AI has shifted from assistants that make suggestions to autonomous agents that can read files, execute commands, call APIs, and modify systems on their own. That change expands the attack surface from prompt injection to full system compromise, lateral movement between agents, and persistent access through memory and tooling. 

‍

This session explores how autonomous agents are reshaping the threat model, what early adopters are discovering in practice, and the questions AppSec teams must confront as AI systems gain more autonomy and more potential for harm.

‍

The speaker will cover:

• New risks from code-executing prompt injection to agent-to-agent lateral movement
• How teams are designing permissions, audit trails, sandboxing, and monitoring agent behavior
• Examples of agents being manipulated to exfiltrate data or modify configurations
• The security shifts required to safely deploy autonomous agents in the next year

‍

Software supply chain risks are growing more complex as modern applications rely on deep dependency trees, AI-generated components, and tools that introduce new layers of abstraction. 

‍

Even with SBOMs and automated scanning, many teams struggle to catch issues hidden in transitive packages, dormant services, and emerging AI model leakage paths. As development accelerates, the challenge is no longer visibility at build time, it’s maintaining reliable, end-to-end awareness.

‍

 This panel explores the supply chain risks that are hardest to surface and how leading teams are adapting their practices to keep pace with a rapidly shifting ecosystem.

‍

The panel will cover:

• Where SBOMs provide value and where they still fall short
• How AI models, agent tooling, and opaque dependencies introduce new exposure points
• What transitive, dormant, and abandoned dependencies mean for real-world risk
• Practical approaches for regaining control of complex dependency chains

‍

In this innovative session, attendees will be faced with a series of scenarios that they may face in their roles. Attendees will discuss the possible courses of action with their peers to consider the ramifications of each option before logging their own course of action.

‍

Results will be tallied and analysed by our session facilitator and results will impact the way the group moves through the activity.

‍

Will we collectively choose the right course of action?

‍

Modern engineering teams move fast, and AppSec teams are constantly negotiating when to block, when to slow down, and when to accept risk to keep delivery on track. As exceptions, waivers, and temporary approvals become part of everyday workflows, many organizations struggle to understand what risks they’ve accepted, why they accepted them, and whether those decisions are still defensible months later. 

‍

This panel explores how high-performing teams balance speed with security, how they document and monitor accepted risk, and the frameworks that keep fast-moving environments accountable.

‍

The panel will cover:

• How teams decide when risk acceptance is justified and when it isn’t
• Practical approaches to tracking exceptions, waivers, and approvals over time
• Techniques for documenting context so decisions remain defensible later
• How AppSec and engineering collaborate to keep velocity without losing control

‍

Select a topic of discussion and engage in an interactive roundtable discussion with a group of your like-minded peers.

APIs power every modern product, yet organizations continue to face the same breach patterns year after year: over-permissioned data exposure, zombie endpoints left running long after teams move on, and orphaned microservices no one remembers owning. As architectures become more distributed and engineering velocity accelerates, the real challenge isn’t building APIs, it’s controlling their sprawl. 

‍

This session explores why API security has fallen behind, why traditional controls haven’t kept pace, and what needs to change for teams to finally get ahead of the problem.

‍

The speaker will cover:

• Why API sprawl creates persistent security blind spots
• How over-permissioned data, zombie endpoints, and orphaned services become breach paths
• What leading teams are doing to regain visibility and ownership
• Practical steps to modernize API security in the next year

‍

AppSec teams sit at the center of fast-moving engineering organizations, yet there’s still no consensus on how they should be structured, what they should own, or how much authority they should have to slow things down. 

‍

This interactive session puts those debates on the screen literally. The audience votes live on five core questions covering team design, ownership boundaries, blocking power, developer experience, and how AI is reshaping the AppSec operating model. We explore the results, debate the trade-offs, then vote again to see if perspectives shift in real time.

‍

This session will cover:

• How structure and ownership shape AppSec’s influence
• When blocking authority helps or harms engineering velocity
• How AI is forcing teams to rethink traditional operating models
• What leading organizations are learning about building developer-first AppSec

‍