The Security Strategist

Financial crime is no longer a peripheral concern for banks and fintechs; it is a defining operational challenge. The pressure to grow transaction volumes, onboard customers quickly, and keep pace with increasingly sophisticated fraud actors has placed finance and compliance teams at the very heart of business strategy. For many institutions, the question is no longer how to use artificial intelligence in their fraud detection stack, but how to use it responsibly.
In this Security Strategist podcast, hosted by Jonathan Care, Senior Lead Analyst at KuppingerCole, he speaks with Kunal Datta, Chief Product Officer at Unit21, about the changes in financial crime prevention technology and the gaps that remain in the industry.
The role of AI in fraud detection
For most of the past two decades, financial crime prevention operated on one of two tracks. Larger, data-rich institutions invested in machine learning models capable of identifying complex behavioural patterns across millions of transactions. Smaller players, or those entering new product categories with thin data histories, tended to rely on rules-based systems, which are explicit, human-authored logic that flags transactions meeting predefined criteria.
Both approaches have genuine strengths. Rules-based systems are auditable, easy to explain to a regulator, and quick to update when a new fraud typology emerges. Machine learning systems are far more powerful at surfacing non-obvious correlations and adapting to evolving attack patterns, but they require substantial training data and significant engineering effort to deploy.
The arrival of large language models and generative AI has introduced a third paradigm, one that is fundamentally non-deterministic. Unlike a rule that fires predictably on every run, or an ML model that produces a consistent probability score for a given feature vector, a generative AI system may reason differently across identical inputs. This has profound implications for how institutions build, test, and govern their fraud detection infrastructure.
Balancing revenue growth and fraud risk
Perhaps the most underappreciated tension in financial crime prevention is not technical; it is commercial. Every fraud control is also a friction point. A transaction declined as suspicious is, from the customer's perspective, simply a transaction that failed. Every false positive erodes trust, damages conversion rates, and risks losing a customer to a competitor with a more permissive onboarding flow. According to Datta:
“Machine learning excels at identifying complex patterns, but rules-based systems can quickly adapt to new types of fraud that humans can spot with minimal examples.”
This means that fraud teams are never simply optimising for fraud prevention in isolation. They are solving a constrained optimisation problem that is minimising fraud losses while simultaneously protecting revenue, preserving customer experience, and staying within the bounds of what regulators require. AI can shift that frontier, enabling more precise risk assessment that reduces both fraud and false positives simultaneously. But only if it is deployed and governed carefully.
The future of AI in financial crime
Looking forward, Datta sees the trajectory of AI in financial crime prevention pointing towards systems that combine the pattern-recognition power of machine learning with increasingly robust mechanisms for transparency and accountability. The goal is not to choose between a powerful AI and an explainable one — it is to build infrastructure that delivers both.
Several technical approaches are emerging to close this gap. Structured output formatting — requiring AI systems to return decisions in machine-readable formats like JSON, with explicit reasoning chains, makes it possible to audit AI behaviour at scale. Evaluation sets, which establish a curated baseline of labelled cases against which model performance is continuously benchmarked, allow institutions to detect drift and maintain defensible performance records.
The institutions that will lead this space are those treating AI governance not as a compliance overhead but as a competitive advantage. A well-governed AI system is faster to get regulatory approval, faster to deploy new capabilities, and more resilient when regulatory scrutiny increases.
The most striking thread in Datta's thinking is his insistence on placing financial crime prevention within a broader moral frame. Financial crime is not merely an operational risk; it is a conduit for some of the most serious harms in the world: human trafficking, modern slavery, terrorist financing, and the systematic exploitation of vulnerable people. Viewed through this lens, the deployment of better AI in financial crime prevention is not primarily a business efficiency story. It is a contribution to a more just and safer world. Datta says:
“AI should be viewed not only as an efficiency driver but as a tool to address broader societal issues like human trafficking and exploitation. Better detection is a moral obligation.”
This framing matters for how organisations think about investment in financial crime technology. If AI in fraud prevention is purely a cost centre, it will always lose budget battles to revenue-generating activities.
If you would like to find out more, visit: Unit21.ai or read more about Rules vs. Machine Learning: Finding the Best of Both Worlds by Kunal Datta.
If you are looking to strengthen how your organisation identifies and manages risk, you can request a personalised demo with Unit21.
Takeaways
Evolution of financial crime detection over the last decade
Deterministic vs non-deterministic AI systems in fraud prevention
The role of generative AI and context engineering in compliance
Accountability and explainability in AI-driven decision making
Regulatory perspectives on AI and risk management

00:00 Navigating Financial Crime Prevention Challenges
02:54 The Evolution of Fraud Detection Systems
05:55 The Debate: Explainability vs. Performance in AI
08:51 Balancing Accuracy and Regulatory Expectations
12:01 Context Engineering in AI for Financial Crime
15:04 Rethinking Accountability in AI Systems
17:55 AI as a Societal Imperative in Risk and Compliance

Podcast: The Security Strategist
Guest: Rick Wagner, Senior Director, Product Management at SailPoint
Analyst: Jonathan Care, Lead Analyst, KuppingerCole
The identity security market is crowded, but a significant change is occurring below the surface. In a recent episode of The Security Strategist podcast, host Jonathan Care, Lead Analyst at KuppingerCole, sat down with Rick Wagner, Sr. Director Product Management at SailPoint.
In this episode, Wagner pointed out a growing gap between how enterprises manage access and how modern systems operate. As AI and machine identities grow rapidly, traditional models no longer work.
Static Access Reviews Are Breaking at Scale
For years, enterprises have depended on periodic access certifications to manage access. However, such a model is proving to be weak. “Periodic access reviews only look at appropriate access at a point in time,” says Wagner, noting that “certification fatigue results in rubber stamping.”
The challenge is both scale and accuracy. With machine identities often outnumbering humans, governance processes designed for manual oversight are quickly becoming outdated. “Doing those certifications at agent speed is literally impossible,” he adds, emphasising the need for change.
Also Watch: Why AI Agents Demand a New Approach to Identity Security
How is Real-Time Authorisation & AI Redefining Identity Security?
The way ahead is real-time authorisation, which continuously checks if access is appropriate at the moment it is requested. “It’s not only appropriate— is it appropriate right now?” Wagner explains.
This change depends on context, incorporating information such as device health, user behaviour, and risk level. Frameworks like the Shared Signals Framework help enterprises implement this by allowing real-time data sharing across the security ecosystem. This approach leads to more dynamic, policy-driven access that keeps pace with AI systems.
How to Tackle Shadow AI?
At the same time, CISOs face the rise of shadow AI, an expanding network of agents operating with little oversight. “You can’t manage what you can’t see or what you don’t know about,” says Wagner, highlighting visibility as the first line of defence.
The long-term goal is autonomous identity governance, where systems continuously evaluate and adjust access based on risk. “As risk levels start to increase, we might add additional factors up to quarantining that access,” he explains.
In this new framework, identity becomes the core of cybersecurity strategy. As Wagner puts it, the ongoing challenge is urgent – determining “who has access to what—and is that access appropriate right now.”
Key Takeaways
Real-time identity governance replacing static access reviews
AI and machine identities outpace human oversight
“Certification fatigue” is weakening traditional access controls, increasing risk through unchecked approvals.
Non-human identities (AI agents, bots) are now the fastest-growing and least visible attack surface.
Context-aware access decisions—based on risk, behaviour, and environment—are becoming the new standard.
Visibility into agents and their permissions is critical: “you can’t manage what you can’t see.”
Autonomous, risk-adaptive identity security is emerging as the end-state for modern enterprise cybersecurity.

Chapters
00:00 Introduction to Identity Security in AI Era
06:54 Managing Privileged Access Risks
13:52 Real-Time Governance and Joiners, Movers, Leavers
20:14 Strategic Moves for CISOs in Agent-Based Operations
For more information, please visit em360tech.com and sailpoint.com.
To stay updated on B2B Tech front and centre, follow EM360Tech:
YouTube: @enterprisemanagement360
LinkedIn: @EM360Tech
X: @EM360Tech
Follow SailPoint on all its major platforms:
YouTube: @SailPointTechnologies
LinkedIn: @SailPoint
X: @SailPoint
#IdentitySecurity #AIAgents #RealTimeGovernance #SailPoint #IAM #ShadowAI #Cybersecurity #EnterpriseTech #TechLeadership #CIOInsights #DigitalTransformation #MachineIdentities

Over 95 per cent of leaders now say identity security is core to their strategy. A decade ago, this wasn’t even part of the conversation. The awareness is there, but awareness alone isn’t enough. Many organisations feel secure, yet the metrics they track often tell a different story.
In this episode of Security Strategist, EM360Tech’s Trisha Pillay sits down with Craig Ramsay, Senior Field Strategist, and Rod Simmons, VP of Product Strategy at Omada, to unpack the State of Identity Governance 2026 report. Together, they explore why confidence in identity security doesn’t always equal true protection and how AI, non-human identities, and fragmented systems are changing the rules.
Bridging the Gap Between Perception and Reality
Many organisations focus on operational metrics that are easy to measure: provisioning speed, audit readiness, and compliance. These give a sense of efficiency but not necessarily security. Simmons explains: “We can provision identities faster, but that doesn’t tell us about inherent risks. Orphaned accounts, dormant privileges, unmanaged access—these risks often go unseen.”
Ramsay adds, “It’s like home security. You might feel confident, but when was the last time you checked your back door?”
The survey revealed a clear disconnect: strategic awareness exists, but organisations are not always measuring the right things. Security leaders should not only track completed tasks, but they must also understand where risk accumulates and how quickly they can respond to incidents. Risk-based metrics, rather than activity-based metrics, are the key to true governance.
Zero Trust and the Challenge of Integration
Almost every organisation reports adopting Zero Trust principles. The execution often falls short. Policies may exist in pockets, but full implementation requires connected systems that can share signals in real time. Without this integration, Zero Trust becomes a concept rather than a functioning model.
Rod highlights the issue: “It’s one thing to want continuous evaluation, but another to have systems that actually support it. Shared signal frameworks are essential for consistent enforcement across the enterprise.” Until Zero Trust principles are fully integrated across all platforms, access control and identity governance will remain reactive rather than proactive.
Non-Human Identities, AI, and the New Frontline
Identity is no longer just about people. Non-human identities, but API keys, service accounts, and AI agents, are multiplying at unprecedented rates. Some organisations see 150 non-human identities for every human. These identities act autonomously, persistently, and at scale. Simmons explains the challenge: “With human identities, we ask what access they have. With non-human identities, we ask what they can do, and what they’ve done.”
Ramsay adds a crucial reminder: “Artificial intelligence still needs an accountable individual. Human oversight is essential, even as AI agents scale and operate independently.”
These agents create both risk and opportunity. They can automate governance, improve provisioning, and flag anomalies—but without proper visibility and ownership, they become a blind spot. Over 40 per cent of surveyed organisations admitted their AI agents still use static credentials, a simple but serious vulnerability.
One thing is for sure: you cannot govern what you cannot see. Visibility is the foundation. Only once organisations know what exists, who owns it, and how it behaves can they secure identities, human and non-human alike, effectively.
Identity security is no longer a back-office concern—it’s strategic. Organisations must move from confidence to proof, from operational reporting to risk measurement, and from fragmented controls to integrated governance. AI and non-human identities are not just a challenge; they are an opportunity to rethink how identity security can truly enable business, not just protect it.
For more insights on effective identity governance strategies, check out Omada's State of Identity Governance 2026 Report.
Takeaways
Over 95 per cent of security leaders now see identity as a core strategy. Identity isn’t optional anymore.
Feeling secure doesn’t equal being secure. Many organisations track efficiency, not actual risk.
Non-human identities are multiplying fast.
Zero Trust adoption is growing, but integration gaps remain.
AI in identity governance works, but always keep a human in the loop.

Chapters
00:00 Introduction to Identity Governance and Security Challenges
02:55 Insights from the State of Identity Governance Report
05:53 The Gap in Security Confidence and Measurement
08:53 Operational Metrics vs. Risk Indicators
11:50 Zero Trust Adoption and Implementation Challenges
14:54 The Role of AI in Identity Governance
17:52 Non-Human Identities and Governance Challenges
21:07 Key Takeaways for Security Leaders

Podcast series: The Security Strategist
Guest: Amit Megiddo, CEO and Co-Founder, Native
Host: Richard Stiennon, Chief Analyst Researcher at IT-Harvest
In the recent episode of The Security Strategist Podcast, Amit Megiddo, CEO and Co-Founder, Native, joins host Richard Stiennon, Chief Research Analyst at IT-Harvest, to discuss a growing challenge in enterprise cloud security. Enterprises are investing heavily in cloud providers’ built-in controls, yet risk persists when those controls are not consistently enforced across complex environments.
According to Megiddo, the problem isn't a lack of tools, but a failure to make them work effectively. Drawing on his experience launching Amazon GuardDuty at Amazon Web Services, the Native CEO explains that enterprises have hit a tipping point. The challenge is no longer about visibility. It is about executing at scale across complex multi-cloud environments.
What is the Execution Gap in Cloud Security?
Cloud providers such as Amazon Web Services, Microsoft Azure, Google Cloud, and Oracle Cloud offer a wide range of built-in security features. Yet, as Megiddo points out, most enterprises are only using a small part of what is available.
“The easy part is turning controls on,” he says. “The hard part is making sure they consistently deliver security results.” This is where many enterprises struggle. Security teams create policies, but platform teams carry them out. In the process, vital context is lost. The result is a disjointed approach where risks are identified but not effectively managed.
Megiddo calls this the “execution gap.” It is a fundamental issue in how enterprises handle cloud security. Even with sophisticated CSPM and CNAP tools, organisations remain mostly reactive. They are relying on detection and fixing problems instead of preventing them.
How to Move From Detection to Policy-Driven Enforcement
The podcast spotlights a key shift in enterprise security strategy – moving from detection controls to proactive, policy-driven enforcement. Conventional methods focus on spotting issues—like unencrypted or publicly exposed data—and then starting remediation processes. However, as cloud environments grow, this method becomes untenable.
Megiddo suggests embedding security directly into the architecture:
Preventing non-compliant resources from being created
Designating approved regions for workloads
Enforcing network isolation rules for sensitive environments, such as AI training workloads

This “secure-by-design” approach turns security from a reactive task into a core operational control. However, implementing this is not easy. Enterprises must translate high-level policy goals into thousands of low-level settings across various cloud providers, each with its own APIs, services, and policy frameworks.
“It’s not just about writing the policy,” Megiddo emphasises. “It’s about safely rolling it out, simulating impact, managing exceptions, and ensuring it stays enforced over time.”
It creates new operational needs such as simulation tools, drift detection, real-time developer feedback, and automated exception handling. Essentially, cloud security becomes a continuous process rather than a one-time setup.
Why is the Unified Control System Critical?
The main takeaway for enterprise leaders is that cloud security is no longer just about managing risks; it is becoming an edge in the market. As major providers continue to invest heavily in native security features, the real differentiator will be the ability to coordinate and enforce those tools effectively.
Megiddo’s vision is straightforward: a unified control system that lets enterprises define security intent once and apply it consistently across cloud and hybrid environments.
In an industry shaped by AI, multi-cloud complexity, and rapid digital changes, this ability could determine how quickly—and securely—enterprises can progress. For CISOs and IT leaders, the message is clear: the future of cloud security lies not in observing more, but in doing more—with precision, consistency, and scale.
Key Takeaways
Shift from detection to proactive, policy-driven cloud security to reduce risk.
Multi-cloud across Amazon Web Services, Microsoft Azure, and Google Cloud requires unified enforcement.
CISOs need tools that turn security policy into automated controls.
Secure-by-design cloud architecture protects AI and enterprise workloads.
Strong cloud security execution drives scalability and resilience.

Chapters
00:00 The Cloud Security Landscape
03:11 Challenges in Implementing Cloud Security
08:00 Transitioning to Proactive Security
12:26 The Evolving Role of Security Leaders
16:42 Future Trends in Cloud Security

For more information, please visit em360tech.com and native.security.
Follow: @EM360Tech on YouTube, LinkedIn and X
Native LinkedIn: https://www.linkedin.com/company/native-security/
#CloudSecurity #PolicyDrivenSecurity #CloudEnforcement #MultiCloudSecurity #SecurityByDesign #ExecutionGap #CISOs #TheSecurityStrategist #NativeSecurity #CSPM #CNAP #EnterpriseSecurity #NativeSecurity #AmitMegiddo

If you've ever tried to navigate the FedRAMP authorization process, you already know it's slow, expensive, and tedious when it comes to the documentation. For cloud service providers (CSPs) hoping to sell to the federal government, it has long been one of the biggest barriers to entry. That’s now changing. FedRAMP 20x is the most significant modernization of the Federal Risk and Authorization Management Program in its history and is reshaping how CSPs can achieve compliance.
In this episode of the Security Strategist podcast, Kenny Scott, founder and CEO of Paramify, joins host Richard Stiennon, Chief Research Analyst at IT-Harvest, to unpack what’s changing, why it matters, and how it could redefine the path to federal authorization.
FedRAMP 20x is set to help CSPs approach compliance by cutting costs, reducing timelines, and shifting the focus from paperwork to verifiable security evidence.
What Is FedRAMP And Why Did It Need to Change?
FedRAMP, the Federal Risk and Authorization Management Program, provides a standardised framework for the security assessment, authorisation, and continuous monitoring of cloud products and services used by U.S. federal agencies. In theory, it's a smart idea: one unified security standard that any agency can rely on.
In practice, the traditional process became a bottleneck. Scott puts it bluntly: "FedRAMP's original design had a fatal flaw; it prioritized documentation over deterministic security evidence."
The result? CSPs were spending months, sometimes years, and hundreds of thousands of dollars compiling documentation packages that didn't necessarily make their systems more secure. Agencies weren't getting the real-time, verifiable security assurance they needed. And smaller, innovative CSPs were priced out entirely.
Problems with Traditional FedRAMP
Lengthy approval times as authorisation could take 12–18+ months, delaying market entry for cloud providers.
High compliance costs with smaller CSPs often couldn't afford the financial burden of full FedRAMP authorization.
Documentation overload with extensive paperwork, distracted from actual security practices and outcomes.

FedRAMP 20x
FedRAMP 20x goes beyond a version update; it signals a fundamental shift in how compliance is defined in modern cloud environments. Announced by the General Services Administration, the initiative is designed to make authorizations faster, cheaper, and more meaningful.
Changes in FedRAMP 20x:
Streamlined authorization processes, which means faster pathways to approval, reducing time-to-market for CSPs.
Automation-first compliance that replaces manual documentation with automated, machine-readable security evidence.
Risk-based flexibility that tailors requirements to the actual risk profile of a service, rather than a one-size-fits-all model.

As Scott explains, the shift is from compliance as a paper exercise to compliance as a continuous, evidence-based practice. Agencies want real, deterministic security evidence, and FedRAMP 20x is built to deliver exactly that.
What FedRAMP 20x Means for Cloud Service Providers
For CSPs, the modernization is a double-edged opportunity; those who adapt quickly will gain a significant competitive advantage; those who don't may find themselves falling behind as the compliance landscape evolves.
On the opportunity side, the most immediate impact is a faster time to market. With streamlined approval processes, CSPs can move through authorisation more efficiently and reach federal customers sooner than before. This acceleration is paired with lower compliance costs, as reduced documentation and administrative burden free up resources that can instead be directed toward innovation and strengthening security capabilities. Perhaps most significantly, the changes help level the playing field, enabling smaller CSPs with strong security practices to compete more effectively against larger, established incumbents.
At the same time, these benefits come with new demands. CSPs will need to stay closely aligned with an evolving framework, continuously tracking updates and guidance as FedRAMP 20x matures. In addition, fully realising the advantages of the new model will require investment in automation. Organizations that adopt compliance and security automation tooling will be better positioned to keep pace, reduce manual effort, and maintain consistent alignment with the updated requirements.
If you would like to find out about this visit paramify.com and connect with Scott on LinkedIn.
Chapters
00:00 — Introduction to FedRAMP 20x
13:42 — The Need for Change in FedRAMP
20:20 — FedRAMP 20x: A New Approach
28:27 — Success Stories with FedRAMP 20x

Takeaways
FedRAMP 20x modernizes federal cloud security compliance by replacing documentation-heavy processes with automation and evidence-based security.
The traditional FedRAMP process was slow, costly, and document-intensive — a barrier that limited innovation and market access for CSPs.
CSPs that invest in automation and stay ahead of evolving requirements will gain a clear competitive edge in the federal marketplace.
Kenny Scott and Paramify are at the forefront of helping organizations navigate this shift intelligently and efficiently.