
San Francisco Secure Software and AppSec Summit 2026: The Next AppSec Operating Model

Blog post from GitGuardian

Post Details
Author: Dwayne McDaniel
Word Count: 1,898
Language: English
Summary

The San Francisco Secure Software and AppSec Summit 2026, held in Palo Alto, highlighted the evolving landscape of application security, emphasizing the rapid integration of AI and the challenges it presents. Key discussions revolved around the need to treat AI agents with caution, similar to interns with root access, by implementing robust control measures such as capability scoping, sandboxed execution, and human approval gates for critical actions. The summit underscored the importance of decommissioning obsolete systems and the necessity for cross-functional processes to manage asset shutdowns effectively. Panelists debated the limitations of Software Bills of Materials (SBOMs) in preventing vulnerabilities and stressed the urgency for system-level guardrails to manage dependencies in AI-assisted development. The future of application security is seen as shifting towards control plane engineering, where accountability for software changes, retirement, and delegation to agents is prioritized. The summit emphasized the need for machine-enforced boundaries to keep pace with AI-generated work and highlighted the significance of ownership and reversibility in managing security risks. AppSec is evolving from a reactive review function to an integrated operating model, focusing on creating systems that prevent vulnerabilities by default.