Rich Mogull joined the Cloud Security Alliance as Chief Analyst in October 2025 with a clear mandate: turn world-class security research into outcomes organizations can actually measure. In this on-site conversation at RSAC Conference 2026, he unpacks the AI Security Maturity Model, CSA's new enterprise membership program, and why implementation has always been the harder problem.
At RSAC Conference 2026, Sean Martin caught up with Rich Mogull at the Cloud Security Alliance booth for a candid conversation about where enterprise security programs stand -- and what it takes to keep pace with AI. Mogull, who joined CSA as Chief Analyst in October 2025, brings a practitioner's instinct to a research-first organization, and he arrived with a clear mandate: help organizations stop treating security frameworks as shelf documents and start treating them as operational tools.
CSA operates across three pillars -- cloud, zero trust, and AI -- and Mogull is the first to acknowledge the identity tension that comes with that breadth. But his argument is consistent: each pillar represents a transformational technology that exposed the limits of existing security practices. "Our sweet spot is these transformational, disruptive technologies," he says. The same challenge that played out with cloud adoption is now repeating itself with AI, and CSA's job is to help security teams navigate it with research that is genuinely actionable.
One of the most anticipated deliverables from Mogull's first year is the AI Security Maturity Model -- a structured framework that gives enterprise security programs a lens for assessing and improving their AI security posture. Modeled on CSA's Cloud Security Maturity Model (which Mogull also authored), it is built around measurable KPIs and designed to be as automatable as possible. After its first public draft drew over 600 comments from 60 international reviewers, Mogull is in the final stages of revision. The model covers governance, identity and access management, security monitoring, model security, AI infrastructure, agentic applications, MCP servers, and AI developer enablement -- a purpose-built lens for enterprise AI security programs, not a generic maturity template.
Beyond the model itself, Mogull is building the operational infrastructure to help CSA members actually use it. The new Enterprise Membership program -- launched in March 2026 -- centers on the Operational Maturity Roadmap: a structured, year-long engagement where CSA analysts work directly with member organizations, providing monthly guidance, specific recommendations, and an annual progress report tied to measurable outcomes. The goal is to move CSA from research producer to implementation partner -- and to deliver the kind of decision support that scales beyond what any individual consultant can provide.
This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight
GUEST
Rich Mogull, Chief Analyst, Cloud Security Alliance
LinkedIn: https://www.linkedin.com/in/richmogull/
RESOURCES
Cloud Security Alliance: https://cloudsecurityalliance.org
CSA Enterprise Membership Program: https://cloudsecurityalliance.org/membership
CSA AI Controls Matrix: https://cloudsecurityalliance.org/research/working-groups/ai-controls-matrix
CSA Cloud Controls Matrix: https://cloudsecurityalliance.org/research/cloud-controls-matrix
Are you interested in telling your story?
▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full
▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight
▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight
KEYWORDS
Rich Mogull, Cloud Security Alliance, CSA, Sean Martin, AI Security Maturity Model, cloud security, zero trust, AI security, enterprise security, security maturity model, RSAC Conference 2026, brand spotlight, brand marketing, marketing podcast
From Cloud to AI: Building Security Programs That Scale | A Brand Spotlight at RSAC Conference 2026 with Rich Mogull, Chief Analyst of Cloud Security Alliance
[00:00:10] Sean Martin: Look who I found here at the Cloud Security Alliance booth. Rich Mogull. How are you, my friend?
[00:00:17] Rich Mogull: I'm doing well. How have you been?
[00:00:18] Sean Martin: I'm very well, very well. It's a good couple of days into RSAC Conference.
[00:00:25] Rich Mogull: I mean, technically this is like day one at the official conference, but,
[00:00:29] Sean Martin: but I was busy yesterday.
[00:00:32] Rich Mogull: We were both busy yesterday. Yeah.
[00:00:33] Sean Martin: Doing the summit, which we'll touch on a little bit. Cloud Security Alliance, great organization. Love Jim and all the stuff he's done. Clearly you're a big part of this as well. We're gonna talk about what you're up to. Maybe a quick word for folks who don't know who Rich is -- your role, what are you up to these days?
[00:00:57] Rich Mogull: Yeah, so Rich Mogull, I'm Chief Analyst at the Cloud Security Alliance. It's actually a very new role for me. I only started back in October, but I describe myself as a day one -- or day two -- participant in the CSA. CSA was announced at RSA Conference like 17 years ago and I went in on that, got to know Jim, and helped actually contribute a lot to various research initiatives. And then last year, right before RSAC, Jim gave me a whole list of stuff he wanted to do and I said, Jim, why don't I just come work for you? I can't do this as an outsider anymore. And it was the right time for both of us. So it was great.
[00:01:36] Sean Martin: Super cool. I think Jim will probably know better than me because my memory's bad, but I think I met Jim the first time he brought CSA to London.
[00:01:46] Rich Mogull: Oh yeah.
[00:01:46] Sean Martin: And I remember walking up the steps and saying, Jim, CSA, and we're talking. Jim Reavis, the founder of the CSA. He's still running CSA, still keeping things rolling. Anyway, I love the organization -- known for cloud. Maybe give folks the overview.
[00:02:09] Rich Mogull: We've got a bit of an identity crisis. We are the Cloud Security Alliance, but there are actually three pillars of our coverage. Obviously cloud -- if we get rid of that, we have a worse identity crisis. We cover cloud. We added zero trust quite a long time ago because we were seeing a lot of affinity in terms of the principles of zero trust and how cloud computing drove so much of it. And then the last pillar is AI, because a lot of it started in cloud, a lot of it is still in cloud. And that's obviously exploding quite a bit, to the point where we've actually launched a whole other nonprofit -- CSI -- to focus on that, right underneath us.
[00:03:10] Sean Martin: Well, the reason CSA exists is because of how transformational cloud was.
[00:03:15] Rich Mogull: Yeah.
[00:03:15] Sean Martin: Still is in many ways. Certainly AI has the ability to be as transformational, disruptive, at minimum.
[00:03:24] Rich Mogull: Well, I think our sweet spot is these transformational, disruptive technologies. And one of the things that got me interested early on is I got involved in cloud in 2009, around the time CSA started, and I realized it was going to change so much of what we did for security. And yet a lot of our existing practices and models don't necessarily translate well if you just try to pull them directly over into these new disruptive technology areas. So that's one of the things I love about CSA -- if we're going to make cloud safer and more secure for everyone, let's produce the research and the guidelines. And then as zero trust hit, similarly, it's a domain area, not just an add-on to network security. And now with AI, it's really about what specifically is different about AI that we need to focus on -- what tools and research do enterprises need to safely deal with that.
[00:04:48] Sean Martin: Yeah. So obviously very rooted in research, helping the community learn and understand, and taking that and making it actionable.
[00:05:00] Rich Mogull: Yeah. So we've done a great job of producing industry research and working groups. We had contributors from all around the world, and I think we set a lot of the standards -- particularly the Cloud Controls Matrix, the AI Controls Matrix we released recently, our training programs. But what CSA historically has not done a great job of is taking all of that and helping clients through the implementation. How do I use the CCM to guide my program? How do I use the maturity models to assess my KPIs? How do I actually complete what we call the CAIQ -- the Consensus Assessment Initiative Questionnaire -- which is a standard questionnaire so you can communicate how you're doing cloud security to the outside world? How do we actually do that? So this is where I came in. For years I was doing advisory work and consulting, and I made a good living off CSA research because people need help. But that doesn't scale.
[00:06:20] Sean Martin: Right.
[00:06:20] Rich Mogull: There's one of me. Could we as an organization build more scalable capabilities to support the community and CSA members?
[00:06:37] Sean Martin: We'll touch on the membership in a second. I want to talk about the AI Security Maturity Model. Tell us about that.
[00:06:44] Rich Mogull: Yes. So this is exciting -- it's not even fully released yet. Years ago I wrote the Cloud Security Maturity Model and did a revision. I designed it not to be just a generic five-tier capability maturity model. I actually built out behind it key performance indicators so you could measure your levels, and those were designed to be as automatable as possible so you could pull your CSPM results and use them to help figure out your program's maturity and track it over time. My focus is always how do I make something a usable tool, not just an interesting piece of research. So we built that, and then I realized we need an AI version. The cloud one has worked so well. Let's make one for AI. And like the cloud model, the objective is to describe the journey of a security program -- what are the different places, the categories? With cloud we had 12 categories: identity management, governance, application, network, data security. With AI, I challenged myself: could I write a version of that that would work from where AI is, because it's such a rapidly evolving technology? Worked on the first draft, worked with some colleagues at CSA. We put it out for public review and got over 600 comments in two weeks.
[00:08:21] Sean Martin: That's incredible.
[00:08:22] Rich Mogull: From 60 reviewers internationally. And I'm working through all of those -- they absolutely found things I had missed. They said, your level one description is like a level zero description. So I'm almost done cleaning those up and we'll have that first version of the model.
[00:08:56] Sean Martin: Right.
[00:08:56] Rich Mogull: There are other AI maturity models out there, but ours is very focused -- maybe I should call it the AI Security Program Maturity Model, but there are too many letters. The idea is to give security professionals and leaders a lens to look at AI, not as something scary, but in a way they can embed AI defense into their existing program. So we have governance, organization management, identity and access management, security monitoring -- the core. But then where normally we think in terms of data, application, network, and workload security, it's different for AI. We think in terms of model, infrastructure, application -- which includes agents and MCP servers -- and then data security and process improvement things like AI developer enablement. We've built that out to give security teams a focused lens: instead of looking at one AI problem and one AI application, how can I look at improving my overall enterprise security program for AI? What does that journey look like?
[00:10:52] Sean Martin: And the people building for you.
[00:10:53] Rich Mogull: Yeah, exactly.
[00:10:54] Sean Martin: Super cool. I'd talk to you for hours about that, so maybe we'll do a deeper dive. But let's talk about membership. What's going on with that?
[00:11:10] Rich Mogull: Yeah, so to be blunt, I think it's probably the biggest reason I came in in October -- can we better help organizations, our CSA members, to improve their security outcomes through the application of our research? And that's really what our new membership program is. We just launched it -- technically last week was a soft launch, and I presented on stage yesterday. The idea was we don't want to replicate an analyst firm or consulting firm. What could we do that's very unique and aligned with the CSA mission? Help enterprises apply CSA research to improve their security outcomes, and do this in a structured way. It's the Operational Maturity Roadmap. I built out this whole program where it uses those maturity models as the framing mechanism. We do an onboarding and assessment, and then every month we go through that, constantly working with you, making very specific guidance and advice -- here's what you should be focused on for identity management for AI versus for cloud. We try to give you the resources, the research documents you need, the technical support presentations, and throughout the year we work directly to help you improve those capabilities. Of course, you can call up the analyst team and ask any questions. But really it's that focus around maturity.
[00:13:16] Sean Martin: Right.
[00:13:17] Rich Mogull: And at the end of the year, there's going to be a report showing where you've improved, where it's delivered value, and we try to do this over a three-year model -- going from foundational to operationalization to eventually external communications. We're going to work with you directly to fill out your STAR registry entries, to do CCM. So it's a very structured membership program. It still has all the benefits -- the training and collaborative kinds of things from our other membership programs -- but it's really about giving us a lot more direct interaction with the membership versus them just consuming research. We can provide that decision support guidance throughout the membership base, and we have that structure. Because I want to deliver better outcomes.
[00:13:55] Sean Martin: Sounds like my dream job. I'm glad you have it.
[00:13:58] Rich Mogull: Yeah, but I've got to scale. That's the challenge.
[00:14:00] Sean Martin: I know. The research and the analysis and the documentation and the presentation and being able to bring it in and drive an outcome. That's really, really cool.
[00:14:23] Rich Mogull: My career -- and I know it sounds corny, no one's going to believe this -- but when I started my last company, we gave all of our research away for free and I figured out how to make a living doing that. And coming into CSA, a lot of it is like, I do believe that this really matters. Helping people use these technologies more safely, more securely -- it's legitimately important. And I'm so thankful to be here. Jim brought me in and the team here is amazing and all aligned with: let's just make things better.
[00:14:57] Sean Martin: You're amazing, Rich. Appreciate it. I love Jim, love the organization. Be a member, take advantage of all the cool membership stuff. Stay tuned for all kinds of cool things coming from CSA. And hopefully we'll keep chatting, Rich, and everybody stay tuned for more from RSAC Conference all this week.