# We Fed Security Leaders Wagyu and Hard Truths at RSA. Here's What We Learned. *A recap from Postman's intimate dinner for security leaders — where the wine was world-class and the reality checks were free.* ![](https://blog.postman.com/wp-content/uploads/2026/04/©Alessandro-Desogos-social-media-116-1024x683.jpg) A few weeks ago during RSA, a small group of CISOs and security leaders walked into Niku Steakhouse in San Francisco expecting a nice steak. What they got, in addition to a genuinely excellent tasting menu, was a frank conversation about the state of AI and API security that no vendor-sponsored keynote would ever let happen. That was the point. I hosted the dinner during RSA week: intentionally off-the-record, intentionally small, and intentionally *not* a sales event. I know, I know. Every vendor says that. I mean it. There were no slides with ROI calculators. **The Blast Radius Is Getting Bigger. Uncomfortably So.** Let's start with the uncomfortable truth I opened with: **LLMs hallucinate text. Agents hallucinate *actions*.** That distinction matters enormously. When a chatbot gives you bad information, someone reads something wrong. When an AI agent makes a bad decision, it *does* something wrong; and "something" increasingly means touching production systems, mutating data, or calling APIs that affect real users at scale. At Postman, we deployed [Agent Mode](https://www.postman.com/product/agent-mode/) to 40 million users. The security risk model for that is not "what if it says something weird." It's "what if it *does* something weird…to 40 million people simultaneously." The blast radius has shifted from information leakage to unauthorized system mutation. Product trust teams, take note. Your frameworks were not built for this. They need to run faster. ## **Five Lessons from Actually Doing This at Scale** I didn't show up with just opinions. I showed up with scars. Here's what we learned the hard way. 1. **Build structure for agents, not freedom.** Counterintuitively, constraining your AI agent makes it *better*, not worse. Permission-aware data access and deterministic execution boundaries aren't bureaucratic overhead — they're the reason fewer things go wrong. Freedom sounds good in a pitch deck. Structure is what keeps you employed. 2. **The "why" matters more than the "what."** Intent logging — capturing the user prompt, the agent's reasoning, the proposed action, the human approval or rejection, and the final outcome — is how you actually understand what your agents are doing and improve over time. You can't govern what you can't observe. Build the loop: Observe → Adapt → Retry → Plan → Improve. 3. **Your AI supply chain is probably too complicated.** The candy store approach to AI tooling — one model here, a sub-agent there, a third-party integration everywhere — doesn't scale. It expands vendor risk, model risk, and your operational blast radius all at once. Too many tools overwhelm models. Too many sub-agents create governance ambiguity. The security principle is simple: reduce execution surface *before* you're writing an incident report. 4. **Think like a data owner, not just a data protector.** Isolating data isn't enough — you have to isolate the *execution environment*. That means ephemeral containers, contextual starvation, encryption at every layer, zero data retention agreements with subprocessors, and PII stripped before it ever reaches the model. Redact first. Ask questions later. 5. **Empower your admins. Kill shadow AI before it kills you.** My job as a security leader isn't to say no — it's to provide a *governed yes*. That means giving human admins the actual tools to do their jobs: kill switches, user and group access controls, MCP server allowlists, clear separation between experiment and production, and executive visibility into what's actually happening. If you don't build the governed path, people will find the ungoverned one. They always do. ## ![](https://blog.postman.com/wp-content/uploads/2026/04/©Alessandro-Desogos-social-media-119-1024x683.jpg) ## **The Room Got Real** The conversation that followed — which, true to the off-the-record format, stays in the room — was exactly what you'd hope for when you put a dozen experienced security leaders around a dinner table without a product demo running in the background. People talked about what's actually hard. Not the polished version of hard. The real version. That's the conversation worth having during RSA week, when everyone outside is trading buzzwords and logo-covered tote bags. ## **The Takeaway** Responsible AI isn't about moving slower. It's about building better brakes so you can drive the fastest car on the track. For security leaders, that's the job right now — not blocking AI adoption, not pretending the risk doesn't exist, but building a braking system good enough that your organization can actually move fast and stop when it needs to. The steak was great. The conversation was better. *I host periodic private dinners and peer exchanges for security leaders. If you're a CISO or senior security decision-maker interested in future conversations, reach out.* ![](https://blog.postman.com/wp-content/uploads/2026/04/©Alessandro-Desogos-social-media-123-1024x683.jpg)