Prof Helen Patton and Prof Frank den Hartog
NIIN Cyber Alliance at RSAC 2026
We recently attended the RSAC 2026 in San Francisco, one of the world’s most significant gatherings of cyber security minds. It brings together researchers, practitioners, policymakers and industry leaders to confront the threats that shape our digital future. Representing the NIIN Cyber Alliance, we heard and engaged in conversation that matter globally, and increasingly for Australia. Here’s what stood out and what it means.
Agentic AI
The defining theme of the conference – Agentic AI. Systems that can act autonomously, completing tasks without human instruction needed at every step. It is happening now. And the questions being asked were not conceptual, they were practical and unresolved, including:
- How do you manage agentic identities at scale?
- Who is accountable when an AI agent makes an error or a decision that causes harm?
- How do you monitor system intent - what a system is planning to do, not just what it has done?
- What happens to governance and compliance frameworks when the human is taken out of the loop – who is responsible?
- Is agentic AI the new shadow IT, and if so, what controls and policies need to be in place to govern it?
From a defender perspective, this quickly becomes very complex. AI agents need to be secured when they are built, when they are in use and when they are not in use. And all regular digital assets within the organisation now need to be protected from rogue AI agents (your own as well as the ones from threat actors). In addition, security teams now need to understand what data an AI agent can access, how that data is being used, and how that activity is monitored, controlled and stopped where needed.
Understanding the integrity and provenance of the underlying data itself has now become an equally urgent challenge. Understanding where data comes from, how it moves through systems, and who is responsible for it at every stage is foundational to securing AI systems.
Which leads into a question of growing importance for Australia: data sovereignty. As Australian businesses rely more on AI systems hosted and operated by cross-border companies, the question arises who controls the data and who is accountable for how it is used. An interesting observation at RSAC was that most speakers discussed these questions, but no complete solutions were presented. Arguably, it was Cisco’s President and Chief Product Officer Jeetu Patel, who presented the most comprehensive overview of at least the building blocks that such solution should comprise.
Critical Infrastructure: Ageing Systems, Modern Threats
The Salt and Volt Typhoon attacks came up often in discussions around critical infrastructure at RSAC. These were not opportunistic attacks, they were deliberate and devastating in their implications, exposing significant vulnerabilities in ageing systems and the technical debt that public sector organisations have accumulated over decades of deferred investment.
We believe that conversations in Australia about protecting our own critical infrastructure are still too much dominated by a misplaced sense that such attacks typically happen somewhere else, not here. The way critical infrastructure is organised differs between the US and Australia, where water, energy, communications and transport systems have different ownership structures, attack surfaces and regulatory environments. But the underlying vulnerability is the same: interconnected, ageing but integrated IT/OT systems that were never designed with today's threat landscape in mind.
Salt and Volt Typhoon, together with a massive acceleration of vulnerability exposure and exploit development lubricated by AI, show us that we need to revise the way we threat model our critical infrastructure and include AI into the relevant zero trust architectures.
The Drone Frontier
One of the more striking topics at RSAC concerned a cyber threat vector that need more attention. Drones.
The rapid production of unmanned aerial systems across commercial, agricultural, emergency services and defence, has created a significant and underappreciated cybersecurity surface. This is largely ignored in the current public discourse, that largely focuses on kinetic threat. But at RSAC, drones are now part of the discussion. One example is an exploration of the role of Remote ID from a cyber security perspective. By law, drones are required to carry remote ID which is an electronic tag that broadcasts identification and location. But that same tag is also an attack vector that can be spoofed, jammed or exploited.
The drones themselves need to be secured as well. This is not a niche concern. It is a mainstream cybersecurity challenge that connects physical and digital infrastructure in ways that traditional security frameworks have not yet fully addressed.
NIIN Impact
NIIN is a collaborative platform of universities, industry leaders and government driving acceleration of Australia’s AI adoption. NIIN's role in this landscape is clear: to translate these global conversations into Australian action. Not in five years, but right now.
First of all, the NIIN is well positioned to contribute and provide thought leadership to the cyber security discussions around Agentic AI. With innovation centres in AI, critical infrastructure, and cyber security at partners such as Adelaide University, LaTrobe University, the University of Canberra, and Queensland University, the NIIN Cyber Alliance can aid Australian organisations with introducing Agentic AI in a measured and secure way.
This then leads automatically into the difficult conversations about workforce. As agentic AI takes on roles and skills that we consider as entry-level in cyber security, the pipeline of future talent seems at risk. We are placing humans in the loop to verify AI outputs, but those humans will eventually be removed. This raises the question of where the next generation of cyber professionals will learn their craft. When entry-level work disappears; the learning disappears with it. This is a workforce development challenge of national significance. What is required is a rapid modernization of how universities educate the new cyber workforce, and also here the NIIN Cyber Alliance is well positioned, given the close collaboration of said institutions with leading industry partners such as Droneshield and Cisco.
In short
The message from RSAC 2026 was: change is accelerating. Agentic AI is reshaping every organisation's risk profile. The boundaries between physical and digital systems are dissolving. We have capable institutions; strong researchers and an industry network built for this moment. But capability without urgency is not enough.
The NIIN is well-positioned to drive these discussions in Australia and invites all stakeholders to jump on board: get in touch with the NIIN and let us journey together in solving your most wicked cyber security challenges, in this disrupting age of emerging technologies and our desperate need for more sovereign capability in our critical infrastructure.