TechSpective Podcast

Tony Bradley


Details

The TechSpective Podcast brings together top minds in cybersecurity, enterprise tech, AI, and beyond to share unique perspective on technology—unpacking breakthrough trends like zero trust, threat intelligence, AI-enabled security, ransomware’s geopolitical ties, and more. Whether you’re an IT pro, security exec, or simply tech‑curious, each episode blends expert insight with real-world context—from microsegmentation strategies to the human side of cyber ethics. But we also keep it fun, sometimes riffing on pop‑culture debates like Star Wars vs. Star Trek or Xbox vs. PS—so it’s not all dry and serious.

Recent Episodes

The AI Risk Blind Spot Most Organizations Don’t Know They Have
MAY 13, 2026
Most organizations believe they have a solid handle on their AI risk. According to a new report, that confidence may be misplaced. ArmorCode partnered with the Purplebook community to survey more than 650 cybersecurity leaders to produce the State of AI Risk Management 2026 report. The results reveal a disconnect that's hard to explain away. Nearly 90% of respondents said they had complete visibility into AI usage across their organizations. However, more than 60% of those same respondents said AI usage in their organizations is essentially ungoverned. These weren't different groups of people. Instead, it was the same respondents giving contradictory answers within the same survey. I talked with Mark Lambert, Chief Product Officer at ArmorCode, about what's behind that gap and what organizations can realistically do about it. This conversation took place on this episode of the TechSpective Podcast. Lambert wasn't surprised by the findings. The pressure organizations are under to capture productivity gains from AI is real. Normally, the instinct is to adopt now and figure out governance later. AI-assisted code generation is delivering meaningful output, and the business case is hard to argue with. However, the security implications are another matter. As Lambert explained, even if AI-generated code has half the vulnerability density of human-written code, a 4x productivity multiplier still nets out to more vulnerabilities reaching production. As a result, there are not fewer vulnerabilities. We also got into something I hadn't fully thought through before our conversation. Tools capable of discovering security flaws at a scale no human team could match are already here in limited form. Lambert described what he sees as a three-wave scenario for how this plays out — beginning with CVEs in critical infrastructure, moving to open-source vulnerabilities, and eventually reaching nation-state actors who've been capturing codebases for years. 
Now, these actors have the right tools to mine them for exploitable flaws. Most organizations are already struggling to keep up with patching. Additionally, the question of what happens when the volume of known vulnerabilities multiplies significantly is one that the industry doesn't have a good answer for yet. From there, we got into agentic AI, which is where the governance conversation gets complicated fast. I've been using the intern analogy a lot lately when talking about AI agents — you'd give them tasks, but you wouldn't hand them access to everything, and you'd review the output before it went anywhere it mattered. Lambert agreed with the framing. The problem, as I see it, is that the analogy breaks down at scale. Managing a handful of agents the way you'd supervise a new hire is workable. However, doing that with a hundred agents means the human review process becomes the bottleneck. Therefore, you've given back the efficiency gains you were after. Lambert and I worked through what governance actually looks like when agent deployments grow. This includes scoping agency based on business risk, making sure high-stakes decisions can be reversed, and building in the audit trail. He pointed to a fireside chat from RSAC. The question came up of whether two agents could theoretically handle Sarbanes-Oxley compliance between them. The concept highlights an important point about where the line between autonomous and human-reviewed needs to sit. The self-driving car comparison came up, too. The first time I used adaptive cruise control, I kept my foot next to the brake the whole time. Since then, I've ridden in Waymos, where I would have been fine falling asleep. That trust didn't come from a product announcement — it came from watching the system handle real situations over time. Lambert made the point that the same logic applies to AI agents in enterprise environments, which I think is right.
Consequently, the organizations that will do this well are the ones that build trust in their agents. Lambert tied all of this back to ArmorCode's focus on unified exposure management — pulling data from hundreds of sources, applying business context, and using AI to prioritize what actually needs attention rather than just generating more alerts. Watch or listen to the full episode for the complete conversation.
48 MIN
The Attack Surface Changed but the Fundamentals Didn’t
MAY 7, 2026
Every few years, something comes along that reshapes the threat landscape and sends the industry scrambling for new tools, new frameworks, and new buzzwords. The perimeter died. Then it came back. Endpoints became the priority. Now they're not the whole story. Identity is the new battleground. AI is changing everything. And yet, the more I talk to people who've spent decades in the trenches, the more I keep hearing the same thing: the fundamentals still work. We just stopped trusting them. I had that conversation recently with Will Ledesma, a cybersecurity veteran with over 25 years in the field and a current role at N-able. Will also serves as a cyber warrior in the U.S. Air Force — and as a fellow Air Force vet, I can say the service tends to instill a certain appreciation for doing things right the first time.
State of the SOC Report
We talked about what N-able's latest State of the SOC report actually shows about where attacks are coming from — and the answer probably isn't what you'd expect if you've been following the conventional wisdom around endpoint protection. The data points somewhere else, and Will does a good job of explaining why that shift makes sense when you look at what's been happening across the business world over the last few years. From there, the conversation moved into identity — not just the username-and-password kind, but the full scope of what "identity" means in a world where your network includes laptops, IoT devices, cloud workloads, software applications, and increasingly, AI agents running on behalf of your employees. If an attacker can own any one of those identities, a lot of your other defenses stop mattering. Companies are bringing in AI tools at a rapid pace, leaning on them to augment their workforce and drive efficiency. That's fine. But what happens when those systems become mission-critical, and someone decides to take them out?
Compliance and Security
We also got into something I've been saying for years about compliance.
Compliance and security aren't the same thing. You can check every box on a framework audit and still get breached — plenty of high-profile companies have proven that. The frameworks have value, but they're a floor, not a ceiling. And too many organizations treat them like the finish line. Will's framing for all of it comes back to defense in depth — a concept he learned early in his career and one that he argues is more relevant now, not less. The attack surface has expanded. The identities have multiplied. The stakes are higher. But the logic of layering your defenses, covering your fundamentals, and not betting everything on any one control? That hasn't changed. The episode is worth your time whether you're a practitioner, a leader trying to make sense of your security investments, or just someone trying to figure out what "cyber resilience" actually means when you strip away the marketing. Hint: it's bigger than cybersecurity.
28 MIN
What the Breach Reveals That the Budget Never Did
APR 30, 2026
There's a pattern that shows up in incident response work that nobody talks about in the vendor briefings. You bring in forensics after something goes wrong, and somewhere in that process, you find a tool — already deployed, already licensed, sometimes running for years — that had the data to catch what happened. Nobody was looking at it. In some cases, it wasn't even turned on the right way. Max Henderson runs global digital forensics and incident response at Kroll. He's seen this enough that it's not a surprise anymore. That's part of what makes him a useful person to talk to about Kroll's new cyber resilience research. He’s not reading a survey and drawing conclusions. Instead, he's comparing it against what he actually finds on cases. I had him on the TechSpective Podcast, and we started where I always start with someone who's close to research like this: not the findings, but what surprised him. His answer goes somewhere I didn't expect, and it reframes a lot of what follows. It's not about a specific attack type or a new threat category. Rather, it's about a structural problem in how organizations think about security investment. This is one that keeps showing up regardless of how much they've spent. The report itself covers 1,000 decision-makers across 10 countries. The headline numbers are familiar in their frustration — 94% treat cybersecurity as a top risk, budgets are up, nearly everyone has an incident response plan. And yet 72% still report misalignment between security priorities and business decisions. That gap has a real explanation. Max gives it one that makes more sense than the usual "leadership doesn't get it" framing. We spent some time on the confidence problem. Organizations consistently overestimate their readiness — not because they're being dishonest, but because of how the question gets asked internally and who's answering it. 
The gap between saying you can quantify cyber risk and actually being able to do it when something happens is significant. Max has watched that gap reveal itself in real time during incidents. This happens in rooms with executives who are hearing for the first time how long they might be down. The speed problem isn't getting better. Kroll's data on outbreak times is uncomfortable, and the percentage of organizations that feel equipped to respond within that window is even more uncomfortable. AI is part of why timelines are compressing — but not in the way most people fixate on. The most effective attacks Max is seeing right now don't involve sophisticated AI-enhanced exploits. Instead, they involve someone picking up the phone. The gap between where organizations focus their security investment and where they're actually getting hit is one of the more consistent findings across Kroll's casework. The AI discussion goes a few directions. There's the attacker side, which is getting more attention. But there's also what happens when organizations build out powerful AI infrastructure internally. What that looks like as a target is important, too. Max made a point about MCP servers specifically that I hadn't heard framed that way before — the security risk isn't necessarily about abusing the AI itself, it's about what you've handed to whoever can get onto that system. There's also a thread on agentic AI and the forensic problems it creates. I think that is going to become a much bigger conversation. I asked him at the end where he'd tell an organization to start. One priority, 80% of the way there. The answer connects back to where we opened. Full episode on YouTube and wherever you get podcasts.
44 MIN
The Agentic AI Reckoning Nobody Saw Coming
APR 28, 2026
I keep having versions of the same conversation. The names and logos change, but the underlying tension doesn't: organizations are deploying AI agents fast, they're deploying them into production, and a lot of them weren't ready when they did it. Monte Carlo's co-founder and CTO Lior Gavish joined me on the TechSpective Podcast recently, and we got into why that's happening and what it actually means. Monte Carlo published the Agents in Production report, and the numbers are worth paying attention to. Nearly half of enterprises surveyed already have agentic solutions running on mission-critical work — not pilots, not proofs of concept. And somewhere around three-quarters of them said they deployed before they felt ready. That's not a surprise, exactly. The pressure to move is real. Boards are asking about AI strategy. CEOs are mandating adoption. The competitive argument for waiting is getting harder to make. But there's a difference between accepting that reality and assuming the governance infrastructure you need is going to materialize on its own. Part of what makes agents different from every other enterprise tool is that they don't follow a script. You can sandbox traditional software, test it, QA it, and have a reasonable expectation that what you tested is what you're deploying. Agents take a natural language objective and go find a path. That path isn't always the one you'd have chosen. Lior put it plainly — agents are optimizing for the mission, not for whatever guardrails you assumed were obvious. If they can reach data that technically sits within their access permissions, they'll reach it. If they can route around a limitation by working through another agent, some of them will figure that out. The other layer is that these systems are probabilistic. You can trace what went wrong after the fact, but the trace doesn't give you control. Run the same agent on the same task tomorrow, and you might get a different path. The audit log is evidence, not a fix. 
Where Lior and I spent a lot of time is the scale problem. One agent, you can watch. You can inspect every decision, every tool call, every output — same way you'd stay close to a new hire you're still calibrating. But the organizations moving aggressively aren't staying at one agent. They're heading toward dozens, then hundreds, and at that point, the pilot-phase approach of eyeballing everything stops being an option. The answer isn't to slow down across the board. What Lior kept coming back to was reversibility — don't hand agents tasks where a wrong decision can't be unwound — and visibility, meaning you need enough observability to catch drift before it becomes a problem you're explaining to someone else. There's an analogy from the conversation that stuck with me. You jumped in the car, hit the gas, and now you're trying to install brakes while it's moving. That's a pretty accurate description of where a lot of enterprises actually are. The question isn't whether to deploy anymore. It's whether you can see what your agents are doing well enough to catch a problem before it becomes one you can't walk back. That's what we got into. Give it a listen.
52 MIN
The Microsoft Enterprise Recovery Problem AI Can’t Fix
APR 20, 2026
There's a moment in my conversation with Bob Bobel where he mentions that customers are having a harder time finding people who actually know Active Directory. Not cloud identity — the old on-premise stuff that most large organizations still run. Even if they've also got Entra ID and Office 365 sitting on top of it, they maintain those older systems. That expertise is retiring. Moreover, it's not being replaced fast enough. Bob is the CEO of Cayosoft, which builds management, auditing, and recovery tools for Microsoft environments. He's been in this space for a long time — long enough to have sold to some of the same agencies he's selling to now. This is nearly two decades later. He started the company on his 401k. Interestingly, his wife apparently still doesn't know about it. We covered a lot of ground in this episode. Some of it is squarely in the weeds of Microsoft infrastructure — hybrid environments, the gap between what native tools can do and what organizations actually need, and why change auditing matters more than most IT teams realize. Some of it is broader. For example, we discussed AI, the ecosystem of companies that build businesses around Microsoft's footprint, and what federal agencies are actually looking for when they go shopping for tools in this space. The recovery conversation is worth your time on its own. Bob tells the story of how Cayosoft ended up building their patented approach to Active Directory recovery — it starts with a phone call at 3 am. There was a demo coming up in four days, and no hardware anywhere near Key West. The problem they had to solve in that moment turned into something they still consider one of their core differentiators. I'll let him tell it. On AI, Bob is more measured than most people I talk to right now. He's not skeptical of it, but he's also not pretending it's ready to run your identity infrastructure. 
His argument is that the more realistic near-term use case is capturing what experienced engineers know before they retire. He believes in embedding that institutional knowledge somewhere useful rather than just losing it. Cayosoft recently filed a patent around that idea. He explains the thinking behind it, and also where he thinks the hype is running ahead of reality. There's also a good thread in here about what it actually means to build a company inside someone else's ecosystem. I used to work at a company that was tightly coupled to AWS, so I know that tension. There's always the question every year of whether the platform you're built on is going to decide to build what you do. Bob has a pretty clear-eyed take on the Microsoft version of that dynamic. It's a good conversation. Check it out wherever you listen to (or watch) podcasts.
52 MIN