The Security Strategist

• How Can Businesses Address Guardrails for Autonomous AI Agents with Permissions?

  “People love the idea that an agent can go out, learn how to do something, and just do it,” Jeff Hickman, Head of Customer Engineering, Ory, said. “But that means we need to rethink authorization from the ground up. It’s not just about who can log in; it’s about who can act, on whose behalf, and under what circumstances.”In the latest episode of The Security Strategist Podcast, Ory’s Head of Customer Engineering, Jeff Hickman, speaks to host Richard Stiennon, the Chief Research Analyst at IT-Harvest. They discuss a pressing challenge for businesses adopting AI: managing permissions and identity as autonomous agents start making their own decisions.They particularly explore the implications of AI agents acting autonomously, the need for fine-grained authorization, and the importance of human oversight. The conversation also touches on the skills required for effective management of AI permissions and the key concerns for CISOs in this rapidly changing environment.The fear that AI agents can go rogue or exceed their bounds is very real. They are not just tools anymore; instead, they can now negotiate data, trigger actions, also process payments. Without the right authorisation model, Hickman warns that organizations will encounter both security gaps and operational chaos.Also Watch: Is Your CIAM Ready for Web-Scale and Agentic AI? Why Legacy Identity Can't Secure Agentic AIHuman Element Vital to Prevent AI Agent from Going WildTraditional IAM frameworks aren’t designed for agents that think, adapt, and scale quickly. Anticipating a major shift, Hickman says, “It’s not just about role-based access anymore. We’re moving toward relationship-based authorization—models that understand context, identity, and intent among users, agents, and systems.”Citing Google’s Zanzibar model, the Ory lead customer engineer says that it’s a starting point for this new era. Unlike static roles, it outlines flexible, one-to-one relationships between people, tools, and AI systems. This flexibility will be crucial as organizations deploy millions of autonomous agents operating under various levels of trust.But technology alone won’t solve the issue. Hickman stresses the importance of the human element, saying, “We need humans to define the initial set of permissions. The person who creates an agent should be able to establish the boundaries—in plain language, if possible. The AI should understand those instructions as a core part of its operating model.”This leads to a multi-pronged identity system where humans, agents, and services all verify authorization on behalf of the user before any action takes place—ensuring accountability even when AI acts autonomously.The New Organisational Skill Stack for AI SecurityAs AI systems grow more sophisticated, the people managing them must also evolve. Hickman outlines a three-part skill structure every organization should develop:Identity and Access Architects: To define how agents authenticate, represent and act on behalf of users, and scale securely.AI Behaviour Analysts: A new role that bridges technical and business insights, understanding how LLMs make decisions and how to align that behaviour with enterprise goals.Business...

  --------  

  24:58

  --------

  24:58
• Is Current DLP Failing Data Security in the Age of Generative AI?

  With more and more organisations adopting AI as part of their operations, a new layer of data risk has begun to emerge. In the recent episode of The Security Strategist Podcast, guest Gidi Cohen, CEO and Co-Founder of Bonfy.AI, sat down with host Richard Stiennon, Chief Research Analyst at IT Harvest. They discussed the reasons traditional data loss prevention (DLP) systems fail. Cohen stressed that understanding data context is now crucial for securing AI-driven enterprises.What Happens When “Trusted” AI Tools Become Paramount RiskThe rise of generative AI, from chatbots to embedded assistants in SaaS platforms, has created a complex web of data interactions that many organisations do not fully grasp. Cohen argues that this new reality has made legacy DLP technologies completely irrelevant.“Even before generative AI, DLP never really worked well,” he told Stiennon. “It relied on static classification and outdated detection models that created noise and false positives. Now, with dynamic content generated and shared instantly — and humans often out of the loop — those tools can’t keep up.”While “shadow AI” applications have gained much attention, Cohen believes the larger threat lies in the trusted tools organisations already use. “We’re using Microsoft 365, Google Workspace, Salesforce — all of which now embed AI models,” the Bonfy CEO explains. “They process vast amounts of sensitive data every day. Yet most companies have no control or visibility over how that data is accessed, transformed, or shared.”This lack of visibility creates a perfect storm for data exposure. “You might use an LLM to summarise a customer meeting, which is fine,” Cohen says. “But if that summary is later shared with the wrong client or synced with another app, you’ve just leaked confidential information — and no one will even notice.”The main issue, he adds, isn’t about whether AI vendors misuse data. “The model itself isn’t the main problem. It’s what happens afterwards — how the data and outputs move through the organisation.”How to Create a New Model for AI-Aware Data SecurityCohen’s solution to this growing complexity is what he calls a context-driven, multichannel architecture. Such a way perceives data protection as an ecosystem rather than a single checkpoint.“The flows are too complex for simple guardrails,” he explains. “You can’t just block uploads of credit card numbers and call it a day. You need to understand the context — who’s sharing the information, through what channel, for what purpose, and whether it’s leaving the organisation.”Bonfy’s approach looks across multiple communication layers — from email and file sharing to APIs, AI agents, and web traffic. They create a complete view of how information moves. Cohen says it’s essential for spotting risky behaviour, whether it comes from a careless employee or an autonomous AI agent working in the background.As organisations start using multimodal AI — incorporating text, images, audio, and video — this overall visibility becomes even more important. Browser extensions or regex-based filters, he notes, simply won’t catch everything. “An AI agent isn’t using a browser. It’s running somewhere on your network, processing sensitive data on its own. You need a...

  --------  

  20:17

  --------

  20:17
• The Zero Trust Conundrum: How Intelligent Friction Boosts Business Velocity

  In this episode of The Security Strategist podcast, host Jonathan Care, Lead Analyst at KuppingerCole Analysts, speaks with Sudhir Reddy, the Chief Technology Officer (CTO) of Esper, about how to build trust in ‘Zero Trust.’. They explore this paradox in Zero Trust systems, where human trust is essential for the system to function effectively. Reddy emphasises the need for intelligent friction in security measures, allowing for a balance between security and business operations. The conversation also highlights the importance of understanding user needs and building trust within security systems to ensure effective implementation of Zero Trust strategies.How to Build Trust in a "Zero Trust" World?“Security should be a seatbelt, not a straightjacket,” Esper CTO said, describing the nature of zero trust in cybersecurity. For Reddy, zero trust isn’t just about “trust no one.” It’s about verifying everything while still allowing people to do their work.“Zero Trust is really about verification,” he explains. “But the paradox is that it’s built to create trust among the people using it.” As systems, devices, and AI tools grow, security can’t just mean adding more barriers. “The number of people interacting with systems has increased a lot,” Reddy adds. “But if the system doesn’t support the business, people will find a way around it.” That, he says, poses a risk where extremely rigid security could defeat its own purpose.From “Friction” to “Intelligent Friction”The Esper CTO explains Intelligent Friction designs systems that adjust security based on the situation. “You want the least friction where there is friction,” he says. “Add friction where it matters most, and make it disappear when it doesn’t.”Alluding to an example of banking apps, Reddy explains intelligent friction as a simple login for checking balances and extra verification for large transfers. “That’s intelligent design — progressive, contextual, and trusted.”When asked about the key message for CISOs, CEOs and IT decision-makers, he urges them to “stop measuring adherence to rules.” Instead, “start measuring where people are bypassing them — that’s where your friction is hurting the business.”At Esper, this approach guides everything from device management to enterprise policy design: security that protects without slowing you down. Discover how Esper is redefining Zero Trust through Intelligent Friction. Learn more at Esper.io.TakeawaysZero Trust is fundamentally about verification at every step.The shift to Zero Trust is driven by increased exposure and sophisticated attack vectors.Human trust is essential for Zero Trust systems to function effectively.Intelligent friction allows for security measures that adapt to user needs.Security should not hinder business operations; it should support them.CISOs should measure rebellion against security rules, not just adherence.Progressive security checks can enhance user trust in systems.Cultural change is necessary for effective security implementation.Feedback...

  --------  

  20:05

  --------

  20:05
• Universal Privileged Access Authorization: Securing Humans, Machines, and Agentic AI

  Can your organization truly trust every identity, human, machine, and AI?The traditional security perimeter is no longer a reliable boundary. As enterprises adopt hybrid infrastructures, cloud services, and autonomous AI systems, identity has emerged as the central element of effective cybersecurity.In the latest episode of The Security Strategist Podcast, Richard Stiennon speaks with StrongDM’s Chief Executive Officer Tim Prendergast about how organizations can secure human users, machines, and agentic AI through identity-based controls.Identity at the Center of Zero TrustBoth Stiennon and Prendergast believe identity has become the true control plane for modern cybersecurity. While Zero Trust frameworks are widely promoted, they often remain theoretical until grounded in strong identity governance. By continuously verifying and managing every identity—human, machine, and AI—organizations can strengthen access control, reduce the risk of credential theft, and enforce clear operational boundaries across their environments.As Prendergast explains, “No one wants to go out of business tomorrow, no matter how good their security is. You have to balance the needs of the business, the needs of your user or customer populations, and practical security.Securing Human UsersFor human users, particularly those with privileged access, identity management must strike a balance between security and productivity. CISOs need visibility into who is accessing critical assets, when, and under what context. StrongDM’s approach emphasizes just-in-time access, ensuring users receive only the permissions they need, precisely when they need them.Implementation ConsiderationsDeploying identity-based security requires a strategic, phased approach. Prendergast stresses that security measures must align with business priorities to minimize disruption. By treating users, machines, and AI agents as identities rather than simply devices or services, organizations can enforce dynamic policies, respond to threats more effectively, and maintain compliance in increasingly distributed IT environments.StrongDM’s approach demonstrates that the future of security lies in identity-first models where humans, machines, and AI agents are governed under the same principles, ensuring that the right identities have the right access at the right time.TakeawaysIdentity is the new control plane for security.Zero Trust is often theoretical; real progress lies in identity-based security.Stolen credentials are the primary attack vector.A Renaissance in identity security...

  --------  

  23:30

  --------

  23:30
• How Can MSPs Stay Competitive with Managed Detection and Response (MDR)?

  In today’s cybersecurity industry, Managed Service Providers (MSPs) who do not adapt risk falling behind. In the recent episode of The Security Strategist podcast, host Richard Stiennon, Chief Research Analyst at IT-Harvest, talks with Stefanie Hammond, Head Nerd at N-able, and Jim Waggoner, Vice President of Product Management at N-able. They discuss how MSPs can tackle rising threats, bridge the talent gap, and maintain profitability in a quickly evolving market.The speakers particularly explore the critical need for MSPs to adopt Managed Detection and Response (MDR) services, the importance of internal security investments, and how AI can enhance efficiency. The conversation also touches on compliance challenges and future trends in pricing strategies for MSPs, emphasising the need for continuous adaptation in a rapidly changing threat environment.When Stiennon asked, “How quickly must an MSP change their entire model to a managed detection and response offering to stay competitive?” Hammond's answer was straightforward: “If an MSP hasn’t done that yet, I don’t know how much longer they can wait.” This sets the stage for the podcast.MDR Is No Longer Optional but Critical for MSPsFor MSPs serving clients in tightly regulated fields like finance, healthcare, government, or education, Managed Detection and Response (MDR) is a necessity.“Organisations in those sectors face a greater risk,” says Hammond. “Managed Service Providers (MSPs) need to incorporate MDR into their security offerings and make it standard for their customers to stay competitive.”However, Hammond cautions against selling MDR as a standalone solution.“We shouldn’t sell any security tools as a separate service.” Instead, she suggests packaging MDR with other prevention, detection, and recovery options—like backup and data protection—to create a layered cybersecurity package.Agreeing, Waggoner steps in and describes this as a natural growth process for MSPs: “It becomes a maturity lifecycle. You start by managing hardware and software, move on to daily security, and eventually cover full detection and response. If MSPs don’t want to develop that in-house, N-able can assist—we can co-manage it or handle it for them as they grow.”MSPs for Smarter Security and AI-Backed EfficiencyThe speakers also talked about howtalked how AI and automation are changing cybersecurity, not just for spotting threats but also for improving operations and driving sales. “We automatically handle 90 per cent of security alerts using AI,” expressed Waggoner. “If you’re not automating, you’re falling behind,” the Vice President of Product Management at N-able added.For Hammond, AI is equally beneficial in marketing and communication. She recommends MSPs not to manage sales and marketing on their own but to use AI to support themselves. Both experts agree that compliance, identity protection, and education are essential parts of a resilient security framework. “It always comes down to identity,” Waggoner emphasises. “Use unique logins, change passwords regularly, and set up...

  --------  

  28:27

  --------

  28:27

More Business podcasts

Trending Business podcasts

About The Security Strategist

The Security Strategist: Podcasts in Family