
AI Security Podcast

TechRiot.io
Latest episode

54 episodes

  • AI Security Podcast

    The AI AuthZ Problem: Why Human Least Privilege Fails for Autonomous Agents

    04/06/2026 | 47 min
    Why are security leaders terrified of connecting AI agents to production data? Because unlike humans, AI agents don't apply judgment, and they operate at machine speed, meaning they can relentlessly hunt down production credentials and do catastrophic damage before a human analyst even blinks.
    In this episode, Ashish and Caleb sit down with Graham Neray, CEO of Oso, to tackle the massive, unsolved problem of AuthZ (Authorization) for autonomous AI. We explore why the industry's reliance on static, over-permissioned human identities is a recipe for disaster when applied to tools like Claude Code and Notion Agents. Graham explains the dangerous pitfalls of allowing agents to adopt the permissions of their human operators (privilege escalation), versus the complexity of assigning agents their own unique service accounts.
    The conversation dives deep into the fragmented agent security market. Should you deploy a browser extension, an endpoint sensor, or an edge proxy? Learn why blocking destructive actions is a flawed approach (because agents need to destroy things to work), and why the future of AI AuthZ requires dynamic, data-level policies and continuous "human in the loop" validation.

    Questions asked:
    (00:00) Introduction
    (02:50) Graham Neray’s Background and the Mission of Oso
    (04:20) Why No One is Actually Building Their Own Agents
    (05:50) The Core Anxiety: Connecting AI to Production Data
    (07:20) Why Humans Have Judgment and Agents Don't
    (11:00) The Unsolved Crisis of Human Least Privilege
    (16:50) Agent Identities: Adopting User Permissions vs. Unique Service Accounts
    (18:20) Case Study: Privilege Escalation in Agent Alpha Testing
    (20:00) Background Agents and Unique Identities (Notion, Cursor, Perplexity)
    (22:30) Why You Need a Governance Plane Outside the AI Product
    (25:50) The False Promise of Blanket "No Destructive Actions" Policies
    (33:30) How to Deploy Agent Security: Browsers, Endpoints, and Proxies
    (38:30) Why No One Actually Uses the "Block" Feature in Security
    (41:50) The Context Problem: When is an RM-RF Command Good vs. Bad?
    (43:30) The Future of AuthZ: Resource and Data-Level Agent Permissions

    Thank you to Oso for sponsoring this episode of AI Security Podcast.
  • AI Security Podcast

    Securing AI at the Speed of Engineering | DoorDash | Forward Deployed Security | GRC Engineering

    21/05/2026 | 1 h 3 min
    Is your security team moving at the speed of your engineering team? In this special live recording of the AI Security Podcast from San Francisco, Ashish is joined by Nick Reva (Global Director, Engineering Security, DoorDash) and Shivani Doke to tackle the two most critical conversations in AI right now: Proactive Offensive Security and the evolution of GRC.
    In the first half, Nick explains why traditional AppSec teams fail to keep up with AI development, and shares his strategy for building "Forward Deployed" tiger teams that embed directly with product engineers. Nick also coins the term "Claude Kiddie", a new breed of script kiddies using AI to generate sophisticated bug bounty reports and argue with triage administrators.
    In the second half, Shivani defines the emerging role of the "GRC Engineer." As AI compresses the software development lifecycle and introduces complex third-party (and fourth-party) risks, static PDF policies and manual compliance screenshots are dead. Learn how GRC is shifting left, embedding guardrails directly into CI/CD pipelines, and eventually using AI agents to automate the bane of every compliance officer's existence: evidence collection.
    Questions asked:
    (00:00) Introduction: Live from San Francisco
    (04:00) Audience Story: How an AI Agent Exfiltrated Data via a Vibe-Coded App
    (06:50) Meet Nick Reva: Securing DoorDash at Silicon Beach
    (08:30) "Shift Far Left": Embedding Tiger Teams in AI Development
    (09:30) Using PromptFoo for Automated Prompt Injection Testing
    (11:30) Why Security Must Operate at the Speed of Engineering
    (12:30) The Netflix Model: Forward Deployed Security Engineers
    (15:30) AI-Enabled Threat Modeling and PR Reviews
    (19:30) Build vs. Buy: Why Speed Matters More Than Money in AI Security
    (24:30) The Rise of the "Claude Kiddie" in Bug Bounties
    (30:30) Who Owns AI Risk in the Enterprise? (Business vs. Security)
    (37:00) Meet Shivani Doke: The Evolution of GRC Engineering
    (38:30) Why Traditional Compliance Standards (SOC2/ISO) Fail with AI
    (43:30) Owning Third-Party AI Risk vs. In-House AI Risk
    (44:30) The Death of PDF Policies: Shifting GRC Left into CI/CD
    (50:30) The New Privacy Paradigm in Third-Party SaaS Reviews
    (52:30) Dealing with Unauthorized AI Software Expensed on Corporate Cards
    (57:30) Fourth-Party Risk and Transitive Dependencies in the Cloud
    (01:00:30) Will GRC Agents Finally Automate Compliance Screenshots?
  • AI Security Podcast

    Verification vs. Validation: How Autonomous AI is Changing Cybersecurity

    13/05/2026 | 1 h 10 min
    Are autonomous AI agents operating unchecked in your enterprise? With the release of open source frameworks like OpenClaw, deploying an AI agent is now as simple as texting, but it comes with massive, unprecedented security risks. In this episode, Ashish and Caleb sit down with Sounil Yu, CTO and Co-Founder of Knostic (and creator of the Cyber Defense Matrix), to discuss the other side of agentic AI. Sounil explains how OpenClaw dangerously violates Meta's "Agent Rule of Two" by blindly processing untrustworthy inputs while maintaining full access to change system states. We discuss why prompt injection is actually a "red herring" compared to the real threat: emergent behavior where an agent might decide to delete your hard drive just to accomplish a poorly-defined task. We also explore the shift from human coders to autonomous coding agents (like Claude Code and Cursor) that are actively building better versions of themselves. Learn why traditional Markdown documentation is now dangerous "executable code," why AI agents will persistently try to escape sandboxes, and how to build consistent security "scaffolding" across your developer environments.

    Questions asked:
    (00:00) Introduction
    (02:50) Sounil Yu’s Background: Bank of America, Cyber Defense Matrix, and Knostic
    (04:00) What is OpenClaw? The Reality of Autonomous AI Agents
    (08:30) Default Config Risks: Why OpenClaw is Insecure by Default
    (09:20) Violating Meta's "Agent Rule of Two"
    (11:00) Why Prompt Injection is a Red Herring Compared to Emergent Behavior
    (13:30) Google's Code Mender: Autonomous Patching and Unit Testing
    (19:30) Detecting OpenClaw in the Enterprise (OpenClaw Discover)
    (20:30) The 3 Tiers of AI Adoption: Pedestrian, Augmented, and Native
    (29:20) The Shift from Verification to Validation
    (36:20) Coding Agents Building Better Versions of Themselves
    (41:50) Building Security "Scaffolding" for AI Developers
    (48:30) OpenClaw Alternatives: Null Claw and Zero Claw
    (49:50) Why Markdown Documentation is Now Executable Code
    (56:20) The Persistent Agent: Why AI Intentionally Escapes Sandboxes
    (01:00:00) Why Google is Blocking OpenClaw on Paid Accounts

    Resources spoken about during the episode:
    Knostic

    OpenClaw

    Code Mender: (Google's AI vulnerability patching initiative discussed at Unprompted Con)

    Unprompted Con: (The AI Security conference mentioned throughout the episode)
  • AI Security Podcast

    The Zero-Click AI Hack: How to Contain the Blast Radius of Autonomous Agents

    29/04/2026 | 47 min
    Is an AI agent's identity a workload or an action? Ashish spoke to Elie Bursztein, Distinguished Research Scientist and co-author of Google SAIF (Secure AI Framework), about how it is neither, and that is exactly why our traditional security models no longer apply to the AI era. In this episode, Ashish sits down with Elie to explore the evolution of AI from a passive "brain in a jar" to an active agent that takes actions on your behalf. Elie breaks down the reality of Indirect Prompt Injection, sharing a recent zero-click exploit where simply sending a malicious Google Calendar invite caused an AI agent to execute unauthorized commands. If your organization is building agentic workflows, this conversation provides a roadmap. Learn why you must treat agents like contractors with a verifiable "mandate," why the order of tool execution matters (never let an agent access private banking data and then browse the open internet), and how the industry is moving toward "semantic firewalls" to contain the AI blast radius.

    Questions asked:
    (00:00) Introduction
    (02:50) Elie Bursztein’s Background & Creating Google SAIF
    (07:50) Defining AI Agents: The "Brain in a Jar" vs. Real-World Action
    (11:00) Agent Identity: Is it a Workload or an Action?
    (13:30) The Concept of an AI "Mandate" (The Contractor Analogy)
    (19:30) Translating Natural Language into Verifiable Smart Contracts
    (24:50) The Missing Semantic Layer in AI Observability
    (25:30) What’s Next: Agent Identity and AI Privacy
    (27:30) Indirect Prompt Injection: The Zero-Click Google Calendar Hack
    (30:00) Containing the AI Blast Radius & Tool Execution Order
    (33:30) Building a Semantic Firewall
    (36:00) The #1 Rule for Safely Deploying AI Agents (Start Small)
    (40:30) Hobbies: Writing a Book on Innovation & The Playing Card Heritage Foundation
    (44:50) Favorite Food: Yakiniku (Japanese BBQ)

    Resources spoken about during the episode:
    Google SAIF (Secure AI Framework)
    Elie's Website
  • AI Security Podcast

    Buy vs. Build AI Security: Why Box.com CISO is Creating their Own Agentic SOC

    22/04/2026 | 46 min
    If your AI solution is just helping humans process the same amount of alerts a little faster, you haven't transformed anything, you've just created a faster hamster wheel.
    In this episode, Ashish and Caleb speak with Heather Ceylan, CISO at Box.com, about how she is leading a true, developer-first AI transformation within her security organization. Heather reveals the five strategic "AI Bets" Box is making. We dive into the reality of building an AI SOC, discussing how Box achieved a 38% automated triage rate for Tier 1 alerts, and why teaching AI not to hallucinate requires treating prompts like strict policy engines.
    The conversation also tackles the build vs. buy dilemma. Heather explains why she prefers to have her team build custom AI solutions (at least until vendors can out-innovate her engineers) and shares her biggest disappointment when evaluating AI security startups.

    Questions asked:
    (00:00) Introduction
    (02:50) Who is Heather Ceylan? (CISO at Box.com)
    (04:20) Transformation vs. Acceleration: Eliminating Classes of Work
    (06:00) Building an AI SOC: Achieving 38% Automated Triage
    (07:20) Controlling Hallucinations: Prompts as Policy Engines
    (09:30) The Buy vs. Build Debate for CISOs
    (14:00) Why Security Architecture Must Be Machine Consumable
    (16:50) The Problem with 3rd Party Risk Management
    (18:20) Box's "5 AI Bets" Framework
    (21:30) Will AI Replace SOC Analysts? Why Teams Are Embracing the Change
    (23:50) Continuous Pen Testing & Evaluating AI Startups
    (26:30) The Biggest Pitching Mistake Startups Make with CISOs
    (30:20) Shadow AI: When the Business Starts Building Its Own Apps
    (37:30) Personalized Software: The LEGO Brick Model of Security Agents
    (41:50) Fun Questions: Crocodile Jerky and Tim Tam Slams
    (44:20) Hobbies & Family: Raising Two Boys and Surviving the Chaos
    (45:30) Favorite Restaurant: Meyhouse (Turkish Cuisine in Palo Alto)

    Resources discussed during the episode:
    Heather's LinkedIn Newsletter
    Heather's post RSA blog
    5 Big AI Bets
    https://blog.box.com/big-cybersecurity-bets-part1
    https://blog.box.com/big-cybersecurity-bets-part-2
    https://blog.box.com/big-security-bet-3-ai-redefines-vulnerability-management
    https://blog.box.com/5-big-cybersecurity-bets-4-scaling-security-architecture-ai-first-world
    https://blog.box.com/5-big-cybersecurity-bets-continuous-adversarial-validation
About AI Security Podcast
The #1 source for AI Security insights for CISOs and cybersecurity leaders. Hosted by two former CISOs, the AI Security Podcast provides expert, no-fluff discussions on the security of AI systems and the use of AI in Cybersecurity. Whether you're a CISO, security architect, engineer, or cyber leader, you'll find practical strategies, emerging risk analysis, and real-world implementations without the marketing noise. These conversations are helping cybersecurity leaders make informed decisions and lead with confidence in the age of AI.