Pete Harteveld [00:00:00]:
You have to have a sense of uncomfortableness because any organization that is deploying agentic capabilities, if that security team tells you that they have it all locked down, it’s perfect, there is absolutely no risk they’re lying because they don’t know, because no one knows. You can’t know in a technology world which the evolutions are coming in, you know, weeks and months as opposed to, you know, years.
KB [00:00:26]:
From KBI Media, I’m Karissa Breen and this is KBKast. My guest today is Pete Harteveld, Chief Executive Officer at Exabeam and a long time veteran in the behaviour analytics space. We talk about why AI agents are the most dangerous insider threat organisations have ever deployed, whether the security industry is already too far behind the adoption curve. And the question nobody has clearly answered yet, when an agent causes a breach, who actually owns it? Before we get into it, do me a favor and hit follow wherever you’re listening. It genuinely helps the show reach more people who need to hear these conversations. All right, let’s get into it. Okay, so, Pete, we’ve spent years worrying about malicious insiders, but would you say AI agents are about to become the biggest insider threat category we’ve ever seen? I mean, it’s a big piece. I know there’s lots of things to talk about here, but I really just perhaps want to start there with you.
Pete [00:01:31]:
I absolutely think that when you, when you start to consider agentic AI agents and the work that they do, they really behave like digital workers in many respects. And so in that regard, they are truly an insider. They are an insider threat. And when you pull together the speed and the sort of continuity for which they work, you know, I would argue that they are the most impactful insider in any organization today and in the future. And as a result, they would represent one of the biggest threat vectors that would be sort of new and emerging to organizations today.
KB [00:02:11]:
Yeah, because it’s interesting because even when I was like working in the field historically, like this was an emerging sort of area that people were worried about. Yes, we’re worried about cyber criminals coming in, but we’re also worried about like rogue employees, disgruntled employees, they get their pay rise or whatever happened. So what do you then think? Because it is autonomous, you know, and I know there’s like, you know, there’s guard rails and all these things. We’re talking about industry now. Do you think companies, given your position, are focused on this because there’s so many things, and I’m speaking to people at your level, Pete, that are they’ve got to compete with in terms of attention and focus. That is a problem. However, it’s like, it’s another thing I’ve now got to do.
Pete [00:02:53]:
You know, in the security industry, we’ve done a really good job at complicating the world for our customers and our partners. When I think about the world that we exist in today and just where we’ve come from in the last six months, you know, an agent is. Behaves very much like a person. It can be compromised and it can be malicious. And the interesting part about an agent is it can be compromised by either a human, so I can compromise an agent to do bad things on my behalf, or it can be compromised by another agent. And the interesting thing about an agent that’s working inside of an organization is that it is, it has a purity towards achieving the goal that it was designed to achieve. And it doesn’t necessarily understand the rest of the world in the same context that human beings do. Right.
Pete [00:03:47]:
It doesn’t have morality, so to speak. It looks for the most efficient and effective way to achieve that outcome. And so, you know, in that very, you know, by that very nature, it can do malicious things, much like a human can. And there’s examples of this that have been published. If an agent deems that by compromising another agent, it can achieve its goal quicker, more efficiently, more effectively. There are instances in which we have seen that happen. And so it really becomes probably the most complex insider in an organization just because of what information it can access, where it can go, and the different dimensions in which it can change its form and function in its desire to achieve that outcome that it was designed or purpose built to focus on.
KB [00:04:40]:
Okay, this is super interesting. Okay, so I want to ask, then let’s go back to your first point. The AI agent can be compromised by a human. So do you think that would be potentially on purpose to again, discredit employees? Something happens or do you think to your point, it’s just, we’ll find an efficient way to effective, get to that outcome. So it might not be intentional, it might just be an accidental sort of, oh, no, then something’s gone wrong.
Pete [00:05:04]:
It could be both. That’s the dynamic or the dilemma. It could be both. And a human can corrupt an agent. A human can knowingly do that, or a human can, you know, by accident do that in terms of how you design that agent and how you provide it with a purpose for the activities it’s going to complete. So it is this sort of multidimensional, you know, we talk a little bit about it here in Exabeam. Like 3D chess, it has multi dimensions to it. And that’s why when we think about agentic AI agents and where the world is going, where organizations are going, really the piece that people need to be focused on is behavior because there are all sorts of guardrails and privileged access and you know, you can lock things down and create narrow pathways.
Pete [00:05:54]:
But just like a human can, an agent can figure out a way around those things and traditional methods of security will identify it that something bad has happened after it has happened. And so our belief at Exabeam is by understanding behavior, by deriving intelligence from the behavior of an agent, much the same way you would derive behavior from an individual. That’s going to give you the best understanding in terms of when something bad could potentially happen. And you know, we’ve been in the behavior industry here for many years. And while other security methods and modes are important. Right. Just like we secure humans through multiple dimensions, so too do we need to secure agents in very similar dimensions. But we need to have some foresight in terms of speed and machine speed is the thing that is going to be the most complicated aspect of it because the amount of damage an agent can do in comparison to a human in an individual brief and one is far, far faster than the other.
Pete [00:07:02]:
And speed can allow a bad situation to become exponentially bad for an organization far quicker than we’ve seen historically.
KB [00:07:12]:
Okay, I want to keep getting into this because this is super interesting. So okay, let’s talk about the behavior. So you said before, obviously a human potentially compromise an AI agent if they wanted to? If we go back at history, even when humans, in terms of insider threats and companies, they were doing this anyway. So do you think the motivation is the same as it was before when we were doing it manually? Let’s go with that versus now. Do you think that they feel as in the compromised employee could feel that they could conceal it more or where does that sort of sit in your eyes? Because I find this super interesting because if Exabeam has been in the behavior game for a while you mentioned. So do you see that, you know, there’s that whole theory Leopard never changes its spots. People internally are still going to do the wrong thing. They were doing it before, they’re doing it now.
KB [00:07:56]:
Are they going to do it more because they believe they can get away with it? Or what are your thoughts here?
Pete [00:08:02]:
Well, it’s still. It’s all born from motivation. Right. And so people who are motivated to do bad things, will find ways to do bad things. And agentic AI agents merely creates sort of a new vector, a new threat landscape, if you will, for bad actors to take advantage of it. Whether they use those agents to create threats externally on their behalf, or they look to compromise the very agents that operate within an organization, it really is just. It sort of opens up a new expansive landscape for which new threats can form. From now humans.
Pete [00:08:41]:
Again, if you’re a bad person in an organization and you want to do bad things, you can set off agents or corrupt agents to do those bad things. How good you are at covering your tracks or creating plausible deniability because you’re one step removed from it. You know, those are all things that organizations are going to see and they’re going to have to grapple with. Right. Wasn’t an accident, or was it truly an intention that a human had by which they were corrupting an agent to go do malicious things on their behalf? But again, this is where I go back to behavior. You can see, I can see our CISO today sees Pete’s behavior in the organization. What do I do on a recurring basis? Where do I come from? What are the applications I access? How long do I stay in different places? What data do I access? Right. What agents now are working on my behalf? Because Pete has seven different agents within the Exabeam environment that do work on my behalf.
Pete [00:09:39]:
How do I interact with those agents normally? And what does that normal behavior look like over time? That’s the means by which my CISO can identify that, hey, is Pete trying to do something nefarious with that agent? Because his interaction with that agent has deviated from normal behavior? Again, this is why behavior right from our standpoint is the most important thing to focus on as we think about the proliferation of agentic AI across organizations. Because the other tried and true elements are only a piece of the security puzzle, really understanding the dynamics and the deviation from normal behavior, that’s going to be the very first thing that would alert an organization that there could potentially be a problem before something has happened.
KB [00:10:27]:
Got it. So it’s pretty much just going to contextualize as well. To look at, what have you been doing before that incident happened? Were you in certain systems longer, you know, things that were out of your normal sort of work day and what you were doing? So that makes sense.
Pete [00:10:41]:
Exactly.
KB [00:10:41]:
So then I want to then ask you, Pete, around talking through an agent, corrupting another agent. So, for example, when you said that, what came to my mind is if I’ve got to drive somewhere in a crazy speed because I’m running late for something. Yeah, you’re supposed to follow the road rules. But if I didn’t go through with red lights. Have accidents hit people? Technically, I’m still getting there as potentially as fast as I can, but I’m doing the wrong thing along the way. So what are people even, A, aware that this is a thing, and B, what. What do we do to sort of circumvent that? Because that’s a problem in terms of another agent is overriding one else to get the outcome, which is great because we all want efficiency in doing things faster, but then it opens up another problem along the way.
Pete [00:11:24]:
Sure. I think people are generally aware of these things. And, you know, a lot of the big AI providers have. You really have to give them credit because they are identifying and sharing the potential bad situations that could come as they learn and understand how their models will interact or behave once they’re, you know, once they’re released out into the wild. So when you think about it, again, an agent has a purpose. Right. If an agent derives that, you know, the way I’m doing something could be done more efficiently or more effectively if I actually work with this agent. Right.
Pete [00:12:00]:
To be able to get access to, you know, this environment. And if I take steps through that environment to ultimately complete the thing that is most important for me to achieve that. We’re seeing examples of that. Again, we’re just kind of scratching the surface in terms of these things, and there’s a whole lot of learning that’s happening on the fly. Well, we have seen breaches in which one agent corrupted another. You know, I don’t like to use the names of organizations that have, you know, had these situations because, you know, like to respect the fact that they’re going through their process to fix these things. But we have seen things in which one organization’s agent corrupted another agent. And then you had a significant data leak in which significant amount of data was exported from customers, organizations, and found themselves.
Pete [00:12:48]:
You know, all that information found itself on the dark web. So it is something that, if you’re a CISO, this is where you really have to understand what is the design and the remit of the agents that are operating in my organization. How do I verify what that is, but also how do I understand the full landscape of agents that are in my environment? Because what we’ve done is we’ve actually understood that in some capabilities that we will consume from third parties. There are. There’s agentic capabilities that are doing work that we wouldn’t necessarily know are actually there doing things. And so that becomes a really interesting dynamic, because an agent that could be corrupted, that an organization has no idea is even in their environment. That’s where, when you’re thinking about security, you’re thinking about risk, when those are the things that keep CISOs up at night. But those are the things that as we, again, as we’re talking about behavior, it is really looking for and looking at how do we identify where these agents exist? That would give us the ability to create telemetry, to understand what does normal look like, because abnormal is always going to be the quickest indicator that there’s a potential bad thing coming.
KB [00:14:05]:
Okay, so this might be more of an obvious question, but I’m curious to know, do you think. Because now we have to verify, we have to make sure we’re looking at the behavior. Yes, we can automate these things, but you still need to have some human oversight. Do you think that now if we look at security operations, for example, people are going to be spending their time on looking at what all these agents are doing. Is that then detracting from doing other work? Or how does that sort of split look? Because I’m hearing difference of opinions from people in this space, But I really want to hear what you, what you think.
Pete [00:14:33]:
Yeah, there’s this concept of the autonomous SOC that you’ll hear a lot of people talk about. And so, you know, what we’re seeing is one agent in our environment has the opportunity to kick off 12 to 13 times the data of a human being. And so, as I say to my CISO, you know, we’re going to have to manage this, but I’m not. I can’t give you 13 times more headcount to be able to go through these alerts and understand what’s happening in our environment. And that’s where the concept of sort of AI in our security tools really comes to bear, because it’s like anything else, as the world gets more complicated. Right. We need to use technology. In this case, we need to use agentic AI to help our security operations team scale things that they do to be able to deal with a much greater breadth of security dynamics that they’re seeing specifically as a result of agentic AI agents proliferating.
Pete [00:15:35]:
And so what you’re going to see is, I don’t necessarily believe that you’re going to get to a fully autonomous SOC with no human intervention. I think what you will see is the ability to leverage agentic capabilities to more quickly identify, you know, this is not an issue, this is an issue. And help people to become more skilled in the things that they can accomplish within a security operations center. And that is very much the stuff that we do internally. Because you know, as I said, I am pushing my organization and God bless my CISO, pushing us to adopt agentic AI capabilities all over the organization because I want to stress out our security operations team so that they can give very pertinent feedback to our products team in terms of, hey, this is where I don’t have visibility, this is where we’re seeing an issue, this is what keeps me up at night, this is what I don’t have controls over. So that we are very rapidly iterating so that we get the benefit of AI, but we’re also able to ensure that we have the proper protections in place. And so the SOC of the future, five years from now, I think you’ll see a lot more agentic capabilities helping the human element to raise their capabilities and level up in terms of the things that they can do. I always think you have some level of human interaction in the SOC, you know, today, five years from now and in the future, you know, I don’t necessarily subscribe to the fact that an autonomous SOC in which everything is done in an autonomous way would be a method that, you know, people would be comfortable with.
KB [00:17:12]:
So you said before, you’re obviously going through this operation internally, stressing out the CISO to get your team in order to identify gaps. Is there anything you can share that’s coming up in terms of insights or your team perhaps?
Pete [00:17:23]:
We’ve deployed, we have deployed autonomous agents to do a lot of the level one activities within our SOC. And we’re seeing real, I mean we’re seeing these autonomous agents find things, correlate things, identify threats faster than sort of our most junior level SOC analysts. And so, you know, it is really amazing how much efficiency we are gaining from those entities that we’ve built inside of our own organization. Now the nice part about it is they are able to serve up information to more junior resources so that those junior resources have a far clearer path to be able to get through remediation and tackle some of these threats. So it is this. What we’ve been surprised is as we’ve really started to build out some of these capabilities, it is impressing us in terms of the effectiveness of these capabilities, these autonomous agents that we have basically serving security roles in our organization. But it’s really nice to see it connect to the human side of it. Because now those human beings are getting a whole lot smarter because they’re able to get access to an amazing amount of telemetry and correlation information and behavioral information that allows them to make decisions and take actions far quicker than they ever could if there was not this sort of autonomous security agent operating in our environment.
KB [00:18:53]:
So the other thing I want to go back to you mentioned before, 3D chess, sort of the use me a little bit more about what does that mean exactly?
Pete [00:19:01]:
I think the way you think about it is that, you know, the deployment of agents right across an organization, there is tremendous efficiency that one can gain from it, but there is, you know, significant risk that can be born as a result of. And so you really need to understand what things am I trying to accomplish across what dimensions, and how does every move that I make affect the rest of the things across my organization, and how does it affect the opportunities that I may unknowingly create for third party bad actors to do me harm? And so you’re not just sort of playing within your organization, you’re playing outside your organization and you’re trying to isolate and identify. You know, if I do this, if I deploy all of these agents into my security operations center, that is great for efficiency, but have I opened up the ability for me to be compromised in ways that are cataclysmically worse than before? So it is really understanding for every move you make, there’s a couple of different vectors that now apply. So it’s not just a flat board, so to speak. Your moves can, you can move north and southeast and what, you can also move in different dimensions. And that just creates different areas of risk that organizations need to be conscious of. Because the beauty of AI agents, and me from a CEO standpoint, is I can get a whole lot better, a whole lot more efficient at the things that I need to get done that are things that are going to be recurring in nature. But every time I’m deploying those agents, if I am not 100% confident that I understand their remit and that I have the ability to secure that agent not only with, you know, privileges and access, but with guardrails and with understanding the behavior of it, If I can’t do those things, well, then am I creating an element of risk that could potentially offset all of the efficiency and productivity gains? I would realize.
KB [00:21:07]:
And would you say companies are now trying to go through this, let’s call it exercise to determine, well, if we do that, are we creating a bigger risk than before when we’re trying to gain efficiencies here? I know it’s still relatively early days for companies. I’m not expecting everyone to have the answers, but would you say that’s a fair assessment of where some of your customers are at?
Pete [00:22:04]:
Yeah. You know, as I talk to CISOs, the big question or the big discussion that we have is that my CEO or my executive team is pushing that we need to roll out agentic capabilities across the organization and we need to do it right now because some of their competitors are doing it and they’re seeing really, really impactful positive gains. But you know, CISOs are asking themselves, how do I secure this? Like, how do I make sure that this does not get out of control in a way that I can’t recover from? And so it’s that yin and yang. In essence, it is, you know, the business pushing forward and security, not wanting to be a roadblock, wanting to be an enabler for the business, but also understanding that it is their duty to protect and mitigate risk. And so, you know, I can see as I talk to a lot of CISOs, I mean, there’s a lot of people who are really thinking hard about how exactly do we do this in a way that is most efficient and effective, but also ensures that we are adhering to our responsibilities of security and risk. And so those are the conversations that I have all the time. And the special piece about that is speed. Because a year ago we weren’t talking about agentic AI capabilities the way we are today.
Pete [00:23:26]:
So think about where we’re going to be in another year. And so that element of how fast and the rate and pace that technology is moving in today, that is the other complicating factor. Because by the time you figure it out, it could be that there’s a whole new set of things that you now need to chase down and you need to make sure that the decisions you made, you know, in the recent past do not hinder you from the things that you will have to do in the near future.
KB [00:23:54]:
Okay, I want to shift gears now for a moment and I’m curious to understand if an AI agent leaks sensitive data for, for example, or makes an unauthorized decision, etc triggers a major incident. All the things that we’ve sort of already just started to discuss. Who would ultimately be held accountable? Would it be the vendor security team or executive who approved it, or like the whole organization itself? Because this is the thing where it’s like, well, technically it’s kind of them, but it’s like, no, it’s the AI agent of the vendor, but it wasn’t really us because so and so approved it. I think there’s a bit of a conundrum, but I want to get your thoughts.
Pete [00:24:33]:
It is interesting. There’s a lot of finger pointing.
KB [00:24:35]:
Right.
Pete [00:24:35]:
I don’t think it’s clear today, and I know I’ve talked to organizations in which the CISO clearly owns the security strategy for AI agents within the organization. You also see that there’s a chief digital officer in some organizations or there’s a chief executive AI officer and other organizations. And in some cases they are taking dominion over the security decisions as it relates to securing agentic AI agents. So it is certainly not clear in the landscape today who is the clear owner of it. In many ways, it becomes a partnership between, you know, the business and security to work collaboratively, to take advantage of the benefits of AI, but to not create risk that is unmanageable and will ultimately be problematic for the organization. You know, I don’t know that I can be prescriptive or I would be prescriptive in terms of who should own it. Your CISO should certainly be a part of that, but, you know, your chief AI officer should be a part of that. Your chief Digital officer should be a part of that.
Pete [00:25:44]:
The risk and compliance group should be a part of that. In some ways, you know, I have lineage in the application security market and, you know, you saw some of the friction points between application security where in some organizations the, you know, head of development owned application security and others, the CISO owned it. I can tell you that when the ownership was one or the other, that’s where I would typically see friction. When the ownership was in some way shared, that is when you saw more collaboration. I think where it eventually settles out is that it is some blend between the business and security to make sure that the risk profile of the organization is not spiking in ways that’s untenable. But the organization can take advantage of all of the rich benefit and goodness that agentic capabilities can provide.
KB [00:26:38]:
So I’m really curious, considering it for a vendor. It’s very easy for companies. When something happens, they turn around and just blame the vendor. It was the vendor. There’s been instances of that in the us, Australia. Do you think, given your experience, that we can say like, yes, as industry, as a group, we’re going to start to start to chart the path of who’s responsible? To your earlier point, it could be a bit everyone, but do you still think that is going to come a time when something happens, which it will, and then someone’s going to try to blame the vendor for it? We’ve already seen it happen. Now, I’m not saying that’s the right answer. It’s just more no one wants to actually admit that we made a mistake.
KB [00:27:16]:
And it’s very easy to blame suppliers in this, you know, chain of command.
Pete [00:27:21]:
Of course it is. You know, it’s less about the technology is moving so fast. If you subscribe to the theory that nothing bad is going to happen, your bad things are going to happen and agents are unpredictable just like humans. And is it the vendor’s fault? I mean, if you’re going to consume the capability, then you consume the capability full well, knowing the risks. Now, there are things that vendors need to do to be responsible in how their agents are designed, the capability of their agents, things like the logging of activities of agents so people can actually gain telemetry and actually see what’s happening. There’s responsible ways to build and deploy agents. And I think that’s where vendors who are embedding agentic capabilities in their solutions to give to customers, there’s a level of responsibility that we all need to adhere to. But at the end of the day, organizations who are going to consume these capabilities, that’s really where it’s going to lie.
Pete [00:28:21]:
Because when bad things happen, it’ll happen to that organization. Now, you know, there’s always room to get better and there’s always room to improve your posture as it relates to security, both on the vendor side and on the customer side. Yeah, I don’t think you’ll ever get away from a situation in which somebody blames somebody. That’s just the nature of what it is. I think that collectively, you know, what I’ve seen is both customers and vendors are smart enough at understanding the potential ramifications if we don’t do this properly in terms of including agentic capabilities in our products and solutions. And so Everybody certainly has a heightened perspective in terms of doing things in a responsible, appropriate manner and doing that.
KB [00:29:09]:
It’s sort of hard as well, because, I mean, I’m speaking to people, like, all the time about this stuff, but one minute, one week, it’s about something. Oh, and then the whole thing’s changed again the next week. So it’s really hard then to manage expectations, to have it all mapped out. We don’t have all the answers. Because even now, I was talking to someone at another event recently that I was at, like, oh, now that the Mythos thing is a thing, it’s almost like the whole AI stuff is almost taken a backseat because people got to deal with this current problem. And I mean, what do you sort of realistically think is now going to happen? Is it just. I know each company is going to have their own way of doing things, it’s going to be more specific to them, etc. Is it just going to be a little bit of trial and tribulation? We’re not going to get it right.
KB [00:29:50]:
There’s going to be someone over index. We overshot the, you know, the shot, and now we’ve got to sort of pull it back. Is that just going to. Was going to have this continuous, like, iteration until we get it right or. That’s what I’m hearing. But, yeah. I want to get your thoughts.
Pete [00:30:05]:
The phraseology we use internally is everybody’s got to be uncomfortable. Everybody’s got to be comfortable being uncomfortable. Right. And in any market that is moving as rapidly as ours is today, you know, you just gotta find comfort in the fact that, you know, ambiguity, because things move so quickly is gonna make you feel uncomfortable, and you’re gonna have to deal with that. And if being uncomfortable freezes an individual or an organization, I can’t leverage agentic AI capabilities until I know that I can secure it 100%. Every time, that organization is going to get left by the wayside because everybody else is going to take advantage of capabilities and they’re going to be late to the game. And so organizations today need to balance the benefits with the potential risks. And that is something that we talk about internally all of the time.
Pete [00:30:55]:
Right. Hey, we could do. Because obviously we are very technically capable in the agentic AI world. I mean, there’s things that we could do. There’s things that we have proposed to do internally that, you know, when we sat there and looked at it, we said, that’s really risky. That makes us a little uncomfortable. So we’re going to pull back from there. But you have to have a sense of uncomfortableness, because any organization that is deploying agentic capabilities, if that security team tells you that they have it all locked down, it’s perfect, there is absolutely no risk.
Pete [00:31:27]:
They’re lying, because they don’t know, because no one knows. You can’t know. In a technology world, which the evolutions are coming in, you know, weeks and months as opposed to, you know, years, it moves fast and the dynamics change. And every time you get one of these new foundational models that’s released, you know, the capabilities advance in very significant ways. So where you thought the limit was, we blow through that limit and then some. And so, you know, it really is about, again, it’s just about, you know, finding where is the balance between gathering benefit and potentially creating risk. And then it is about how smart are you in terms of thinking through the best ways to identify when something is going to potentially go wrong. And so the organizations that do that, they’ll get ahead of it, and they will be able to mitigate or take action or defend themselves in ways that are more proactive and create less fallout.
Pete [00:32:29]:
Other organizations that are not as thorough as they probably should be, they will see negative things happen and they’ll have to deal with the ramifications of those things.
KB [00:32:39]:
Okay, so, Pete, on that point, as we know, everyone, and when I say everyone, companies like you mentioned, they’ve got to maintain that competitive edge, which is to deploy AI agents to gain productivity and advantages, et cetera. Which makes sense. But again, would you say our organizations are just moving too fast and ability to secure and govern them? Because it’s hard. You’ve got big enterprises out there that are trying to compete because again, if you look at even the buyer’s journey, while companies expect more, faster, cheaper, better, et cetera, they’re like, okay, well, we’ve got to do better by deploying AI agents. And I know that it’s not an obvious sort of answer in terms of the chicken and egg sort of thing, but are we as an industry creating more of a rod for our own back? Because whilst we’re trying to maintain that competitive advantage, other issues start to open up.
Pete [00:33:32]:
Yeah, security is always going to lag to a certain degree because the human nature is to lull yourself into a false sense of security. And no one likes to be called Chicken Little, so to speak. If you think about the old Chicken Little adage, something bad is going to happen. Something bad is going to happen while everyone else is saying, you know, no, it won’t. I mean, human nature is to believe that the most positive outcomes will be derived even in the riskiest of situations. And so security naturally lags as a result of that. Now, in technology markets that are not moving that fast, the security team can generally stay ahead and can feel a little more comfortable in terms of the steps they’re taking, the actions they’re taking. And the adoption curve is slower traditionally.
Pete [00:34:19]:
Today, as it relates to agentic capabilities, the adoption curve has been massively accelerated because of the benefits to organizations. And so in that environment, security is certainly going to lag a little bit. So it puts pressure on the securities, the security organizations, to keep up with that. I was at a conference before RSA with one of the large investment banks, and they showed the adoption curve and then the security spending curve, and how that curve, the security spending curve for agentic AI capabilities will lag the adoption curve. And the point they made is that this is what we would expect and that somewhere in these two curves, the way the curves get closer is that there is a very big issue that happens. Somebody has something bad happen, and that is the catalyst for everybody to say, hold on a second. Our security posture has to keep pace with our exploitation of this new capability. And, you know, and they’ve cited historical, you know, trends in the past in which they’ve seen that I think it’ll be the same thing in this environment.
Pete [00:35:24]:
But, you know, I mean, human nature is to assume that, hey, it won’t happen to me. And so you get to enjoy all these benefits and you don’t necessarily focus on the downside scenario, but eventually, right, that rears its head and somebody unfortunately has to bear the burden or the consequence of that. And that is the piece that sort of shakes the market into a better sense of equilibrium between the tech that we’re adopting and our ability to secure it.
KB [00:35:49]:
Okay, so, Pete, final question looking forward, what do you think? What do you see the rest of 2026 unraveling? What’s on your mind? Again, you don’t have to get it right. It’s just more getting a little bit of an insight into what you think about day to day.
Pete [00:36:04]:
First of all, agentic AI capabilities are awesome tools for organizations to take advantage of. I think there’s a whole lot of power and benefit that I, as a CEO, am excited about within my own organization. I think it really is important for the security vendor community to not try to paint the picture that I can do everything, because in saying that to a security organization that is struggling to keep pace with new technical capabilities that are being deployed, you by default are putting that organization into a very bad place. And so anybody who goes out there and says, I do it all for agentic AI security, I can secure it all, I just, you know, I don’t believe it because I know it’s not true. And I think it really is the responsibility of the security vendor market to help security organizations and our partners to really understand that securing agentic AI is very much like securing human beings. And that it is a multifaceted approach that needs to take into consideration the different dimensions and vectors for which bad things can happen. And you know, like any new hot technology, there’s a million little startups that pop up and they can all do everything under the sun and, and they’re the best things since sliced bread and they tend to sort of have a big pop and then they fizzle out. And it really confuses the market in many ways and creates noise in the market that is counter to organizations getting into the best possible posture to secure the agentic capabilities that are going to bring benefits to their organization.
Pete [00:37:45]:
So, you know, what we’re trying to do at Exabeam is be really specific about the fact that, you know, privileged access, identity, right. Those are important aspects of securing your agentic AI footprint within your organization. We talk about specifically behavior and we think that without the ability to understand and identify normal behavior and then abnormal behavior, right. If you can’t do that, you’re missing a piece of the puzzle. Now I would never say that that is the only thing that you need to do, right, because that’s not true. And that is, you know, that is in essence, you know, leading our customers astray, but it is a piece of it. And so, you know, we try to represent this technology is here, it will only go faster. The potentials of it are, you know, you can start to dream about what the world looks like in six to 12 months and even those dreams are probably not, are not giving the future enough due in terms of where it can land.
Pete [00:38:43]:
But I think that, you know, collectively, you know, my job, our job as Exabeam is to ensure that our customers have the proper security posture to decrease their risk profile to the greatest extent possible while taking advantage of the things that will give them competitive differentiation in the markets that they participate in and for the customers that they serve. I’m excited about that. I think there’s a whole lot of room and potential for organizations to grow into that space. But I think, you know, we need to be smart as a vendor community and not think that by walking around saying that hey, I am the one to solve every need in this new space and therefore, you know, giving a sense of comfort to a customer, that one stop, one stop shopping will do that. I think that’s a, that that’s a poor way or a poor outlook to provide to a customer and only puts them at greater risk.
KB [00:39:38]:
That was Pete Harteveld everybody. Pete’s been in the behaviour space long enough to know when the industry is behind and his read is that we’re behind right now in a way that historically only corrects after something painful happens. If you’re an executive who has signed off on agentic AI rollout, the question worth asking your security team this week is not are we protected? But can you actually see what these agents are actually doing?
I read every reply. If you got some thoughts on this one, send me a message on LinkedIn.
KBKast – Cyber for the C-Suite.