Reflections on BSides and RSAC 2026
authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Keycloak, and Ping. Authentik Security is a public benefit company building on top of the open source authentik project.
Another year, another round of San Francisco conferences!
We were fortunate enough to have the Authentik Security team represented across two talks this year at BSidesSF:
- Building an open source security project with 1M+ installations
- How the Vietnam War created single sign-on — and how it's evolved since
These should be posted by BSidesSF in coming weeks.
Some takeaways from the week:
BSidesSF is a wonderful experience
I love a lot about DEFCON. We had a very memorable team experience there last year. But it's a lot to handle, from the sheer size of the event, to the shouting goons, to the sub-sub-niche communities of experts you can find around every corner, to everything about Vegas itself.
BSidesSF was just so friendly by comparison. And while a "village" at the < 2,000-person event might not be much more than a single fold-out table, it also meant that everything was much more approachable, whether you're a beginner or expert.
Having the AMC Metreon as a venue also helps with the great vibes. As an audience member, sitting in a cozy movie theater chair to watch talks, instead of being crammed into tight rows of stackable chairs, is almost too relaxing. As a speaker, getting to see your entire audience - and have your entire audience see your entire XL slides - is a vast improvement over my average experience. The main "stage" uses one of the largest IMAX screens in the US, nearly a hundred feet across. Plus, you get the constant mini-rush of 'sneaking' into the movie theater off-hours.
IAM is fragmented
Sure, we were at security conferences, but it still struck me just how focused the companies, attendees, and talks were on identity and access specifically - but spread out across lots of individual problem spaces. This is partly driven by AI and agent adoption (more on that shortly), but also because there are just so many big, important problems to be solved in identity and access.
Because of this, there are also inevitably dozens of companies offering point solutions to these pains; they reasonably focus on an individual problem, raise a bit of seed funding for a small team to tackle this with a specialized product, then go to market with their "onboard your Windows users" or "enforce SSO for your remote contractors" solution. I counted a handful of companies whose sole purpose was to make Okta slightly less painful - by performing functions that Okta technically does already, just a bit better.
The issue here is that, while a company can bolt on dozens of solutions to improve their identity capabilities, eventually they're paying for and maintaining those dozens of separate solutions on top of their existing identity providers, introducing much more complexity than if they had been able to do more with a single flexible platform.
This has become a common refrain that we hear from our customers when they initially migrate to authentik to escape Entra, Ping, or Okta; they consistently find in the coming months that they're also able to decommission a dozen other services that had been providing various no-longer-needed IAM bandaids meant to overcome the limitations of their old identity providers.
AI was everywhere
Every company that possibly could was touting itself as the "[x] for AI" or "AI for [y]" company. This includes new startups dedicated to "agentic identity" or "MCP security" as well as long-time market leaders hastily rebranding themselves as being 100% AI-focused.
Often that was about as deep as the branding exercise went, however; if you asked how any of these existing companies were specifically gearing themselves for AI, the conversation usually went back to the standard demos and capabilities.
As well it should be, to some extent: if AI agents are expected to perform "human-level" tasks, augmenting or automating much of our current day-to-day work, then it's something of a mystery how we're reinventing entire systems from scratch "for" agents to use. MCP seems to be a necessary piece of duct tape for working with applications that don't already have better APIs or CLIs for interaction. But when it comes to something as broad as identity or access, all the same best practices should be applied to humans and agents alike - finely scoped permissions, passwordless access, rapid scalability, etc.
We are not completely immune to this force; while authentik has already supported non-human service accounts for years, we will be announcing additional functionality in coming months to further enable finely scoped permissioning for non-human agent users within a single cohesive system. That said, I'll wait for this to be more finalized before announcing specific new capabilities - speaking of which...
Vaporware and hype abound
Promises abound at RSAC, but when you dig into the demos, what's actually available today is often at best a faint whisper of that potential.
An example: RSA (the company) chose RSAC to announce its "launch" of Sovereign Deployment, some sort of compliance-friendly identity solution. RSA claims it to be "the first and only full stack identity solution that enables government agencies, financial services, critical infrastructure, and healthcare organizations to modernize their identity infrastructure while meeting regulatory requirements and supporting operational complexity—without ever compromising on security or availability." Interesting... I thought that's what we had already been doing for years.
Although there is precious little detail in the eight paragraphs of press release, it does welcome attendees to stop by their booth for a preview, so I did. After being handed off a couple of times, I was told that they don't have such a demo, but that a rough POC exists "on one guy's laptop" so far. So, it sounds like it might be a little while before they're able to match our 100k+ user deployments in airgapped federal, financial, and healthcare environments.
While it's tough to cut through the noise at RSAC, the expo floor was often still a great way to get quick, individualized demos that highlight actual product capabilities (or sometimes lack thereof). Just come prepared to each booth of interest with pointed questions, and prepare your inbox to pay the cost in outreach emails afterward.
Identity is moving in-house
The idea of "sovereignty" does touch on an important theme among the CISOs and security teams at larger organizations I spoke with. They all agreed that outsourcing their identity needs to a sprawling set of SaaS providers was an unsustainable, even dangerous approach. Again, the proliferation of agents (with sometimes questionable security policies attached) is only accelerating this need.
As the capability to automate scales up and identity becomes more critically tied to a broader set of capabilities - getting any work done, not just for employees accessing SaaS applications - reliable "identity bandwidth" really matters. It's no longer enough for organizations to hope that access stays up and secure based on a third-party SaaS provider with a rough guarantee of four nines and an even rougher security track record.
We look forward to helping more organizations and community members take control of their identity needs with a flexible, secure solution to streamline access for all users: employees and customers, humans and non-humans, in private cloud or on-prem.
It was great to meet and catch up with so many of you in person last week. We will be speaking at DjangoCon EU, sponsoring Identiverse in Vegas, and out around various other events this year, so come meet us in person and chat about authentik!
