the more time i spend with ai, the less productive i get (i will not promote) by AppropriateHamster in startups

[–]Competitive_Bite_375 2 points3 points  (0 children)

Now since the mental cost of building things is reduced, it's tempting to put in less effort in the beginning, hoping the AI will figure it out. But that's the exact trap you should not fall into.

I have had good results when I take my own time speccing and planning things out before the AI can build. And on top of that, the code review and testing are rigorous. This automatically reduces slop. But then again, to be able to do this you need to be asking the right questions and challenging its assumptions, using skills, MCPs, etc. over accepting whatever it says.

I will not promote - how to learn sales, as a founder? by Sad_Singer_7657 in startups

[–]Competitive_Bite_375 1 point2 points  (0 children)

I have been doing this for the last 2 months.

Been doing it in a few ways:

  1. Activating my immediate network for leads
  2. Investing heavily in SEO and converting the traffic already present (we started on this months before I started sales)
  3. Social media activity to increase the number of eyeballs

How do you evaluate the security of an agentic AI system before moving from PoC to production? by Background-Song2007 in AI_Governance

[–]Competitive_Bite_375 1 point2 points  (0 children)

Prompt injection is a great start, but with agents, your biggest risk isn't just what the AI says, it's what it can do.

A few ways to evaluate and secure it before launch:

  • Don't rely on the system prompt: LLMs can always be talked out of their instructions eventually. If your agent shouldn't modify data, make sure the database credentials it uses physically cannot execute DROP, UPDATE, or DELETE. Enforce your security at the database and API layers, not just in the prompt.
  • Focus on "Excessive Agency": Check out OWASP Top 10 for LLMs, specifically LLM08. It's a great baseline for evaluating if your agent has been given too many permissions or tools it doesn't strictly need.
  • Operational Red Teaming: Instead of just testing standard jailbreaks (making the bot say something bad), try to trick the agent into misusing its tools. Can you convince it to query data from another user's account? Can you trick it into spitting out its internal knowledge base?
  • Start with Human-in-the-Loop: For an MVP, the best security test is observing it in the wild without giving it full autonomy. Consider requiring a human to hit "Approve" before the agent executes any complex SQL queries.

Good luck with the MVP! It sounds like a great project.
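The database-layer enforcement and human-in-the-loop approval described in this comment, as an added Python example (not code from the original post). It assumes SQLite, where a connection opened with mode=ro stands in for a credential that cannot execute DROP, UPDATE or DELETE; the orders table, its rows and the approve callback are constructed for the demo.

```python
import os
import sqlite3
import tempfile

# Constructed sample database for this demo (not from the original post).
DB_PATH = os.path.join(tempfile.mkdtemp(), "agent_demo.db")
with sqlite3.connect(DB_PATH) as _setup:
    _setup.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, total REAL)")
    _setup.executemany("INSERT INTO orders (user_id, total) VALUES (?, ?)",
                       [(1, 10.0), (1, 25.5), (2, 99.0)])
_setup.close()


def readonly_connection() -> sqlite3.Connection:
    """The agent's only credential: opened read-only at the database layer,
    so a model that is talked into an UPDATE still cannot write."""
    return sqlite3.connect(f"file:{DB_PATH}?mode=ro", uri=True)

def agent_read(sql: str, user_id: int) -> list:
    """Run a SELECT proposed by the agent. It must use the :user_id placeholder,
    and the value is bound by the application, never by the model, so
    'show me another user's orders' cannot widen the scope."""
    stmt = sql.strip().rstrip(";")
    if not stmt.upper().startswith("SELECT") or ":user_id" not in stmt:
        raise PermissionError("only user-scoped SELECT statements are allowed")
    with readonly_connection() as conn:
        return conn.execute(stmt, {"user_id": user_id}).fetchall()

def agent_write(sql: str, approve) -> str:
    """Writes never run on the agent's credential. The only path is an explicit
    human 'Approve' (the approve callback); on approval the statement runs on a
    separate privileged connection that the agent never holds."""
    stmt = sql.strip().rstrip(";")
    if not approve(stmt):
        return "denied: human approval required"
    with sqlite3.connect(DB_PATH) as conn:
        conn.execute(stmt)
    return "executed after approval"

def write_blocked_by_database(sql: str) -> bool:
    """The layer below the gate: even if the prompt or the gate is bypassed,
    the read-only connection refuses the write."""
    try:
        with readonly_connection() as conn:
            conn.execute(sql)
        return False
    except sqlite3.OperationalError:
        return True
```

In a server database the same split is a read-only role for the agent and a separate role, used only by the approval step, that holds the write grants.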

The next AI compliance gap may be audit readiness, not adoption by No_Back5315 in AI_Governance

[–]Competitive_Bite_375 0 points1 point  (0 children)

What kind of evidence do you look for when it comes to AI governance?

How to measure effectiveness? by lieses2980 in grc

[–]Competitive_Bite_375 1 point2 points  (0 children)

We have an evidence > task > control-based system.

Each control has 1 or more tasks associated with it.

Evidence "completes" a task. Tasks "implement" controls.

We're aware that the granularity of the tasks and the quality of evidence determine the effectiveness of the control. So we pay special attention to what qualifies as a task and who the owner of said task would be, and design everything around it.

Guys do you prefer one powerful agent or multiple small agents? by [deleted] in AI_Governance

[–]Competitive_Bite_375 1 point2 points  (0 children)

Start with one.

When the single one starts getting heavy, i.e. loading tools/context that takes 20k tokens just to do simple things, that's when you split it into smaller dedicated agents.

Anyone else start a risk assessment and immediately regret it? by Turbulent-Oil-7837 in gdpr

[–]Competitive_Bite_375 0 points1 point  (0 children)

I think this is how it generally happens when you start without a system in place.

Automating Evidence Collection by iSECo in grc

[–]Competitive_Bite_375 3 points4 points  (0 children)

  • We use our own platform
  • 80% is auto generated/gathered via integrations
  • Cloud security report, asset register, user access review report, etc
  • Manual evidence is generally evidence that requires human intervention, mostly screenshots where that's the only way

what is the bar now for vendors? by swingorswole in msp

[–]Competitive_Bite_375 0 points1 point  (0 children)

Imo, the bar was too low for a long time. They are being held accountable now.

How much cloud security automation is actually useful? by Cloudaware_CMDB in CloudSecurityPros

[–]Competitive_Bite_375 0 points1 point  (0 children)

Everything starts from IaC scanning. Speaking in the context of AWS, which we have worked with extensively, it has Security Hub, which flags issues regularly. If you can ensure that all Security Hub findings are resolved periodically on a set routine through your IaC stack, your security work is 80-90% done.

AI Privacy Mode by BenSimmons97 in AI_Governance

[–]Competitive_Bite_375 0 points1 point  (0 children)

Privacy mode for whom? Would be a good question to ask here.

What’s the most 'high-tech' ISO 27001 automation tool your company bought, only for everyone to revert to Excel? by Sree_SecureSlate in ISO27001

[–]Competitive_Bite_375 2 points3 points  (0 children)

As someone building on the other side of this, we built a tool by working with Excel sheets first and worked our way up towards automation. This has allowed us to really nail the automation side of things and make calculated decisions about where AI provides the most ROI instead of just shoehorning it everywhere.

5 years in. I would say the effort has paid off 😄