
Loading summary
A
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. You can find them at meter.com CST welcome to Cybersecurity Today on the weekend. Anyone who has been following the security issues in the rapid adoption of what we've termed agentic AI knows well we've done it again as an industry, the software industry. Despite all the great hand wringing that goes on when security fails and we acknowledge that we need security to be built in and not bolted on, nothing really changes. Agentic AI has proven this again. It's taken the already weak foundations of AI security and blown them up. Even the largest and supposedly most responsible AI companies are just throwing up their hands. Last week we did a story. A researcher reported a huge issue with MCP Model Control Protocol, Anthropic's agentic communication layer that's become the industry standard. Anthropic, arguably the company whose brand is most identified with responsible AI, reportedly said they weren't going to fix the issue because it was. Yeah, it was how MCP was supposed to work. Now they're probably right to work. Maybe it does have to be inherently insecure and that makes security somebody else's problem. And for most of our audience, that's you. Now, it's not just the big companies. Open source Agentix solutions have caught fire over the past few weeks and spread like wildfire or went viral with Open Claw or whatever we're calling it this week. Now both of those. By the way, wildfire and went viral are ideal descriptions if you mean destructive wildfires like in California, or viral like Covid. This new open source program was so full of security holes, even the founder had to caution people that only those who were expert at the Linux command line should set it up. And of course, everybody listen. Our advice from our Linux expert was when we installed it, delete it. And that sounds fine because I do a. I'm. I play a security guy on, on the radio. But if you're working day to day in industry and you got a job to do, you don't have the luxury of standing on the sidelines and saying don't do it. And has that ever worked in cybersecurity? No, they'll bring it in anyway. So I've been looking for people and companies who have practical solutions for this issue and this company popped up in my email. It was intriguing on two levels. First, who'Danone? There's a contest, an innovation sandbox contest for securing autonomous AI agents like OpenClaw. Second, this company was a top 10 finalist. So I invited them on the show and we have today Ido Shlomo. He's the co founder and CTO of Tokens Security. Welcome Ito.
B
Thank you, Jim. Thank you for having me here. So excited to talk about AI security. I think that let's break that down from a thing that sounds like sci fi to real world problem. So really appreciate being here.
A
We will do that, sir. First of all, just my listeners know that we do take sponsors for programs. Actually we do. We have to pay bills, but we don't do commercials on the show. But it is useful if you tell us who Token Security is and what you do so we can get some sort of grounding on what you where you are as a customer.
B
So Token is first of all a company I'm calling in, by the way from Tel Aviv. But we're a company that's based both here in terms of R and D product and in New York. And our goal is to realize the fact that AI agents are already operating with real access to your environment and to help protect that assets. So without any commercial talk, I would say that we are already. We already have agents running among us. We'll talk about it more deeply, but they are very real and have very large permissions. We tried to limit that. We tried to put a choke on the agentic technology and to say let's limit every input and every output that it gets that an agent gets. And it's a bit like trying to limit other areas of the world that we, all of us know what I'm talking about. It would never work. You just need to be able to get the right guardrail in place. And that's what Tolkien does.
A
Yeah, it is a bit like, I don't know whether it's a bad science fiction movie or if it's that horror story where they phone and they say the evil is in the house.
B
Because I'm looking at it like a guilty pleasure that we don't want to allow our employees to have. But once they have it, they don't want, they can't have enough of it. And now we're trying to say, wait, that could be bad for you as well. Have you think about it like that?
A
Yeah, I don't think we'll get past that. And I've said that before was the idea that we're going to keep these out of our organizations is just a fantasy. It will never happen. And the more we try to restrict it, and I know maybe I sound like a broken record to our audience, the more you try to restrict it, the more they're just going to hide it. How do I know that I've been guilty as charged in myself, in my career? You brought something in. You think this is really good.
B
It reminds me of when people got the first smartphones, the iPhones, Androids or whatnot, and they couldn't stop taking pictures because they were amazed or they couldn't stop touching the screen and the screen got all smudgy and you're saying like, what would they do with so many pictures? But you're still taking them. Taking them. Yeah. At a certain point you understand that in order to have a healthy life, you need to balance the time that you spend on that screen together with some real touching grass, as they say. And I think that AI is a little bit like that right now.
A
Yeah. And before we just get onto agentic AI, tell me a little bit how you're in Tel Aviv, there's a huge security industry there. It's exciting, it's vibrant. Tell me a little bit about that just because I'm curious what's it like working there?
B
So I'll tell you my personal story and why I think that we started such a vibrant cybersecurity community. But long story short, as a kid I was an avid gamer. I used to host private servers for online games like World of Warcraft or Maplestory. And at a certain point, because of how the Middle east is the ecosystem here, we are all recruited into army service at the age of 18. So at the age of 18, moving from being a gamer to somewhat of feeling like a James Bond of the cyber world, I started learning how to do cyber operations, vulnerability research, then learning network security and so on. And I ended up serving for 13 years on national security projects here in Israel. When I finished, I understood that we have the power to change the world, not only locally, but, but also to bring that knowledge and that expertise that is very literally battle tested to the Slovenian world. And I think that's why, since we are used to breaking boundaries and we are used to invent stuff for our national needs, we also took that to the commercial world. And I think that's why there's such a good synergy between Israel and I would say, like, cybersecurity ecosystem worldwide.
A
Yeah. The stupidest piece of advice I gave to my kids was don't play so many video games. Apparently that wasn't smart. And my daughter went on to Be a world famous gamer. Thank God she didn't listen to me. But, but it is true that this is, has really spurred on an industry, both the gaming aficionados and the need for national defense. And I think that's happened. We've seen that in Ukraine, we're seeing that all around the world that the next line of defense may be gamers.
B
There is a very strong correlation between the challenges and the mind patterns of online gaming and hacking. You need to find a way that even though you play the same game a thousand times, you need to always try to win in very creative and very dynamic opportunity space. You can go a million different directions, but eventually you need to out beat a certain competitor.
A
Thankfully you're with the good guys. That's all I can say. No. Can we just back up a little bit and talk about this whole agent thing? Why My audience has heard me rabbit on about it, but why are agents so fundamentally insecure? And I guess that probably implies that AI is also fundamentally insecure. Why in your opinion is that true?
B
There's a lot of ways, there are a lot of right ways to answer these questions and there's a lot of wrong ways. So I start with the right ways in my opinion and we can talk about what's wrong. I think that the right way to look at AI is it takes me to two places. One, it's a new operating system. Basically think about a new technology that's starting to be deployed in all of the critical centers of the world, making decisions about people, about businesses, about processes. It decides whether on a very micro level it will decide whether you would get a refund on that delivery or not. And on a very macro level, it will decide whether to make an investment or not. And to put a new operating system in the center of that like of those decision making is scary. Every new technology has its corners and has the things that are rough at the start. And you need to like to polish that. I think the second, the second fundamental challenge is that AI resembles, and I know that it's a bit spiritual to say, but it resembles a human spirit. People are saying that AI is like this savant genius with some cognitive problems. They correlates the chatgpt and the cloud to the Rainman movie. I don't know if you've seen that, but such a great, it's such a great analogy, I think saying that working with AI is working in like with the human spirit that operates like an academic level knowledge, but with very deep amnesia, very wants to please and to confirm what you asked it to do and goes on a very, A very weird cognitive path. And so when you work with such a human spirit, you need to be, you need to communicate it with a, say in a certain pattern. It's not controllable like people think that you can control the ins and outs of, of an AI agent. It's very hard. It's like trying to control 100% of the actions that a human would do. So you need to take a different approach to that problem.
A
Glad you mentioned the controls of inputs and outputs, because I think that presumes an algorithmic expression and that is that every time I enter this, something is going to happen. It's going to be predictable. And likewise, no matter how illogical it might seem, the output will equally be predictable. In other words, I can predict an output from an input. And that's just not true with AI, which blows apart our whole structure of trying to say I can govern the outputs and inputs. You can't, I guess is. And I love your Rain man example because I think that's. There's a logic to it. This is what I. People are always talking about hallucinations. There are no hallucinations. There's just a logic train you can't follow. And anyway, so that, so with confronting that problem, what do you do? Or are there more problems to it? I don't want to cut you off. Sorry.
B
No, I think that, like, you touched on the core of it, eventually there are the wrong ways to look at AI and why it's flawed, like people would think. Wait, this is a technology and I've secured thousands of technologies. I know what approach I should take. I know how to take this algorithm that is not deterministic and eventually make sure that there are no flows, no flows leading to a wrong answer. And the difference between AI and regular applications is that the input space for AI is not an application input space. It's the entire English language and all of its worlds and infinite combinations of inputs. And the output is as well. So when you try to control AI input and output, you. First of all, I understand that it's not really deterministic and it's impossible. And second of all is that you can't build a smart enough machine to control the inputs and outputs. So you would have to assume that an AI operate how, however it's going to operate, like with the underlying algorithms and challenges. And you need to find something to surround it with and to decide what's the level of trust that you want to give. I think that, yeah, my End let's
A
just go back to that level of trust because this is another problem with that seems to be applicable to AI and agents in particular. AI agents in particular, but maybe throughout AI haven't thought that through and that is that we have to give it astounding permissions. You can segment a network, you can say this program can only go to here. But to be useful and useful in a big sense and take over all of our work almost implies that we have to give these agents a massive amount of access that we wouldn't do in any other programmatic setting.
B
So I think that like everything, it's a matter of balance. Think about an X and a Y matrix that on 1x like the X axis. Sorry for my like lack of proper English, but text is access, meaning that how powerful is that agent going to be? And the why is autonomy meaning how free of reign am I going to be in that agent? Is it going to be something very controlled like a search line where I retrieve certain items and go through them as a human? Or is it going to be a full scale autonomous agent that can spawn sub agents that can work in teams and that's going to carry out very complex tasks. And you as an executive, as a person responsible for AI, you need to understand what's your risk appetite. In different business units. It's very different allowing an agent to do customer success than it is to allow an agent to do an IT help desk. Though both agents are very autonomous chatbots that interact with people. One can start and stop servers in your environment, shut down and create new infrastructure, lock you out. That's the IoT help disk. And one is responsible to carrying out customer tasks that are limited to a certain blast radius. And by that you can start to make more educated decisions on the level of access that you want to give that agent and the level of autonomy and trust that you want to do.
A
Yeah, and I think that's a very appropriate way to. I always look at security. I know that we want to think about security as tools for preventing things. I look at security as a way of managing the blast radius. And that is because no matter what you do, something's going to go wrong. The question is how big will it be? And I guess that's my approach to it. But that's because I learned from mistakes and I made a lot of them.
B
Yeah, so have I. Colossal number of mistakes. I think that what I'm best at is to fail faster like that. I don't do that. I try not to make the same mistake. Twice. But I do try to be very quick and nimble. But I would say that with AI at the center, let's utilize this new nuclear engine for processing and for the world. But let's put it in the right area. Let's decide what access do we want to give. So I approach AI. I never say to myself I can decide what the agent is going to do. I can just say I want the agent to be able to access this. I want it to be able to carry out that action. I want it to have this area that it can operate in, because I feel very confident in the ability to develop with an agent. But I maybe want a very much more limited agent when it's talking to my production environment. So I think that, like, I try to fit the type of the agent and the autonomy and the action that it can take, while acknowledging 100% that I can control the input and output. I just give it the right level of access. And I think that's the strongest approach to AI today, at least that I know of.
A
That's one. That's one piece of it for certain. And the other piece though is how do we insulate it from the outside influences? That becomes the difficulty because like I said, these things are reachable in so many different ways. We talk about reaching AI. Who'd have thought that if I put some text into a calendar invite and I asked Google to read it, it's going to take that text as an instruction. It's just a different world. Have you struggled with coping with that?
B
Absolutely. And I can even take an example and put it in numbers. The entire, like my entire last week was dedicated to analyze the phenomena that's called cloud code. Anthropic just published a press release saying that cloud code made $2.5 billion in revenue in its first year of existence. So people are denying the fact that autonomous AI agents exist. So let's look at that phenomenon. 70% of the Fortune 100 are using cloud code. It runs in their developer shells with full permissions. It can read their environment files, it can use the pre authenticated CLI tools on their computer. And there is a real exposure to everything a developer identity touches to cloud code, whether it's secrets underneath, whether it's API tokens or database connections. There is a really a very real access surface that is much broader than everyone thinks to AI does. So that's the one thing that I think that we are researching right now as a very interesting attack surface.
A
It's huge. And with Claude being able to go for A week unattended. You know that this thing is making a realm of decisions within that that are perhaps not even traceable by humans anymore. I'm not 100% certain. I know that Anthropic has done some great stuff to try and figure out how decisions get made by an AI, but it's. We're still in the clumsy, the same clumsy science as looking at human brains. We can't, it's not linear. So you grapple with this problem, this is a problem you have to grapple with. What would you speculate are the solutions to the challenges? First of all, what are the challenges? I think you've outlined those, I think. But how do you speculate on the solutions to those challenges?
B
That's an awesome question because it's right in the core of what we're trying to understand. Basically going into a future where you have multi day agents spending of course a long period of time, agent teams that are working together, you're trying to understand what you're going to do. So the first intuition that you would have is going to the input and output of the model like a well known fact is that above 85% of attacks or there is above 85% attack success rate against state of the art defenses of models inputs and outputs. So the model can't really protect itself. You need to treat it like you would treat any untrusted process. You need to control what it can access, you need to monitor what it does and you need to attribute the actions to real identities. So when people, organizations are trying to figure out what to do with that, they will go to the built in tools. Basically they would say okay, anthropic provided me with this tool. What do they give you? And it gives you real like they, they really are making an effort to give a compliance API to real time access to usage data and to content. But the gap, the real gap is the access, the identity. Who is doing which agent is doing what, where, where is it doing it and with whose access? Basically you might be able to get several bits and bytes of data that you will need to tailor together. But the real question is which agent used which credentials on which device and access which data on whose behalf. You need an identity layer that maps every agent, every sub agent, every entity connection as a govern, let's call it non human identity. And you pair that with tribution and least privilege enforcement and a good audit trend, you would be on the right path.
A
Interesting. So if you could propose to treat agents as identities and I'm going to expand This a bit and really take sort of a zero trust approach to them. And that is you have access, but should you be doing that? If you could get that sort of logic, yes, it's okay, you're authorized to do that, but should I let you. Which I think is. I think that's the biggest security question we have in zero trust is just because you have access doesn't mean you should or that you should be able to do this. You may be able to do this one. I did a story the other day. Some clerk has access to do a discount for refunds. That's a natural thing. Shouldn't do it 149 times in a week. So I think start to think of agents. Is that. Am I on the right track? If we start to think of agents in those lines, we might be able to start to find a solution.
B
I promise not to do a sense glitch. So I will just talk about.
A
No, no, you can tell us about your product. I just. If that's the line out there, I just. My audience is always sensitive. They never want to be sold to. But if you're obviously proud of your solution, as long as you don't have to kill me afterwards, you can tell us how you do it, that's fine.
B
I promise to live you alive, even if a little bit hurt. No, I'm just kidding. Yeah. So Token has invented an approach that's called intent based permission management. What's intent based permissions novel? Up until today, we had two types of identity. One was human. Human identity is a certain person with a certain role and a department and position. And we had workloads. Workload is a deterministic process like a script, a server cluster walking very through an organized pattern. An agent breaks both of these models because it works at the speed and scale of machines, as you said, but it has a human intent. So Token is the pioneer of taking that agent's intent, the reason that it was created for the role, the purpose. The tools that were given to the agent and correlating that to the real access layer, meaning identifying what the agent is exactly doing on which systems, in which phase, what the permissions are, what are the permissions that are given to it, what role, who. Which agents are administrators and who could pre escalate the. Which agent could escalate their own privilege to administrator. And to be able to fit between an intent of the agent to its permission is a very strong approach to AI because it lets the agents operate. You have your cloud code, your chatgpt, your perplexity or copilot, you can work with it. The agent is just limited in the terms of the access that it has. And by that you utilize the full power of AI, but you still hit the guardrail on what areas could that agent touch, what actions it could take, what data it could read. So that's a very a win win situation for both engineering or business users and the security team. Because I think that it creates a common language that does not limit the use of AI, it just puts it in the right place.
A
And for practical step word, how do you implement that?
B
So I have a long answer for that. But I would say that you need to create a layer after layer of an identity note. Basically you need the ability to identify an agent from its creation moment on your endpoint through the identity layer that serves it. You need to correlate between the credentials and the permissions and the authentication all the way to the resources being able to say and to answer confidently, what did an agent touch, on whose behalf, what data did it access, from which device did it came? Once you're able to answer that. There is so many useful applications like agent lifecycle management, identity threats detection and response, like least privilege and right sizing of permissions, but that really builds on a very strong data layer.
A
But it seems to me, and maybe I'm just not, maybe I'm oversimplifying or over complicating, but it seems to me like that's still a complex matrix to manage in that there are so many possibilities and so many moving parts. How can you keep control of that in real time?
B
So let me give you the secret sauce. It's impossible to protect AI without AI. Meaning that you need a product and a strategy that utilizes the power of AI to protect it. Meaning that we build the product with AI. There is a very smart agent that correlates the data, tailors it into a graph architecture, allows it to be expandable and have a mesh network effect. And by that you can integrate into the most core element of your identity layer and uncover all of the activity and the data that you need in order to create that data there. So I think the token is not only a pioneer in AI security, it's also a pioneer in AI adoption.
A
Yeah, so in, in the end you're saying we need AI to police AI
B
at that point, and smart people behind both. We need to be able to govern and to control and to put the right guardrails and to have an honest conversation that is saying this is not going away, we are hugging this. We're not pushing this.
A
Yeah. The smart people part of it is equally important. I agree. So can you. Just because we've talked about something that's fairly complex, can you. Is there a story or a use case that you've got that illustrates how this is working for you?
B
Absolutely. I think that. So there has been like a lot of news coverage of different events happening, whether it's vulnerabilities in AI frameworks or AI agents being used in the wrong way, like the ServiceNow agent. Close a good story about that. So I always think that the real story is what matters. We're working with a large software provider that the CEO of that provider very smartly said every department here needs to be AI native, meaning that we can stay behind. It doesn't matter if it's in our recruiting and HR processes, it doesn't matter if it's our sales teams, it doesn't matter if it's the engineering. Everybody needs to adopt AI. So from a 500 employee company, they ended up with 1500 agents. Each person on average had three agents to manage and to work with. And a phenomenon that we saw is that there's a real lack of awareness around access management, meaning that people, in order to enjoy the full fledged, let's say, the width and spectrum of everything that AI can offer, they provisioned so many administrative users, so many API keys that had the ability to take any action, whether it's on their code base, on their walkday instance, on their salesforce. And then you saw that eventually they ended up automating things that were very logical. Like for example, a deal preparation agent for a sales team. They're supposed to query data about a customer and process it and show it to you in a certain way. So why would that deal preparation agent be able to delete CRM records? Why would it be able to send emails? Why are you giving it so many permissions where the original intent is so narrow and understandable? That's where organization, I think fail today is to connect between their AI strategy and their identity. Access management technology.
A
Yeah, I think that's a perfect example. We've all heard of the person who put either cloud cowork on their machine and deleted their files. And you asked, why would you give something permission to delete your files without at least asking you do you really want to do that? So part of this appears to be sloppiness in some aspect. Does that make sense?
B
Sloppiness, excitement. I think that we are in a very strange period of our life where people are adopting there is a new genre of AI agents called CUA Computer use agents. An example is like Open Cloud or Cloud coworkers or like OpenCloud, the infamous Cloudbot which is basically an agent that is connected to each and every part of your life. It's exciting. No doubt, that's super exciting. But it's very scary as an end user. I think that's a very relatable use case for any person. It's not a corporate use case. It's just a bot that is connected to your email, to your WhatsApp, sometimes to your organizational slack, sometimes not to your telegram, to your SMS messages and on the other end to very useful applications. But it's very scary for me to think about personal people, whether it's my family, my friends, my coworkers installing it for their own personal use and also incorporate Xiaoping. It's a nightmare.
A
Yeah. And maybe I'm just old fashioned but simple things like they have a file called the soul now and it's not encrypted. Open me. We used to have a camera company in the old days with Christmas presents and their motto was Open me first. So you take all the pictures at Christmas. This Soul file just screams Open me first. I just that and beyond that and storing all the tokens where anybody can get to them is also and it's
B
not only locally open to the local machine. It's been shown to be very exposed to the Internet. People are by misconfigurations and by doing honestly naive thinking about security they've exposed that to the entire Internet. So now it's not only unencrypted on your local device, it's basically open to everyone.
A
Yeah. And I've said that OpenAI, which has now acquired OpenClaw has some real cleanup to do because again it's minimizing the blast radius. It'll always be a dangerous software I think but you could clean up a lot of this stuff very quickly.
B
I agree. I think that eventually I would like smart personal assistant. To be honest, I would love to use that. I'm a bit in my position in my hanging to the market. I feel uncomfortable today. But the fact is that I know that this technology is useful. I'm pretty afraid from the access patterns that it's the instantaneous giving of permissions to your entire communication. Personal data drive, files, notes. I don't know. I think that I need a more gradual approach to giving that up.
A
Yeah. And this slips in. I installed an agent, it was cowork and I'm absolutely convinced that it installed a piece of software on my Mac and it was my stupidity. I have laziness. I've got my regular Mac and it. I don't keep a lot of. It's a fairly insecure machine. Like it doesn't. I don't keep a lot of stuff on that. My regular Mac just because of who. I run a security podcast. People are after me all the time and they will get through and there's nothing I can do about that. But I do have another Mac which is not connected to anything, which just has no identities on it that are real or anything. And if I wasn't so freaking lazy, I would have. I would have done this experiment on there one time and you. I saw it right away uninstalled everything. But it's just. We want this to work and I did want it to work. I think Cowork is an absolutely brilliant piece and would save me a lot of time.
B
I would say that. Be a little bit more forgiving with yourself. I would say that it's not fair that you don't have a secure by default option to go in. Not all security must be after the fact. I do think there are dark patterns like the patterns to press row in allow in every AI agent could be driving people crazy. Why don't we have original boundaries for the access that it should have and shouldn't have and allow it to run freely. It should be sandboxed. It shouldn't be by default tempting to connect to all of the details to our life. You should have a kind of suite or kind of a menu that you could choose about how much access do you want to give that agent? And by that feel free to use it. I think that's a good compromise.
A
A lot of my listeners are in corporate cybersecurity right now and they're just trying to do a job every day, come in and protect people. What are you doing from your aspect in the security industry and what you've seen, what are the most important things that they should be doing right now?
B
So there are the. I think the easy things of being on the same side with their. Like eventually security is. It's a hard unthankful job at occasions. So you need to first of all make sure that you are on the side of your organization and not on the other side of the fence. But. And so that means advocating and being forward about your willingness for the organization to adopt AI. But once you did that, you need to establish an agreement which says, first of all, me as a security person should know about things happening. That means that I need a central inventory, that I need the ability to discover and to understand what people are using AI for. And second of all is that boundaries are very important in every relationship. Meaning that I need to be able to establish places where AI wouldn't go. I need to understand what types of access does an agent need. And I need to measure that policy and compare it to what we are doing on a daily basis. Meaning that on a daily basis I need to be able to identify which agents are out of boundaries, who caused the red line, and by that funnel them back in. Meaning that a little bit like human identity, we need a governance process that starts with discovery and a safe creation of agents. It follows with maintenance monitoring, the ability to answer about how well is our policy standing to practice. And eventually it also needs a secure decommissioning and like retirement process that allows you to deactivate stale agents, to deactivate identities that are not being used anymore, and to be able to close the loop and not build them unmanageable techniques. So I think that those are the core principles of processes that I would recommend security professionals to take.
A
And where do you think it. I know we're now talking not in terms of months or years, we're talking in terms of weeks. But what's the next big move that happens in the area of agents and agentic security?
B
So there's one thing that I saw over the last two weeks that blew my mind is agent teams. It's something that I think only cloud code had. But right now, each agent that you run locally can spawn multiple teams of agents that are carrying tasks. It could be used for development, it could be used for every part of your life. So that a crazy, I think advancement in technology and there are very big advancement to multi day autonomous tasks. Meaning that today an agent starts when you open your laptop lead and it ends when you close it. And today I think that like you're starting to ship and like you're starting to think how could I make this agent. Sorry for the connotation to a little bit of slavery here, but how could I make this agent work all night and all day? Why do I need to start it at the morning and tell it what to do? Could it carry out a multi day task of auditing me in terms of security? Could it carry to strategize for multiple days? It won't get tiring, I promise you that. And so I think that those two, like agent teams and multi day autonomous tasks are two things that I'M pretty excited about. Yeah.
A
And the reference to slavery, actually. We're starting to see in this AI world a work culture that we didn't have for a long time. It was In Asia, the 9, 9, 6. You work 12 hours a day. Everybody does a startup thing. We're starting to see ads in New York for companies that are saying, we're a startup and we want people who have this sort of culture. So I. I think in some aspect the idea that agents could take that need, because I understand it, they're rushes. You've got to get things done so that you can get funding. You have to stay ahead. I think if we could get agents who could do that sort of work, that might make the human experience a little better, I hope.
B
Absolutely. I want everybody to live like Tony Stark from Ironman. Tony Stark, me too. He started to. He had a suit that amplified it as a human. And then he had to work very hard in order to secure everything in the world. And then he invented Jarvis, his smart assistant. And Jarvis took care of a lot of things so Tony Stark could rest and enjoy his life. And then he invented Ironman autonomous suit, which makes him like, sit in the back, allow his Ironman agents to take care of the things that he thinks need to take care of and enjoy a good life. And I think that's what AI was invented for.
A
Yeah. And I just like to look like Tony Stark.
B
Me too. Me too.
A
Ido, this has been a fantastic piece. I want one more just thing from you before I let you go. And that is tell me what the contest. Tell me about. Are you excited about this and how'd you get into it and what are you. What are you thinking about it?
B
So RSA Innovation Sandbox, in my personal opinion, is the most important startup contest in security worldwide. RSA has been one of the highlight conventions of the security industry for years. And the innovation sandbox is really at the center that allows 10 companies out of, I think thousands or at least hundreds of companies that applied to showcase what they're doing to make a more secure world and, and show innovation and security. And so Token was selected as a top 10 finalist for the RSA Innovation Sandbox 2026. We're going to be in RSA late March and to show what we do. And I think that we are super proud of this achievement because there has been a security companies in the innovation sandbox before, meaning that they have not solved the challenge and there is still unanswered. They think that we are arriving at a time that AI has really matured into something that's, that's very popular. Anthropic expects a $14 billion run rate for cloud code in 2026. And I think that Token is going to be there to show that AI security is manageable and that we took a wrong approach to model and LLM security, talking about filtering the inputs and outputs of models. And we will show a different approach that focuses on the intent and access. I think that we are a very innovative company in the field of AI security and I hope and I know that's what will bring us the win in this competition.
A
So I'm pretty excited with the Olympics going on. You're going for the gold, eh? Yeah.
B
Yes, absolutely.
A
Absolutely fantastic. Just a terrific pleasure to meet you, Ido. My guest has been Ido Shlomo. He is the co founder and CTO of Token Security and that's our show. So love to hear what you thinking about this issue. If you're listening out there, we just scratched the surface today. Send us your comments, your questions, suggestions how we can handle this topic. You send them Tech Newsday, CA or dot com, take your pick. Just click on Contact us. If you're watching this on YouTube, put a comment under the video. I read them all, some with less interest than others. So if you're going to advise me on how to be a social media influencer, spare me the comment. But aside from that, I'm interested. And if, if seriously, if you disagree or agree, great. Love to have your comments find me there. And a lot of people track me down on LinkedIn. So hunt me down and we'll be fine. That's our show again. Have a great weekend. We'd like to thank Meter for their support in bringing you the podcast. Meter delivers full stack networking infrastructure, wired, wireless and cellular to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware, the firmware, they build the software, they manage deployments, they run support, they do it all. It's a single integrated solution that scales from branch offices, warehouses and large campuses all the way to data centers. Book a demo ad meter.com CST that's M E T E R.com CST I'm your host Jim Love. Thanks for listening.
Episode: Agentic AI Security Is Broken and How To Fix It
Host: Jim Love
Guest: Ido Shlomo, Co-founder and CTO of Token Security
Date: February 21, 2026
This episode dives deep into the security challenges posed by the rapid adoption of agentic AI—autonomous AI agents capable of taking real actions in corporate environments. Host Jim Love and guest Ido Shlomo (Token Security) discuss why current approaches to AI security have failed, how AI agents fundamentally break established security models, and what practical steps organizations can take to mitigate the risks. The conversation is candid, technical, and laced with real-world anecdotes and actionable advice.
Jim Love keeps the conversation relatable with analogies, humor, and personal admissions of security blunders. Ido is deeply technical yet enthusiastic, using vivid stories from gaming and national defense to ground cyber risks in reality. Both are pragmatic, stressing the inevitability of agentic AI and the futility of naïve restrictions.
This episode is essential listening for any cybersecurity professional grappling with the new realities of autonomous AI agents. It debunks myths about the controllability of these systems, argues for new identity- and intent-based models, and offers immediately actionable steps and frameworks for mitigation. With open acknowledgment of the community’s ongoing struggles and failings paired with practical optimism, it is both a warning and a guide for the next phase of AI security.