The hallway conversations at RSAC Conference 2026 all converged on one anxiety, and a new CSA report backs it up with numbers that should worry every security leader. Itamar Apelblat of Token Security translates what he heard on the floor into what enterprises need to do next about AI agents.
The floor at RSAC Conference 2026 had one dominant frequency, and it was not subtle. Every booth, every hallway, every late-night conversation kept circling back to the same question: how do enterprises adopt AI agents without losing control of them? In a post-conference follow-up, Itamar Apelblat, Co-Founder and CEO of Token Security, translates what he heard on the ground into what the data now confirms.
Token Security arrived at RSAC with a fresh set of findings, produced in collaboration with the Cloud Security Alliance and released alongside the event. The report, Autonomous but Not Controlled: AI Agent Incidents Now Common in Enterprises, puts numbers to what practitioners already suspected: 65 percent of organizations have experienced an AI agent-related incident in the past twelve months, and 82 percent discovered agents running in their environment that no one had authorized. Only 21 percent have a formal process for decommissioning agents — a gap Itamar Apelblat flags as a low-hanging attack path. The short version from the conversation: visibility is the starting line, not the finish line, and the path from discovery to intent-based enforcement is where most programs are stuck.
This is a Brand Highlight. A Brand Highlight is a ~5 minute introductory conversation designed to put a spotlight on the guest and their company. Learn more: https://www.studioc60.com/creation#highlight
GUEST
Itamar Apelblat, Co-Founder and CEO, Token Security | https://www.linkedin.com/in/itamar-apelblat/
RESOURCES
Learn more about Token Security: https://www.token.security/
Download the CSA + Token Security Report — Autonomous but Not Controlled: AI Agent Incidents Now Common in Enterprises: https://cloudsecurityalliance.org/artifacts/autonomous-but-not-controlled-ai-agent-incidents-now-common-in-enterprises
Are you interested in telling your story?
▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full
▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight
▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight
KEYWORDS
Itamar Apelblat, Token Security, Sean Martin, brand story, brand marketing, marketing podcast, brand highlight, AI agents, agentic AI, non-human identity, identity security, shadow AI, CSA report, Cloud Security Alliance, intent-based access, AI agent governance, agent decommissioning, RSAC Conference 2026
From RSAC Conference 2026 Floor to the CSA Report: What Enterprises Are Missing About AI Agents | A Brand Highlight Conversation with Itamar Apelblat, Co-Founder and CEO of Token Security
[00:00:10] Sean Martin: Hey, hey, Itamar. How are you?
[00:00:12] Itamar Apelblat: I am good, Sean. How are you doing? Good to see you.
[00:00:14] Sean Martin: Very, very well, and it's good to see you as well. So, we're not in San Francisco anymore, but the tones of agents ring loudly in my brain still. There's a lot of stuff going on with AI and agentic AI, of course all the risk that surrounds it. And we're going to kind of get a word from you on some of the updates you have from the event and a new report you have out as well with CSA. Before we do that, quick word from you, Itamar, who you are, and an overview of Token Security for me, please.
[00:00:49] Itamar Apelblat: Yes. So my name is Itamar Apelblat. My Starbucks name is Andrew. I'm the co-founder and CEO of Token Security. Basically, we founded this company because we saw that identity security and the identities the organization has have completely changed. Most of the identities organizations have today are non-human identities, and now with AI agents even increasing more, we built a security solution that focuses on those agents, looking at their access, their purpose, their intent, and creating remediation and enforcement capabilities based on what they're meant to do, from discovery to enforcement, all the way.
[00:01:36] Sean Martin: It's perfect, and it's a hot space, an important category, and you guys are having tremendous success. Tell me a little bit about some of the things you saw and heard during the week at RSAC Conference.
[00:01:47] Itamar Apelblat: Yeah. So RSAC, I'd say it was all about agentic security. Every company we spoke with was trying to understand how they're going to implement and adopt AI agents in the organization in a secure way. They're already understanding that agents are being adopted in the organization, but now they're trying to move from reactive to proactive measurements on how to secure those agents. A lot of people are looking for thought guidance and trying to understand better how to tackle this change, this space. It's changing so quickly. One day MCPs are everything. The next day people are saying MCPs are dead, right? So you see all of those new experimental technologies being massively adopted in the organization, and security folks, whether they are tech-savvy or less, they're trying to understand how to keep up with this technology and how to adopt this technology in a secure way. So that was the main conversation.
[00:02:51] Sean Martin: And how does that align with the survey and the results of that survey through the report that you produced with Cloud Security Alliance?
[00:03:00] Itamar Apelblat: Yeah, so that was a very interesting conversation. In our report that we did with CSA, we learned a few really interesting and also shocking pieces of information. I think the most shocking thing for me was that 65 percent of the organizations in the survey had already experienced an AI agent attack, an event. That was something that was completely shocking for us. Not only how, obviously we know already how organizations are implementing AI agents, but also how threat actors are already leveraging those agents in the enterprise. So that was very shocking for us. The other very interesting observation we had is that 82% of organizations discovered agents that were unauthorized, that they had no idea about. Many of the organizations know about the agentic plan, the roadmap, how the organization is planning to adopt AI agents, but because it's also so experimental, we see agents popping up in a lot of different ways and a lot of different platforms. 82% of organizations were surprised and discovered shadow AI basically in their organization.
[00:04:40] Sean Martin: Yeah, Marco has no idea how many agents I've deployed in our environment.
[00:04:46] Itamar Apelblat: Yeah, you should use Token. Yeah.
[00:04:48] Sean Martin: Well, tell us about that. So what is the call for folks who probably are thinking, that's me, I know we have a plan, I know we're doing some stuff, but there are probably some things that I don't know what's going on, and I need to control it. How do they work with you to do that?
[00:05:04] Itamar Apelblat: Not only do I not know exactly what's going on, but I also don't know how to continuously secure those agents. So our entire approach is that it all starts with visibility, but it cannot end with visibility. So, at first, we're discovering all of your AI agents, but the goal is to really enforce your policies. You're leveraging Token in order to take measurements and create intent-based risk remediation and intent-based risk access. So looking at the agents, not only discovering them, but understanding what they're meant to do, what is their intent and purpose, and then creating restriction policies based on that. So from discovery to enforcement. And maybe just to add on top of that, another thing that was also surprising from the report is that only 21% of organizations have a program for decommissioning agents, and that's the most basic thing right now. People are experiencing things after they stop leveraging an agent. You need to remove it. This is a low-hanging fruit and a very easy attack path for the attacker, right? So only 21% are actively thinking about it. You really need a tool that will help you manage the life cycle of this agent.
[00:06:36] Sean Martin: Good stuff, Itamar. Thank you. Thank you for the chat. I encourage everybody to download the report and connect with Itamar and the Token Security team. And thanks for the chat, and hopefully many more to come.
[00:06:49] Itamar Apelblat: Absolutely. Thank you, Sean.