Red Hat Summit 2026: Automation Governance Takes Center Stage

Red Hat Summit is always a useful signal for where the industry is actually heading — not just where vendors say it’s going. This year in Atlanta, the signal was unusually clear. If there was one theme that ran through every keynote, every hallway conversation, and every breakout session at Summit 2026, it was this: the age of “move fast and fix it later” in automation is over.

We were there. Here is what stood out.

What the industry is talking about

AI dominated the airspace, as expected. But the conversation has moved. The question is no longer “should we use AI?” — it’s “how do we make it governable, predictable, and secure?”

Agent orchestration emerged as the next frontier, with the industry actively wrestling with what meaningful oversight of these agents actually looks like in practice. Red Hat’s introduction of Red Hat AgentOps was one of the headline moments — and the Day 2 keynote demo made the challenge tangible: a lemonade-stand chatbot with built-in safety guardrails, opened up to live audience red-teaming via QR code. People spent several minutes trying to break the rules in real time. The point landed: predictable AI behavior is a hard engineering problem, and it deserves to be solved in the open. More on the AI governance themes from Summit 2026.

Security and compliance were equally front-and-center. The EU Cyber Resilience Act is no longer a distant regulatory horizon — teams at Summit were already asking how to accelerate image hardening in response to it. Red Hat’s new image hardening capability, launched at the event, arrived at exactly the right moment. Across sessions and hallway conversations alike, anxiety about software supply-chain security — and, increasingly, about automation supply chains — was a consistent thread.

A new governance layer for multi-mode automation

Two announcements from Summit deserve particular attention from anyone running automation at scale: Ansible Automation Platform 2.7 and the new Automation Orchestrator, both positioned by Red Hat as the trusted execution layer for the agentic era. Coming in Q3 2026 as an add-on to AAP, the Orchestrator will connect task-driven, event-driven, and AI-driven workflows under a single governance layer — shared audit trails, approval gates, RBAC, short-lived credentials across every trigger type.

Governing automation at scale involves two layers: how workflows are orchestrated and controlled, and what content is actually being run. As AI agents enter the picture, both become more critical — and the work being done at the execution layer makes the content layer more visible, not less. A trusted execution layer is only as trustworthy as the content it executes.

Our session with SWIFT: governing Ansible at the scale of global finance

One of the standout sessions of Summit 2026 for us was on stage with SWIFT — the secure financial messaging backbone connecting 11,000+ financial institutions across more than 200 countries.

Suvasish Ghosh, Product Owner for CI/CD Engineering and DevOps Engineering Services at SWIFT, joined Gregor Berginc, CEO of XLAB Steampunk, to talk about what automation governance looks like when your playbooks effectively touch one-third of global GDP every day. The session covered three concrete use cases: a major version migration across ~2,000 playbooks (projecting ~6,500 engineering hours saved in a 3-month window), third-party collection assessment before internal distribution, and continuous playbook scanning across every developer repository before promotion to production.

The throughline: automation is a software supply chain, and it deserves the same scrutiny as the applications it deploys.

Read the full breakdown of SWIFT’s approach: Inside SWIFT’s plan to modernize thousands of Ansible Playbooks — and govern automation at scale

Spotter as the security gate: no collection enters unscanned

The second highlight from Summit came from the same partnership, viewed from a different angle — and it is worth telling separately because of its specificity.

Security, as SWIFT demonstrated, does not stop at the infrastructure layer. Every Ansible collection entering their environment is validated through Spotter before it ever touches an execution environment. Every playbook goes through the same vetting before promotion to live systems. Custom policies enforce the specifics — not just which collections are approved for use, but exactly how they can be used. Down to which SSH key formats are permitted.

The framing the SWIFT team brought is the right one: playbooks are no different from code. They need to be scanned. Vulnerabilities tracked. Everything in every environment accounted for.

For an organization operating at the heart of global financial transactions, that is not over-engineering. That is the baseline.

We are proud that SWIFT trusts Steampunk Spotter as part of that security gate.

What we heard at the booth: one clear pattern

The stage sessions confirmed where the industry is heading. The booth conversations told us where teams actually are right now.

We asked everyone who stopped by the Steampunk stand what brought them to us. The breakdown was striking:

Nearly half came with a security or compliance problem. Another 40% were trying to bring consistency and standards to an Ansible estate that had grown faster than the governance around it. Together, that is 85% of visitors arriving with a governance problem — whether they framed it that way or not.

The version upgrade conversations reinforced the SWIFT story: migration at scale is a real operational challenge, and teams are looking for a way to do it that does not require months of manual effort.

The pattern fits what we heard from the floor more broadly. Security anxiety is real, and it is arriving at the automation layer. Teams that have spent years hardening their applications are now looking at the automation that builds and configures those applications — and asking themselves why the same rigour has not been applied there.

What this means for your automation

The conversations at Summit 2026 point to a direction of travel that applies whether you run 50 playbooks or 5,000:

• Automation is production infrastructure — govern it as such.
• Supply-chain security for Ansible content is an engineering requirement, not an audit box to tick.
• Governance frameworks built on visibility, consistent policy, and automated feedback loops are what enable velocity at scale — not what slow it down.

If you want to know where your own automation stands against that standard, Spotter is the fastest way to find out.

Stop leaving your Ansible estate unscanned. Reserve a free script assessment and our team will scan your playbooks for security risks, compliance gaps, and modernization opportunities — and walk you through exactly what we find.

👉 Reserve your free script assessment