Risky Bulletin Episode Summary: "Sponsored: Rad Security on New AI Adoption Risks for Enterprises"
Release Date: February 16, 2025
Host: Katalin Campano
Guest: Jimmy Mesta, CEO and Co-founder at Thread Security
Introduction to AI Adoption Risks
In this insightful episode, Katalin Campano interviews Jimmy Mesta, CEO and Co-founder of Thread Security, to delve into the emerging risks associated with the adoption of Artificial Intelligence (AI) in enterprise environments. The discussion centers on the vulnerabilities introduced by untested AI assistants and the broader implications for cybersecurity.
The Perils of Untested AI Assistants
Jimmy Mesta initiates the conversation by referencing his recent LinkedIn post, where he cautions companies against the unchecked deployment of AI assistants within their services. He explains, “[...] the whole premise of AI audio chat apps, you know, AI BDRs, AI sales reps, things like that is pretty compelling. But the problem is at least what we're finding in the early days of this is that they're not super secure” (00:44). This highlights the initial security oversights in AI integrations, particularly in roles that handle sensitive data.
Thread Security and Rad Security's Dual Approach
Mesta elaborates on Thread Security's strategy to both incorporate AI into their products and develop solutions to protect against AI-related threats. He states, “We are doing both right now” (00:44), emphasizing a dual-focus approach. This involves creating secure AI frameworks while simultaneously building tools that safeguard existing AI systems.
Addressing Shadow and Rogue AI
A significant portion of the discussion revolves around the concept of "shadow AI" and "rogue AI"—AI elements within an organization that operate outside of official oversight. Mesta explains, “We are building out of the gate a lot of CISOs these days are worried about what we're calling shadow AI, rogue AI, you know, untracked AI elements” (02:46). Rad Security aims to provide a comprehensive AI asset inventory, enabling organizations to identify and manage these elusive AI components effectively.
Technical Solutions: Leveraging eBPF and Real-Time Detection
To tackle the security challenges posed by AI, Thread Security employs technologies such as the extended Berkeley Packet Filter (eBPF) for deep system monitoring. Mesta notes, “We use eBPF and other sort of ingestion formats to understand even as far as like there's a workload that's reaching out to OpenAI and it's using a certain model” (04:01). This allows precise tracking of which workloads send which data to which AI models, so that data covered by protection requirements such as PII handling, PCI, and HIPAA can be identified and governed.
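The inventory step that sits on top of the eBPF telemetry Mesta describes, as an added example that is not from the episode or from Rad Security's product. It assumes a host tracer has already emitted one event per outbound request (constructed here, with a simplified request-body schema), matches destinations against an assumed list of AI endpoints, and tags prompts that carry email addresses or Luhn-valid card numbers.

```python
import json
import re
from collections import defaultdict

AI_API_HOSTS = {"api.openai.com", "api.anthropic.com"}  # assumed AI endpoints

# Constructed events standing in for what a host tracer (eBPF or similar) could
# emit per outbound HTTPS request; the "prompt" body field is a simplification.
EVENTS = [
    {"workload": "billing-svc", "host": "api.openai.com",
     "body": '{"model": "gpt-4o", "prompt": "Summarize invoice for jane@example.com, card 4111111111111111"}'},
    {"workload": "notebook-7", "host": "api.anthropic.com",
     "body": '{"model": "claude-3-5-sonnet", "prompt": "Explain eBPF tracepoints"}'},
    {"workload": "billing-svc", "host": "db.internal", "body": '{"query": "select 1"}'},
]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so random digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_content(text: str) -> set:
    """Tag prompt text with the sensitive-data classes it appears to carry."""
    labels = set()
    if EMAIL_RE.search(text):
        labels.add("PII:email")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            labels.add("PCI:card")
    return labels

def build_inventory(events):
    """Map (workload, AI host) -> models used and sensitive-data classes sent."""
    inv = defaultdict(lambda: {"models": set(), "sensitive": set()})
    for ev in events:
        if ev["host"] not in AI_API_HOSTS:
            continue  # not an AI endpoint: out of scope for the AI inventory
        body = json.loads(ev["body"])
        entry = inv[(ev["workload"], ev["host"])]
        entry["models"].add(body.get("model", "unknown"))
        entry["sensitive"] |= classify_content(str(body.get("prompt", "")))
    return dict(inv)
```

The resulting map is the "AI asset inventory" view: one row per workload and endpoint, with the models it calls and the data classes it has been observed sending.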
The Complexity of Managing AI Tools
Mesta identifies the unique challenges in securing AI, which extend beyond traditional cloud infrastructure. He mentions, “It's just emergence of other AI tools that connect to systems that aren't necessarily AI” (04:56), pointing to the integration of AI with non-AI systems like databases and notebooks. This cross-functionality complicates data lineage tracking and governance, necessitating robust technical controls.
Human Factors vs. Technical Controls
While acknowledging the importance of training, Mesta emphasizes that technical safeguards are indispensable. He asserts, “People are going to sign up for tools that make their lives easier... I don't think we're going to be able to stop that through training” (06:09). This underscores the necessity for automated technical measures to complement human training in mitigating AI-related risks.
Risks of Open Source and Third-Party AI Models
The conversation addresses the vulnerabilities associated with open-source AI models and third-party vector databases. Mesta warns, “Open source is a good thing in general, but... you don't know everything that they do” (07:13), highlighting the security uncertainties inherent in publicly available AI models. Additionally, the use of third-party vector databases introduces risks related to data isolation and usage, complicating data security further.
Regulatory Frameworks and Compliance
Mesta discusses the role of emerging regulatory frameworks such as the EU AI Act and the NIST AI Risk Management Framework in shaping AI security practices. He comments, “We have that capability in our product today... they are, they are useful” (09:00). However, he also cautions that compliance alone does not guarantee security, advocating for more technical regulations to effectively govern AI usage without stifling innovation.
The Threat of AI-Driven Cyberattacks
A critical highlight of the episode is the exploration of how threat actors are leveraging AI to enhance the sophistication and speed of cyberattacks. Mesta observes, “The usage of AI has really enabled just speed” (10:18), noting that AI facilitates more intelligent phishing campaigns, automated voice attacks, and adaptive exploit techniques. This evolution necessitates equally advanced defensive measures.
Adapting Cybersecurity Strategies to Combat AI Threats
Concluding the discussion, Mesta emphasizes the urgent need for the cybersecurity industry to adopt AI-driven defenses. He states, “you have to actually be defending the AI attacks with AI” (10:18). This paradigm shift involves utilizing real-time detection and high-efficacy AI tools to counteract the rapidly evolving AI-powered threats, ensuring that security measures keep pace with the sophistication of attacks.
Final Thoughts
Jimmy Mesta's insights shed light on the multifaceted challenges of integrating AI into enterprise systems securely. From addressing shadow AI and enhancing regulatory compliance to combating AI-driven cyber threats, the episode underscores the imperative for comprehensive, technically robust security strategies in the age of AI.
Timestamps
- 00:44 – Introduction to AI assistant security issues
- 02:46 – Discussing shadow and rogue AI
- 04:01 – Technical solutions using eBPF
- 04:56 – Managing AI tools and cross-system integrations
- 06:09 – Balancing human training with technical controls
- 07:13 – Risks of open-source and third-party AI models
- 09:00 – Regulatory frameworks and their impact
- 10:18 – AI in cyberattacks and the need for AI defenses
This episode provides a comprehensive overview of the current landscape of AI adoption in enterprises, highlighting both the opportunities and the significant security risks. By integrating expert perspectives from Jimmy Mesta, listeners gain a nuanced understanding of how to navigate and mitigate the complex challenges posed by AI in the cybersecurity realm.
