#348 AI Agents in Your Systems: Speed, Security, and New Access Risks with Jeremy Epling, CPO at Vanta
Summary
Jeremy Epling, CPO at Vanta, discusses the dual nature of AI agents in cybersecurity, highlighting their potential for automating tasks like evidence collection and security questionnaires, while also introducing new risks such as data exfiltration and advanced attacks. A Vanta State of Trust Report survey revealed that 79% of organizations use agentic AI, but only 45% have adequate compliance tools, and over half feel AI innovation outpaces their security capabilities. Epling emphasizes the need for robust data governance, human-in-the-loop systems for review and approval, and a focus on high-quality, accurate AI responses, even if it means refusing to answer questions with low confidence. Vanta's AI agent automates security questionnaires, vendor assessments, and policy management, aiming to transform security teams from cost centers into value drivers by linking their efforts to business revenue.
Key takeaway
For CTOs and security leaders evaluating AI agent adoption, prioritize solutions that offer granular control, run read-only by default, and integrate human-in-the-loop review-and-approve flows. Focus on AI tools that demonstrate high accuracy and cite their sources, even at the cost of answering fewer questions, to build trust and contain the new data-leakage and attack-surface risks that agents introduce into your systems.
Key insights
AI agents offer significant automation benefits in security but introduce critical new risks requiring proactive governance and human oversight.
Principles
- Default AI agents to read-only actions; make write access an explicit opt-in.
- Accuracy is paramount; refuse low-confidence AI answers.
- Clean data sources are more critical than ever for AI reliability.
Method
Vanta's AI agent development involves building a golden dataset, continuous prompt tuning with GRC subject matter experts, and integrating citations to build trust. It uses a multi-agent system to federate tasks and employs Langsmith for ongoing evaluation of accuracy and conciseness.
In practice
- Implement review-and-approve workflows for AI-driven security decisions.
- Use AI to automate tedious security questionnaires and vendor assessments.
- Establish clear data governance policies to prevent trade secret leakage.
Topics
- AI Agents
- AI Security Risks
- Data Governance
- Security Automation
- Compliance Frameworks
Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, MLOps Engineer, AI Product Manager
Editorial summary, takeaway, and curation by AIssential. Original article published by DataFramed.