A CISO's Blueprint for AI Security (From ML to GenAI)
Is the current AI hype cycle different from the ones that failed before? How do you build a security program for technology that can't give the same answer twice? This episode features a deep-dive conversation with Damian Hasse, CISO of Moveworks and a security veteran from Amazon's Alexa team, VMware, and Microsoft.Damian provides a practical blueprint for securing both traditional Machine Learning (ML) and modern Generative AI (GenAI). We discuss the common pitfalls of newly formed AI Councils, where members may lack the necessary ML background to make informed decisions. He shares his framework for assessing AI risk by focusing on the specific use case, the data involved, and building a multi-layered defense against threats like prompt injection and data leakage.This is an essential guide for any security leader or practitioner tasked with navigating the complexities of AI security, from protecting intellectual property in AI-assisted coding to implementing safeguards for enterprise chatbots.Questions asked:(00:00) Introduction(02:31) Who is Damian Hasse? CISO at Moveworks(04:00) AI Security: The Difference Between the Pre-GPT and Post-GPT Eras(06:00) The Problem with New AI Councils Lacking ML Expertise(07:50) A History of AI: The Hype Cycles and Winters Since the 1950s(16:20) Is This AI Hype Cycle Different? The Power of Accessibility(20:25) Securing AI-Assisted Coding: IP Risks, Data Leakage, and Poisoned Models(23:30) The Threat of Indirect Prompt Injection in Open Source Packages(26:20) Are You Asking Your AI the Right Questions? The Power of "What Am I Missing?"(40:20) A CISO's Framework for Securing New AI Features(44:30) Building Practical Safeguards for Enterprise Chatbots(47:25) The Biggest Challenge in Real-Time AI Security: Performance(50:00) Why Access Control in AI is a Deterministic ProblemResources spoken about during the interviewTracing the thoughts of a large language model
-------- Ā
52:16
--------
52:16
Gen AI Threat Modeling vs. AI-Powered Defense:
Is generative AI a security team's greatest new weapon or its biggest new vulnerability? This episode dives headfirst into the debate with two leading experts on opposite sides of the AI dragon. We 1st published this episode on Cloud Security Podcast and because of the feedback we received from those diving into all things AI Security, we wanted to bring it to those who haven't probably had the chance to hear it yet on this podcast. On one side, discover how to leverage and "tame" AI for your defense. Jackie Bow explains how Anthropic uses its own powerful LLM, Claude, to revolutionize threat detection and response. Learn how AI can be used to:Build investigation and triage tools with incredible speed. Break free from the "black box" of traditional security tools, offering more visibility and control. Creatively "hallucinate" within set boundaries to uncover investigative paths a human might miss. Lower the barrier to entry for security professionals, enabling them to build prototypes and tools without deep coding expertise. On the other side, Kane Narraway provides a masterclass in threat modeling the new landscape of AI systems. He argues that while AI introduces new challenges, many are amplifications of existing SaaS risks. This conversation covers the critical aspects of securing AI, including:Why access, integrations, and authorization are the biggest risk factors in enterprise AI. How to approach threat modeling for both in-house and third-party AI tools. The security challenges of emerging standards like MCP (Meta-Controller Protocol) and the importance of securing the data AI tools can access. The critical need for security teams to adopt AI to keep pace with modern engineering departments. Questions asked:(00:00) Intro: Slaying or Training the AI Dragon at BSidesSF?(02:22) Meet Jackie Bow (Anthropic): Training AI for Security Defense(02:51) Meet Kane Narraway (Canva): Securing AI Systems & Facing Risks(03:49) Was Traditional Security Ops "Hot Garbage"? Setting the Scene(05:57) The Real Risks: What AI Brings to Your Organisation(06:53) AI in Action: Leveraging AI for Threat Detection & Response(07:46) AI Hallucinations: Bug, Feature, or Security Blind Spot?(08:55) Threat Modeling AI: The Core Challenges & Learnings(12:26) Getting Started: Practical AI Threat Detection First Steps(16:42) AI & Cloud: Integrating AI into Your Existing Environments(25:21) AI vs. Traditional: Is Threat Modeling Different Now?(28:34) Your First Step: Where to Begin with AI Threat Modeling?(31:59) Fun Questions & Final Thoughts on the Future of AI SecurityResourcesBSidesSF 2025 - AI's Bitter Lesson for SOCs: Let Machines Be MachinesBSidesSF 2025 - One Search To Rule Them All: Threat Modelling AI SearchĀ
-------- Ā
36:02
--------
36:02
Vibe Coding for CISOs: Managing Risk & Opportunity in AI Development
What happens when your product, sales, and marketing teams can build and deploy their own applications in a matter of hours? This is the new reality of "Vibe Coding," and for CISOs, it represents both a massive opportunity for innovation and a significant governance challenge.In this episode, join Ashish Rajan and Caleb Sima as they move beyond the hype to provide a strategic playbook for security leaders navigating the world of AI-assisted development. Learn how Vibe Coding empowers non-engineers to solve business problems and how you can leverage it to rapidly prototype security solutions yourself. Get strategies to handle the inevitable influx of AI-generated applications from across the business without overwhelming your engineering and security teams.Understanding the Core OpportunityAssessing the Real-World OutputManaging the "Shadow Prototype" RiskBuilding Proactive GuardrailsArchitecting for SafetyFor more episodes like this go to www.aisecuritypodcast.comQuestions asked:(00:00) Why Vibe Coding is a C-Suite Issue(02:34) The Strategic Advantage of Hands-On AI(04:20) Your AI Development Toolkit: Where to Start(12:08 Choosing Your First Project: A Framework for Success(16:46) The CISO as an AI Engineering Manager: A Step-by-Step Workflow(31:32) A Surprising Security Finding: AI and Least Privilege(36:47) Augmenting AI with Agents and Live Data(38:50) Beyond Code: AI Agents for Business Automation (Zapier, etc.)(43:30) The "Production Ready" Problem: Who Owns the Code?(53:25) A CISO's Playbook for Governing AI DevelopmentResources spoken about during the episode:AI Native Landscape - ToolsClineRoo-CodeVisual Studio CodeWindsurfBolt.newAiderv0 - VercelLovableClaude CodeChatGPT
-------- Ā
1:00:28
--------
1:00:28
Vibe Coding, Slopsquatting, and the Future of AI in Software Development
In this episode, we welcome back Guy Podjarny, founder of Snyk and Tessl, to explore the evolution of AI-assisted coding. We dive deep into the three chapters of AI's impact on software development, from coding assistants to the rise of "vibe coding" and agentic development.Guy explains what "vibe coding" truly is, a term coined by Andrej Karpathy where developers delegate more control to AI, sometimes without even reviewing the code. We discuss how this opens the door for non-coders to create real applications but also introduces significant risks.Caleb, Ashish and Guy discuss:The Three Chapters of AI-Assisted Coding: The journey from simple code completion to full AI agent-driven development.Vibe Coding Explained: What is it, who is using it, and why it's best for "disposable apps" like prototypes or weekend projects.A New Security Threat - Slopsquatting: Discover how LLMs can invent fake library names that attackers can exploit, a risk potentially greater than typosquatting.The Future of Development: Why the focus is shifting from the code itselfāwhich may become disposableāto the importance of detailed requirements and rigorous testing.The Developer as a Manager: How the role of an engineer is evolving into managing AI labor, defining specifications, and overseeing workflowsQuestions asked:(00:00) The Evolution of AI Coding Assistants(05:55) What is Vibe Coding?(08:45) The Dangers & Opportunities of Vibe Coding(11:50) From Vibe Coding to Enterprise-Ready AI Agents(16:25) Security Risk: What is "Slopsquatting"?(22:20) Are Old Security Problems Just Getting Bigger?(25:45) Cloud Sprawl vs. App Sprawl: The New Enterprise Challenge(33:50) The Future: Disposable Code, Permanent Requirements(40:20) Why AI Models Are Getting So Good at Understanding Your Codebase(44:50) The New Role of the AI-Native Developer: Spec & Workflow Manager(46:55) Final Thoughts & Favorite Coding ToolsResources spoken about during the episode:AI Native Dev CommunityTesslCursorBoltBASE44Vercel
-------- Ā
49:09
--------
49:09
AI in Cybersecurity: Phil Venables (Formerly Google Cloud CISO) on Agentic AI & CISO Strategy
Dive deep into the evolving landscape of AI in Cybersecurity with Phil Venables, former Chief Information Security Officer at Google Cloud and a cybersecurity veteran with over 30 years of experience. Recorded at RSA, this episode explores the critical shifts and future trends shaping our industry.Caleb, Ashish and Phil speak aboutThe journey from predictive AI to the forefront of Agentic AI in enterprise environments.How organizations are transitioning AI from experimental prototypes to impactful production applications.The three essential pillars of AI control for CISOs: software lifecycle risk, data governance, and operational risk management.Current adversarial uses of AI and the surprising realities versus the hype.Leveraging AI to combat workforce skill shortages and boost productivity within security teams.The rise of "Vibe Coding" and how AI is transforming software development and security.The expanding role of the CISO towards becoming a Chief Digital Risk Officer.Practical advice for security teams on adopting AI for security operations automation and beyond.Questions asked:(00:00) - Intro: AI's Future in Cybersecurity with Phil Venables(00:55) - Meet Phil Venables: Ex-Google Cloud CISO & Cyber Veteran(02:59) - AI Security Now: Navigating Predictive, Generative & Agentic AI(04:44) - AI: Beyond the Hype? Real Enterprise Adoption & Value(05:49) - Top CISO Concerns: Securing AI in Production Environments(07:02) - AI Security for All: Advice for Smaller Organizations (Hint: Platforms!)(09:04) - CISOs' AI Worries: Data Leakage, Prompt Injection & Deepfakes?(12:53) - AI Maturity: Beyond Terminator Fears to Practical Guardrails(14:45) - Agentic AI in Action: Real-World Enterprise Deployments & Use Cases(15:56) - Securing Agentic AI: Building Guardrails & Control Planes (Early Days)(22:57) - Future-Proof Your Security Program for AI: Key Considerations(25:13) - LLM Strategy: Single vs. Multiple Models for AI Applications(28:26) - "Vibe Coding": How AI is Revolutionizing Software Development for Leaders(32:21) - Security Implications of AI-Generated Code & "Shift Downward"(37:22) - Frontier Models & Shared Responsibility: Who Secures What?(39:07) - AI Adoption Hotbeds: Which Security Teams Are Leading the Way? (SecOps First!)(40:20) - AI App Sprawl: Managing Risk in a World of Custom, AI-Generated Apps
The #1 source for AI Security insights for CISOs and cybersecurity leaders.
Hosted by two former CISOs, the AI Security Podcast provides expert, no-fluff discussions on the security of AI systems and the use of AI in Cybersecurity. Whether you're a CISO, security architect, engineer, or cyber leader, you'll find practical strategies, emerging risk analysis, and real-world implementations without the marketing noise.
These conversations are helping cybersecurity leaders make informed decisions and lead with confidence in the age of AI.
USA