There were over 100 sessions that dealt with AI at the conference. Many conference attendees were most interested in the double-edged sword of generative AI: how to use it as a tool to detect and prevent cyberattacks and how cyber criminals use the technology to launch attacks. AI’s role in misinformation campaigns and developing deepfakes has many people worried about a significant shift in the way threat actors use social engineering. This worry only compounds with the concern that security awareness training won’t be able to keep up.

The term “shadow AI” was mentioned a number of times, often by CISOs who expressed concern that the risks faced through shadow IT and shadow cloud behaviors are beginning to repeat themselves in the use of unauthorized AI. Right now, much of shadow AI is related to employees who use tools like ChatGPT for research resources and trusting the information they receive as absolute truths. But as employees become more sophisticated in using AI tools and as generative AI shows itself as a potential security risk, CISOs want to see steps taken to get AI policies and approved tools adopted into the organizations sooner rather than later.

However, one of the issues that cybersecurity experts were quick to point out is the need to separate generative AI from other types of AI. Because of the overwhelming presence of AI throughout the conference, the technology has this feeling of newness to it, that it is something that was just introduced in the past year. Many of the panel discussions covered machine learning and large language models and how to build on the predictive benefits these technologies bring to cybersecurity tools. AI isn’t new, one CISO said; it’s been around in some form for decades. The hope is that the AI hype of this year settles down by RSAC 2025 and that there will be more positive discussions around building better predictive models with AI or more defined uses of the tool.