and accelerates both development and exploitation, security can no longer rely on isolated checkpoints.
Trust has to be enforced continuously, and in more places than before.
The challenge for organizations is not just adopting new tools, but deciding where those control points should live in their environments. The answer will differ, but the underlying shift is the same: security is no longer a stage. It's part of the system itself.
