At RSAC 2026, AI’s rapid integration into organizations highlighted the critical role of identity security in mitigating risks posed by agentic AI. Chris Kelly, Delinea’s president for go-to-market, emphasizes that as AI shifts from a tool to an autonomous agent, every AI action must be tied to a verified identity and governed by real-time policies. In this Q&A, Kelly also stresses that just-in-time access is essential for managing AI agents and privileged users.
What was the big trend coming out of RSAC 2026, and how do you see that trend shaping the industry in the next 12 to 18 months?
Kelly: AI is already everywhere, but it became clear at RSAC that identity is at the core of enabling secure AI innovation – especially as we step further into the agentic AI era. Over the next year and a half, we’ll see a growing push to govern AI agents more comprehensively. Companies are beginning to understand that the security risks of agentic AI are beginning to catch up with their potential to drive innovation. Their volume is already outpacing the security controls organizations have in place, so I think we’ll see a shift from a “speed over security” mentality to a “security to enable growth” approach.
Delinea’s recent messaging is around AI agents. As we move to more AI-as-an-actor (not just a tool), how can CISOs maintain an audit trail for an agent making real-time decisions?
Kelly: To maintain an audit trail for AI agents acting in real time, CISOs need to move beyond basic logging. Every action should be tied to a verified identity, evaluated against policy at the moment of execution and recorded with enough context to explain what happened, why it happened and what systems or data were involved.
That’s especially important as organizations treat AI as an actor rather than a tool. Standing privileges create too much risk; the better approach is dynamic, just-in-time access so AI agents only get the permissions they need for a specific task, with access revoked once the task is complete, to ensure every action is fully attributable and auditable. AI agents are a new class of privileged user, and should be governed as such.
Continuous automation: Is the goal to make the password vault obsolete in favor of Just in Time access, or do they co-exist (and why)?
Kelly: Password vaults aren’t going away, but they’re no longer enough on their own. Vaults are still essential for securing credentials, but organizations also need just-in-time access to reduce standing privilege and grant elevated access only when it’s needed. For most organizations, vault and JIT work together to reduce risk in automated environments.
Delinea is emphasizing identity resilience. For a CISO on a budget, is resiliency more about buying additional backup tools or about a fundamental change in how they architect their identity stack?
Kelly: Identity resilience is more about strengthening the way identity is managed than adding backup tools. The biggest gains come from getting the basics right: enforcing least privilege and just-in-time access across environments. That doesn’t mean ripping and replacing your entire identity stack. Resilience improves when organizations build stronger controls around the identities and access paths that matter most.
If IT leaders only change one thing about identity governance in 2026, what should that be?
Kelly: The main identity goal for IT leaders in 2026 should be to treat non-human identities with the same governance as human users. You can’t secure what you can’t see, so the first step is discovering every identity, understanding what access it has and identifying where privileges are excessive, persistent or unmanaged.
Meet Chris:
Chris Kelly is the President of Go-To-Market (GTM) at Delinea, overseeing Global Sales, Channel and Customer Success. With more than 25 years of experience in the cybersecurity industry, Chris has a proven track record of scaling businesses and leading high-performing teams at every stage of growth, from startups to global enterprises.
If you like these insights on cybersecurity, sign up for the ISACA SmartBrief on Cybersecurity, a daily look at the top news and workforce education topics.