Notes from the Cyber AI Expo: the tool is not the point


I went to the Cyber / AI Expo in Munich a couple of days ago expecting a sales floor. There was one. The thing I came away thinking about, though, wasn't on any booth.

The expo was predictable enough: wall-to-wall vendors, each with a product to move. AI-powered detection, AI-powered response, AI-powered everything. You expect the message to be "here is the tool that solves it." But what I actually heard, talk after talk, was closer to the opposite: The tool is not the point.

The clearest version came from the Microsoft and NVISO keynote, titled almost exactly that — "Beyond the Model: Why AI in Cybersecurity is an Architecture Problem." A few hours later a fellow Chief AI Officer, from emagine, gave a talk whose title was its whole argument: "Own your stack. Own your risk. You can't govern what you don't own." Two different speakers, two different companies, the same underlying claim. The security question has moved beneath the layer where the products live.

That stuck with me, because it's a thing I've been saying in a different domain for a while, and it's strange to hear it said back to you by the people selling the models.

The speed problem everyone agreed on

The part with the most heat was the attacker-defender shift. The framing across several sessions — one speaker called it the "unleveling effect" — was that AI now compresses every phase of an attack, from phishing to lateral movement, and that defense has to operate at the same speed to survive. One phrase I kept hearing, in different words, was act first and ask questions later: secure the asset now, investigate after, because the attack isn't going to wait for a meeting.

While you're sitting there, it's convincing. It was also the moment I started to disagree, and I want to write about that properly another time. "Act first" runs straight into the question of who, or what, is allowed to act — and how much human oversight a regulated system is required to keep. There's a real tension between defending at machine speed and keeping a person meaningfully in control, and "act first, ask questions later" hides that tension instead of resolving it. For now I'll only say the answer probably isn't "remove the human," and it isn't "slow the machine down to human speed" either.

The talk that quietly disagreed with the rest

The session I keep turning over was one about a "self-healing" SOC. Its point cut against the prevailing mood: faster isn't enough. The defenses are still fragmented, the tools still don't share context, the knowledge doesn't travel between them, and the teams still sit in silos. Speed layered on top of a fragmented foundation just gets you to the wrong place sooner.

That matched what the broader data shows. In the ServiceNow and ThoughtLab Enterprise AI Maturity Index 2026 — a survey of 4,500 executives across 19 countries — the share of organizations running integrated, streamlined workflows actually fell from 30% in 2025 to 16% in 2026, even as AI spending rose 110% in a single year. Companies are buying more and connecting less. A room full of point solutions, each impressive on its own, is not a security posture, and the numbers say most organizations are buying more of those disconnected solutions, not fewer.

The newer unease: securing the agents themselves

The theme I didn't expect was about the agents, not the systems. One session had the sharpest title of the day — "AI Security, or who has given a knife to the chatbot?" And several other talks were circling the same problem: once an AI agent is acting on your behalf, reading data and calling tools, you have to verify the agent, not just the human behind it. One speaker described it as machine identities overtaking human ones.

This turns out not to be hypothetical. A few days before the event, on 17 June, Estonia approved a framework to give AI agents their own official digital identity — an "AI ID code" distinct from the person or company behind it, designed so an agent's authority can be scoped, verified, and audited. View data only, draft a document, or make a payment up to a set limit: the permission travels with the agent's identity, not with a blanket handover of the user's credentials. If it holds, Estonia would be the first country to do it, and it lines up with where the EU's own digital-identity wallet work is heading.

That is genuinely new ground. For thirty years, security has asked whether a person is who they claim and whether they're allowed to act. Agents split that into harder questions — who authorized this agent, what was it actually permitted to do, and can that authority be revoked — and most of the security models in that hall were built for the older, simpler version. Having had to build an agent-permission boundary into a tool recently — out of necessity — I have opinions here. But that's a topic for another day.
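The three questions above (who authorized this agent, what it was permitted to do, and whether that authority can be revoked) can be sketched as a deny-by-default check that logs every decision. This is an added example, not code from this post or from Estonia's framework; the `Grant` and `Authorizer` names, the scope strings and the sample agent are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Grant:
    agent_id: str        # the agent's own identity, not the user's credentials
    authorized_by: str   # who delegated the authority
    scopes: frozenset    # actions the agent may take
    payment_limit: int   # per-payment ceiling in cents (0 = no payments)
    expires_at: datetime
    revoked: bool = False

@dataclass
class Authorizer:
    grants: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def authorize(self, agent_id, action, amount=0, now=None):
        """Deny by default; record every decision, including refusals."""
        now = now or datetime.now(timezone.utc)
        g = self.grants.get(agent_id)
        if g is None:
            reason = "unknown agent"
        elif g.revoked:
            reason = "grant revoked"
        elif now >= g.expires_at:
            reason = "grant expired"
        elif action not in g.scopes:
            reason = "action out of scope"
        elif action == "payment:make" and not 0 < amount <= g.payment_limit:
            reason = "amount outside limit"
        else:
            reason = "ok"
        self.audit.append({"at": now.isoformat(), "agent": agent_id,
                           "authorized_by": g.authorized_by if g else None,
                           "action": action, "amount": amount, "decision": reason})
        return reason == "ok", reason

    def revoke(self, agent_id):
        """Revocation takes effect on the very next authorize() call."""
        if agent_id in self.grants:
            self.grants[agent_id].revoked = True

# Constructed sample grant: one agent, two scopes, payments capped at 50.00.
SAMPLE = Grant("agent-001", "user:alice", frozenset({"data:view", "payment:make"}),
               5000, datetime(2099, 1, 1, tzinfo=timezone.utc))
```

The audit list is what lets someone answer, after the fact, which delegation an agent was acting under when a request was allowed or refused.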

The parts that were just an expo

Then there was the setting, which I didn't see coming. The whole event was held inside BMW Welt, so the stages and booths sat among the cars on display — one minute you were hearing how fast an AI-driven attack now unfolds, the next you were standing next to a parked sports car. And the coffee, water, drinks and croissants were free, buffet-style, the entire day, which after a few conferences this year I had quietly stopped expecting.

What I took home

The loudest message at a cyber-AI expo, if you tuned past the booths, wasn't about any particular product. It was a quiet consensus, repeated by people who sell the tools for a living, that the tools are the easy part. The hard part is owning your stack, knowing what your agents are allowed to do, and building defenses that hold together instead of merely moving fast. None of that ships in a box.

You could watch a speaker land on that, sit with it for a second, and then go back to demoing the thing they'd come to sell — knowing, surely, that the most useful thing they'd say all day was the part with no product attached to it.

So before the next renewal or the next pilot, the question worth asking isn't which tool. It's whether the things you already bought share context with each other, and whether anyone can say, in one sentence, what each of your agents is permitted to do. If neither answer is clean, another product won't fix it.