What You Missed on the Expo Floor
Key Moves in Risk & Compliance at RSAC 2025:
- RSA launched ISPM dashboards for identity-focused risk posture
- Black Kite rolled out Vulnerability Intelligence Briefs for third-party risk visibility
- Drata showcased live compliance automation + reporting
- AppOmni previewed a Model Context Protocol (MCP) server for cross-tool SaaS risk coordination
- DORA, NIS2, and the UK’s new Cyber Resilience Bill were center stage in panel talks
At RSA Conference 2025, held from April 28 to May 1 in San Francisco, the focus on compliance and risk management was more pronounced than ever. Our team was on the ground throughout the event—attending keynotes, sitting in on panel discussions, and speaking directly with solution providers and CISOs. Across every conversation, it was clear that compliance has become a core part of strategic decision-making, not just a regulatory formality.
The convergence of AI technologies, expanding regulatory frameworks, and the complexities of third-party ecosystems underscored the urgent need for organizations to adopt proactive and integrated approaches to governance and risk mitigation. Here are some key themes from the show that stood out:
GRC Is Getting Smarter—and More Urgent
This year, Compliance & Risk Management wasn’t a backroom topic—it was the backbone of security conversations. We sat in on “Architecting Data Analytics for Continuous Risk Management” and “Shadow AI: Shining the Governance Light on AI,” where the message was consistent: regulatory compliance is now business-critical risk management.
RSA’s own release of Identity Security Posture Management (ISPM) was a clear signal. These AI-powered dashboards give organizations continuous visibility into risk indicators like excessive entitlements, orphaned accounts, and policy violations—exactly the kind of exposure regulators are watching for.
“We used to ask, ‘Are we compliant?’ Now we ask, ‘Are we resilient?’”
—Jim Taylor, CTO, RSA
Microsoft announced a preview of Security Copilot Agents integrated with Microsoft Purview, aiming to strengthen data governance and compliance through AI-driven security tooling.
Semperis launched Ready1, an enterprise resilience platform designed to bring structure, speed, and coordination to cyber crisis management.
Third-Party Risk Takes the Spotlight
Every conversation about risk now includes supply chain security. Black Kite made waves with its Vulnerability Intelligence Briefs (VIBs), giving CISOs a clear way to score third-party threats based on exploitability and real-world exposure—not just CVEs.
Panorays and SecurityScorecard also leaned into this space, framing compliance in terms of vendor accountability and transparency, especially in light of NIS2 and the Digital Operational Resilience Act (DORA).
RiskRecon highlighted its continuous vendor monitoring solution, offering risk-prioritized action plans and demonstrating new product enhancements like the Privacy Ratings module.
Vanta demonstrated how AI is reshaping third-party risk by simplifying and automating the compliance and review process, from vendor reviews and questionnaires to managing compliance controls.
Automation Is the New Compliance Engine
Platforms like Drata and AuditBoard emphasized how AI and integrations are transforming traditional compliance workflows. By syncing with cloud infrastructure, identity systems, and ticketing tools, these platforms now enable real-time compliance monitoring with automatic evidence collection—cutting prep time for audits from weeks to hours.
AppOmni, meanwhile, showcased a new Model Context Protocol (MCP) server designed to coordinate decisions across SaaS tools—useful for fast-growing environments with overlapping access and compliance boundaries.
Tufin debuted TufinAI, a cross-platform AI engine designed to modernize security policy management across hybrid environments, showcasing its potential to drive automation and efficiency in enterprise network security.
WitnessAI, a recent startup, demoed its platform, which gives companies greater control over the generative AI models they deploy while monitoring and auditing activity across applications and uncovering shadow AI.
Regulation Isn’t Just Expanding—It’s Accelerating
From hallway conversations to executive sessions, the tone was clear: regulations are growing in scope, speed, and enforcement teeth.
Sessions on the UK Cyber Resilience Bill and the EU’s DORA stressed the need for organizations to implement proactive, adaptive controls—not just after-the-fact reporting.

What We Heard at the Show
“You can’t treat compliance like a once-a-year sprint anymore. It has to be always-on.”
— Mike Benjamin, Cybersecurity CTO, Capital One
“Third-party accountability is going to define the next era of cyber regulation.”
— Matt Lee, Security & Compliance Senior Director, Pax8

Why It Matters
RSAC 2025 made one thing clear: compliance is becoming more than a reporting exercise; it is your risk radar.
Top-performing organizations are:
- Integrating identity and access posture into GRC
- Automating real-time evidence collection
- Assessing third-party risk with actionable threat intelligence
- Mapping evolving frameworks (like DORA, NIS2, and CCPA 2.0) into their day-to-day operations
If your compliance tools aren’t helping you move faster and think smarter, you may be falling behind. Check out our vetted list of GRC solution providers.
For more insights and detailed discussions from RSA Conference 2025, explore the full agenda and session recordings available on the RSA Conference website.