A recap of the San Francisco Secure Software and AppSec Summit 2026, covering key themes from practitioner sessions. Topics included securing autonomous AI agents (treating prompt injection like arbitrary code execution, scoping agent permissions, requiring revocable identities), decommissioning stale infrastructure as a security control, the limited effectiveness of SBOMs for production risk reduction, and the future of AppSec shifting from manual code review toward control plane engineering. The overarching message: AppSec is moving from a review function to an architectural layer that enforces constraints at machine speed, with ownership accountability and reversibility as the new security boundaries.
Table of contents
The Agent in the Hoodie
Kill the Server Before It Kills You
SBOMs, Herds, and the Dependency Reality Check
AppSec Moves Closer to the Architecture
AppSec Is Becoming Control Plane Engineering
The Work Of AppSec Is Moving Down a Layer