As RSAC 2026 approaches, Daniel Bardenstein, CEO and Co-Founder of Manifest, joins hosts Sean Martin and Marco Ciappelli to unpack the growing disconnect between how security leaders perceive their AI and software supply chain posture and what practitioners on the ground actually experience. Drawing from Manifest's new research report — Beyond the Black Box — Bardenstein connects the dots between shadow AI, SBOM adoption gaps, and a dangerous pattern: history is repeating itself as organizations rush to adopt AI with the same disregard for security that characterized the early cloud era.
In a wide-ranging pre-event conversation ahead of RSAC 2026, Daniel Bardenstein, CEO and Co-Founder of Manifest, explores what it means to truly secure the software and AI supply chain — not just check the compliance box. Manifest's new research report, Beyond the Black Box, surveyed more than 300 security and AI leaders globally to understand the reality of AI adoption and software supply chain risk. One of the most striking findings was not a statistic, but a structural problem: a significant perception gap exists between how confident executive security leadership feels about their AI security posture and how unprepared frontline practitioners actually are. Where there is misalignment, Bardenstein notes, there is risk.
The conversation draws a vivid parallel to the cloud adoption wave of a decade ago, when organizations rushed to SaaS and cloud infrastructure without thinking through security implications — and gave birth to entire new industries to clean up the mess. Today, the same dynamic is playing out with AI. Nearly two-thirds of the survey respondents reported encountering shadow AI within their organizations, as employees freely use tools like ChatGPT, DeepSeek, or locally downloaded models without centralized governance. When that AI eventually gets embedded into software that organizations build, deploy, and sell, the blind spots compound.
SBOMs — software bills of materials — represent a promising step toward supply chain transparency, and Bardenstein credits the US government's regulatory nudging for driving adoption. Manifest's research shows that roughly 60% of organizations are now generating SBOMs, a meaningful milestone. But generation is not governance. Too many organizations treat an SBOM as a compliance artifact — a JSON file on a hard drive — rather than an operational tool that could dramatically accelerate vulnerability response, regulatory compliance, and incident management. The prescription has been filled; it's just not being taken.
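The paragraph above makes the point that an SBOM only reduces risk once it is queried, for example to answer "which deployed systems contain the affected component?" (the airline grounding anecdote in the conversation below is the same question, asked too late). The following Python is an added example, not code from Manifest or from the Beyond the Black Box report: it indexes a handful of CycloneDX-style SBOM documents by package URL and triages one advisory across an asset inventory, reporting affected, clean, and unknown systems (those with no SBOM at all). The SBOM documents, the inventory names, and the advisory are constructed sample data, and the version comparison assumes plain dotted integer versions.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not real products, deployments, or advisories).
# Three deployed systems ship a CycloneDX-shaped SBOM; a fourth, listed in the
# asset inventory, has none. That fourth system is the blind spot: with no
# ingredients list, the only safe answer is "we don't know".
CYCLONEDX_SBOMS: Dict[str, str] = {
    "gateway-east": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "flightlog-parser", "version": "2.3.1",
             "purl": "pkg:pypi/flightlog-parser@2.3.1"},
            {"type": "library", "name": "requests", "version": "2.31.0",
             "purl": "pkg:pypi/requests@2.31.0"},
        ],
    }),
    "gateway-west": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "flightlog-parser", "version": "2.4.0",
             "purl": "pkg:pypi/flightlog-parser@2.4.0?vcs_url=git%2Bhttps://example.invalid/repo"},
        ],
    }),
    "kiosk-42": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "requests", "version": "2.31.0",
             "purl": "pkg:pypi/requests@2.31.0"},
        ],
    }),
}

# Everything the organisation believes it runs; anything here without an SBOM is unknown.
ASSET_INVENTORY: List[str] = ["gateway-east", "gateway-west", "kiosk-42", "ops-console"]

# Constructed advisory: versions of the component below fixed_in are affected.
ADVISORY = {"purl_base": "pkg:pypi/flightlog-parser", "fixed_in": "2.4.0"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically.

    Assumption: plain dotted integer versions only; pre-release tags and
    vendor-specific schemes would need a proper version library.
    """
    return tuple(int(part) for part in version.split("."))


def split_purl(purl: str) -> Tuple[str, Optional[str]]:
    """Split 'pkg:type/name@ver?qualifiers#subpath' into ('pkg:type/name', 'ver')."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        name, version = base.rsplit("@", 1)
        return name, version
    return base, None


def build_index(sboms: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each version-less purl to the (deployment, version) pairs that ship it."""
    index: Dict[str, List[Tuple[str, str]]] = {}
    for deployment, raw in sboms.items():
        bom = json.loads(raw)
        for component in bom.get("components", []):
            purl = component.get("purl")
            if not purl:
                continue  # no purl means no reliable identity; skip rather than guess
            base, version = split_purl(purl)
            index.setdefault(base, []).append((deployment, version or component.get("version", "")))
    return index


def triage(advisory: Dict[str, str], sboms: Dict[str, str],
           inventory: List[str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (affected, clean, unknown) deployments for one advisory.

    'unknown' is reported separately from 'clean' on purpose: a system without
    an SBOM has not been shown to be safe, it simply cannot be assessed.
    """
    index = build_index(sboms)
    fixed = parse_version(advisory["fixed_in"])
    affected, clean, unknown = [], [], []
    for deployment in inventory:
        if deployment not in sboms:
            unknown.append(deployment)
            continue
        shipped = [v for d, v in index.get(advisory["purl_base"], []) if d == deployment]
        if any(parse_version(v) < fixed for v in shipped):
            affected.append(deployment)
        else:
            clean.append(deployment)
    return affected, clean, unknown


if __name__ == "__main__":
    hit, ok, unk = triage(ADVISORY, CYCLONEDX_SBOMS, ASSET_INVENTORY)
    print("affected:", hit)   # systems to patch or pull first
    print("clean:   ", ok)    # demonstrably not shipping the affected version
    print("unknown: ", unk)   # no SBOM: the transparency gap, made visible
```

The point of keeping `unknown` as its own bucket is that a response process which silently treats "no SBOM" as "not affected" reproduces exactly the blind spot the report describes; surfacing it as a number is what turns a generated artifact into a governance signal.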
To reframe the urgency, Bardenstein introduces the concept of the "transparency tax" — the hidden cost organizations pay in time, money, and risk when they build or buy opaque technology. Just as consumers demand ingredient labels on food, Carfax reports on used cars, and active ingredient disclosures on prescriptions, the technology sector needs to normalize the same transparency for software and AI. For organizations willing to do the math, the case for investing in supply chain visibility becomes not just a security argument, but a business one.
Heading into RSAC 2026, Manifest will not have a booth but will be active across the conference floor, meeting with customers, partners, and prospects. Bardenstein will appear on an invite-only panel alongside leadership from Corridor Dev, 1Password, and Google to discuss secure software and secure AI. The team is also planning to announce new platform capabilities designed to close the governance gaps their research surfaced — helping organizations move fast without creating the kind of blind spots that make AI adoption a liability rather than an advantage.
Tune in for this sharp, candid pre-event conversation — and look for the full on-location Brand Spotlight recorded live at RSAC 2026 in San Francisco.
🎙️ This story is part of the RSAC 2026 Coverage Series on ITSPmagazine, produced in partnership with Manifest.
GUEST
Daniel Bardenstein
CEO and Co-Founder, Manifest
https://www.linkedin.com/in/bardenstein/
https://www.manifestcyber.com
RESOURCES
Beyond the Black Box Research Report — Manifest:
https://www.manifestcyber.com
Learn more about Manifest and their software and AI supply chain security platform:
https://www.manifestcyber.com
Learn more about and follow ITSPmagazine's coverage on RSAC 2026:
https://www.itspmagazine.com/rsac-usa-2026-san-francisco-cybersecurity-event-coverage
Catch all of our event coverage:
https://www.itspmagazine.com/technology-cybersecurity-society-podcast-coverage
Want to tell your Brand Story Difference Maker Podcast Story or Advertise with us? 👉 https://www.itspmagazine.com/telling-your-story
KEYWORDS
Daniel Bardenstein, Manifest, Manifest Cyber, software supply chain security, SBOM, AI supply chain, AI risk, RSAC 2026, RSA Conference, Sean Martin, Marco Ciappelli, brand spotlight, brand story, ITSPmagazine, brand marketing, marketing podcast
Software Supply Chains, AI Risk, and the Transparency Gap | A Brand Spotlight with Daniel Bardenstein of Manifest | RSAC 2026
Sean Martin: [00:00:00] Marco, Marco.
Marco Ciappelli: Sean, you're going to San Francisco.
Sean Martin: I am. And I have to say, I really hope the supply chain holds up on my journey from east to west.
Marco Ciappelli: Well, we all hope that.
Sean Martin: Right?
Marco Ciappelli: Not just for you, for the entire world actually.
Sean Martin: Exactly, exactly. Well, everything is software these days and pretty much every software is built by a bunch of pieces of software. And if we don't have an idea of what's going on in there, things can go sour fairly quickly. So hopefully that doesn't happen.
Marco Ciappelli: It doesn't, but look, Daniel and I already had a quick five minute chat before, so we have some metaphors. I think we have some food label metaphor and something else. So we got it going already.
Daniel Bardenstein: Our space is full of metaphors and analogies. And I mean, Sean, you're joking about the supply chain affecting travel — it reminds me of an incident last year. I don't want to point fingers incorrectly — I forget who it was, but it was either a major airline or a major airline manufacturer that had to ground a bunch of planes because there was a bad software update, and it took them most of a day or two just to figure out where, across all the planes they have, one piece of software with that certain version was running. Because they didn't know, they couldn't say it's just one plane or two planes or all the planes. They grounded all the planes for a day or two. So the joke is right on the money about the importance of software supply chains and how it affects how we fly, what we eat, the water and electricity we get to our homes. It's both fascinating and terrifying at the same time.
Marco Ciappelli: For sure.
Sean Martin: It is fascinating. So I'm happy to stick with the food stuff. And I don't know, perhaps we'll get into that when we start talking about San Francisco and sourdough bread and clam chowder. But this isn't about food necessarily. And not just about supply chain, but it's about building secure software. And of course, Daniel, you and the Manifest team are going to be at RSA Conference and having some good conversations with customers and partners and prospects and peers and talking about all this. So before we get into the conversation, maybe a few words about who you are, Daniel, your role with Manifest — a brief view of what the company does, to set the stage as we get into all the things RSA Conference.
Daniel Bardenstein: [00:03:00] Sounds good. Well, Sean and Marco first — thanks for having me. Always a pleasure. For those who don't know me, I'm Daniel Bardenstein. I'm the CEO and Co-Founder of Manifest. My background very briefly: I've been building enterprise security tools for most of my career. Spent some time in government and academia as well. Ultimately trying to make the society we all live in more secure since, as we've already noted and joked, software is everywhere. And as we'll allude to with future metaphors, we don't demand the same level of transparency in the software that governs our lives as we do for the food we eat, the prescription drugs we buy, the cars we drive, the houses we want to live in. Manifest is a company that focuses on all things software supply chain and AI supply chain security. Our mission is to help organizations build and buy more trusted software and AI. The ultimate impact we hope to have on the world and technologies — we want both people and organizations to have that same trust in the technology that governs our everyday lives. Whether it's AI in the cars we're driving, or software in the medical devices and MRI machines that we and our families are hooked up to — just as we do with the food we eat in the grocery store where we can look at ingredients lists, prescription drugs that list the primary active ingredient, even the cars you want to buy where you can look up the Carfax. So ultimately we're on a mission to make technology more transparent and more trusted.
Marco Ciappelli: [00:04:00] Yep. And I'm expecting a lot of those kinds of conversations on the floor at RSA Conference. You know, we make the joke where we say when we go to this conference, we kind of look into the future as a way to look at the status of things. We make a game of guessing the buzzword of the year. So I know we have some announcements and talk about something you'll go a little bit deeper into — the research that you guys have done and will be presenting — but what's your expectation for this year's RSA Conference?
Daniel Bardenstein: Well, I think AI is definitely going to be on my Bingo card of buzzwords again. It certainly was last year. And to be honest, we're also going to be talking about our research and work into AI and AI security as well. My experience with RSA is always seeing old topics redone — whether it's zero trust or AI or whatnot. And so I think we'll see lots of acronyms and buzzwords. I'm excited to see a much deeper advancement in maturity around how we talk about AI security. Last year there was just AI plastered onto every single company's booth in marketing — all of a sudden everyone's an AI company. And so I think, as we'll talk about today, the rapid proliferation of AI will not surprise anybody, but it's actually caused these meaningful conversations around — well, how well do we actually know what AI risk is and looks like? How mature are people and how ready are they to detect, respond to that risk? And how do we make sure we have the technology to enable that? So I'm excited for that. Along with, as Sean mentioned, I'm going to get my sourdough, my croissants. I lived in the San Francisco Bay area for ten years, so it's always a little bit of a nostalgic homecoming. And yeah, as you noted, [00:06:00] Manifest won't have a booth, but we'll be running around meeting customers, prospects, and partners. I'll be on a panel for an invite-only event with leadership from Corridor Dev, 1Password, and Google, which I'm very excited about — all about secure software and secure AI. It'll be a lot of fun and always a little bit crazy, which RSA always is.
Sean Martin: So maybe we start to touch on — I know you guys put out a new report. What's the name of it? Beyond the Black Box. I used to be part of an engineering team and manage engineering teams, and the way software is built today has changed a lot. There are so many parts and pieces and services running on-prem and in the cloud, and I know part of the highlights you mentioned — and I think you even talked about it in the beginning — is that visibility and knowing. Because we're building so much and deploying so much and doing it so fast, how can teams actually get that visibility, and what are some of the points from the research you did that kind of highlight some of that?
Daniel Bardenstein: [00:07:00] Yeah, I think one of the most surprising things to me from the research we did — which for context, we interviewed more than 300 security and AI leaders around the globe around their use of common code security tools, AI adoption, and AI security — the most important finding wasn't necessarily a specific statistic around any of those topics, but really this existence of a serious misalignment between executive perception and operational reality. I can certainly talk about some of the specific findings around how prevalent shadow AI is, how security teams are already drowning in false positives from their code scanning tools and aren't prepared to turn that toward AI, but even before we jumped into statistics around AI security and the tooling itself, one of the major findings that stood out was there's a huge gap between how secure security leaders think their organization is versus the reality that their application security teams — their hands-on security teams on the front line — think they are within the same organization. And that's pretty serious. Where there is misalignment, there is risk. When security leadership is feeling very confident about — we've adopted AI, but we're doing it securely — but the frontline security practitioners are saying, actually, we don't have these tools, we know there are users around the organization who are building their own AI-enabled tools or using forbidden non-compliant models. That was a major gap and a bit of a wake-up call that we weren't expecting to find.
Marco Ciappelli: [00:08:00] Hey, I see I'm going to quote someone named Daniel Bardenstein, CEO and Co-Founder, who says, "We are seeing history repeat itself." Elaborate.
Daniel Bardenstein: Yes. Well, I think there are a couple of ways to unpack that. The first is, this is likely not the first time where there's been that overconfidence within leadership versus what we see at the ground level — and I've certainly experienced that in my past career. The biggest application of that concept of seeing history repeat itself is in terms of how quickly we are all adopting new technology to try to benefit and leverage the efficiencies of it without thinking about the security and the risk reduction around it. I often think about the launch to cloud when cloud was a big thing — now what, ten, fifteen years ago? And SaaS — everyone's rushing to the cloud, everyone's rushing to SaaS, and there were so many predictable things that people weren't thinking about that gave birth to entire new industries around how to secure cloud technologies, how to migrate, how to do hybrid cloud. And the same thing is happening with AI. In the same way that the rush to adopt cloud-based technologies gave us shadow IT — because people were spinning up cloud instances here and there on their own local machines without centralized control — nearly two-thirds of respondents in our Black Box report are seeing shadow AI in their organizations. Because the bar is so low for employees to go out to the public internet, use ChatGPT or DeepSeek, download Claude, and there's no centralized security management. It leads to this lack of visibility. [00:10:00] This is why we are after trying to illuminate supply chains and software supply chains and AI supply chains — because security leaders aren't already aware of all the shadow AI that their employees and developers are using. Maybe it's just on their own laptops, but when that AI gets put into software that they develop, deploy, and sell, that becomes a blind spot.
And just like traditional software supply chain attacks — the likes we've seen over the last five years — we're really poised to repeat the same mistakes as we did when we rushed to cloud without thinking about security. We're rushing to adopt AI without proper security and governance.
Sean Martin: [00:10:30] And speaking of nudging, you're there in DC and I know we probably have a lot of mutual friends who have worked a lot on the world of supply chain security and SBOMs. And I think if I mentioned one name, he'd pop up on the podcast and join us. But back to the nudging — I think the government kind of helps when they put out guidelines and rules and frameworks and things like that. And I think I saw in the report that we actually do generate SBOMs now, which is a positive step. But what's your view of the state of software bill of materials — are they really producing the results that we want — and where are security leaders, business leaders, AppDev and AppSec teams misaligned on what that really looks like?
Daniel Bardenstein: [00:11:00] Yeah, the US government definitely deserves all the credit it can for helping popularize the concept of an SBOM and baking it into some early regulation — the executive order from a few years ago. Our research shows that there has been pretty significant adoption of SBOM generation — around 60-plus percent of organizations are already generating SBOMs. It's not a hundred percent, it's not where we need to get to if we want to reach the vision of software supply chain transparency, but it's not nothing. But the other side of generation of these artifacts is operationalization — what are you doing with them? A lot of organizations still see SBOMs as a compliance checkbox: I've generated this JSON file, this ingredients list, therefore I must be more secure. It's as valuable as it is to say, I picked up my prescription, but I haven't actually taken it. There's certainly more room — for government, for policy makers, for industry leaders — to educate security leaders and practitioners around the world on: well, what do you actually do with an SBOM? How do you actually turn this piece of data into something that helps you build and buy more secure software? How do you use it for AI? How do you use it for cryptography? How do you use it to respond to vulnerabilities and software supply chain incidents much faster? How do you use it to answer the mail on all the global compliance that's coming out? [00:13:00] Generation is not governance. Generating SBOMs or AI SBOMs doesn't make you safer. Visibility doesn't translate into decisions and enforcement — it doesn't really reduce risk at all. It's just security theater. And so it's encouraging to see the adoption of SBOM generation, but if you're just generating a compliance artifact and not doing anything with it, then you're not actually making your organization, your customers, or your data any more secure.
Marco Ciappelli: [00:13:30] So I have a question — I like to think about the general overview. I'm assuming there are certain industries that need this more than others, but I'm still thinking about the food industry analogy: once you adopt the system, you can't just say we're going to do it for vegetables and meat but not for everything. Because I'm thinking of the synergy between all the different software and components and devices and technologies — how possible is it to make progress where it becomes part of the system and not just something tied to legislation? I don't know if it's going to really resolve the problem if it goes siloed.
Daniel Bardenstein: [00:14:00] Yeah, it's a great question and point, and there are a couple of ways to think about it. The first: there is precedent for it. We think a lot about the automotive sector in terms of how it does recalls. Car manufacturers know every single part from every single supplier and what make and model of car it goes into. So if they detect a defect in an airbag, within hours or days they can identify the supplier, the makes and models affected, and notify the dealerships or sometimes the end users. I've certainly gotten notices from my car's manufacturer saying, you have a problem in your car, go get it fixed. We just need to do that with software. There's also this fun idiosyncrasy of the US government — there is no central regulator across industries in the US except for the US Congress, which is focused on perhaps some other things these days. There are different sector risk management agencies — that's a whole other thing we can dive into. But ultimately, going back to the previous concept, [00:16:00] I think one thing that we hope people across sectors really realize — and that will lead them not to wait for regulation but to do this voluntarily and get ahead of the curve — is thinking about this in terms of a tax. A lack of transparency is a tax. When you build or buy software and AI that you don't know where it came from, what's in it, or how secure it is, there's a transparency tax. That's the extra time, money, and risk that organizations have to spend in order to secure, maintain, and respond to incidents in opaque technology. Organizations who are aware of their costs need to be thinking about: I think I'm saving time by using AI coding tools or open source tools, but if I factor in this additional cost — this tax I expect to pay long term — that will actually start to change behavior and reveal it actually is better for our bottom line to understand what technology we're bringing in from the outside.
Sean Martin: [00:17:00] So interesting. And I'm excited to have another chat with you on location in San Francisco where we can dive a little deeper and get into some of the technical parts of it. I know you guys are releasing some new capabilities, which we'll touch on on location as well. As we wrap here, Daniel — you're talking about tax, and Marco kind of led me to this idea that security often gets in the way of business — not just the department of No, but just by the way we talk about it. We're not talking about it in terms of attacks; we're talking about it in terms of threat and risk. So looking at who you plan to talk to and do business with at RSA Conference — how do you expect those conversations to go where we can kind of get out of our own way as security and really get back to the real nuts and bolts of business and actually solve this?
Daniel Bardenstein: [00:18:00] I think one of the greatest ironies here is that while AI is meant to allow us to innovate faster and gain efficiencies, it's already creating legal drag and compliance drag within organizations. We're already talking with Fortune 500 and Global 2000 organizations — our report showed that this is true for over 50% of organizations — where even just the process of securing AI or approving AI to be compliant is causing slowdown. So people in the race to adopt AI are actually slowing themselves down because they don't have the right processes and tools in place. And so there's this ironic push and pull that we expect to chat about more at RSA. We'll also have an announcement about new platform capabilities, especially hitting some of the themes we gleaned from the research report. There are various gaps that organizations are already aware of around how they govern AI that we have already closed, and we're excited to bring that to market. Overall, one of the themes of both what we are continuing to build and what we're continuing to talk about — and expect to talk about at RSA — is how do we close that perception gap between how secure leaders think they are versus what the reality is on the front lines? How do we make sure organizations really understand what's in the AI and software they're building and buying? And how does everybody have the tooling to make sure that their adoption [00:20:00] of new software and new AI is as fast as the innovation they want to pursue, without introducing risk and slowing themselves down?
Marco Ciappelli: Awesome.
Sean Martin: Good stuff. Well, I would encourage everybody to track you down. Look for Daniel Bardenstein and the rest of the Manifest team in San Francisco. Check out the report — we'll include a link to that, of course — so you can get your hands on it and figure out how to apply it to your program. There's a lot of operational stuff in there.
Daniel Bardenstein: There certainly is — a lot of things that I was surprised to read as well about how AI is being adopted and some of its gaps. Feel free to reach out and read the report. Find us at manifest.cyber and we're always happy to meet up with folks at RSA who want to nerd out about all of these fascinating and yet depressing topics.
Marco Ciappelli: Definitely going to keep an eye on the floor and in the corridors about what we think security is and what it really is — which is kind of like branding, right? It's what people think. You are not what you think you are. Anyway, everybody stay tuned. We'll have many more conversations. We'll hang out a lot in Moscone North. If you are there, stop by, say hi — and of course, that's what we're going to record with you as well. Take care. We'll see you next time.
Daniel Bardenstein: Thanks all.
Sean Martin: Thank you.