RSA 2026: Hope, Hype, and a 20-Year Unsolved Problem

By Matt Howard

    After eleven RSAs, you develop a feel for the rhythm of the conference — what themes will dominate, which problems will get repackaged, and occasionally, which genuinely new ideas will cut through. This year, the energy was high, and the floor was packed.

    Even so, I left San Francisco with the same tension I've felt building for a few years now: everyone privately acknowledges the threat landscape is shifting fast, yet the public conversation still feels anchored to familiar ground.

    AI-powered attacks are accelerating. Vulnerability management is stretched thin at most organizations. And the industry's response, by and large, was to do more of what it already knows how to do.

    That's not enough. Here are the gaps I think the industry needs to start talking about more honestly.

    The Red Ocean: Everyone Is Fishing in the Same Waters

    The overwhelming majority of what was on display at RSA this year was vendors selling variations of the same fundamental idea: build a higher wall, a smarter moat, a better lock on the front door. Detect threats faster. Patch vulnerabilities quicker. Stop data from leaking out. Prevent the bad actor from getting in.

    These are legitimate, important problems. I'm not dismissing them. But I am saying that the sheer concentration of energy and investment focused on perimeter defense (keeping data locked down and locked in) represents a crowded, commoditizing red ocean. The threat surface is expanding faster than any wall can contain it. The attackers are getting smarter, faster, and increasingly AI-equipped. And the implicit assumption underneath most of what RSA showcased, that your job is to prevent data from ever leaving your control, is fundamentally at odds with how modern organizations actually operate.

    Data has to move. Data has to be shared. That's not a vulnerability. That's the entire point.

    At Virtru, we think about this differently. That’s why our co-founder, Will Ackerly, created the Trusted Data Format, an open standard that wraps data in a cryptographic envelope so that policy and access controls travel with the data itself. The result is that data is protected wherever it goes and the owner stays in control.

    While the rest of the industry works harder and harder to lock data down, we're focused on setting data free — giving owners genuine agency over their data so it can be shared with humans and machines alike, without sacrificing security, control, privacy, sovereignty, or authenticity. That's a blue ocean.

    And it was largely (but not entirely) absent from the RSA conversation.

    History Repeats: From "Internet Security" to "AI Security"

    This year, "AI security" was everywhere. Expected? Absolutely. But ask ten different people what it actually means and you'll get ten different answers. That's a sign that the industry hasn't done the hard work of defining the problem yet.

    Sound familiar? It should. In the early 1990s, "we need Internet security" was the rallying cry of every boardroom and every conference. Nobody knew what it meant then either. It took years of painful iteration — firewalls, intrusion detection, application security, browser security, penetration testing — before the abstraction collapsed into something actionable.

    We are in that same moment right now with AI security. And the vendors who figure out the right categories first (not the analyst-driven categories, but the real ones, like data-centric security) will win the next decade.

    Perhaps Phil Venables said it best: the biggest defense against bad actors armed with AI isn’t a single magical capability. Rather, it is a strong baseline collection of controls. The blocking and tackling of a zero trust security architecture, applied with discipline and specificity:

    • Strong identity and authentication with granular entitlements
    • Layered defenses and segmentation
    • Rapid patching and detection
    • Software supply chain controls baked into development
    • Architectural choices that reduce blast radius
    • And — perhaps most critically, and most overlooked — granular policy and access controls on sensitive data as it moves beyond your walls

    That last one is where most security stacks have a gaping hole. And it's exactly what Virtru was built to address.

    Microsoft Tried to Solve This for 20 Years. They Couldn't.

    Here's the moment from RSA that I keep coming back to. During a meeting with a key customer (one of the world's largest banks), a senior architect, someone with deep prior experience in Microsoft's engineering organization, sat across from us after reviewing the Virtru Data Security Platform architecture. He'd seen it all. He'd lived through Microsoft's own attempt to solve this problem. He looked up and said simply:

    "Virtru is a universal RMS."

    If you know what that means, you felt it. If you don't, let me explain why it stopped the room.

    Microsoft launched Windows Rights Management Services (AD RMS) around 2003 with a genuinely powerful premise: attach persistent permissions to the data itself, so that access controls travel with the file regardless of where it goes. In theory, you could revoke access to a document even after it had been emailed outside your organization. Revolutionary idea.

    In practice, it failed. It was trapped inside the Microsoft ecosystem. Key management was brittle. It required every party — sender and recipient — to be enrolled in a compatible RMS infrastructure. It never delivered on the "follow the data anywhere" promise across organizational and platform boundaries.

    Microsoft evolved it into Azure Information Protection, then folded it into Purview. More capable, yes. But still fundamentally shackled to the Microsoft universe, and organizationally brutal to deploy at true enterprise scale across heterogeneous environments. The former Microsoft engineering leader candidly stated, "It was painful."

    And then he said Virtru is doing what Microsoft never could.

    That is not a casual compliment. That is a technically informed signal from someone who has seen this problem from the inside at the highest level — now sitting at a global bank with a mandate to protect every piece of data leaving the institution. He's not evaluating products. He's evaluating whether a solution to a 20-year unsolved problem finally exists.

    The Conversation Is Already Happening

    It wasn't just that one meeting. On the day after RSA, security analyst Cole Grolmus published a post on LinkedIn about OpenTDF that captured the same idea from a different angle. His framing was sharp: "You've found your sensitive data. Great. Now what? Protect it. And better yet, take that protection everywhere the data goes." The comments section proved equally revealing. A reader drew the comparison to Microsoft's old RMS, noting that identity and encryption together had always been the hard part, the "double kill" that defeated most attempts to solve it.

    Cole's observation about where the data security market is heading after years of DSPM hype, from discovering sensitive data to actually protecting it everywhere it travels, is exactly the gap that TDF was designed to close.

    The market is finally being forced to ask the right question. The answer has been quietly taking shape for years.

    The TDF Difference: The RMS Dream Made Real

    What makes Virtru's architecture different isn't magic. It's a set of deliberate system design choices that directly address every reason Microsoft's approach failed:

    • Data-centric, not perimeter-centric. Protection travels with the data object itself. Not the network boundary. Not the application layer. The data.
    • Cross-ecosystem by design. Virtru doesn't require the world to run on a single platform. It works across email providers, cloud environments, and organizational boundaries.
    • Cryptographic key control as a first-class citizen. TDF's architecture gives organizations granular, auditable, and revocable control over who can decrypt data — even after it has left the building. That's not a feature. That's the foundation.
    • True interoperability. Policy enforcement is embedded in the data object itself. Recipients don't need to be Virtru customers in any traditional sense. The rights travel with the data.

    This is what a universal, vendor-agnostic rights management platform for enterprise data actually looks like. Something Microsoft spent two decades and enormous resources pursuing, and never fully achieved.

    Ecosystem Is Already Forming

    One of the more energizing moments of RSA week didn't happen on the floor at all. Virtru hosted an intimate dinner with a group of technology innovators who are actively building on top of the Virtru Data Security Platform by embedding granular policy and access controls, powered by TDF, directly into their own products.

    The companies at the table (Kong, Mattermost, Thales, Ohalo, and Everfox) represent something significant: a growing ecosystem of builders who have independently concluded that data-centric security isn't a feature to bolt on, but a foundation to build from. The conversation that night was less about market positioning and more about what becomes possible when protection travels with the data itself — across networks, organizations, and use cases that no single vendor could serve on its own. That's not a partner program. That's an ecosystem forming around an open standard.

    What Comes Next

    Here’s my takeaway from RSA 2026. The organizations that will navigate the next few years successfully won't just be the ones with the best threat detection and remediation. They'll be the ones who have fundamentally rethought how they govern data: not just to lock it down, but to enable it to be shared securely with others at the speed of business.

    The "universal RMS" conversation wasn't trending on the show floor this year. But after eleven RSAs, I've learned something: the signals that matter most rarely come from the keynotes. They often come from intimate conversations with people who have actually lived through these problems, the ones who've spent careers trying to solve what most people haven't even correctly defined yet.

    When someone with that background looks at what Virtru has built and says, quietly and without fanfare, "this is what no one else has managed to do" — you pay attention.

    The storm is coming. The entire data control plane needs to be ready. And for the first time, I believe it is.

    Matt Howard

    A proven executive and entrepreneur with over 25 years of experience developing high-growth software companies, Matt serves as Virtru’s CMO and leads all aspects of the company’s go-to-market motion within the data protection and Zero Trust security ecosystems.
