
RSA 2025 Reflections: The Conversation Beneath the Noise


By Kevin Hanes, CEO at Reveal Security

Like every year, RSA 2025 was a sensory overload – in the best and worst ways. The buzz of AI was everywhere. The show floor was packed with acronyms and animated product demos (along with puppies, goats, monster trucks and American Ninja Warrior-type challenges?!).  But step a few blocks away from Moscone, into the conversations over coffee or dinners, and you could hear a different tone.

This year wasn’t just about what vendors were saying on the show floor – it was about what CISOs were quietly discussing off of it.

1. SaaS and Cloud Have Left the Perimeter Behind

This shouldn’t feel like news, but RSA 2025 made it impossible to ignore: we’re well past the point where legacy security frameworks make sense.

The security industry still loves to talk about endpoints, agents, and network controls – but business operations have moved on. Enterprises now run on SaaS. HR, finance, customer data, source code, and strategic IP all live in third-party environments, accessed by users from everywhere, on everything.

And while security teams have made huge strides in cloud posture management and identity and access management, what happens inside these applications remains largely opaque. The move to SaaS hasn’t just changed where data lives – it’s changed how risk manifests. Most organizations are still adapting.

2. AI Is Flattening the Threat Hierarchy

(Credit to George Kurtz for the analogy)

At a dinner during the conference, CrowdStrike CEO George Kurtz offered a compelling metaphor that resonated with many in the room: think of cyber adversaries as a triangle. Nation-states at the top – sophisticated but scarce. Criminal syndicates in the middle – organized, prolific, and motivated by profit. And at the base, the broader mix: hacktivists, insiders, hobbyists.

What AI has done, in Kurtz’s words, is collapse the triangle. Generative tools and automation frameworks are now allowing bottom-tier attackers to use top-tier tactics. Suddenly, everyone can phish with polished pretexting. Everyone can scale lateral movement. Everyone can disguise behavior using AI-generated camouflage.

This isn’t a hypothetical risk. Security teams are already seeing more volume, more sophistication, and more gray area. Tactics once associated with nation-state operators are now part of everyday incident response.

3. Identities Are Changing – And So Are the Stakes

Another one of the persistent themes this year: identities aren’t just people anymore.

Cloud services and SaaS platforms are increasingly operated by a swarm of non-human actors – service accounts, bots, automation scripts, and now, autonomous agents powered by AI. These “users” perform real tasks, often with significant privilege, but live outside of traditional access models.

This explosion of non-human identities creates both opportunity and confusion. Who governs them? How is behavior tracked? What does “normal” look like for an agent that acts across systems and multiple SaaS applications?

There’s no clean answer yet – but RSA made it clear that the industry is starting to wrestle with this. The shift from managing devices to managing behavior is underway.

4. JPMorgan’s Letter Was a Line in the Sand

Mid-conference, JPMorgan’s open letter to its suppliers got serious attention. The message from CISO Patrick Opet was clear: JPMorgan expects better security from the SaaS companies it depends on, and the industry must modernize its security architecture so that SaaS integration stops adding risk.

Opet stated, “The modern ‘software as a service’ (SaaS) delivery model is quietly enabling cyber attackers and – as its adoption grows – is creating a substantial vulnerability that is weakening the global economic system.”

The letter did not mince words. It outlined requirements for prioritizing security over rushing feature releases, for timely breach reporting, and for responsible AI use. It also called out the need for security practitioners to work collaboratively to prevent the abuse of interconnected systems. It wasn’t just a list of demands. It was a declaration of changing expectations across the enterprise landscape.

Plenty of CISOs nodded along. The shared responsibility model is often treated as a shield for SaaS vendors, but it cuts both ways: practitioners still own the job of monitoring user behavior and proactively hunting for threats inside their applications, just as they do across the rest of their IT estate.

This letter didn’t just raise the bar for suppliers – it gave security teams a new tool to push for better outcomes internally.

5. The Post-Auth Blind Spot: Not a Headline, But a Heartbeat

One trend that didn’t dominate the stage – but came up consistently in private conversations – was this: once someone logs into a cloud or SaaS application, visibility drops off sharply.

Security leaders acknowledged that while access controls are solid and IAM tools are evolving, there’s very little clarity about what users (or bots) do after authentication. How privileges are used. How data is moved. How behaviors diverge from the norm.

This isn’t about a particular product category. It’s a broader recognition that as environments grow more complex and interconnected, the space after access is granted is where risk is migrating.

It’s not yet a mainstream message. It wasn’t printed on t-shirts or booth graphics. But if you listened closely, it was one of the most grounded, practical concerns people were bringing into rooms – especially CISOs grappling with third-party SaaS and identity risk.
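The post-authentication gap described in this section, and the call in section 4 for practitioners to monitor user behavior inside applications, both come down to the same practical question: what does "normal" look like for an identity once it is inside a SaaS application, and how do you notice when it diverges? The Python below is an added example, not code from the original post or from Reveal Security. It builds a baseline of actions per identity and per peer group (role) from a small set of constructed SaaS audit events, then scores later events as novel for the identity, novel for its whole peer group, or far above the identity's usual volume. The event fields (`actor`, `role`, `actor_type`, `action`, `count`), the sample events and the volume threshold are all assumptions rather than any real platform's log format. Non-human identities get stricter treatment: a service account that starts performing an action it has never performed is flagged high regardless of what its peers do, because its action set should be fixed.

```python
"""Post-authentication behaviour baseline for SaaS audit events.

Added example (not the original post's code). Builds a per-identity and
per-peer-group baseline from constructed audit events, then scores later
events against it. Field names, events and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Flag a known action when its volume exceeds this multiple of the
# identity's largest baseline count for that action (assumed threshold).
VOLUME_FACTOR = 3

# Constructed baseline events; not from any real SaaS platform.
# `role` groups identities into peer groups; `actor_type` separates
# humans from service accounts, bots and agents.
BASELINE_EVENTS = [
    {"actor": "alice", "role": "finance", "actor_type": "human", "action": "report.view", "count": 1},
    {"actor": "alice", "role": "finance", "actor_type": "human", "action": "report.view", "count": 1},
    {"actor": "alice", "role": "finance", "actor_type": "human", "action": "invoice.approve", "count": 1},
    {"actor": "bob", "role": "finance", "actor_type": "human", "action": "report.view", "count": 1},
    {"actor": "bob", "role": "finance", "actor_type": "human", "action": "report.export", "count": 20},
    {"actor": "bob", "role": "finance", "actor_type": "human", "action": "report.export", "count": 25},
    {"actor": "svc-sync", "role": "integration", "actor_type": "service", "action": "contact.read", "count": 500},
    {"actor": "svc-sync", "role": "integration", "actor_type": "service", "action": "contact.read", "count": 480},
]

# Constructed events from a later window, scored against the baseline.
NEW_EVENTS = [
    {"actor": "alice", "role": "finance", "actor_type": "human", "action": "report.view", "count": 1},
    {"actor": "alice", "role": "finance", "actor_type": "human", "action": "report.export", "count": 30},
    {"actor": "alice", "role": "finance", "actor_type": "human", "action": "user.role_change", "count": 1},
    {"actor": "svc-sync", "role": "integration", "actor_type": "service", "action": "contact.read", "count": 490},
    {"actor": "svc-sync", "role": "integration", "actor_type": "service", "action": "contact.export", "count": 5000},
]


@dataclass
class Baseline:
    # actor -> action -> largest count seen for that action in the baseline window
    actor_actions: dict = field(default_factory=lambda: defaultdict(dict))
    # role (peer group) -> set of actions any member of the group performed
    role_actions: dict = field(default_factory=lambda: defaultdict(set))


def build_baseline(events):
    """Learn what each identity, and each peer group, normally does."""
    b = Baseline()
    for e in events:
        seen = b.actor_actions[e["actor"]]
        seen[e["action"]] = max(seen.get(e["action"], 0), e["count"])
        b.role_actions[e["role"]].add(e["action"])
    return b


def score_event(b, e):
    """Return 'high', 'medium' or None for one post-authentication event.

    An identity absent from the baseline has no known actions, so every
    action it performs is treated as novel.
    """
    actor, action, count = e["actor"], e["action"], e["count"]
    known = b.actor_actions.get(actor, {})
    if action not in known:
        # Non-human identities should have a fixed action set: any new
        # action is high severity even if a peer performs it.
        if e["actor_type"] != "human":
            return "high"
        # Novel for this person but routine for the peer group: worth a
        # look, but plausible (a new duty, a colleague covering).
        if action in b.role_actions.get(e["role"], set()):
            return "medium"
        # Novel for the person and for everyone in the role.
        return "high"
    # Known action, but at a volume far beyond this identity's history.
    if count > VOLUME_FACTOR * known[action]:
        return "medium"
    return None


def score_events(b, events):
    """Score a batch of events; returns (actor, action, severity) for each alert."""
    alerts = []
    for e in events:
        severity = score_event(b, e)
        if severity:
            alerts.append((e["actor"], e["action"], severity))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for actor, action, severity in score_events(baseline, NEW_EVENTS):
        print(f"{severity:6} {actor:10} {action}")
```

Run as-is, the script flags alice's first export (medium, since her finance peers export routinely), her role change (high, novel for the whole group) and the service account's bulk export (high, a new action for a non-human identity), while her ordinary report views and the service account's usual reads pass silently. The peer-group step is what keeps the baseline from being a simple per-user allowlist: a human doing something their colleagues do every day is a different signal from a human doing something nobody in their role has ever done.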

Closing Reflections

RSA 2025 was loud. But beneath the noise, the conversations felt more grounded. Less about the next big feature, and more about foundational changes in how we think about risk, behavior and trust.

A few truths stood out:

  • SaaS and cloud are the new normal – and they demand new assumptions

  • AI is accelerating everything: the good, the bad, and the gray areas

  • Identity is getting messier, and non-human actors are here to stay

  • Enterprises are raising expectations on partners and suppliers

  • Post-authentication activity in SaaS and cloud may be the clearest blind spot left


The future of security is going to be quieter, more behavioral, more identity-centric – and much more collaborative. Whether the industry is ready or not, the shift has already begun.

If you’re watching these shifts unfold in your own organization, we’re always up for a thoughtful conversation. No pitch – just perspective. Contact us today.

#RSA2025 #CybersecurityTrends #AIThreats #SaaSChallenges #IdentitySecurity #CISOReflections
