Several ISACA members attended the 2025 RSA Conference in San Francisco, California.
Read the top takeaways members gathered from the conference, especially on industry trends involving AI.
Gaëlle Koanda, CISM, CISA
While AI’s technical potential was widely celebrated at RSA, the conversations about ethical deployment and governance left the greatest impression. From enterprise leaders to policymakers, there was consensus: we must act now to establish robust oversight mechanisms for AI systems. These mechanisms must address not only data integrity and security, but also the long-term impact on human decision-making and societal trust. ISACA members are well-positioned to lead this charge. Our global community brings expertise in assurance, controls, audit, and risk — all essential to ensuring that AI serves the public good while aligning with enterprise strategy. RSA reinforced the urgency of embedding AI oversight into our governance frameworks today — not after the damage is done.
Another theme that resonated was the value of inclusive leadership, not just as a cultural asset, but as a business strength. Across panels, roundtables, and private forums, it became clear that teams who understand different environments, markets and lived experiences are better equipped to detect emerging risks, respond with agility and serve diverse stakeholders.
RSA affirmed that building strong, diverse teams is not an aspiration, but a strategic imperative for long-term success. RSA reminded me that while our tools and technologies are evolving rapidly, our core values — integrity, foresight, collaboration — must remain constant. For ISACA professionals, the message is clear: let us continue to lead with courage, act with clarity and expand the table so that excellence in cybersecurity is informed by all who have something to contribute.
Mary Carmichael, ISACA Vancouver Chapter President
As a first-time attendee at RSAC, I was struck by how the theme “One Community, Many Voices” came to life. I came expecting technical deep-dives and those were there, but what stood out even more was the range of perspectives represented. Cybersecurity is no longer a siloed discipline; it’s a multidisciplinary effort where startups, policymakers, governance leaders, academics and technologists all have a role to play. This diversity isn’t just refreshing; it’s essential. As the threat landscape evolves, so must our collaboration. From AI and quantum risks to cyber resilience and trust, the sessions revealed how expansive the conversation has become and reminded me that progress in cybersecurity depends on many voices working together.
Dooshima Dabo'Adzuana, Researcher, Boise State University
Attending RSA for the first time was an unforgettable experience, and Magic Johnson’s keynote truly set the tone. His insights on leadership stood out—he emphasized that competition sharpens excellence, mentors elevate growth and true leadership is about building up others. Success, he reminded us, is never a solo journey—it’s about the strength of the team you surround yourself with. Another compelling theme across the conference was the rise of cyber diplomacy. As digital threats transcend borders, nations are increasingly engaging in dialogue to shape norms around cybersecurity, internet governance and data privacy. This was particularly evident on the RSAC expo floor—Germany, Korea, Italy, and Saudi Arabia all showcased how government policies and regional services are aligning to meet global challenges in the digital era.
Jamie Norton, ISACA Board Director
I attended the annual Cryptographers' Panel, and this year the panel covered topics such as securing AI and cryptocurrency’s shortcomings, alongside an update on the current state of quantum computing. The debate echoed findings from ISACA’s recent Quantum Computing Pulse Poll, with the recommendation to start implementing post-quantum cryptography today.
Wickey Wang, ISACA Emerging Trends Working Group member
CISOs and tech experts from industry giants like OpenAI, Meta and Anthropic showcased their internal security applications at RSA, spanning blue teaming operations, supply chain security enhancements, automated ticket queues, code reviews and streamlined questionnaire processes. The evolution of tool functionalities, data integrations via protocols like MCP and A2A, and the continuous enhancement of self-reflective prompt generation are paving the way for a surge in diverse AI applications. The tech landscape underscores the significance of AI as a business enabler, emphasizing risk management and compliance adherence, while also highlighting the need for tailored solutions aligned with diverse business requisites.
As the conference came to a close, I walked away not just with new insights into the evolving threat landscape and cutting-edge technologies, but with deeper connections and renewed energy for the work ahead. RSA is a reminder that cybersecurity is not just about tools and frameworks — it’s about a global community solving complex problems together. I'm already looking forward to the next opportunity to learn, share and grow with this vibrant ecosystem.
Varun Prasad, CISA, CISM
Walking the expo floor gives you a good sense of the current trends in the industry and problems companies are trying to solve. These were the key categories of products that were displayed at the RSA expo:
- AI-powered SOC: AI-enabled threat detection and response seems to be a well-ironed use case now that companies should look to implement.
- Asset and identity inventory management: There's a renewed focus on reducing the attack surface given the potent force of AI-powered cyber attacks. From an IAM perspective, it is important to catalog, manage and periodically review the non-human identities (NHI). The NHIs are often blind spots creating entry points for malicious users.
- Application code/security vulnerability management: This is a very crucial and must-have aspect in the era of vibe coding. As developers tend to rely more on AI-based tools for writing code, one must quickly realize that this leads to an increase in software vulnerabilities. Hence, it's all the more urgent to have a robust application security program to ensure that any code is appropriately scanned and applicable findings are addressed before being deployed to production systems.
- Increase in GRC platforms: As a digital trust professional, I was excited to see the focus on compliance and third-party attestation. Companies must look to leverage the various attestation standards or frameworks like SOC 2, ISO 27001 or ISO 42001 and get certified to demonstrate their strong risk and security posture to their customers and prospects.
Editor’s note: ISACA members Mary Carmichael and Dooshima Dabo'Adzuana presented a session at RSA Conference, “Vendor Vulnerability: Get Ahead of Third-Party AI Risk.” Read a recap of the session here. For additional AI resources from ISACA, including the new Advanced in AI Audit certification, visit www.isaca.org/ai.