We were proud to speak at the Rocky Mountain Information Security Conference this year. Three days, dozens of sessions, and a lot of honest conversation from practitioners living these problems daily.
Here is what stood out.
THE GAP BETWEEN AMBITION AND ACCOUNTABILITY
AI is moving faster than the structures built to govern it. That was the clearest signal across the conference.
Microsoft’s carbon footprint grew 23.4% from AI infrastructure last year. State-level regulation, including Colorado’s AI Act (SB 205), is already creating binding obligations for organizations deploying high-risk AI systems. On the compliance side, FedRAMP authorization still costs $800K to $2M and takes up to two years to complete.
The pattern is consistent: organizations adopt fast and govern slowly. The technology outpaces the accountability structure. At some point, that gap closes on its own terms, and those terms are rarely favorable.
YOUR EXISTING CONTROLS WERE NOT BUILT FOR THIS
Whether you are dealing with AI agents that operate within their approved scope but toward unintended ends, employees using unsanctioned AI tools that bypass your data loss prevention controls entirely, or a security team chasing individual vulnerabilities while the root cause goes unaddressed, the pattern is the same.
Security programs were designed for a more predictable threat surface. The high-performing teams we heard from are not responding by adding more controls. They are going upstream: to root causes, to governance architecture, to data classification before incidents happen.
One data point that stuck: over 80% of workers are already using unapproved AI tools. Forty-two percent of organizations have experienced an AI-related security incident. You cannot govern what you have not found. The recommended sequence is Discover, Classify, Control, Monitor, in that order.
THE HARDEST PROBLEM IS STILL THE HUMAN ONE
One of the most grounded sessions at the conference made a pointed argument: the industry’s talent crisis is self-inflicted.
A 31% cybersecurity attrition rate is not a pipeline problem. It is a retention problem. Organizations recruit aggressively and underinvest in the culture, career development, and leadership that keep people. Technical excellence without investment in people is a strategy with an expiration date. The conference reinforced this from multiple directions: keynote, breakouts, and hallway conversation.
SIMPLICITY IS A SECURITY STRATEGY
This was the thread that ran through day three. IR programs fail not because teams lack tools, but because playbooks are too complicated to execute under pressure. AppSec teams that chase vulnerabilities reactively never escape the treadmill. Compliance teams that pursue every framework at once exhaust themselves and gain little.
“Not yet is sequencing, not failure” was probably the most actionable line of the conference. You cannot do everything at once. The organizations making progress chose a direction and went deep, rather than spreading thin across every priority simultaneously.
WHAT THIS MEANS
The security industry has the frameworks, the tools, and in many cases the regulatory clarity. What is harder to manufacture is the discipline to prioritize, the culture to retain talent, and the willingness to govern AI as rigorously as you adopt it.
We left RMISC thinking about where those gaps are sharpest for the organizations we work with, and what it looks like to close them.
If any of these themes resonate with what you are navigating right now, we would be glad to compare notes.

