Access the full text logs of this transmission for compliance and review purposes.
Actual (00:00)
Welcome to Status Secure. For 20 years, the cybersecurity industry has preached the same gospel. People are your first line of defense. We’ve spent millions training the human firewall, but the tech sector is moving fast. We’re stripping humans out of the loop and replacing them with autonomous AI agents to maximize efficiency. Look at Meta last month. An internal AI agent misfired, issued incorrect instructions, and exposed sensitive corporate data to unauthorized employees. So, CISO, they say people are your first line of defense, but when you take the people out, now what?
The CISO (00:31)
Well, I mean, that’s a great question. AI is not a chat box. It’s not Google. It’s not you ask a question, and it just gives you an answer. It’s an autonomous agent that can read and write. It can execute scripts. It can create databases. It can change permissions on its own.
Where, you know, before, like, even though, you know, they say people are your first line of defense, we have gut feeling, we have intuition, we have experience. So that way, when we see something or have a feeling that something’s not right, we double check, right? We can double check it. AI has no gut feeling. It has no intuition, right? It does not say, maybe I shouldn’t do this, right? Because it doesn’t feel right. So if you tell an AI to grant permissions to sensitive information, it’s just going to do it. It’s going to instantly provide those permissions and not even think twice. And it’ll be quick. It’ll be fast. So we’re giving non-human identities super superpowers, like God mode access to systems, without the guardrails to verify why they’re taking this action.
Actual (01:46)
Yeah. And, you know, when we talked about this topic for today’s episode, and some of the, discussed some of the other recent cyber attacks or incidents that have happened since the striker incident. And what it reminded me of was, you know, we talked about how, you know, we’re going to start, you have a lot of companies now, they’re trying to implement AI within their organizations as fast as possible to maximize the benefit, which there is, it’s, it does have benefit in a way. It reminds me of when we started having that bring your own device wave happening, where people could bring their own computers or they could take a laptop and work from home. It was this new thing where, there’s a security problem here. Now, like, someone’s bringing their personal laptop that could be riddled with malware and whatever, like who knows, on it. And then now they’re accessing work stuff, and now what, right?
And so then the industry had to create all these new security processes, which we have today, which are now industry standards, so that we can work this way. And so it just feels like we’re in that stage now. And so would you say that this internal AI is just sort of the modern day BYOD scenario?
The CISO (02:54)
Anytime you introduce new technology, especially big leaps like this, you’re going to introduce new risk, new security issues, and you’re spot on. BYOD was one of those big technology leaps, and it changed your perimeter, because instead of your perimeter being within your physical location, your office, now your perimeter expanded outside of the physical, right, into people’s homes, into cafes, into wherever they were working. So with AI agents, you’re basically dissolving those identity, because now, like, identity is like, you know, with a person or, you know, non-human accounts, which are very, like, they do one thing or one specific thing, right? But this is, AI is different. AI can do multiple things. It’s not restricted as of yet. So companies are allowing, you know, basically bring your own AI. So when you’re building internal agents without a management framework, you know, to secure it, you have risks. You’ve now exposed yourself to security issues that weren’t there before. And the agents are often over-permissioned, just like, you know, people are…
User accounts are over-permissioned. Everyone knows that, right? Oftentimes. And we haven’t even, we haven’t been able to fix that problem. So now you have agents that are over-permissioned. So, you know, I think the big thing is, if you’re going to use AI, you need to fix your over-permission of your user accounts. Because you’re the user who’s building the agent, usually the agent’s permissions are based on that user’s permissions. So there are things that you need to do, you need to put in place. The AI interprets complex prompts from a junior employee. And if this junior employee has access to sensitive information, now this AI is over-permissioned, because they want to pull whatever information and have the AI do their job, do its job. And the data the junior employee shouldn’t see, now the AI will give to them. That’s where the concern is. And I’ve seen that actually in multiple companies who started implementing AI, that they realized, like, no, this person is not supposed to see this data. But because of the AI agent being over-permissioned, now they see it.
The CISO (05:12)
Yeah, so now the agent just performs whatever the junior employee tells it to. If the agent, and most companies have not restricted their AI, so that AI is going to go out and it’s going to have access to highly confidential HR financial data. And now that junior employee who just asked the agent to do something is going to see what they’re not authorized for. I see that a lot in companies now. They’ve opened up AI and now, you know, people are, luckily, good employees are reporting that they’re seeing data that they’re not supposed to.
Actual (05:54)
So we’re basically, what it sounds like is we’re giving the keys to the castle to an algorithm so that we can save time and work more efficiently. So how does the speed of an AI failure maybe compare to the speed of like human error?
The CISO (06:08)
Well, it’s a lot faster. It’s immediate. At least with human error, there’s a delay. But the big thing is the innovation rush versus security. Tech companies are terrified of falling behind. And so they’re using AI to speed to market. I think that’s the term. They’re using the AI to get to market first, to get that, you know, that market share as fast as possible. But they’re compromising, or they’re sacrificing, security. So this means it’s going to be speed of failure. So a human might accidentally CC the wrong person on an email and leak a file. You have DLP now that’s in place.
But an over-permissioned AI can recursively alter permissions across your entire cloud environment or expose thousands of records in milliseconds. So your rush, your speed to market, is now going to create a speed of failure.
Actual (07:06)
Yeah, which leads us into my next question, my next point, about talking about liability and our investment for this new speed. And so if we’re allowing AI in our company, which, no reason not to, it sounds like we really do need to invest in securing it, especially depending on what type of company you are. Right. If you can, if you think about, maybe now it’s an old example of, like, a person for stealing data from a company, IP, these kinds of conversations. So now we’re dealing with that sort of topic in terms of a piece of software, like an algorithm. So if an internal AI agent exposes your customer’s proprietary data, for example, because you didn’t invest in securing it, what is the legal liability conversation around something like that?
The CISO (07:59)
Well, when you talk about laws, always reasonable care. If a regulator comes in to investigate you because something happened, because there was an event, they’re going to look to see if you took reasonable care. If you implemented AI, but you put no controls in, no guardrails, was that reasonable care? That’s an easy absolutely no. Did you try to provide controls and guardrails? Right, because it’s so new, the area is so new. So as long as you try, and especially, like, role-based access control, like on your AI, understanding, like, the inventory, like this is basic security, to inventory your AI, know where, know what agents you have, what permissions that the AI agents are allowed, like your inventory, your access management, like those controls, like on your AI, then that helps, right? That always helps when you go to court.
So you own the actions of your AI, just like you own the actions of your employees. If you deploy it to save money on labor and you redirect. So you have to redirect a portion of those, like what you’re expecting to save by using the AI, into securing, into an AI security posture management program, right? You know, you’re using it so you can save a lot of money and make more money, but you need to take that and then reinvest back into your AI program, into securing your AI.
Actual (09:26)
Yeah, that makes sense. And so to get actionable, give our listeners some action items, what are our marching orders for these tech CEOs and CTOs listening? Clearly, we’re not going to turn AI off. We didn’t ban smartphones or laptops when we started incorporating the BYOD work environment. And we have to compete, and we have to win.
The CISO (09:26)
No.
Actual (09:50)
Right. It’s not just about being in business. It’s about winning in business. And right now, if you’re not using AI, you’re going to lose. And so with that in mind, where do we start tomorrow? What can someone do to meet that other half, right? To get the security aspect, have maybe a warm and fuzzy around that. They have done, you know, a reasonable amount of effort on the security side. What can they do?
The CISO (10:14)
I will say two things immediately. Number one is do a non-human identity audit. And this is your AI and your service accounts. If you’re poor at managing your service accounts, you’re going to be even worse at managing AI. So you need to get a map of that. You need to inventory that. Find out exactly what data they have access to. If an AI agent has global read/write access, revoke that immediately. Make sure that it only has access to what it needs to perform the work that you want it to. Make sure that it has least privilege. These are very basic security controls. So you just need to apply them, though, to AI. Human in the loop is the other one, which is make sure that in the workflow, there’s some human reviewing what the AI agent does.
Don’t take that human out right now. AI can’t be trusted. Not yet.
Actual (11:08)
Got it. So the perimeter is no longer just your firewall. It is the internal guardrails you build around your autonomous tools. So when you replace the human first line of defense, you’ve also got to replace it with a zero trust automation. So mission success is about operational control. And this conversation, it’s about our operational security so that we can’t execute as fast as possible. So we can win. So let’s do that. Let’s execute to the standard and we’ll see you guys next week.