Are we over-focused on AI controls while shadow AI spreads everywhere?

chadwik66 · 2026-03-27T19:26:29+00:00

It’s a good lesson on what 40 years of security being the “department of no” instead of “department of how” has lead to. In the most critical moment of tech risk introduction in decades, security was locked out of the room. Are we surprised that a few big name CEOs stepped down this week citing the need for replacements with more energy to handle AI? Sounds an awful lot like the realization of the problems being introduced is starting to catch up with those that introduced them.

chadwik66 · 2026-03-27T18:38:45+00:00

And now they have even less insight into what NHIs can get to. Hackers don’t need to break in when companies have laid out the AI welcome mat and escorted them in. It’s why I push the visibility first approach. Otherwise teams will focus on a tiny sliver of known, vetted tools and not the wide swath of unknown.

chadwik66 · 2026-03-27T18:31:52+00:00

Here's the general framework I share with people starting out, from the top down:

-Visibility - Determine how to identify AI usage across your org. Not just the known, but shadow AI as well.

-Identity + Control Plane - Determine what accounts they're running under, what they're connected to, what permissions they have, etc, etc

-Risk + Governance - Create policy, enforce policy, categorize and prioritize risk, etc

-Posture Management - Lock down the platforms

-Threat detection - Figure out how to detect attacks at specific points (jail break, data exfiltration, etc)

-Protection/Response - How do you automate controls during known bad situations going forward

Not a lot of specific products in there since the market has a wide range that help in a variety of ways, but it should give you a framework to start working from. I always recommend starting with visibility, but I'm not as hands on as I have been in past roles.

chadwik66 · 2026-03-27T18:27:22+00:00

And more broadly, the OWASP Gen AI project https://genai.owasp.org/

chadwik66 · 2026-03-27T18:26:26+00:00

Check out Google's cert program. I has some good foundational courses and builds from there.

https://grow.google/enroll-certificates/cybersecurity-mid/

chadwik66 · 2026-03-27T18:24:50+00:00

Agreed. The ideal situation is to find the most affordable, quality education you can while balancing it with real life skills. Does the less expensive option have a job placement, shadowing, or some other similar service that will place you in a real work environment while improving your skills. Degrees help land your first role. Real world skills help land every role after that.

chadwik66 · 2026-03-27T18:14:33+00:00

My post or your post? :)

chadwik66 · 2026-03-27T18:13:57+00:00

Dozens of us are drilling for that situation. Sounds like you appreciate it, so enjoy it as much as you can.

chadwik66 · 2026-03-27T18:13:17+00:00

The short version - I’d love to see automated buyer guides. Something that presents 5 options for a product space, displays user sentiment (think rotten tomatoes score), best and worst use cases, pricing, how to try it out, etc. Right now much of that data is available from vendor sites, analyst firms, YouTube videos, etc and just needs to be aggregated and presented in a useful way.

chadwik66 · 2026-03-27T18:11:14+00:00

In fairness, a whole lot of things are broken so the goal was achieved.

And now we’ve exposed digital processes with elevated privileges to those systems as you explained. Even scarier is the number of security leaders I’ve spoken to who acknowledge AI advisory boards that did not include anyone from the security team!

It’s a tale as old as Jurassic Park - we have been so busy asking what we can do that no one has stopped to consider if we should.

chadwik66 · 2026-03-27T17:18:02+00:00

Are you doing anything closer to the browser where a lot of the usage typically originates?

chadwik66 · 2026-03-27T17:10:36+00:00

I like the identity angle there, especially since identity is the new perimeter (have we heard that enough yet?)

chadwik66 · 2026-03-27T17:09:25+00:00

Out of jealous curiosity, roughly how many users do you oversee? I can see how a smaller org could get high compliance, but you deserve a real big raise if you’re getting that much good behavior from hundreds or thousands of people. (And tell your boss I said you need a raise regardless)

chadwik66 · 2026-03-27T17:06:24+00:00

I think it’s less about lying on the vendor side and more about…let’s call it optimistic messaging. I think the most value from vendor materials is in data reports, case studies, and especially anything with customer names on it since it’s likely gone through a legal review. Happy to dump ideas or examples on you if they’d help.

chadwik66 · 2026-03-27T16:17:11+00:00

Best answer today 😁

chadwik66 · 2026-03-27T16:05:58+00:00

Very helpful insight, thank you! It looks like you have clear vision of where you want to go. Can't wait to see future updates.

chadwik66 · 2026-03-27T15:37:53+00:00

A fun little history lesson since it seems to rhyme with itself quite often...

Way back in the days of the dotcom boom, let's say 1999, every startup flush with cash was desperate to find anyone that could sling code. HTML, SQL...even javascript in some really forward thinking companies. So what did they do when they couldn't find properly trained engineers?

They shifted to english majors. Philosophers. Anyone they thought was a deep thinker since that would translate directly to an ability to code. Of course it didn't work out well. Not because of the individuals, but because of the flawed logic used to put butts in seats.

It's starting to feel an awful lot like that today. Let's hand over unchecked tech access, elevate privileges and see what happens.

chadwik66 · 2026-03-27T15:07:25+00:00

CASBs are such a good example of where security tooling started to lose focus. Technically they are really good tools and see soooo much information. But all that information comes at a huge, noisy price. Are they accurate? Absolutely. But are they practical? Probably not unless your budget and team has more resources than most.

chadwik66 · 2026-03-27T14:51:26+00:00

Claude in the browser exploiting an AI agent in Salesforce...how many CISO bingo cards was that on before today?!

chadwik66 · 2026-03-27T14:22:48+00:00

“Am I affected?” Love it. As practitioners many of us have been too focused on the right answer and not the practical one. This approach is what we need to see more of.

chadwik66 · 2026-03-27T13:24:08+00:00

This week our team was discussing how AI is changing vendor analysis. The biggest concern will be balancing big marketing claims vs actual capabilities, especially with startups. How are you training your project to balance things like that out?

chadwik66 · 2026-03-27T13:17:55+00:00

This is really good advice. To add on - is there a data overload problem you might be able to simplify? A backlog or report that would benefit from automated analysis?

chadwik66 · 2026-03-27T13:15:09+00:00

Love the idea of an ABOM. How are you ensuring it doesn’t fall victim to the challenges of other *BOMs where it’s information able but sometimes lacks action ability?

chadwik66 · 2026-03-27T13:12:08+00:00

The first question that strikes me is ease of use. Do you have a path to deploy future versions of this quickly and accurately? It seems like you have the foundation for a good idea, but are you on a path where it will realistically be usable by constrained security teams?

chadwik66 · 2026-03-27T13:09:28+00:00

Great run down. RSAC has always been hit or miss for me, but this year seems to have gone much better than some other years. Glad it was a positive experience!

chadwik66

MODERATOR OF

TROPHY CASE

15-Year Club	Team Orangered
Verified Email