RSAC 2026 handed the top innovation award to a tool that finds AI agents you don't know you have. That tells you everything.
The most important award at the world's largest cybersecurity conference didn't go to a firewall. It didn't go to a threat intelligence platform. It didn't go to an AI-powered anything. It didn't go to any of the things you'd expect.
It went to a flashlight.
Geordie. A platform built to do exactly one thing: find the AI agents already running inside your organization that your IT team doesn't know about. Named after the mining safety lamp. The kind miners used when they were working in the dark. A room full of the smartest security minds on the planet gave a standing ovation to a flashlight. They were right to.
I just got back from four days at RSAC 2026. I gave my first RSAC presentation. I spent 90 minutes with the man who invented Zero Trust. I survived a near-kidnapping by a confused Waymo. I'll get to all of it.
But sit with the Geordie moment a little longer.
Geordie won because shadow AI agents are now the defining security problem of this moment. Not a future problem. A right-now problem. Your employees figured out AI agents months before your IT team did. The agents are already up and running. They already have access to your data and systems. The question isn't whether to govern them. The question is whether you can even see them.
Most organizations can't.
Key takeaways:
Geordie won RSAC 2026's top innovation award for one reason: it finds the AI agents already running inside your organization that nobody else has cataloged.
George Kurtz of CrowdStrike named three governance gaps that appear in every company deploying AI at scale: invisible reasoning, no kill switch, and speed mismatch.
ClawHavoc, the first known supply chain attack on agentic AI infrastructure, planted 1,100 poisoned skills in OpenClaw. It was real, in the wild, and already happened.
Zero Trust creator John Kindervag's view: no single identity signal is secure on its own. Security comes from evaluating the full collection of signals together.
Cisco's Jeetu Patel said it from the keynote stage: governance is shifting from access control to action control. Most AI deployments haven't made that distinction yet.
Why did the top RSAC 2026 award go to a flashlight?
Geordie was named after a miner's safety lamp because that's what it does. It lights up the AI agents already running inside your environment that nobody approved, nobody documented, and nobody can shut down. The Innovation Sandbox at RSAC 2026 gave it the top award because shadow AI agents have become the defining security problem of this moment, not a future risk to plan for.
Most organizations have no idea how many AI agents are running on their data right now. Marketing built one. Sales built one. Finance built three. None of them went through IT. None of them have audit logs. None of them have kill switches. The first time you find out is when one of them does something you have to answer for.
Geordie wins because it solves the problem that comes before every other AI governance question: visibility.
What three gaps make up the Agent Governance Gap?
George Kurtz, the CEO of CrowdStrike, named three governance gaps in his RSAC remarks. Every organization I've talked to has some version of all three. Invisible reasoning. No kill switch. Speed mismatch. Plus a fourth that nobody named directly from a keynote stage: nobody on the team has been told they're personally accountable.
Invisible reasoning. Your AI agent makes a decision, takes an action, and moves on. There's no record of why. When something goes wrong, and something will, you have nothing to trace. You're stuck with an outcome nobody can explain.
No kill switch. Kurtz asked executives in that room how they would stop a compromised agent. Most couldn't answer. They'd deployed something with no documented way to shut it down.
Speed mismatch. You act in minutes. Your AI agent acts in milliseconds. By the time your security team notices something is off, the agent has already taken 50 more actions. The damage is done before the first meeting gets scheduled.
What is the ClawHavoc attack and why does it matter?
ClawHavoc is the first known supply chain attack on agentic AI infrastructure. An attacker planted 1,100 poisoned skills inside OpenClaw, the open framework many enterprise AI agents are built on. Not a proof of concept in a research lab. An actual attack, in the wild, that already happened.
Your AI agents are already a target. The only question is whether you'll know when they're hit. Most organizations can't answer that question yet.
What did Zero Trust creator John Kindervag say over lunch?
John Kindervag invented Zero Trust. He also wrote the foreword for my book. We spent 90 minutes together at RSAC. His view on identity: no single signal is secure on its own. FIDO, 802.1x, OAuth tokens, any credential in isolation can be beaten. 802.1x can be bypassed two ways: plug in a hub, or sniff traffic to figure out routing. Real security comes from evaluating the full collection of signals together. Not trusting any one thing in isolation.
He also said his favorite weapon has always been a map. Because you cannot protect what you cannot see.
Sit with that alongside Geordie for a second. Geordie is the lamp. It lights up what's in the dark. John's map tells you what to do once you can see it. One shows you where your agents are. The other tells you where they're allowed to go.
Right now, most companies don't have either.
John invited me to join a major industry campaign he's leading with Andrew Rubin, CEO of Illumio. The thesis: cybersecurity has always been broken. I said yes immediately. When the person who invented Zero Trust tells you where the next frontier is, you don't think twice.
What did keynote speakers stop short of saying out loud?
Joshua Wright from SANS put it most directly in his annual top-five attack techniques talk. We're still failing at the basics. Attackers exploit new vulnerabilities in minutes. They penetrate in minutes. They move laterally in seconds. Most organizations are still patching quarterly. AI didn't create that problem. It handed it a rocket ship. The attackers have AI too. They're not waiting for your change management process.
Most companies haven't solved the 2019 security problems yet. And now they're about to add 1.3 billion new attack surfaces on top of them.
Nobody on a keynote stage said it that directly. So I'm saying it here.
What four questions should you ask your leadership team this week?
Take these to your team. Don't accept vague answers. This is the level of directness we need.
1. Can you show me every AI agent running in our environment right now? If they can't produce a list in 24 hours, you have a Geordie problem. Agents you can't see are making decisions you can't trace.
2. If one of our agents was compromised right now, how would we know? And what's the documented process to shut it down? No documented process means no kill switch. Most teams fail this question immediately.
3. When our agents make decisions, is there a record of why? No audit trail means no accountability. When something goes wrong, you'll have no way to investigate.
4. What is each agent permitted to do, not just access? Cisco's Jeetu Patel said it from the keynote stage: we're moving from access control to action control. Access to your email system isn't the same as permission to send an email on your behalf. Most AI deployments haven't made that distinction yet.
If your team answers all four clearly and confidently, you're ahead of almost every company I talked to at RSAC. If they can't, that's exactly where you start. Today.
What would you do if you were a CEO right now?
I've spent 30 years inside enterprise security. I run my own agentic AI lab. I just spent four days at the world's largest cybersecurity conference. I've talked to dozens of CISOs about exactly this problem. Here's what I would do this quarter. Not someday. This quarter.
Require a full agent inventory. Every AI agent running in my environment, who approved it, what it has access to, and what it's permitted to do. If my team couldn't produce that list in 72 hours, that would be my first board agenda item.
Require a kill switch policy. Every agent gets a documented shutdown procedure before it goes live. Not after something goes wrong. Before. Kurtz asked a room full of executives if they had one. Most didn't.
Separate access from action. My agents would have permission to perform specific actions for specific tasks, not blanket access to systems. The difference between "can read email" and "can send email on my behalf" is the difference between a useful tool and a liability.
Require audit logging on every agent decision. If my agent takes an action and there's no record of why, that agent doesn't run in my environment. Full stop.
Assign a human owner to every agent. Not a team. A person. Someone whose name is on it. Accountability changes behavior, even when the behavior is being set by a machine.
None of this requires a new vendor. No new platform. No six-month implementation. These are governance decisions. You make them in a meeting and enforce them in the next deployment cycle. Governed agents earn trust. Trusted agents get more autonomy. That's where the real productivity lives.
Why does Zero Trust break with AI agents?
Zero Trust was built on one idea: never trust, always verify. Verify identity. Verify device. Verify access rights. Verify the request itself. Grant the minimum needed. Monitor behavior over time. That model has a hidden assumption nobody talks about. The entity being trusted is a human who acts slowly enough for a security team to monitor and respond. AI agents shatter that assumption.
A human employee has a consistent identity. A behavioral baseline. A pattern your security team can monitor over time and flag when something changes. An AI agent doesn't have any of that. Its identity is a credential that can be shared, spoofed, or compromised. Its behavior isn't a pattern you evaluate the way you'd evaluate a person's judgment. It acts at a speed where, by the time you're monitoring, it's already done.
John Kindervag put it plainly at lunch. No single identity signal is enough. Real security comes from evaluating the full collection of signals together. That maps directly to how the Agentic Trust Framework approaches identity: as one of five elements that work together, not a standalone control you check once and move on.
The ATF extends Zero Trust by adding two things the original model never needed. Action-level controls, not just access-level. And real-time behavioral monitoring, not retrospective audits after the damage is done.
Every major keynote at RSAC named this independently. Vasu Jakkal from Microsoft named four pillars of continuous agent governance: identity, policy-driven, behavior-aware, self-enforcing. Jeetu Patel from Cisco named the access-to-action shift. Kurtz named the three governance gaps that appear when those elements are missing. Splunk's John Morgan literally called for "an agentic trust and governance model" from the stage.
They were all describing the same thing from different stages. Geordie tells you what agents you have. The Agentic Trust Framework tells you what they should be allowed to do and how to know when they're doing something else. That combination is what good looks like.
Almost nobody has it yet. The window to get ahead of it is smaller than most leaders realize.
What did a runaway Waymo teach me about kill switches?
On Sunday night, before the conference officially started, Gadi Evron hosted his annual Old Pharts birthday party on a rooftop in San Francisco. The rule to get in: shoes off at the door. Day one of a four-day conference. Everyone in their conference socks. The pile at the entrance was enormous. Standing in stinky socks on that rooftop were some of the most influential people in cybersecurity. Just talking. No badges, no vendor pitches, no keynote slides, no agendas.
When I finally put my shoes back on, I ran into G Mark Hardy, host of the CISO Tradecraft podcast. Same hotel. He jumped in my Waymo. A Waymo is a fully autonomous, driverless car. No human behind the wheel. It goes where the algorithm decides.
Somewhere on Van Ness, it started looping. Back up the street. Around again. Mark and I looked at each other. Two cybersecurity professionals. Both of us spend our careers telling companies never to unconditionally trust an autonomous system.
Sitting in an autonomous system. Unconditionally.
For about 30 seconds, we genuinely wondered if we were being kidnapped by a Waymo. We were fine. The route was just bad. But I'll think about that moment every time I talk about the risks of delegating decisions to autonomous agents without a kill switch.
That lesson applies to me too.
Frequently asked questions
What is shadow AI?
Shadow AI is any AI agent or tool running on your company's data without IT approval. Marketing builds one to draft emails. Sales builds one to qualify leads. Finance builds three for forecasting. None of them go through security. None of them have logs. The first time most teams find out about a shadow AI agent is after it does something they have to answer for.
Why is "access" different from "action"?
Access tells the agent what systems it can reach. Action tells the agent what it's allowed to do inside those systems. "Read email" is access. "Send an email on your behalf" is action. Most AI deployments grant broad access and assume the agent will only use what it needs. The new generation of governance, named from the RSAC keynote stage by Cisco's Jeetu Patel, controls the action itself.
What's the fastest way to find shadow AI agents in my company?
Geordie is purpose-built for it. If you want to do it manually: ask your business unit leaders separately, run network logs against known AI provider endpoints, scan for credential usage on those endpoints, and audit finance for unexplained AI-platform charges. The point isn't the tool. It's that visibility comes before governance.
What is the Agentic Trust Framework?
The Agentic Trust Framework (ATF) extends Zero Trust for AI agents. It defines five elements every agent needs: identity, behavioral monitoring, capability boundaries, audit trail, and recovery. The free assessment at verifiedagents.ai walks through all five in about ten minutes.
Where does the Geordie name come from?
Geordie is the name of the safety lamp invented by George Stephenson in the early 1800s for British coal miners. It let miners see in dark mines without igniting flammable gases. The product was named after it because shadow AI agents are the same kind of problem: invisible until something goes wrong, dangerous because of what's already there.
The bottom line
The biggest award at the largest cybersecurity conference in the world went to a flashlight, because most companies can't see what's already running in their own environment. The fix isn't more tools. The fix is governance. A list of every agent. A documented kill switch. Action-level scopes. An audit trail for every decision. A named human owner.
What AI agents are running in your environment that your security team doesn't know about?
Want to see where your organization stands? The free Agentic Trust Framework assessment at verifiedagents.ai takes ten minutes. For a deeper read, check out Agentic AI + Zero Trust: A Guide for Business Leaders and the Agentic Trust Framework.