The latest news, insights, and what we’re hearing between sessions. Our daily journal straight from the Moscone Center floor, compiled by our boots-on-the-ground team, including Leo Grove, President and CEO of SSL.
Thursday, March 26, 2026
From Daniel Rendon, SSL EVP of Strategic Partnerships and Business Development:
On my final day at RSAC 2026, I attended a session on CVE. As a Cloud Signature Consortium board member, I am especially interested in standards and technology interoperability to advance shared innovation and effective cross-border communication.
The CVE Board provides strategic oversight of the Common Vulnerabilities and Exposures (CVE) Program Mission. It sets policies for identifying, naming, and sharing vulnerabilities across governments and private industry.
While the MITRE Corporation operates the program, it has historically been funded and supported by the U.S. Department of Homeland Security, which has placed it within a hybrid public-private governance model critical to global cybersecurity coordination. In recent years, concerns have emerged around funding stability and geopolitical fragmentation, raising the risk that the centralized CVE system could weaken or splinter.
Keeping CVE continuously updated and well-governed is essential because it serves as the universal reference layer for vulnerability management. Without it, coordinated disclosure, patching, and cross-border threat intelligence would become slower, inconsistent, and far less effective.
These challenges were echoed during the session, where participants questioned the role of government in setting standards to combat the rapidly evolving cybersecurity landscape. I echo the panel’s sentiments: there is a role for government in developing standards when the common good is an important consideration and competing interests may counteract the impetus to adopt a common standard. It’s very difficult to keep politics out of this role, but completely private standards frameworks inevitably have personal and financial incentives that are not aligned with the common good.
In the context of organizations like The Cloud Signature Consortium, as more trade agreements, such as the MERCOSUR/European Commission trade agreement, are implemented in an increasingly multipolar trade environment, the need for interoperable standards for digital identity and digital signatures will grow. I look forward to the conversations we’ll have at the CSC’s Trust Without Borders event, May 13-14 in Bogotá, Colombia, where we will convene government, private industry, and academic stakeholders to not only discuss how we can be more interoperable across borders but also commit to taking action.
Wednesday, March 25, 2026
From Daniel Rendon, SSL EVP of Strategic Partnerships and Business Development:
Here’s some food for thought: Should LLMs incorporate code signing into the AI-generated code they provide to users? How much responsibility should engineers retain in an LLM-driven development workflow?
One of the week’s most insightful panel discussions here at RSAC cut through a lot of the noise around GenAI in software development. It focused on a critical reality: GenAI accelerates coding, but it also introduces new layers of risk, including vulnerable code patterns, prompt-injection attacks, and insecure dependencies, among the most pressing. The emphasis on governance, guardrails, and transparency made it clear that secure adoption isn’t optional; it’s foundational, but it still has a way to go in the real world.
One particularly interesting moment was a lively disagreement among panelists around the role engineers should play in GenAI-assisted coding. Some argued that engineers should remain deeply involved in both generating and reviewing code, treating LLMs as productivity tools rather than decision-makers. Others pushed for a more automated future, in which LLMs handle larger portions of code generation, with engineers shifting primarily to oversight and review roles. It was even discussed that expertise in certain languages and frameworks no longer matters.
This tension shows the industry is still finding its balance between speed and control. My takeaway is that GenAI is more than a tooling shift; it represents a fundamental governance challenge. The organizations that will succeed are those that set clear responsibilities, enforce strong review processes, and avoid over-automating prematurely.
So I ask again, should LLMs incorporate code signing into the code they provide to users? How much responsibility should engineers retain in an LLM-driven development workflow? I’d love to connect with you and get your take on this.
From Ram Kishore, Global Head Solutions Architect:
Day two has been packed with sessions and partner meetings, and today the second dominant theme was quantum. The message across sessions was clear: the era of “we’ll deal with it later” is over. The transition to post-quantum cryptography (PQC) is already underway, and enterprises still waiting for a starting signal are already behind. Quantum threats aren’t theoretical future problems. Acting early means staying secure, nimble, and ahead of compliance and ecosystem changes.
This is exactly where SSL.com comes in. Our Digital Trust Platform goes beyond certificate issuance. We’re working with enterprises on every step of their post-quantum journey, from crypto-agility planning to building a resilient trust foundation for what comes next.
Nearly every conversation I’ve had at RSAC today has touched on agentic AI. It’s completely overhauling how businesses operate, with autonomous systems handling workflows at speeds and scales that human teams can’t match. But every agent acting on your behalf is also a potential attack vector, and threat actors are already probing these systems for weaknesses.
The bigger risk isn’t even external: mismanaged AI agents operating without a clear identity, defined permissions, or accountability controls can cause serious damage from the inside out. When machines make autonomous decisions, digital trust is essential. The productivity revolution is real, and so is the responsibility it brings.
Monday, March 23, 2026
From Dustin Ward, SSL EVP of Technology:
RSA Conference (RSAC) is the largest cybersecurity event in the world. Every year, tens of thousands of security professionals congregate in San Francisco’s Moscone Center to discuss what’s in the pipeline, what’s broken, and what we need to do about it. It’s where the industry sets the agenda.
Here’s what I’m hearing across the industry:
- Organizations know Post-Quantum Cryptography is coming, but don’t know where (or how) to start
- AI is creating new attack surfaces and new trust requirements simultaneously
- C2PA and content provenance are moving from “interesting” to “essential”
- Certificate lifecycle management is getting more complex across both public trust and private PKI
- Most teams are managing all of the above with yesterday’s tooling
One session in particular stuck with me more than most. It focused on the move toward 47-day certificate lifetimes: going from 398-day certs to 200, then 100, and eventually 47. That’s an 8x increase in rotation frequency, and it’s not a compliance problem, it’s an operational one. If your answer is still manual processes and loosely connected tooling, you’re already behind. And single-CA dependency becomes a real risk when you might need to replace your entire certificate footprint in 24 hours.
This is something we’ve been leaning into at SSL.com: private PKI for use cases where public trust isn’t the right model, and true backup CA readiness where validations are already in place, issuance paths are established, and you can shift traffic or issue in parallel when it counts.
Beyond certificates, two themes dominated almost every conversation today: AI and PQC.
On the AI side, agentic AI was everywhere today, a productivity revolution that also presents serious risks, from AI-driven attacks to the challenge of governing autonomous agents acting on your behalf. How do we authenticate AI-generated content? How do we secure the models themselves? This is where standards like C2PA and strong PKI aren’t just nice-to-haves. They’re becoming foundational.
On the PQC side, NIST has finalized its post-quantum standards. The migration clock is ticking. If you’re responsible for anything that touches certificates, whether it is public trust TLS/SSL, private PKI, code signing, C2PA content authenticity, the question isn’t if you need a PQC transition plan. It’s whether you already have one.
This is the stuff my team and I work on every day at SSL.com. Please don’t hesitate to reach out if any of these topics are top of mind.
This journal updates daily through RSAC week. Check back tomorrow for Day 2 coverage, and follow us on LinkedIn for real-time highlights from the floor.
Want to talk about how your organization is preparing for shorter certificate lifecycles, multi-CA readiness, or post-quantum planning? Let’s connect.
