The Security Strategist

• Can Identity Security Close the AI Governance Gap?

  As AI tools proliferate inside enterprises, often faster than security teams can track or govern them, a new class of risks are emerging. In this episode of the Security Strategist Podcast, IT-Harvest Chief Research Analyst Richard Stiennon sits down with Art Gilliland, CEO of Delinea, to discuss the explosive adoption of AI, the rise of shadow AI, and why identity-centric governance is becoming an urgent priority. Gilliland emphasises the importance of managing AI risks, particularly with machine identities, and the need for intelligent authorization systems to enhance security operations. When Gilliland joined Delinea, he believed in focusing on identity, along with policies that govern it. “In the cloud, you share responsibility. In SaaS, you delegate. But you always own your users—human or machine—and your data.”AI Reduced Inbound Call Volume by 60%Delinea has been integrating AI internally for years. One of the most transformative outcomes was the launch of Delinea Expert, an AI assistant built directly into the product interface. Users can upload screenshots, logs, or questions and receive precise guidance on how to fix or configure the product. It acts, Gilliland says, like a support person on your shoulder.“We shipped it about a year ago, and it reduced our inbound call volume by 60%.”This dramatic result mirrors what Gilliland sees across customers: rapid adoption, often through quick toy implementations that still deliver massive value.AI Prompts Wider Exposure SurfaceBut with the rapid adoption of AI comes a wider exposure surface. Business teams are driving AI, CEOs are demanding it, and developers are already using it. However, Gilliland believes security is still trying to catch up—again.“There's this huge gap between the consumption and use of AI and a company’s ability to get in front of it.”This gap is what many call shadow AI. Unlike historical shadow IT, this version is often approved—business leaders want it. But they lack visibility, policy, or governance structures to ensure it’s secure. Delinea’s recent survey found that “95 per cent of customers are already using or planning to use AI,” spotlights Gilliland, while just “40 per cent have any governance in place.”Gilliland warns that the dynamic resembles earlier waves—laptops, mobile, Wi-Fi, cloud—but has accelerated dramatically. “It’s inevitably going to be used because it’s so powerful. You can’t hold it back—and you wouldn’t want to.”Use AI to Manage AIThis is the future: using AI to manage AI. “AI behaves differently than traditional machine identities. It can make decisions. It has intent.” Because machine-to-machine connections now operate quickly and with shifting intent, organisations need systems capable of evaluating every single request in real time.Traditional machine identities are predictable—like a robot performing the same task endlessly. Attacks happened when credentials were stolen and misused by humans with intent, as in the Salesforce/Drift breach.“AI is going to have a machine connection, which tends to be overprivileged. But it can also make decisions on its own.”Companies must not only build governance, inventory systems, and manage credentials—they must evolve toward understanding intent.“AI is not static. There’s intent behind the connection. Your controls must be able to interpret that intent. That’s where AI is taking us,” Delinea CEO tells Stiennon.TakeawaysAI is a hot topic in cybersecurity today.There is a significant gap between AI

  --------  

  21:29

  --------

  21:29
• EDR, XDR, or MDR - What’s the Real Difference and Why Does It Matter?

  In the recent episode of The Security Strategist podcast, Jim Waggoner, VP of Product Strategy at N-able, and Joe Ferla, one of N-able’s Head Nerds, speak to host Chris Steffen, Vice President of Research at Enterprise Management Associates (EMA). They addressed one of cybersecurity’s biggest misconceptions – while organizations might be getting better at spotting threats, most still struggle to respond to them in real time.“We live in a time where the threat landscape is changing instantly,” Steffen said. With threat actors speeding up their tactics, Waggoner and Ferla insist that the only way forward is constant reassessment.When the ‘Response Action’ Doesn’t DeliverSteffen began by asking the IT leaders about a key challenge faced by many CISOs. He says that the industry often talks about “EDR, MDR, XDR,” yet the promise of real-time response frequently remains unfulfilled.Ferla identified a major problem here: the wrong people are making purchasing decisions. “In the small to mid market, I often see decision-makers who aren’t security experts, and they’re the ones driving the purchasing,” he explained. These executives “trust that the product works as they want, but they don’t know what they really need in the field,” which leads organizations to buy advanced tools they cannot actually use.Even more troubling, Ferla noted that many customers request capabilities that no MDR could or should handle. “I have people at N-able coming to me thinking that we can manage backups as a response. And that's simply not possible.”Waggoner, who spent years developing incident response tools, sees another side of the issue. Vendors often downplay the “response” aspect. “When it came to the R,” he said, “it was a little R.” True MDR has to go well beyond automated blocking. “Can we disable accounts? Can we prevent ransomware from affecting other systems or stop lateral movement?”Also Read: N-able Annual Threat Report 2025Where AI and Cybersecurity Go NextWhen asked about the future of detection and response, Ferla shed light on the increasing complexity. He remembered running an MSP alone just a few years ago. “Nowadays, I could not come anywhere near close to doing this,” he said. “It's impossible.”Waggoner stated that AI will shape the next phase—not just for attackers, but also for defenders who face ongoing staffing shortages. Threat actors are already using AI to change tactics and automate reconnaissance. Defenders need to keep up: “Look at companies like us, using AI for detection models and for responses to address the people shortage.”Waggoner encouraged IT decision-makers to find ways AI can strengthen their security, not make it more complicated. “Get ahead of it. See how you can truly use AI's capabilities to better protect yourself,” he stated.TakeawaysDetection and response tools are evolving rapidly.Organizations often have unrealistic expectations of their security capabilities.Continuous review of security strategies is essential.MSPs play a crucial role in enhancing security for small to mid-sized businesses.Proactive measures are necessary to stay ahead of threats.AI is transforming the cybersecurity...

  --------  

  29:52

  --------

  29:52
• Securing Assets in a Complex IT Landscape: Deterministic Automation in ITAM

  Modern enterprises face a growing challenge in managing thousands of devices, applications, and identities across increasingly complex IT environments. Unmanaged assets, shadow IT, and inconsistent processes can quietly create security gaps that expose organisations to significant risk.In this episode of Security Strategist, Syed Ali, Chief Executive Officer of EZO, joins host Chris Steffen to discuss how IT asset management (ITAM) and deterministic automation provide the visibility and control organizations need to secure their digital landscapes.“There are risks lying around in the organization,” Ali explains. “A good ITAM solution helps identify them and forms the foundation for maturing IT operations.” His insights are drawn from years of experience as both an IT practitioner and entrepreneur, offering practical lessons for IT leaders and security professionals alike.Strengthening Cybersecurity and Risk Management with ITAMEffective ITAM solutions are more than just inventory tools; they are central to reducing cybersecurity risk. By automating asset discovery, monitoring, and reporting, organizations gain accurate, up-to-date visibility into every device, software, and identity across their networks.“Automation runs in IT; it has always run in IT,” Ali notes. Deterministic automation ensures processes are consistent and predictable, allowing IT teams to spot vulnerabilities, reduce the likelihood of human error, and respond quickly to emerging threats. This approach also makes data reliable for decision-making, supporting procurement, patch management, and risk mitigation strategies.Unmanaged assets, he warns, can “come back to bite us,” particularly when organizations lack visibility into endpoints, applications, and shadow identities. Implementing ITAM proactively rather than reactively is crucial for organizations that want to minimize risk rather than simply meet compliance requirements.Future ITAM TrendsLooking forward, agentic AI and identity-aware assets are shaping the future of ITAM. While AI introduces powerful capabilities, keeping it separate from deterministic automation ensures organizations maintain control while enhancing visibility and security.Investing in effective ITAM and automation is an enduring strategy for securing assets, reducing risk, and enabling informed decision-making. As Syed explains, “The system is meant to work for you, but that only happens if there’s discipline and awareness in identifying risks. The danger of not having a solid item in place is very real. I also understand that an understaffed IT team, constantly reacting to issues, can’t always prioritise these risks effectively. Unfortunately, that’s the reality we’re dealing with.”To learn more about effective ITAM solutions, visit EZO.For more insights follow EZO:X: @ezosolutionsInstagram: @ezo.solutionsFacebook: https://www.facebook.com/EZOsolutions/LinkedIn:

  --------  

  21:44

  --------

  21:44
• How Can Businesses Address Guardrails for Autonomous AI Agents with Permissions?

  “People love the idea that an agent can go out, learn how to do something, and just do it,” Jeff Hickman, Head of Customer Engineering, Ory, said. “But that means we need to rethink authorization from the ground up. It’s not just about who can log in; it’s about who can act, on whose behalf, and under what circumstances.”In the latest episode of The Security Strategist Podcast, Ory’s Head of Customer Engineering, Jeff Hickman, speaks to host Richard Stiennon, the Chief Research Analyst at IT-Harvest. They discuss a pressing challenge for businesses adopting AI: managing permissions and identity as autonomous agents start making their own decisions.They particularly explore the implications of AI agents acting autonomously, the need for fine-grained authorization, and the importance of human oversight. The conversation also touches on the skills required for effective management of AI permissions and the key concerns for CISOs in this rapidly changing environment.The fear that AI agents can go rogue or exceed their bounds is very real. They are not just tools anymore; instead, they can now negotiate data, trigger actions, also process payments. Without the right authorisation model, Hickman warns that organizations will encounter both security gaps and operational chaos.Also Watch: Is Your CIAM Ready for Web-Scale and Agentic AI? Why Legacy Identity Can't Secure Agentic AIHuman Element Vital to Prevent AI Agent from Going WildTraditional IAM frameworks aren’t designed for agents that think, adapt, and scale quickly. Anticipating a major shift, Hickman says, “It’s not just about role-based access anymore. We’re moving toward relationship-based authorization—models that understand context, identity, and intent among users, agents, and systems.”Citing Google’s Zanzibar model, the Ory lead customer engineer says that it’s a starting point for this new era. Unlike static roles, it outlines flexible, one-to-one relationships between people, tools, and AI systems. This flexibility will be crucial as organizations deploy millions of autonomous agents operating under various levels of trust.But technology alone won’t solve the issue. Hickman stresses the importance of the human element, saying, “We need humans to define the initial set of permissions. The person who creates an agent should be able to establish the boundaries—in plain language, if possible. The AI should understand those instructions as a core part of its operating model.”This leads to a multi-pronged identity system where humans, agents, and services all verify authorization on behalf of the user before any action takes place—ensuring accountability even when AI acts autonomously.The New Organisational Skill Stack for AI SecurityAs AI systems grow more sophisticated, the people managing them must also evolve. Hickman outlines a three-part skill structure every organization should develop:Identity and Access Architects: To define how agents authenticate, represent and act on behalf of users, and scale securely.AI Behaviour Analysts: A new role that bridges technical and business insights, understanding how LLMs make decisions and how to align that behaviour with enterprise goals.Business...

  --------  

  24:58

  --------

  24:58
• Is Current DLP Failing Data Security in the Age of Generative AI?

  With more and more organisations adopting AI as part of their operations, a new layer of data risk has begun to emerge. In the recent episode of The Security Strategist Podcast, guest Gidi Cohen, CEO and Co-Founder of Bonfy.AI, sat down with host Richard Stiennon, Chief Research Analyst at IT Harvest. They discussed the reasons traditional data loss prevention (DLP) systems fail. Cohen stressed that understanding data context is now crucial for securing AI-driven enterprises.What Happens When “Trusted” AI Tools Become Paramount RiskThe rise of generative AI, from chatbots to embedded assistants in SaaS platforms, has created a complex web of data interactions that many organisations do not fully grasp. Cohen argues that this new reality has made legacy DLP technologies completely irrelevant.“Even before generative AI, DLP never really worked well,” he told Stiennon. “It relied on static classification and outdated detection models that created noise and false positives. Now, with dynamic content generated and shared instantly — and humans often out of the loop — those tools can’t keep up.”While “shadow AI” applications have gained much attention, Cohen believes the larger threat lies in the trusted tools organisations already use. “We’re using Microsoft 365, Google Workspace, Salesforce — all of which now embed AI models,” the Bonfy CEO explains. “They process vast amounts of sensitive data every day. Yet most companies have no control or visibility over how that data is accessed, transformed, or shared.”This lack of visibility creates a perfect storm for data exposure. “You might use an LLM to summarise a customer meeting, which is fine,” Cohen says. “But if that summary is later shared with the wrong client or synced with another app, you’ve just leaked confidential information — and no one will even notice.”The main issue, he adds, isn’t about whether AI vendors misuse data. “The model itself isn’t the main problem. It’s what happens afterwards — how the data and outputs move through the organisation.”How to Create a New Model for AI-Aware Data SecurityCohen’s solution to this growing complexity is what he calls a context-driven, multichannel architecture. Such a way perceives data protection as an ecosystem rather than a single checkpoint.“The flows are too complex for simple guardrails,” he explains. “You can’t just block uploads of credit card numbers and call it a day. You need to understand the context — who’s sharing the information, through what channel, for what purpose, and whether it’s leaving the organisation.”Bonfy’s approach looks across multiple communication layers — from email and file sharing to APIs, AI agents, and web traffic. They create a complete view of how information moves. Cohen says it’s essential for spotting risky behaviour, whether it comes from a careless employee or an autonomous AI agent working in the background.As organisations start using multimodal AI — incorporating text, images, audio, and video — this overall visibility becomes even more important. Browser extensions or regex-based filters, he notes, simply won’t catch everything. “An AI agent isn’t using a browser. It’s running somewhere on your network, processing sensitive data on its own. You need a...

  --------  

  20:17

  --------

  20:17

More Business podcasts

Trending Business podcasts

About The Security Strategist

The Security Strategist: Podcasts in Family