
The Three-Layer Strategy for Autonomous Agent Governance with Joe Hladik and Amit Malik
Joe Hladik: The ones who haven't faced a major crisis, especially startup companies, for instance, who are just starting companies from the beginning being an agentic rollout, I think we're going to see a lot of vulnerabilities coming. The same old problem hasn't changed. It comes down to maturity. How mature is your business? There's always going to be organizations that invest in that, and then there's always going to be the ones that don't. [ Music ]
Caleb Tolin: Hello, and welcome to another episode of Data Security Decoded. I'm your host, Caleb Tolin, and if this is your first time joining us, welcome to the show. Make sure you hit that subscribe button so you're notified when new episodes go live. And if you're a returning subscriber, thanks for spending some more time with us. Give us a rating, drop a comment below, let us know what you think about the episode. This is the best way to support the show, and it helps me understand what you want to hear more about. Today, Joe Hladik and Amit Malik from Rubrik Zero Labs return to expose the agentic paradox found in their latest report, The State of the Agent: Understanding Adoption, Risk, and Mitigation. We discussed why the majority of security and IT leaders expect AI to outrun the security guardrails and why even more now are starting to fear for their job security. Stay until the end to learn what the heck organizations can do to address the agentic paradox. Let's get into it. [ Music ] Well, thank you again for both of you joining the podcast. It's great to have you both again this time. And so I'm really excited to dive into some of the findings from the report that you recently put out. And what I want to start with is the report notes that 86% of leaders expected AI agents to outpace their security guardrails within the next year. So my first question, Joe, I want to direct this towards you. Looking at a high level, are we sprinting towards a cliff? Why is there such a high urgency to adopt this technology across the enterprise?
Joe Hladik: That's a big question. Well, I think the, if we're talking generally speaking, there's a lot of, before we get into security and all that, businesses are seeing a large benefit in what agent capabilities are, right. So like, if you can get rid of the buzzwords and what is an agent? It's an identity that, think of like a bot that you can task, and then that bot will then have access to LLMs. So it's a bot that can query LLMs, get an answer from it, and then execute the task based on that answer. So just like you using an LLM, you get the response and then like you can take action based on what the LLM provides you. An agent is effectively that. It's not a replacement for a human, but what it does is it's not necessarily like sentient and acting on its own entirely, it's still an autonomous routine that's like more like a bot. But what it is, it does use LLMs to get more information and then execute a task. So when you think about it, like from a business point of view, that's a very powerful tool because what you can do is you can automate literally everything. The problem comes into play when people try to automate everything because you need some level of control. Or I should say you need some level of command and control from a human perspective and what you're actually building or executing upon. So, if you have a whole hive of agents performing all these different tasks, for one, you want to know what they're doing and one, if they're doing the right thing. So there needs to be some level of integrity, right. So if we think about the CIA triad that everybody knows, confidentiality, integrity, and availability, those three aspects are very lacking right now for any sort of agentic AI implementation. For one, the confidentiality aspect of it is you have to have the right access privileges. One, in order for it to do the tasks that you've set out to do, but is it even authorized to do those tasks? 
And the problem, I think, is that a lot of employees, even the lowest level employees, have the power of agents at their disposal. And this is a paradigm shift because when any sort of automation in the past was implemented, it usually took leadership and leadership decision making to occur to enable engineering to automate tasks, right. Now, everybody in the lowest levels may have access to agents, and they will have all this autonomy infrastructure backing them up, and they may not have the authorization or the privileges granted to them to actually perform these tasks. So that governance is a problem. The integrity too, as well, like how do you know what the agents are interacting with? That's a big thing. As well as availability. So availability to me, which we'll talk probably more later, is more akin to what we're calling observability. So one, having visibility into what the agents are doing, but being able to observe all the actions that they're taking. That's another critical gap right now.
Caleb Tolin: Right. And if there's this really high sense of urgency amongst businesses in virtually every sector. So with all of these kind of hurdles that organizations need to overcome in terms of addressing governance, observability, all the things that you just mentioned, where is this urgency coming from? Why is it right now that we have to adopt this top technology when we have all of these other elements from a security perspective that really need to be addressed before this gets into production?
Joe Hladik: Well, I think the simple answer is revenue generation, profit, money, you know, like business incentives, right, growth, marketing, all those things, sales. It is such a critical change. It's like the birth of the internet, right. When you could put on a website like 20, 25 years ago, when you could just put your business on a website and start basically globalizing your business for essentially free versus having to pay a lot of money to open sales offices globally and all that stuff. Sure, companies still do that, but having a website, right, changed businesses forever. Same as social media. And you know this really well, Caleb, just the fact that like, you know, one tweet, it can go viral and completely change your business in a matter of minutes, right. This is a very similar paradigm shift. And I've already said that word twice, but like, that's effectively what this is. It's just like the internet, it's just like social media. This is just a modern version of what that paradigm is. And businesses are capitalizing on it at the cost of security. And ultimately, where does the stakeholder from security really reside within right now? You'll have businesses and organizations prioritizing agentic rollouts, but the ones that are listening to security are usually the ones that have experienced breaches before. They've experienced large amounts of loss. In terms of business continuity, maybe, you know, revenue being down for a month can really hurt, you know, an organization no matter what industry you're in. So if you've experienced that before, that threat is very real to you. So you're probably going to be taking a more cautious approach, working with, looping in your security team to the rollouts to be like, okay, well, how do we monitor, how do we detect, how do we respond? The same sort of mindset everybody would ask during any sort of application build, with DevSecOps, their whole life cycle and everything as well.
But the ones who haven't faced a major crisis, especially startup companies, for instance, who are just starting companies from the beginning being an agentic rollout, I think we're going to see a lot of vulnerabilities coming out as a result of that. I think it's the same old problem. The same old problem hasn't changed. It comes down to maturity. How mature is your business? There's always going to be organizations that, you know, invest in that, and then there's always going to be the ones that don't. And then we're always going to be in this, you know, situation where Amit and I will have a job for the foreseeable future because that's just the way this works. And unfortunately, security's a very reactionary thing. You almost have to experience it to get it, if you know, you know, type of situation.
Caleb Tolin: Right, right. Well, I want to get into agentic-driven attacks, kind of like what you were just alluding to a moment ago, and also to note what you were just saying, too, about job security. That's another theme in the report as well that we'll get into. But before I do that and dive in further, I want to go back to what we were talking about governance and guardrails. And a question for you is, for the practitioner, how are you able to ensure that guardrails are in place when agents are designed inherently to find the most efficient path around obstacles. What are those policies? What does that governance framework necessarily look like for a business?
Amit Malik: Yeah, very interesting question, Caleb. I think the things that Joe talked about and the issues that we have in the agentic AI space, and especially when it comes to the security, because it's a relatively new stuff, like most of the traditional things that were there that we used to, the security community used to do might not really be applicable because the inherent nature of the probabilistic nature of the LLMs, right. So some of the guardrails will not really be there. But one interesting thing that we are talking about in our report is providing a very simple framework to CISO or the practitioner community that when they see the agentic AI as a system, right, they should kind of see it as a three layer approach. One is like tool layer, which basically the actual hands of the AI, you know, agentic system that actually carry out the stuff. Let's say if you have to write a code or you have to read a database or you have to do your task, right. So these are the tools that actually carry out those things, right. And then cognitive layer is basically the brain, which is the LLM in nutshell that actually makes these decisions like which tool to invoke, and what really needs to be there, what task needs to be there, some reasoning has to be there. And then another very important layer that we are kind of stressing in the report is the identity layer, because most of the time people are, when looking at the agentic AI system, they are mostly talking about the tool and cognitive layer. There is not much focus on the identity piece, but we believe that it's very, very equally important that we kind of consider identity as a part of this framework. And from a guardrail point of view, as I described, if you divide the agentic system into these three layers, then each of these layers have its own issues and they kind of provide different set of challenges. Like when it comes to tool layers, we have to be, it really depends on what type of tool.
If it is a database, read and write tool, then we have to make sure that it's least privilege. It does not really alter anything in the database or stuff like that. And if it is like cognitive layer, then we have to make sure that the cognitive layer related attacks like prompt injection, indirect prompt injections, those are kind of mitigated. But from a guardrail point of view, these things are evolving right now, right. So what we recommend in terms of, or the proven methods that we have also provided in our report by the means of auditing the mainstream agentic applications like ChatGPT and Gemini, the majority of the test bed or the test cases that we have done, they obviously, I mean, the major provider have much more strong controls and the guardrails and they are not material risk for them. But if an organization is taking an agentic AI application and then they are deploying it, they should make sure that like sandboxing or the LLM guardrails and then the firewalls, those are in place and make sure that the input and output of each layer is basically properly audited. And another aspect of this is that human in the loop should also be there when we are kind of doing these type of things. So that, from a holistic point of view, I feel that this framework should provide working operational model to practitioners that they can leverage in terms of their threat modeling and deploying the guardrails for the agentic system.
Caleb Tolin: Absolutely. And another stat that stood out to me in this report was that a little bit less than half, it was 44% of respondents said that their biggest fear was compromised agent misuse or shadow AI. Honestly, I'm surprised that it was 44% and not a little bit higher. But also only 23% of leaders claimed that they had complete oversight of the agents in their environment. So my question for you, Amit, on this is what does that look like on the ground? How does a defender find an invisible agent that has hijacked and been used as somewhat of an insider threat now?
Amit Malik: Correct. I think this is a much, much bigger problem and we have seen that with the evidence of OpenClaw or the mood board that people are talking about that became very popular in terms of the commodity of the AI agents, right. So people were like installing it and then there were lots of risks that came out of it, like credentials got exposed or supply chain risk came when the other people tried to deploy the plugins for those things. So it is a very big risk in terms of looking from an organization point of view, because right now the agent is basically is nothing just an integration of an LLM and then tools, and you just do, you do and carry out your, your kind of stuff or the task that you do. Now, in terms of the observability, definitely there has to be the solutions that can really kind of identify this type of tooling in the environment. It's easier to identify the tools that are on, let's say, the cloud service providers because those are kind of more managed in terms of that. Let's say you do something on GCP or AWS and stuff like that. But if you are running something on your I would say on your laptop, then it's much difficult to kind of identify those things. Then it comes mostly on like how, based on the technology, how really we're going to identify those things.
Caleb Tolin: Wonderful, wonderful. So Joe, I do want to go back to you on this one. So the report outlines that 88% of leaders said that they wish they had an undo button to roll back agentic actions, but really none of them had the capabilities to do that. From a technical perspective, why is this so hard for organizations to roll back, whether it's a compromised agent, whether it's an AI agent going rogue, what's the guardrail there?
Joe Hladik: Well, one, I would probably say the problem is context. Back to what I said earlier with confidentiality, integrity and availability. Part of the problem, I think, is the second two in this regard, where integrity and availability. One, we don't have availability much in terms of telemetry. So tracking what all the agents are doing, for one, is going to increase the volume of logs immensely. So even if you were to log everything in every agent's doing, especially in a large enterprise, you're going to have a massive amount of logs generated. So for one, there needs to be an approach that somehow you aggregate all of that activity but not reduce the efficacy of what the context is provided in the logs themselves. So for one, that's going to take some work from security professionals and others to figure out like, okay, well, what types of attributes, what types of activities do you want to track? And how are you going to forensically trace it back to things like an agent, a specific agent or identity? So things like agent ID, timestamps, all the classic logging metadata is going to be necessary. But it's the aggregation that's going to be the challenge in terms of figuring out how to manage the volume. That's the first problem. Because without that, you don't have any context. And without context, you can't make any informed decisions on how to act upon an agent, whether the agent is being misused, whether it's acting maliciously, or whatever the case is, right. In order to understand what it's doing, for one, you need to understand which agent it is that's doing it. And then two, you have to understand the context of how it reached its decision to perform the action. So like, you know, like ChatGPT or any AI, you can like open up and see how like the LLM is reasoning through its sort of thought process, quote/unquote, to figure out what response it's going to give you. 
We almost need access and understanding to that for agents to actually see how they've reached the decision that they did. That would be another context point to then say, okay, this agent acted unintentionally but accidentally deleted an entire email database. I'm calling out an actual case that actually happened a few months ago, right. Where it wasn't, it was an inside threat technically, but it wasn't acting maliciously. It was just doing what it thought was the right thing to do or most efficient thing to do. Context is important in those things, type of situations, especially when we start getting into the realm of more sophisticated nation state level types of attacks that are going to be leveraging agents to do this type of thing. I still don't think espionage is going to be the top use case for agents because subtlety, stealth, all of those things are incredibly important. And if you have a large agent swarm acting autonomously, that might be a little more difficult to keep that sort of stealth in place. But everything else I think is open, whether it's like ransomware, destructive attacks, critical infrastructure attack, anything like that, completely open because subtlety, stealth is not necessarily key for those types of operations. And we've seen them already sort of starting to occur. So what I had just said with telemetry, that is what's going to inform us on what happened. But how do you stop it while it's happening? That's a different problem as well. So it will build on top of the telemetry. You need that context awareness. And then you also need to develop new detection measures that use that sort of telemetry to then inform you that an attack is happening. 
I think we're going to see an evolution of that as well, where there'll be a combination of maybe both, where you'll have AIs generating signatures based on artifacts that we're recognizing, and then also recognizing new behaviors that are tied to specific types of agents or threat actors or shadow AIs or whatever we want to call them. And I just see this as an escalation. It's much harder for the defender to identify every hole in the environment and then fill those holes to prevent the attacker from exploiting it. So the task, that's why the task is monumental, is defenders just have more to deal with. And it's a more complicated process to get an AI to solve that for you, even though AIs make it a lot simpler. A lot of the underground context that I just talked about needs to exist for the AI to act in a way that like, okay, now I understand that we need to defend this specific thing, identity space or different things like the network, for instance. I'm certain humans are not going to be able to defend it in the same way that AI would. So I think that's kind of where we're going to get at is we're going to see more AIs performing detection engineering type things is quickly rolling out new signatures, new anomalies, new types of things more in one package rather than them being separate.
Caleb Tolin: Right. Very interesting insights there, but yeah, I do want to shift gears a little bit and talk about another element in the report. And Joe, I'll direct this one to you. But it was 92% of IT and security leaders feared for their job security if their company suffers from an agentic driven breach. Now, I know Rubrik Zero Labs has tracked this idea of job security for quite a while now. And I want to kind of note like the change over time. So is the real fear driven by the complexity of AI, or is it really more this increasing legal and personal ramifications for CISOs post-breach? How has this fear index changed over the past several years as Rubrik Zero Labs has tracked it?
Joe Hladik: I don't think it's actually changed. I think it's actually just evolved. I think some CISOs, and especially the ones I've talked to, there's a lot of new things that are going to be in place to protect CISOs as well, especially when it comes to insurance policies. I've seen a lot of opportunities now where CISOs will also be covered just like other C-level officers. So I think that's a positive change and one that's absolutely needed. Because historically, I think one of the problems that's been faced is that CISOs didn't have this type of protection. And they can get personally sued, right. So if you're a security officer leading this organization, and then all of a sudden a breach occurs, and then you're personally liable for it, that's a big implication and also a major deterrent for a lot of talent to want to take on that type of position, right. Because if you can be personally liable for something, why would you want to sign up for that? So I think that is a major challenge that we're overcoming right now, where a lot of the damage has been done, I think, to many. And I think that the ones who, I don't want to say take on the most risk, but they take a lot out of it, will be protected in some ways and maybe incentivized like more talent to take on these roles. So that's a positive. I think we're also seeing the transition to that right now, so that could be also a reason why there's a lot of fear is that CISOs may not even know this type of stuff is available to them yet. So there's that aspect too. So beyond the technical, right, it really comes down to like how personally liable am I to my job, right. Because most of us have the benefit and the privilege to separate ourselves. So one, I think that's a major part of it. Two, AI is certainly on the mind, right. Because it's like, it opens up every, like potential sci-fi nightmare that I know I grew up on as almost bringing into reality. And like, how do you fight against that? 
There's, I think the one thing is to one, understand what is actually possible versus the science fiction. There's a lot of science fiction that has become truth, but there's still a lot that's still science fiction. So actually understanding what AI is truly capable of, that it's non-sentient, okay. No matter what viral news you see out there, like, sure, it might exist in some dark hole of the universe, I don't know. But as far as we know, it doesn't exist.
Caleb Tolin: We're not at age of Ultron quite yet.
Joe Hladik: Right, right. Which is a good thing, I think. They are, that's why I've been really making a point to say they are LLMs. They are extremely advanced machines that do pattern recognition, and they produce a pattern in return. They are not thinking like we think, even though we do have a part of that in our own brain, it's not the same thing. We have to understand the technology and really understand like what its capabilities are. And there are a lot of unknowns, but don't lose sleep over those. Like just, like that's the thing is like be, take control of what you have and know what your constraints are. And your constraints are usually going to be around your budget. At the end of the day, that's all we can do.
Caleb Tolin: Well, as we head into the final stretch here, Amit, I'm going to direct this one to you. Eighty-two percent of the leaders in the report said that all of the advice is too theoretical that they're seeing across the market in terms of agentic readiness and security. So let's get a little bit more practical. What are the three actions that defenders can take right now to improve their resilience and their AI readiness?
Amit Malik: Yeah, definitely. I think the technology is evolving right now. So that's why, I mean the frameworks are getting developed and then people are starting to deploy and all these things. So it's not as mature as it should be. So that's why the people are kind of facing the challenge. But from a practicality point of view I would definitely suggest that see the agentic systems not as a consolidated system but as a part of like in our framework we are saying three layers, but it depends on how, if we are looking at an attack pattern or let's say MITRE framework that are mostly driven by the type of attacks that are there. But see the problem from a different angle like what are the components that are there. I would rather say that stick to the architecture, say that just like in our case when we are saying that tool layer, the cognitive layer and the identity layer, and then decide and look at each layer because each layer is having some different set of challenges. And they have the ability to do different level of damage at each layer. So look at the threat modeling of those things by looking at that part and then see where the challenges are and then trying to fix those. Like for example, like the tool layer is very, very serious because that is actually the one that is carrying out the activity, right. It's interacting with your database, it is interacting with the internal stuff that you are trying to do. So make sure that it is running inside ephemeral containers, you have network segregations, you have firewalls in place, you are doing input and output validation of these things so that the tool does not really do anything wrong as per the environment, right. So though we have described the recommendation in our report in more detail, and we have also given some insight into like how the mainstream platforms are actually kind of have implemented to some degree these controls.
So I do feel that the workspace isolation and sandbox, this type of isolation is very, very essential in deploying these systems.
Caleb Tolin: Yeah. Right. And Joe, I'll go back to you for this one. What are two inconvenient truths that every security leader is ignoring right now that they shouldn't be about AI and human oversight?
Joe Hladik: Well, one, I would say probably the most inconvenient truth is probably the explosion of identities. It's just right now, I think we're trying to get a hold of like, what number it actually is, what's the ratio from human to non-human identity. I know, in past reports, we've given numbers, we've coded numbers from our partners as well. But I think we're at a point now where it's like, well, everybody has a different number. I think it's become a subjective thing in that you can thank AI for that, especially with the agents. I think, so that is an inconvenient truth, and I think it's obvious why. Identity management in itself becomes an insurmountable task. Well, I shouldn't say insurmountable. Everything is possible, right. What I think is happening is it's moving so quickly that it's making it harder to catch up and manage. That's kind of what I'm getting at. The reason is, is that agent identity is just like I've used this in the past, like elastic infrastructure in the cloud. You can have VMs spin up and spin down in a matter of seconds, just like identities. That's kind of the same thing. We're in this elasticity with identities right now. The second inconvenient truth is what I'll go back to the telemetry piece. There's going to be a lot of hard work here because it's a matter of, like, I posed a few of the technical challenges. There's a lot more. And it's something that my team or Amit, myself and others, we're currently trying to figure out. Like, how do we actually come up with actionable telemetry for agentic AI that one can handle the elasticity of different agents being created and destroyed and vice versa, all that stuff. That's another inconvenient truth because no matter what anybody says right now, like, oh, I have complete visibility into my environment. Okay, you have visibility, but we're talking about observability, right. And the reason is there's a key difference. 
Like you may see all of them, but are you actually observing what they're doing, right. There's a big difference to that. And that's what I'm getting at is that's the second inconvenient truth is like from visibility get to observability. So that's the range.
Caleb Tolin: Right. To your point earlier, the difference between visibility and observability is really like the context. Like, yeah, you can see that they're there and that they're doing things, but are they doing the things that you want them to? Are they doing things that you don't want them to? That context-rich insight is really the difference between the two terms for sure. Well, as we close out the conversation here, I'll ask both of you the same question. I'll start with you, Amit. What is the single most important message you want to leave with our listeners today?
Amit Malik: I think my message would be that AI is coming, definitely. Be responsible and deploy it with responsibility. That's what I would say. Otherwise, the consequences could be very, very, very, very dangerous. Yeah.
Caleb Tolin: Right. Joe, what is your single most important message that you want to leave with everyone today?
Joe Hladik: We live in a scary world. I think we need to take a deep breath and really reflect on all the decisions that are being made. And I'm not talking about like the greater, there's a lot of things happening. I want the scope down to just the AI problem. But I think it can relate to everything else as well. Reflect on the decisions you're making. There's a lot of doomsdayers as well as there always has, always has been with pretty much anything. That's unhelpful when you're constantly talking about how things are going to be destroyed, how jobs are going to be lost, how, you know, the world's going to end. That's never helpful. Just remember that and reflect on it and realize like how we can leverage AI in a positive, beneficial way. I want the benefits to be realized from AI for the world, but I think security has a major position to live in within this. Because without us, without us protecting critical infrastructure, hospitals and things like that, you still need humans to do this type of stuff. Because we're building these things, we should be in the loop on these things, right. It's like, I'll end it on this, right. It's like organizing a party and no one inviting you to the party you just organized, okay. You're being left out of the loop, right. No, you want to go to the party you organized, right. It's the same thing with AI, it's like if we're building all these things, you should be very smart in terms of looping in the human at different checkpoints to make important decisions. And that's the message I want to leave on is like, I'm tired of the doomsayers. I'm tired of like these apocalyptic scenarios. There's always things going down and there always will be, but there's also a lot of positives in the end of it. So I'll leave it there.
Caleb Tolin: Right. Well, what a wonderful sentiment to leave us on. So Amit, Joe, thank you both for your time today. It was really great having a conversation about this report. For those listening in, we'll link to the report in the show notes. And if you want to check out anything more about Rubrik Zero Labs, you can check out their website. And thank you again for joining us, both Joe and Amit, and until next time.
Joe Hladik: All right, thanks, Caleb.
Amit Malik: Thank you, Caleb. [ Music ]
Caleb Tolin: That's a wrap on today's episode of Data Security Decoded. If you like what you heard today, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Your feedback really helps me understand what you want to hear more about. And if you want to reach out to me directly about the show, send me an email at data-security-decoded@n2k.com. Thank you to Rubrik for sponsoring this podcast. The team at N2K includes producer Liz Stokes and executive producer Jennifer Eiben, content strategy by Ma'ayan Plaut, sound designed by Elliot Pelzman, audio mixing by Elliot Pelzman and Tre Hester, video production support by Brigitte Criqui Wild and Sarelle Joppy. Until next time, stay resilient.

