
May 27, 2026. Commonwealth Club. It’s going to be epic.
Last October was our biggest summit yet. But this one feels different. The agentic attack surface has changed more in the last six months than in the two years before it - OpenClaw, frameworks like the OWASP Top 10 for Agentic Applications, and the emergent “Vulnpocalypse” have added a consequential gravity to the discussion of agent security in the enterprise.
The people we've got on stage have been living inside that shift. They're not here to talk theory.
This is where the real conversation happens.
No vendor pitches. No fluff. Just practitioners, researchers, and security leaders who are actually breaking things, building things, and willing to be honest about both. It's where frameworks like the OWASP Top 10 for Agentic Applications get stress-tested, where the standards being written right now get shaped by the people who'll have to live with them.
Here's a taste of who's up:
Gadi Evron: No one stops the storm. Gadi shows you how to ride it - enough said for now.
Jim Reavis: In April, Claude Mythos autonomously found 271 Firefox vulnerabilities in a single engagement. The zero-day clock has collapsed from 56 days to 9 hours. Jim breaks down what actually changed after Mythos and where security leaders need to focus now to build a program that can keep pace.
Jenn Gile: AI skill registries didn't exist until January 2026. By February, there were 700+ malicious skills in the wild. Jenn walks through the ClawHub campaign - how threat actors weaponized skills to steal crypto and credentials, why VirusTotal scanning gave a false sense of safety, and what you can actually do before you install a skill.
Chris Hughes, Jim Reavis, Rajiv Dattani & Cassie Crossley: Existing compliance frameworks weren't built for agents. Autonomous decisions, dynamic tool use, machine-speed identity proliferation - AIUC-1 was built to close that gap. This panel gets into what the standard prescribes that nothing else covers, and how you move agents from pilots to production safely.
Aron Eidelman: Agents can write a lot of code fast. That's the problem. Aron shows you how test-driven development and context engineering keep agentic output secure, stable, and actually reviewable - so you ship faster without losing control.
Ishan Shah: Long-running agents don't fail all at once - they drift. Stale context, poisoned memory, temporary exceptions that never expire. Ishan breaks down why state management is a security control, not cleanup, and what it actually takes to keep an agent trustworthy over time.
Rein Daelman: Your CI/CD pipeline is probably already running AI agents with shell access, write tokens, and secrets. Rein shows exactly how prompt injection turns a GitHub issue into a supply chain attack.
Aamiruddin Syed: Attackers don't need infrastructure access anymore - they just need to control the identity. Aamiruddin breaks down how tool provenance, runtime dependencies, and delegated trust become exploitable attack surfaces, and what it takes to enforce verifiable identity across the agentic supply chain.
This community has been ahead of the curve every time. LCNC risks before they were mainstream. Copilot attack surfaces before vendors acknowledged them. Agentic risk before most people had a name for it.
It’s time for the next chapter. Come be part of it.
See the full agenda and grab your spot at zenity.io/resources/events/ai-agent-security-summit-san-francisco