Jun 10, 2026

RSAC 2026: The Turning Point for Application Security

AUTHOR

James A. Wondrasek

AI-generated code now accounts for roughly 27% of all production code, up from 22% the prior quarter — faster than most security teams can update a planning document. RSAC 2026 in San Francisco wasn’t another “AI is coming” conference. It was the one where independent analysts, a standards body, award judges, and a live demo all landed on the same conclusion at the same time: legacy AppSec cannot secure AI-generated code at scale.

In this piece we look at the four most significant signals from RSAC 2026 — Forrester’s ADS framework, Checkmarx’s Global InfoSec Award, OX Security’s DAST live demonstration, and OWASP’s four GenAI sessions — and why together they mark a genuine category shift rather than another vendor marketing cycle. This article is part of our comprehensive series on the AI code security blind spot. If you want the technical detail on why existing scanners fail, start with the underlying SAST failure problem. If you’re already at the vendor evaluation stage, jump straight to the vendors who differentiated at the conference.

Let’s get into it.

Why was RSAC 2026 the turning point for application security?

Previous RSAC conferences raised the AI code security question. RSAC 2026 answered it — and the answer came from four independent parties at once, each with a completely different incentive structure.

Mitiga’s post-conference analysis called agentic AI security the defining theme and reported that roughly 60% of organisations now run AI-augmented automation, up from under 20% in 2023. Its three-year framing is the useful part: 2024 identified the threat surface, 2025 produced early tooling, and 2026 was the year the industry committed to a new category and a governance model.

The four signals: a formal analyst category (Forrester ADS), an industry award (Global InfoSec), a live proof-of-failure (OX Security’s DAST demo), and a standards body commitment (OWASP’s four sessions). When those four validators converge on the same argument, it’s hard to write off as marketing.

What is Agentic Development Security (ADS) and why did Forrester introduce it?

Agentic Development Security (ADS) is a security paradigm defined by Forrester Senior Analyst Janet Worthington that protects AI-powered software development end to end — prevention, detection, prioritisation, and remediation of vulnerabilities introduced by autonomous AI coding agents. Worthington introduced the formal ADS category in April 2026, co-authoring Forrester’s post-RSAC recap.

So why a new category? Because no existing label — DevSecOps, AppSec, ASPM — actually describes the threat surface created when AI agents generate, commit, and deploy code without human review loops. The ADS framework covers eight capability areas: code and dependency analysis, coding guardrails, triage and prioritisation, remediation, dynamic testing, quality gates, supply chain protection, and governance analytics. As of RSAC 2026, no single vendor delivers across all eight. That gap is the category-formation signal.

ADS isn’t just an incremental fix. It defines an operating model where security decisions are autonomous and policy-driven. The companion framework is AEGIS, which Forrester introduced as the enterprise governance layer. Its core principle is “least agency” — the AI equivalent of least privilege, where agents only get the capabilities they need for a specific task. AugmentCode published the most accessible public explanation of the ADS framework post-RSAC if you want a plain-English walkthrough.

How does the Agentic Development Lifecycle (ADLC) differ from a traditional SDLC?

The SDLC was built for human-paced, sequential development. AI agents break every assumption in that model simultaneously. The ADLC is what you get when agents stop assisting developers and start automating development steps. Code generation, dependency resolution, testing, and deployment can happen without a developer writing a single line. Faros AI’s analysis of over 10,000 developers found that teams with high AI adoption merge 98% more pull requests, while PR review time rose 91%. Human review becomes the bottleneck, and security review, which has to fit inside that same window, is the part that gets squeezed first.

Here’s the key difference in risk class. The SDLC assumed developers made mistakes at human pace. The ADLC means AI agents make consistent, model-specific mistakes at scale. The same hallucinated dependency can appear across hundreds of files in a single session. The control points in ADS sit at agent instruction, context injection, and autonomous commit — much earlier in the lifecycle than the code review and static scan stages where DevSecOps concentrates.

Why did Checkmarx win the Global InfoSec Award at RSAC 2026?

Checkmarx won Market Leader Application Security from Cyber Defense Magazine at the 14th Annual Global InfoSec Awards. The award is judge-selected, not vendor self-reported, and that distinction matters. When an award committee recognises an AI code security entrant, it is a signal that the category has moved into mainstream enterprise buying consideration.

What Checkmarx announced alongside the award: Triage Assist and Remediation Assist (agents for the post-commit phase), AI Supply Chain Security providing a centralised AI-BOM inventory covering MCP servers, LLMs, AI agents and SDKs, and an enhanced DAST engine built for AI-driven and vibe-coding workflows. Use the award as a starting reference for your vendor shortlist, not a final purchasing decision.

What did OX Security’s DAST demonstration actually show?

OX Security’s live demo at RSAC 2026 showed an application built primarily with AI-generated code that was vulnerable to an unauthenticated remote code execution attack via a crafted PDF input — a vulnerability the project’s existing SAST scanning had completely missed.

The methodology is what matters here. The demo used DAST, runtime testing against the live application, so the finding was exploitable behaviour rather than a suspicious code pattern. The gap is a context failure: AI-generated code can be locally correct at the function level while being architecturally broken at the application level. DAST exercises the assembled, running application rather than individual functions, which is how it catches what pattern-matching SAST misses. The caveat cuts the other way too: DAST only sees the paths its probes actually reach, so it complements static analysis rather than replacing it.

This is a direct answer to the “my linters didn’t flag anything” objection. As Checkmarx puts it, “text-based analysis cannot evaluate architectural correctness”. A correctly formed authentication call placed in the wrong execution path is syntactically valid and contextually broken — it only becomes apparent when the application runs under real-world conditions. For the technical depth on why SAST misses these patterns, see the underlying SAST failure problem.
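To make the "correct call on the wrong execution path" failure concrete, here is an added example constructed for this article (it is not code from the OX Security demo or from Checkmarx). A PDF-upload handler calls check_auth, so a name-matching static rule finds the call, but the parser has already consumed untrusted bytes before the check runs and the check only guards one branch. The fixed handler sits beside it. A static check that looks only for the auth call passes both; a runtime probe that sends a PDF with no credentials tells them apart. parse_pdf, check_auth, the bearer token and the request and response shapes are all stand-ins.

```python
# Added example for this article; the handlers, parser, token and request shape are constructed.
from dataclasses import dataclass, field


@dataclass
class Request:
    headers: dict
    body: bytes
    query: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: dict


def parse_pdf(data: bytes) -> dict:
    """Stand-in for a real PDF parser; in the demo this is where the crafted input did its damage."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF")
    return {"pages": data.count(b"/Page"), "bytes": len(data)}


def check_auth(headers: dict) -> bool:
    """Constructed bearer-token check; a real service would validate a session or a signed token."""
    return headers.get("Authorization") == "Bearer demo-token"


def upload_vulnerable(req: Request) -> Response:
    """check_auth is present, so a text search finds it, but the parser has already consumed
    untrusted bytes before the check runs, and the check only guards the 'store' branch."""
    doc = parse_pdf(req.body)
    if req.query.get("store") == "1":
        if not check_auth(req.headers):
            return Response(401, {"error": "unauthorized"})
        # persist(doc) would go here
    return Response(200, doc)


def upload_fixed(req: Request) -> Response:
    """Same call, moved to the handler entry: no untrusted byte reaches the parser unauthenticated."""
    if not check_auth(req.headers):
        return Response(401, {"error": "unauthorized"})
    doc = parse_pdf(req.body)
    if req.query.get("store") == "1":
        pass  # persist(doc) would go here
    return Response(200, doc)


def static_references_auth(handler) -> bool:
    """What a name-matching rule sees: does the handler reference check_auth anywhere?
    co_names lists the global names a function body uses, so both handlers pass."""
    return "check_auth" in handler.__code__.co_names


def unauthenticated_input_reaches_parser(handler) -> bool:
    """DAST-style probe: post a minimal PDF with no credentials and see whether parser output
    comes back. True means untrusted input was processed before any authorisation decision."""
    probe = Request(headers={}, body=b"%PDF-1.4\n/Page\n/Page\n%%EOF")  # constructed input
    resp = handler(probe)
    return resp.status == 200 and "pages" in resp.body


def compare() -> dict:
    """Run both checks over both handlers; the static column cannot tell them apart."""
    return {
        name: {
            "static_finds_auth_call": static_references_auth(h),
            "runtime_unauth_reaches_parser": unauthenticated_input_reaches_parser(h),
        }
        for name, h in (("vulnerable", upload_vulnerable), ("fixed", upload_fixed))
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The static column is True for both handlers; only the runtime probe shows that the vulnerable handler hands attacker-controlled bytes to the parser before authentication. That is the whole argument for testing the running application, and it is also why the probe must be written against the behaviour you care about (did the parser run?) rather than against a status code alone.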

What did OWASP signal about its 2026 roadmap at RSAC?

OWASP ran four dedicated GenAI security sessions at RSAC 2026. The project has grown to 25,000+ members, and four main-floor conference sessions reflect AI security moving from a niche track to a mainstream concern.

The Q2 2026 publication roadmap covers: the OWASP Top 10 for Agentic Applications 2026 developed with 100+ industry experts, the Guide for Secure MCP Server Development (published February 2026), the SBOM/AIBOM Generator, and the AI Security Solutions Landscape for Agentic Red Teaming (April 2026). OWASP AIVSS v0.8 is also in development — extending CVSS concepts to AI-specific risk quantification.

For FinTech and HealthTech teams, the compliance signal is real. EU AI Act enforcement for high-risk AI was set for August 2026, with fines up to €15 million or 3% of global turnover, whichever is higher. A November 2025 Omnibus revision proposes pushing some obligations out to December 2027, so the deadline carries some uncertainty. The guidance does not. For organisations moving from awareness to action, the DevSecEng organisational shift explains what the structural response looks like. For the full standards breakdown, check the OWASP AI Testing Guide article.

Are AI-native security vendors a real category or marketing repackaging?

The scepticism is fair. The RSAC 2026 vendor floor had both genuine category innovators and repackaged incumbents.

The test that separates them: whether the vendor’s detection logic is AI-code-aware at the analysis level, not just at the reporting level. Veracode’s Spring 2026 GenAI Code Security Report — 80 development tasks, 150+ LLMs, no security-specific prompting — found AI-generated code introduced vulnerabilities in 45% of tasks. CodeRabbit’s analysis found AI-authored PRs produced 2.74× more XSS vulnerabilities. Both figures come from companies with products in this space, so treat them as published-methodology data points rather than neutral research, but neither is a positioning claim from the AI-native challengers being evaluated.

The ADS eight pillars are a more reliable evaluation framework than any vendor positioning statement. Ask each vendor which capability areas they cover natively versus via integration, and which they don’t cover at all. The AI-native challengers — ZeroPath in SAST, OX Security’s evidence-based ASPM approach — differ structurally because their analysis engines were built for AI output patterns from the start. For a structured comparison, see the vendors who differentiated at the conference. For the full picture of the AI code security blind spot this conference addressed — covering diagnosis, organisational response, tooling, and compliance — see the series overview.

FAQ

What exactly is the Agentic Development Lifecycle (ADLC)?

The ADLC is Forrester’s term for the lifecycle where AI coding agents generate, review, and ship code at machine speed. Humans set intent and guardrails; agents handle execution. Terminology variants exist: Cycode uses “ADLC” and “Agentic-SDLC” interchangeably; AWS uses “AI-DLC” for their open-source framework.

Who is Janet Worthington and why does her work matter?

Janet Worthington is a Senior Analyst at Forrester Research and co-author of Forrester’s post-RSAC 2026 recap. As an independent analyst, her ADS category definition carries weight with enterprise buyers in a way vendor-produced frameworks simply don’t.

What is “least agency” and how is it different from least privilege?

Least privilege limits what a principal (a user, service, or process) can access. Least agency applies the same logic to AI agents: an agent receives only the capabilities needed for the specific task it is executing, not a standing set of permissions. The distinction matters because AI agents can act across multiple systems simultaneously, so least agency limits blast radius at the task level rather than the identity level.

What is slopsquatting and why is it an AI-specific supply chain risk?

Slopsquatting is where adversaries pre-register package names that AI models predictably hallucinate. Analysis of 576,000 AI-generated code samples found 20% recommended non-existent package names, with 43% of those hallucinated names consistently recommended across ten separate queries — predictable enough to pre-register.
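The practical control is to catch a hallucinated name before it is installed, and because an agent repeats the same name across files in a session (the point made earlier about consistent, model-specific mistakes at scale), the check should count occurrences rather than stop at the first hit. The following is an added example constructed for this article, not code from any cited study or vendor: a pre-commit gate that pulls top-level imports and requirements entries from an agent’s output, normalises them the way the index does, and refuses the commit if any name is absent from a snapshot of the index. The index snapshot, the import-to-distribution map, the stdlib subset and the sample files are all made up; a real gate would query the live index and a curated allowlist.

```python
# Added example for this article; every data set below is constructed.
import re
from collections import Counter

# Constructed snapshot of normalised distribution names the index actually serves.
KNOWN_DISTRIBUTIONS = {"requests", "pyyaml", "cryptography", "pyjwt", "flask"}

# Modules whose import name differs from the distribution name (constructed subset).
IMPORT_TO_DIST = {"yaml": "pyyaml", "jwt": "pyjwt"}

# Top-level stdlib modules to ignore (constructed subset; sys.stdlib_module_names is the full list on 3.10+).
STDLIB = {"os", "sys", "json", "re", "hashlib", "hmac", "base64", "pathlib", "typing"}

IMPORT_RE = re.compile(r"^\s*(?:from\s+([A-Za-z_]\w*)|import\s+([A-Za-z_]\w*))", re.M)
REQUIREMENT_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 name normalisation: lower-case and collapse runs of '-', '_' and '.' to one hyphen,
    so requests_auth_helper and Requests-Auth-Helper resolve to the same index entry."""
    return re.sub(r"[-_.]+", "-", name).lower()


def top_level_imports(source: str) -> set[str]:
    """First path component of every import / from statement in a file."""
    return {m.group(1) or m.group(2) for m in IMPORT_RE.finditer(source)}


def unknown_from_requirements(text: str) -> set[str]:
    """Normalised names in a requirements file that the index snapshot does not know."""
    unknown = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = REQUIREMENT_RE.match(line)
        if m:
            dist = normalize(m.group(1))
            if dist not in KNOWN_DISTRIBUTIONS:
                unknown.add(dist)
    return unknown


def audit_sources(files: dict[str, str]) -> dict:
    """Count how many files import each unknown distribution. A hallucinated name an agent
    repeated across a session shows up as one entry with a high count, which is the
    pre-registerable pattern slopsquatting relies on."""
    hits = Counter()
    where = {}
    for path, src in files.items():
        for mod in top_level_imports(src):
            if mod in STDLIB:
                continue
            dist = normalize(IMPORT_TO_DIST.get(mod, mod))
            if dist not in KNOWN_DISTRIBUTIONS:
                hits[dist] += 1
                where.setdefault(dist, []).append(path)
    return {"unknown": dict(hits), "files": where}


def commit_allowed(files: dict[str, str], requirements: str) -> bool:
    """Gate: refuse the commit if any unknown distribution appears in sources or requirements."""
    return not audit_sources(files)["unknown"] and not unknown_from_requirements(requirements)


# Constructed sample: three files from one agent session plus the requirements file it wrote.
SAMPLE_FILES = {
    "api/auth.py": "import os\nimport requests\nimport requests_auth_helper\nfrom jwt import decode\n",
    "api/client.py": "import json\nimport requests_auth_helper\n",
    "api/upload.py": "import yaml\nimport pdf_sanitizer\nfrom flask import Flask\n",
}
SAMPLE_REQUIREMENTS = "requests==2.32.0\nPyYAML>=6.0\nrequests_auth_helper==1.0  # suggested by agent\n"

if __name__ == "__main__":
    print(audit_sources(SAMPLE_FILES))
    print(unknown_from_requirements(SAMPLE_REQUIREMENTS))
    print("commit allowed:", commit_allowed(SAMPLE_FILES, SAMPLE_REQUIREMENTS))
```

Two design points worth keeping when you adapt this. Normalising names before the lookup matters because the index treats requests_auth_helper, requests-auth-helper and Requests.Auth.Helper as one name, and an attacker registering any spelling captures all of them. And the gate deliberately fails closed on "unknown" rather than on "known malicious": a name that does not exist today is exactly the name that is cheapest for an adversary to register tomorrow.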

Is the 45% AI code vulnerability rate from independent research?

Mostly. The figure comes from Veracode’s Spring 2026 GenAI Code Security Report — 80 tasks, 150+ LLMs, no security prompting — which found that 45% of tasks introduced a known security flaw. Veracode is an AppSec vendor, so it is not neutral research in the strict sense, but the methodology is published and Forrester, CSA, and OWASP all reference the figure, which is why it functions as a credibility anchor.

What is the OWASP AIVSS and why does it matter?

OWASP AIVSS v0.8 extends CVSS concepts to AI-specific risk, giving teams a standardised method for prioritising AI agent vulnerabilities. It gives security teams and compliance auditors a shared language for rating AI agent risks. Finalisation is expected alongside the Q2 2026 OWASP publications.

How should I evaluate AppSec vendors following RSAC 2026?

Forrester’s eight ADS capability areas give you the evaluation grid: code and dependency analysis, coding guardrails, triage and prioritisation, remediation, dynamic testing, quality gates, supply chain protection, governance analytics. Ask vendors to identify native coverage versus integration coverage for each area. No vendor currently covers all eight natively — anyone claiming otherwise should be asked to demonstrate it against AI-generated code samples, not human-authored test cases.

What does the EU AI Act have to do with RSAC 2026 AppSec discussions?

EU AI Act enforcement for high-risk AI was originally set for August 2026 with fines up to €15 million or 3% of global turnover. A November 2025 Omnibus revision proposes pushing some obligations to December 2027. For organisations in regulated sectors, OWASP’s GenAI sessions and publication roadmap are already being referenced by compliance teams as the practical controls framework — regardless of where the final deadline lands.

Will the ADS framework be useful for teams not yet using AI coding agents?

100% of surveyed organisations (Cycode 2026) confirmed they have AI-generated code in their codebase; 81% have no visibility into how it’s being used. AI-generated code jumped from 22% to 27% in a single quarter. The ADS framework starts with an inventory step — assess current AI tool usage, identify where AI output enters the codebase, measure existing scanning coverage against AI-specific vulnerability classes. If you haven’t started that inventory, start there.

What is the AI-BOM and how does it relate to traditional SBOM?

An AI-BOM inventories every AI component in the software stack: LLMs, MCP servers, AI SDKs, coding agents, and the code they generated. It extends traditional SBOM concepts to the AI-specific supply chain. SPDX 3.0 has been extended with a dedicated AI profile supporting both NIST AI RMF and EU AI Act requirements.
