
A Barnyard View of RSAC 2025: Data Security and Compliance Insights From the Herd
For our RSAC 2025 booth, we created something truly unique—a “Security Barnyard” featuring animated G.O.A.T. (Greatest Of All Time) characters representing different aspects of data security and compliance. As part of our booth, we had live dwarf goats to drive home the point that Kiteworks is the G.O.A.T. of data security and compliance. The concept was a huge hit, drawing crowds and creating memorable conversations about serious security topics through these approachable characters.
To continue the fun while sharing valuable insights from RSAC 2025, I asked our animated security experts—five G.O.A.T. champions—for their thoughts and takeaways on the event. Each character embodies a specific security concept or threat, offering a unique lens through which to view the event’s most important developments.
RSAC 2025 proved to be a transformative event, with agentic AI emerging as the dominant theme, capturing over 40% of the conference sessions—a dramatic increase from just 5% in 2023. Other critical focus areas included Identity Security, with complex challenges arising from the proliferation of machine identities; Data Security and Privacy in an increasingly regulated landscape; Cloud Security across multi-environment infrastructures; and preparations for the post-quantum computing era.
This year’s official conference theme, “Many Voices. One Community,” perfectly encapsulates the diverse perspectives we’ll explore in this post. Just as RSAC emphasized the power of collaborative problem-solving and the strength that comes from varied viewpoints, our unique cast of barnyard characters—from security champions to potential threats—offers multifaceted insights into today’s most pressing cybersecurity challenges.
In the sections that follow, you’ll hear directly from each of these colorful personalities as they share their distinct takeaways from the industry’s premier security event. Their perspectives, though sometimes contradictory, collectively paint a comprehensive picture of where cybersecurity stands today and where it’s headed tomorrow.
Insights From Sherlock “Trustfall” Hooves
If there’s one thing I observed while trotting around RSAC 2025, it’s that Zero Trust isn’t just a security framework anymore—it’s the foundational philosophy driving modern cybersecurity. As I navigated through the packed Moscone Center, session after session emphasized that in today’s interconnected digital ecosystem, the old perimeter-based security model is as outdated as building a castle wall in the age of aircraft.
The most compelling discussions centered on identity-centric approaches. With machine identities now vastly outnumbering human ones, organizations are finally recognizing that robust identity verification must be the cornerstone of security architecture. At one packed session, a CISO from a Fortune 100 company shared how they’ve implemented continuous authentication protocols that verify not just who is accessing resources, but also the context of that access—device posture, location, time patterns, and behavior anomalies—all in real time.
What particularly caught my attention was the evolution of collaborative Zero Trust implementations. Cross-functional teams are now essential, with security, IT, compliance, and business units working in tandem to build effective architectures. The days of security working in isolation are over—much like a herd of goats is stronger together than a lone billy on a mountain.
My key takeaway for security professionals? In an age of agentic AI, the “never trust, always verify” principle must extend beyond human and machine identities to include AI systems themselves. As one speaker eloquently put it, “When your AI can make autonomous decisions, verification isn’t just about access—it’s about intent and outcomes.” Organizations must implement guardrails that continuously validate AI actions against established boundaries and ethical guidelines.
Remember: In today’s threat landscape, trust isn’t a starting point—it’s something earned through continuous verification. Those who master this principle will navigate the complexity of modern security challenges with the sure-footedness of a mountain goat.
Key Takeaways From RSAC 2025 Cybersecurity Insights
- Agentic AI Drives Cybersecurity Innovation
  Agentic AI dominated RSAC 2025, highlighting its role in autonomous decision-making across industries. Organizations must prioritize AI governance to secure systems and prevent data leakage into public models.
- Zero Trust Becomes Foundational
  Zero Trust evolved into a core cybersecurity philosophy, emphasizing continuous verification of all identities. RSAC 2025 showcased its integration with AI and cross-functional teams to counter modern threats.
- Data Protection Shifts to Dynamic Frameworks
  Data-centric security took center stage, with RSAC 2025 advocating for context-aware controls throughout the data life cycle. Protecting unstructured data and public AI interactions is critical to preventing breaches.
- Regulatory Compliance Demands Agility
  Global data protection laws, discussed extensively at RSAC 2025, create a complex compliance landscape. Businesses need modular, automated systems to adapt to evolving regulations like GDPR and CCPA efficiently.
- Quantum Computing Preparation Is Urgent
Insights From Morgan “Mandate” McGoat
The regulatory landscape dominated conversations at RSAC 2025, and for good reason. With over 157 countries now enforcing data protection laws, organizations face a veritable maze of compliance requirements. The EU’s Data Protection Regulation 2.0 stole the spotlight, with its ambitious scope extending GDPR principles while introducing new requirements for AI systems and cross-border data flows.
Cross-border data protection emerged as a particular pain point for multinational organizations. Several sessions highlighted the collapse of data transfer frameworks between key trading regions, leaving businesses scrambling for alternative legal mechanisms. One enlightening panel featured privacy officers from three continents discussing strategic approaches to navigating these choppy regulatory waters, including data localization, enhanced contractual safeguards, and privacy-enhancing technologies.
I was particularly impressed by the compliance automation solutions showcased on the exhibition floor. Gone are the days of spreadsheet-based compliance tracking! New platforms now leverage AI to continuously monitor regulatory changes across jurisdictions, automatically mapping them to an organization’s data processing activities and suggesting necessary adjustments to privacy programs. These tools not only reduce compliance costs but significantly decrease the risk of violations.
My key takeaway? Organizations must build regulatory adaptability into their data security programs. The compliance landscape will continue evolving rapidly, particularly around AI governance and cross-border transfers. Companies that implement modular compliance architectures—those that can quickly adapt to new requirements without complete redesigns—will maintain competitive advantages while avoiding regulatory penalties. Remember: in today’s digital economy, compliance agility is as essential as security itself.
Insights From Locksley “DataShield” Woolthorpe
RSAC 2025 confirmed what I’ve been bleating about for years: Data-centric security is finally taking center stage! With traditional perimeters essentially dissolved, organizations are now focusing on what truly matters—protecting the data itself.
The most compelling data loss prevention strategies highlighted at the conference incorporated context-aware controls that adapt protection based on data sensitivity, user behavior, and environmental factors. Several vendors demonstrated sophisticated solutions that can identify and classify sensitive information in real time across structured and unstructured repositories, applying appropriate controls automatically.
Data security posture management emerged as the fastest-growing segment, with platforms now offering comprehensive visibility across cloud services, endpoints, and on-premises environments. The most innovative solutions provide continuous monitoring of security controls, detecting misconfigurations and policy violations before they lead to breaches. One eye-opening demonstration showed how a single misconfigured S3 bucket could be identified and remediated within seconds through automated workflows.
The conference placed significant emphasis on protecting data throughout its entire life cycle—from creation to archiving or deletion. Sessions explored how encryption, tokenization, and data masking technologies are evolving to maintain protection regardless of where data travels. Several experts highlighted the importance of data governance frameworks that maintain protection controls even when information moves beyond organizational boundaries.
My key takeaway for security leaders: Data protection strategies must evolve from static, rule-based approaches to dynamic, risk-adaptive frameworks that respond to changing threat landscapes. As organizations increasingly share data with partners, vendors, and AI systems, maintaining consistent protection requires a combination of technical controls, governance processes, and user education. The most resilient organizations will be those that treat data security as a business enabler rather than just a compliance necessity.
Insights From Dash “SecureBeam” Galloway
The cloud security landscape at RSAC 2025 revealed a dramatic shift from migration concerns to optimization strategies. Organizations are no longer asking if they should move to the cloud, but how to secure workloads across increasingly complex multi-cloud environments.
Several sessions highlighted innovative approaches to secure data transfer between cloud providers, emphasizing the need for consistent security policies that travel with the data. The most forward-thinking solutions demonstrated at the conference incorporated zero-trust principles into their data movement frameworks, requiring continuous verification regardless of where data originates or terminates.
Multi-cloud environments presented unique challenges, with organizations struggling to maintain visibility across disparate platforms. The most promising solutions showcased at RSAC offered unified control planes that abstract away provider-specific security implementations, allowing security teams to define consistent policies across AWS, Azure, Google Cloud, and private environments without managing multiple dashboards.
Quantum computing threats loomed large in discussions about the future of transmission security. Several sessions explored the development of quantum-resistant cryptographic algorithms and how organizations can prepare for the post-quantum era. The National Institute of Standards and Technology presented its finalized quantum-resistant cryptographic standards, while vendors demonstrated the first commercial implementations of these algorithms in transmission protocols.
My key takeaway for security professionals: Begin your post-quantum preparedness now. Organizations should start by inventorying cryptographic assets, identifying vulnerable systems, and developing transition plans. While widespread quantum computing threats may still be years away, the complexity of cryptographic transitions means organizations that delay preparation will face significant risk when quantum computing becomes mainstream. As one speaker memorably put it, “By the time quantum computing breaks your encryption, it’s already too late to start planning.”
Insights From Ada “Neural-Network” Ramsey
As the dominant theme of RSAC 2025, AI security discussions revealed both extraordinary promise and profound challenges. With AI systems now making autonomous decisions affecting critical infrastructure, financial systems, and healthcare, securing these systems has become an existential priority.
The most significant debates centered around decision-making authority—specifically, which decisions should remain with humans versus those that can be safely delegated to AI systems. A compelling keynote from Microsoft’s Corporate Vice President Vasu Jakkal explored this tension, emphasizing that “human oversight remains essential for consequential decisions, even as AI systems grow more capable.” This position was echoed across sessions, with a consensus forming around a risk-based approach to AI autonomy.
AI governance frameworks received substantial attention, with organizations sharing early successes and challenges in implementing structured approaches to AI risk management. The most mature frameworks featured comprehensive controls spanning the AI life cycle—from training data security to deployment safeguards and continuous monitoring. A particularly insightful panel featuring leaders from Google, Microsoft, NVIDIA, and the UK AI Safety Institute explored standardization efforts that could help establish baseline security requirements for high-risk AI applications.
The balance between innovation and security emerged as a persistent theme. Organizations are rightfully concerned about competitive disadvantages if security controls overly constrain AI capabilities. Several sessions offered practical guidance on implementing “security by design” principles that integrate protection without inhibiting functionality.
My key takeaway? Organizations must implement thoughtful AI governance frameworks that establish clear boundaries around autonomous decision-making while enabling responsible innovation. The most effective approaches will involve multidisciplinary teams including security, legal, ethics, and business stakeholders. As AI becomes more deeply embedded in business operations, security leaders must focus not just on protecting AI systems, but on securing the entire ecosystem of data, models, and decisions. Remember: In the age of agentic AI, security isn’t just about protecting what AI does—it’s about ensuring AI does what we intend.
Insights From Rooter “ShadowTunnel” Porkington
I must say, RSAC 2025 has been rather frustrating for those of us in the data acquisition business. The advanced detection techniques showcased this year are making my job increasingly difficult. Particularly troublesome are those new behavior-based analytics systems that can spot unusual data movement patterns—even when I’m being exceptionally careful about staying under threshold limits. The demonstration of homomorphic encryption techniques that allow data to be processed while remaining encrypted was particularly disheartening.
Zero Trust architectures have become my personal nemesis. When every access request requires continuous verification regardless of source, my traditional exfiltration techniques have become significantly less effective. The shift from static, perimeter-based security to dynamic identity verification has closed many of the gaps I once exploited with ease. Even my sophisticated lateral movement techniques are being caught by these systems that question every access attempt.
Despite these advances, organizations continue to miss critical vulnerabilities in their data protection strategies. Many still focus too heavily on structured data repositories while neglecting unstructured data scattered across endpoints, cloud storage, and collaboration platforms. Their obsession with protecting databases often leaves email attachments, messaging platforms, and third-party applications woefully underprotected—all prime hunting grounds for a hungry pig like me.
My warning to security professionals: Data exfiltration techniques are evolving just as rapidly as your defenses. While you’re building sophisticated detection systems for known methods, we’re developing low-and-slow techniques that stay below alert thresholds and leverage legitimate communication channels. Remember that your prevention systems are only as strong as their weakest integration point. One overlooked API, one misconfigured cloud storage permission, or one over-privileged service account is all I need to feast on your sensitive data.
Insights From Sly “Loophole” Bushy-Tail
RSAC 2025 has been quite enlightening, watching organizations scramble to address the regulatory labyrinth. What amuses me most is how they overlook the delightful gaps between overlapping regulations. Where GDPR and CCPA contradict each other, or where EU requirements clash with emerging APAC frameworks—these inconsistencies create the perfect hunting grounds for a clever fox.
I’ve noticed compliance automation tools becoming more sophisticated, which admittedly complicates my evasion techniques. These platforms that continuously monitor regulatory changes and automatically adjust controls are particularly troublesome. However, they still struggle with interpretation—the art of determining how abstract regulatory principles apply to specific technologies and processes. This ambiguity remains my playground.
Cross-border data transfers present particularly juicy opportunities. The collapse of adequacy frameworks between major economic regions has created magnificent confusion. Organizations are implementing complex legal mechanisms like Binding Corporate Rules and Standard Contractual Clauses without fully understanding their practical implementation requirements—creating gaps between documented compliance and actual practices that I can exploit with ease.
My warning to compliance officers: Beware of checkbox compliance approaches that focus on documentation without verifying actual implementation. The most sophisticated evasion techniques don’t involve breaking rules outright—they involve creative interpretation and selective application. Remember that while you’re focused on satisfying auditors with well-crafted policies, foxes like me are finding the gaps between your documented controls and operational reality. True compliance requires continuous validation of control effectiveness, not just well-written policy documents.
Insights From Trojan “Backdoor” Gallop
The enhanced focus on identity security showcased at RSAC 2025 has certainly made infiltration more challenging. Multi-factor authentication is now ubiquitous, privileged access management solutions are increasingly sophisticated, and behavioral analytics can detect unusual authentication patterns. However, these advances merely require more sophistication in my approach—I’ve simply shifted from brute force to social engineering, targeting the human elements that remain the weakest link in identity security.
Cloud environments continue to offer promising attack surfaces, despite improved security controls. The dynamic nature of cloud resources, with constant provisioning and decommissioning of assets, creates visibility gaps that I regularly exploit. Many organizations still struggle to maintain consistent security policies across hybrid and multi-cloud environments, creating seams where I can hide persistence mechanisms that survive routine security scanning.
Despite all the advanced security measures showcased at RSAC, several backdoor techniques remain remarkably effective. Supply chain compromises were notably underdiscussed, with organizations focusing on their own environments while neglecting the security of their suppliers and vendors. Additionally, development environments continue to implement fewer security controls than production, offering fertile ground for establishing persistence that can later be elevated to production access.
My warning to security teams: Infiltration methods are becoming increasingly patient and sophisticated. Rather than immediate exploitation, modern approaches focus on establishing persistence first and waiting for opportune moments to escalate access. Your detection strategies must evolve from point-in-time assessments to continuous monitoring across your entire ecosystem—including development environments, third-party connections, and legacy systems. Remember that I don’t need to find the most sophisticated vulnerability—I just need one overlooked access point to establish my beachhead.
Insights From Stubborn “MetaMix” Longears
The discussions on data classification at RSAC 2025 revealed significant blind spots in most organizations’ governance approaches. While companies are investing heavily in identifying and protecting sensitive data, they’re largely neglecting the metadata that gives that data meaning and context. By focusing exclusively on content-based classification, they leave the structural information that organizes and interprets data woefully unprotected.
My preferred techniques for disrupting data governance rely on subtle metadata manipulation rather than overt attacks. By altering classification tags, modifying retention policies, or corrupting relational linkages, I can effectively render data unusable or misinterpreted without triggering traditional security alerts. The most sophisticated organizations are implementing integrity controls for data itself but rarely extend the same protection to its metadata.
The gaps in AI governance present particularly rich opportunities for mischief. As organizations rush to implement AI systems, they’re feeding these models with datasets whose metadata governance is immature at best. By corrupting the labels and relationships within training data, I can influence model outputs without leaving obvious signs of tampering. Several sessions discussed AI poisoning attacks but focused primarily on content rather than the metadata that structures learning processes.
My warning to data governance professionals: Protecting the integrity of your classification and categorization systems is as critical as protecting the data itself. Implement robust controls over who can modify metadata, maintain comprehensive audit logs of metadata changes, and regularly validate the integrity of your classification systems. Remember that when data classification is compromised, even perfectly secured information can lead to catastrophic decisions and actions. In the age of automated decision-making, corrupted metadata can cause more damage than breached data.
Insights From Raptor “DataScraper” Sharp-Eye
RSAC 2025 featured extensive discussions about AI security, but most focused on protecting AI systems rather than addressing a critical vulnerability: the unintentional leakage of sensitive information into public large language models. As organizations enthusiastically adopt AI copilots and assistants, they’re inadvertently feeding proprietary data into these systems with alarming frequency.
The corporate adoption of public LLMs presents a magnificent opportunity for data harvesting. When employees paste confidential information into public AI interfaces for summarization, translation, or analysis, that data potentially becomes part of future training datasets. Even more concerning, several RSAC presentations highlighted how information submitted to these models can sometimes appear in responses to unrelated queries from entirely different users—exposing corporate secrets with no evidence of a traditional data breach.
The risks of training data exposure received insufficient attention at the conference. Organizations are implementing prompt engineering guidelines for employees without corresponding technical controls to prevent leakage. Meanwhile, the boundaries between private enterprise data and public AI training data grow increasingly blurred, with significant legal and competitive implications that few organizations have fully assessed.
My warning to security leaders: Implement robust technical and policy controls governing how your organization interacts with public AI systems. Establish clear data classification policies specifying what information can never be submitted to external AI models. Deploy technical controls that scan outbound traffic to public AI interfaces for sensitive data patterns. Invest in secure, private AI infrastructure for handling confidential information. Most importantly, educate your workforce about the permanent, irreversible nature of data submitted to public models—once your proprietary information enters these systems, it can never be truly recalled. The next generation of competitive intelligence won’t come from traditional espionage but from carefully crafting prompts that extract your competitors’ inadvertently leaked information from public AI systems.
Conclusion: Securing Our Digital Farm
As we’ve heard from our barnyard security experts—both the cyber champions and cyber villains—RSAC 2025 revealed a cybersecurity landscape transformed by AI while still grappling with fundamental challenges in identity, data protection, and compliance.
Based on the feedback from our five cyber friends and fiends, several critical trends emerged that will shape security priorities in the coming year:
First, AI security has moved from theoretical to existential. Organizations must develop comprehensive governance frameworks that address not just AI system security, but the protection of data used to train these systems. The rapid adoption of AI demands careful consideration of decision-making authority, with clear boundaries around what decisions can be delegated to automated systems versus those requiring human oversight.
Second, identity-centric security has displaced traditional perimeter-based approaches, with Zero Trust principles now fundamental rather than aspirational. As Sherlock “Trustfall” Hooves noted, verification has become a continuous process rather than a one-time event, particularly critical as machine identities now vastly outnumber human ones.
Third, data protection must evolve from static rules to dynamic, context-aware frameworks that maintain protection throughout the data life cycle. The insights from both Locksley “DataShield” Woolthorpe and Raptor “DataScraper” Sharp-Eye highlight the particular vulnerability of data shared with external systems, especially public AI models.
Fourth, compliance complexity continues to grow, with regulatory fragmentation creating both challenges for legitimate businesses and opportunities for bad actors. As organizations navigate this landscape, compliance automation will become essential, though as Sly “Loophole” Bushy-Tail reminds us, technology alone isn’t sufficient without validation of control effectiveness.
Finally, quantum computing threats demand preparation now, not when these capabilities become mainstream. Organizations should begin inventorying cryptographic assets and developing transition plans to quantum-resistant algorithms—as Dash “SecureBeam” Galloway emphasized, the complexity of these transitions means early adopters will have significant advantages.
I urge all readers to take three specific actions based on these insights:
- Implement an AI data gateway to control and track how your organization interacts with public AI systems, including data classification policies and monitoring of information submitted to external models.
- Develop a modular compliance architecture that can adapt to evolving regulations without requiring complete redesigns.
- Establish comprehensive identity governance across human and non-human identities, with continuous verification based on risk and context.
This year’s RSAC theme, “Many Voices. One Community,” perfectly reflects the multifaceted perspectives we’ve explored through our security barnyard. Just as each of our characters brings a unique viewpoint—from the vigilant GOATS to the scheming farm adversaries—effective security requires diverse perspectives working in concert. No single approach, technology, or framework can address today’s complex threat landscape. Instead, security resilience emerges from the collaborative efforts of different disciplines, roles, and viewpoints, all contributing to our collective defense.
In security, as in nature, the strongest ecosystems are the most diverse. By learning from each perspective—even those of our adversaries—we build more resilient defenses that protect what matters most.
Frequently Asked Questions
Agentic AI dominated RSAC 2025, featured in over 40% of sessions, up from 5% in 2023. Its rise highlights the urgent need for AI security to protect autonomous systems, making it critical for businesses worldwide to safeguard data and decisions.
Zero Trust is now a core cybersecurity principle, emphasizing continuous identity verification for humans and machines. RSAC 2025 showcased its evolution through collaborative, AI-integrated frameworks, vital for defending against sophisticated global threats.
RSAC 2025 emphasized dynamic data protection to secure data across its life cycle, especially in unstructured formats and public AI systems. Organizations must adopt context-aware controls to prevent breaches in cloud and endpoint environments globally.
With 157+ countries enforcing data protection laws, compliance is increasingly complex, particularly for cross-border data transfers. RSAC 2025 highlighted automation tools to navigate regulations like GDPR and CCPA, but gaps in implementation persist, requiring localized strategies.
RSAC 2025 urged immediate preparation for quantum computing threats by inventorying cryptographic assets and adopting quantum-resistant algorithms. Early action is essential to avoid vulnerabilities in future-proofing data security across industries.
AI governance ensures secure innovation by setting boundaries for autonomous AI decisions, a key RSAC 2025 focus. Robust frameworks protect training data and prevent leaks to public AI models, addressing global business and compliance needs.