Where Enterprise AI is Actually Stuck: Data and Security

Across 200 conversations at AI Dev SF 2026, one pattern stood out: the center of gravity in enterprise AI has shifted from the model layer to the data and security layer.

Over two days at AI Dev SF 2026, our team had 200 conversations with CEOs, founders, CTOs, IT leaders, and data and ML practitioners.

The composition of attendees was unusually senior for an ML/Dev conference, which itself is a signal: the people responsible for AI strategy, security posture, and data architecture are now showing up at the same events as the people writing the code.

CEOs, Founders

No one questioned whether AI can do useful work. The dominant theme was how to make AI scalable in the enterprise: what it can see, what it can do, on whose behalf it acts, and how that behavior can be reasoned about, debugged, and understood after the fact.

This is consistent with broader industry data: roughly 4 out of 5 enterprises report some form of agent experimentation, while only about one in ten have agents running in production.

CTOs, IT

The top issue for CTOs and IT leaders was data security. Users are signing up for AI tools, connecting internal data, uploading CSV files from enterprise systems and running analysis, asking questions, and building dashboards.

Which systems are connected to AI? Does the AI inherit the access controls of the user, or does it have its own credentials? What about the artifacts that the AI creates? If an AI creates a dashboard, and the user shares that with others in the organization, how do we ensure that the recipient has rights to that information? How can I trust the data from the AI to always be accurate?

And how do we manage identity and security for an AI agent that performs an action independent of a human - querying a database, generating a dashboard, drafting a report, modifying a record? Is the action attributable to some principal in the security model, or does the agent have its own identity?

Traditional identity and access management systems were designed for human users authenticating into applications and systems and clicking through interfaces. Agents do not behave that way. They chain tool calls across systems, they operate on behalf of a user but also, increasingly, on their own initiative, and they produce derivative artifacts whose access policies are not defined anywhere.

These are not hypothetical concerns. They are blocking real deployments today, and the prevailing patterns in the field - running agents under broad service accounts, or restricting them so heavily that they become unusable - are both unacceptable in different ways.

ML, Data Science and Data Engineering Leaders

The use cases they described were remarkably consistent across industries: anomaly detection, fraud analysis, pattern discovery across large and heterogeneous datasets, and automation of analytical work that currently requires bespoke modeling.

These are not new problems. What is new is the expectation that an agent might be able to perform them without the multi-month cycle of feature engineering and model development that has historically been required.

The blocker is shaping the data so that the AI can reason its way through it. The data exists in considerable volume, but it lives across warehouses, transactional databases, object storage, SaaS systems, and accumulated artifacts from prior acquisitions. It is siloed, messy, and hard to get to, and metadata exists in semantic layers, data catalogs and knowledge graphs that have not kept up with schema and business changes.

Getting an agent to reason across that surface in a way that respects schema, permissions, and isolation boundaries is a genuinely hard infrastructure problem, and one that most organizations have not yet solved.

What did I learn?

If there is a synthesis across these three groups, it is that the center of gravity in enterprise AI has shifted from the model layer to the data layer. The differentiating questions are now about how an organization grants, scopes, audits, and isolates the operations an agent can perform on its data. This is the layer where production deployments succeed or fail, where security and compliance teams either approve or block initiatives, and where the difference between an agent demo and an agent system is actually decided.

It is also the layer where enterprise AI architectures are weakest, because it sits at the intersection of identity infrastructure, data infrastructure, and AI infrastructure, domains that historically have not had to coordinate.

What's next?

Two years ago, the dominant question at events like this was whether AI would work at all. A year ago, it was which framework or model to standardize on. This year, we heard much more operationally specific questions about what it takes to put these systems into production responsibly.

To everyone who stopped by, debated with us, pushed back on our assumptions, or shared what is and is not working inside their organization, thank you! The signal density of those two days was unusually high, and these conversations influence how we think about our own work.

To @andrewyng and the folks at DeepLearning.ai, thank you for creating this amazing forum for collaboration across the AI industry.