RSAC, Data Security, AI/ML, OT Security

RSAC 2026: We’re entering the age of ‘integrous’ systems

Cybersecurity researcher Bruce Schneier speaks at the 2026 RSAC conference in San Francisco, March 25, 2026.

SAN FRANCISCO — Most cybersecurity practitioners are familiar with the "CIA triad" of data security: confidentiality, integrity and availability. Every good data-security program strives to provide all three.

However, said famed cybersecurity gadfly Bruce Schneier at the 2026 RSAC conference here Wednesday (March 25), we've been neglecting integrity, the middle part of the triad, for far too long.

"Web 1.0, in the dot-com era, was all about availability, to put everything online very quickly," Schneier said.

"Web 2.0, the one we're in right now, emphasizes confidentiality," he added, hence the current emphasis on encryption, access controls, and privacy.

But Web 3.0, which Schneier called "the decentralized, peer-to-peer, AI-driven internet of tomorrow," will depend on integrity: the assurance that data being ingested by AI is correct, uncorrupted and complete.

What happens when you lose integrity?

To illustrate a famous example of an integrity failure, he cited the July 2024 CrowdStrike update error that knocked out tens of thousands of Windows machines worldwide, especially those used by major airlines.

"Was this a cyber incident? There was no malicious actor," Schneier asked. "But it was definitely an integrity failure. And I think those that cause widespread harm are indeed security failures."

Along more malicious lines, the SolarWinds supply-chain attack of 2020 was also a failure of integrity because the update files were not checked for malicious changes.

"Integrity," he added, "is about being correct. It's the guarantee that data won't be altered. It's what makes IT systems trustworthy."

An old idea due for a refresh

What adjective can we use to describe something with perfect integrity? "Correct"? "Right"? Schneier prefers "integrous," which is a real word — our spell-checker accepts it — even though it's a bit out-of-date.

Schneier said the Oxford English Dictionary lists the word as obsolete, having last appeared in print in the mid-17th century.

We're already familiar with integrous systems and processes in the human sphere, he pointed out: double-entry bookkeeping, copy editing, peer review in scientific journals, courtroom discovery.

In the digital world, Scheier said, providing integrity takes the form of checksums, hashes for software installers, digital signatures, the undo button in Word, the reboot process for a PC.

An audience member pointed out that the lock-step system processing in mainframe computers, in which instructions are executed twice or even three times simultaneously to eliminate errors, is another process to ensure digital integrity.

Many of these digital methods to guarantee integrity date back to the 1960s or '70s, before the personal-computer explosion. We've been taking digital integrity for granted ever since.

AI needs integrity more than ever

But we can't anymore, Schneier said, now that we're creating powerful, unpredictable computer processes with agency to affect human lives — AI agents.

"Computers now have greater access to the outside world," he said. "Anything that is output can be weaponized. Without integrity, you get the wrong braking distance, the wrong grid response."

He pointed out that many modern attacks against AI are actually integrity attacks, ranging from prompt injections to stickers on road signs to fool self-driving cars.

"Without integrity, no company should let AI access its sensitive data," Schneier said, adding that any AI in an adversarial environment will be vulnerable to integrity attacks. "If we can't guarantee that it won't be compromised, then it can't be trusted."

 To build what Schneier calls "integrous system design," he said, we need to do many things, among them authenticating sources, validating data, maintaining granular access controls, providing human-centered integrity interfaces, implementing the principle of least privilege, use software bills of material (SBOMs), and perhaps most obviously, creating a hard separation between content and command in AI processes.

 "When computers have write access to the world," Schneier said, "correctness is paramount."

An In-Depth Guide to AI

Get essential knowledge and practical strategies to use AI to better your security program.
Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds