Data security and identity security themes at RSAC 2025

Data security: Data loss prevention and data security posture management

A few years ago, DLP was a slow-moving space full of frustration from hard-to-administer policies to alert noise. Companies knew they needed it to stop data loss and counter insider threats but chaffed at the administrative overhead required to maintain policies and triage alerts.

The times are "a-changin'."

Data loss is a key issue for generative AI (GenAI) initiatives. Many innovators are finding new ways to use GenAI for DLP and insider risk protection. For example, Harmonic Security secures GenAI applications from data loss; Mind is trying to automate DLP and insider risk protection; and Orion Security is coming out of stealth with AI-powered observability. Data security platform players, including Forcepoint, Microsoft, Proofpoint and Thales, are working to solve the macro data security problem with a combination of data detection and response, DLP, DSPM and insider risk protection. And everyone is striving to effectively solve the data leakage risk posed by copilots and custom GenAI models.

At RSAC, I will talk to folks to understand how they are applying AI to reduce alert noise, accelerate investigations and handle complicated data types, such as code and data loss vectors like Slack or Teams.

Identity security and AI agents

The current industry buzzphrase is agentic AI. If you want to be in the cool kids' club, you have to have an AI angle -- or, better yet, an AI agent angle. AI agents are nonhuman identities, a.k.a. machine identities. Identity teams need to consider how to secure and manage these identities. There is a significant security risk here: You don't want your AI agent compromising sensitive information or committing fraud.

Model Context Protocol (MCP) was announced in November 2024 and has been creating quite a buzz. MCP provides a standard for AI agents to interact seamlessly with data, tools and interfaces and has gained astounding support across the industry. Since the RSAC speaking submissions closed in January 2025 just as MCP was taking off, I don't expect to see many agenda sessions on the topic -- but I hope I'm wrong.

I've wondered how AI agents will handle authentication and authorization as they cross boundaries. If you use a Salesforce agent or a Microsoft agent within that walled garden environment, they take care of the authentication and authorization. Things get more complicated when you are in a more complex environment.

In a March 26 update, MCP announced that it provides an OAuth 2.1-based authorization framework. This adds a standard for securing agent-server communication, especially in HTTP-based transports. MCP effectively provides a wrapper around the agent that can use OAuth.

It's early days for AI agents. Agentic AI can unlock huge productivity gains and new, innovative applications, but data security issues must be considered. In particular, identity security must be addressed to realize the promise of agentic AI.

I want to learn about the state of play for agentic AI security and how folks approach identity security issues. I hypothesize that identity security for agentic AI will be a festering problem that requires innovative solutions, perhaps from established players but more likely from startups.

State of play: Platforms and point products

A perennial debate in the industry is platforms versus point products. Platforms are prevalent in many domains, including endpoint security with endpoint detection and response (EDR) platforms, network security with SASE and secure service edge platforms, and cloud security with cloud-native application protection platforms. Yet, other security domains continue to be relatively fragmented.

Identity security has historically required different products for different identity and access management issues. For example, identity governance and administration, privileged account management, MFA and single sign-on, identity threat detection and response (ITDR), and so forth. Some identity security players have recently added on adjacent functionality in a move toward unification or convergence, but research from Enterprise Strategy Group, now part of Omdia, has shown that enterprises frequently gravitate toward a best-of-breed approach for new problems and often deploy multiple technologies for the same problem area.

I want to gauge the state of play for identity security platforms in particular. Vendors are broadening the scope of their products, and enterprises are embracing those broader platforms. At the same time, enterprises are often deploying multiple products in the same problem area. For example, some organizations might have an identity governance and administration (IGA) platform for on-premises applications, but their cloud/IaaS environment might have another IGA to solve those cloud identity issues adequately.

My hypothesis is that there is some convergence happening for more mature areas, but plenty of point products thrive for specific use cases that the bigger players do not adequately address. I hope to poke through the market noise to understand today's reality.

Filling security gaps: New startups solving painful security problems

While the more prominent players add in adjacent functionality as they establish platforms, one of the fun things for me as an analyst is that there are always new problems that enterprises need to solve -- and new startups jumping in to solve them.

Unsolved -- or inadequately solved -- issues such as secure collaboration across teams exist. Enterprise teams need to share credentials outside of the organization to collaborate securely. Commercial password managers are one option, but they frequently lack granular sharing and auditability. Teams can use open source products such as KeePass, but these typically do not provide multiuser scale and do not have enterprise functionality, such as logging and LDAP integration. Traditional privileged access management (PAM) products often lack the flexibility and agility some teams require. Interesting new players, such as Passbolt, and existing PAM vendors are looking to solve this problem.

ITDR continues to be an enterprise problem that many teams struggle to understand and solve. How can you detect and stop identity attacks beyond what EDR can do on the endpoint? I want to learn how the market is evolving and how players such as Breez Security, Push Security, Permiso Security are solving the ITDR challenge.

If you attend RSAC, I look forward to seeing you in San Francisco. You can reach me on LinkedIn. And stay tuned for blogs sharing what I learned following my RSAC adventures.

Todd Thiemann is a senior analyst covering identity access management and data security for Enterprise Strategy Group, now part of Omdia. He has more than 20 years of experience in cybersecurity marketing and strategy.

Enterprise Strategy Group is part of Omdia. Its analysts have business relationships with technology vendors.