This is among the extra consequential shifts on show at RSAC this 12 months. Governance, lengthy handled as friction, is being reframed as infrastructure, one thing that should be automated if AI-driven growth is to scale.
The trade-off is complexity. Chainloop’s mannequin requires organizations to assume when it comes to methods, provenance, and coverage frameworks, not simply instruments. However for groups already grappling with software program provide chain threat, that abstraction could also be precisely what’s wanted.
FireTail: Gaining visibility into AI utilization throughout the group
Described as an end-to-end AI safety platform, FireTail takes a step again to reply a broader query: who’s utilizing AI, and the way.
This will likely appear fundamental, however it isn’t a solved drawback. As AI instruments proliferate, utilization usually spreads past growth groups to incorporate product managers, analysts, and different enterprise capabilities. In lots of circumstances, organizations lack a transparent stock of which instruments are in use, what knowledge is being shared, and the place dangers could also be launched.
FireTail focuses on offering that visibility.
The platform displays each worker utilization, comparable to interactions with instruments like ChatGPT, and application-level utilization, comparable to brokers constructed on cloud AI providers. It aggregates this exercise into unified log streams, the place it could actually detect potential points like knowledge leakage, coverage violations, or anomalous conduct.
“The primary use case for each buyer is figuring out who’s utilizing what AI service,” FireTail founder Jeremy Snyder mentioned. From there, organizations can outline insurance policies and, in some circumstances, implement them, notably on the endpoint or browser stage.
It is a totally different type of management level. It’s much less about imposing conduct inside the pipeline and extra about establishing baseline visibility and governance throughout the group. That distinction makes FireTail each broadly helpful and considerably peripheral to the core growth life cycle. Visibility is a prerequisite for management, however enforcement requires further measures.
Nonetheless, as AI adoption expands past engineering, that visibility might grow to be a vital first step, particularly for organizations making an attempt to know their publicity earlier than deciding learn how to handle it.
Raven: Implementing belief the place code runs
On the far finish of the software program life cycle, Raven represents a special type of shift. As an alternative of specializing in code earlier than it runs, Raven focuses on what occurs when it does.
We described Raven final 12 months as a runtime platform targeted on prioritization and detection. This 12 months, the emphasis has modified. The corporate is now pushing towards runtime prevention, with a extra aggressive stance on what issues and what doesn’t.
The core concept is simple. Static evaluation produces giant volumes of vulnerabilities, a lot of that are by no means exercised in manufacturing. On the similar time, AI is lowering the time it takes to find and exploit actual weaknesses. Consequently, the normal mannequin of scanning for recognized points and prioritizing them based mostly on CVEs is dropping relevance.
Raven’s response is to concentrate on conduct at runtime, reasonably than signatures or recognized vulnerabilities. By observing how code executes inside the appliance, the platform makes an attempt to determine and cease exploit exercise instantly, no matter whether or not a vulnerability has been cataloged. As Raven co-founder and CEO Roi Abitboul put it, “We cease counting on CVEs and take a look at what the appliance is definitely doing.”
That could be a robust declare, however it displays a broader pattern.
The corporate makes use of a kernel-level strategy to look at software conduct with out injecting code or modifying the runtime surroundings, with the objective of minimizing efficiency affect. From that vantage level, it could actually determine anomalous conduct in libraries or capabilities and block execution in actual time.
That is additionally the place Raven diverges from a lot of the present AI narrative. Whereas many distributors emphasize AI-driven detection, Raven argues that AI is simply too gradual for real-time prevention and as an alternative makes use of it selectively for evaluation and prioritization duties. The result’s a mannequin that treats runtime as the last word management level. If earlier levels fail or are bypassed, enforcement nonetheless occurs the place the code executes.
That place will not be new in precept, however the context is. As AI accelerates each growth and exploit technology, the hole between vulnerability discovery and exploitation continues to shrink. In that surroundings, runtime enforcement turns into much less of a fallback and extra of a major protection.
Seezo: Securing what will get constructed, earlier than code exists
Some of the dramatic shifts in info safety is occurring on the very begin of the event life cycle.
In earlier years, software safety distributors targeted on scanning code after it was written. Seezo is betting that, in an AI-driven world, that’s already too late. The corporate focuses on producing safety necessities earlier than code is written, shaping how each builders and AI brokers construct methods from the outset. The premise is easy: if AI is producing giant volumes of code, then controlling what will get constructed turns into extra vital than analyzing what was constructed after the very fact.
As Seezo co-founder and CEO Sandesh Mysore Anand put it, “The price of producing code has gone to zero, whereas the price of reviewing code remains to be very excessive.”
That imbalance is driving a quiet however vital change. As an alternative of interrupting builders with scans and findings, Seezo inserts safety into the necessities layer, the one place each people and AI methods depend on to know intent.
This isn’t only a shift-left story. It’s a recognition that when AI brokers are writing code, they’re additionally studying directions. If these directions embrace safety constraints, the ensuing code improves earlier than it ever hits a pipeline.
The trade-off is apparent. This strategy will depend on organizations adopting a extra disciplined necessities course of, one thing many groups have traditionally resisted. However as AI will increase output, that self-discipline might grow to be much less non-compulsory.
TestifySec: Turning compliance right into a steady management
Promising to show the event pipeline right into a “stay audit feed,” TestifySec is tackling a cussed bottleneck: compliance as a gating operate.
In conventional environments, proving that software program meets regulatory or safety necessities is gradual, guide, and infrequently disconnected from how code is definitely constructed. That lag turns into an actual drawback when growth accelerates, particularly when AI brokers are producing modifications sooner than groups can evaluate them.
To reply this problem, TestifySec strikes compliance into the pipeline itself, utilizing an evidence-based mannequin. As an alternative of counting on documentation and guide audits, the platform maps code, check outcomes, and artifacts on to safety controls and evaluates them constantly.
“Organizations can now write software program quick, however we are able to’t ship it any sooner as a result of we are able to’t measure it,” TestifySec co-founder and CEO Cole Kennedy mentioned. That measurement hole is what TestifySec is making an attempt to shut.
The platform makes use of AI brokers to research what proof ought to exist for a given management, then seems for that proof throughout the codebase, pipeline outputs, and supporting artifacts. In apply, meaning builders can get suggestions on compliance earlier than code is merged, reasonably than ready for a downstream audit cycle.
It is a refined however vital shift. Compliance strikes from being a submit hoc validation step to a steady sign inside CI/CD.
The problem is belief. Automated compliance has been promised earlier than, and organizations are typically cautious about changing human validation with machine-generated assessments. However as growth velocity will increase, the choice could also be worse: a rising backlog of software program that can not be shipped as a result of it can’t be licensed.
Each course directly
If there was a single takeaway from RSAC 2026, it’s that the trade is now not arguing about whether or not AI will change software program growth. It already has.
What remains to be being labored out is the place safety belongs when the boundaries between growth, deployment, and execution now not maintain. The distributors highlighted right here usually are not converging on a single reply. As an alternative, they’re redefining management factors throughout the complete life cycle, from necessities and toolchains to pipelines, runtime, and workflows.
A few of these approaches will show extra sturdy than others. Not each new layer will grow to be a class, and never each declare will maintain up below real-world strain. However the course is evident. As AI compresses the software program growth life cycle and accelerates each growth and exploitation, safety can now not depend on remoted checkpoints.
Belief must be enforced constantly, and in additional locations than earlier than.
The problem for organizations isn’t just adopting new instruments, however deciding the place these management factors ought to reside of their environments. The reply will fluctuate, however the underlying shift is similar: safety is now not a stage. It’s a part of the system itself.