Zero Trust for AI Agents

1 00:00:01,760 - > 00:00:05,440 Narrator: Welcome to the Practical AI Podcast, where we 2 00:00:05,440 - > 00:00:08,160 break down the real world applications of artificial 3 00:00:08,160 - > 00:00:11,840 intelligence and how it's shaping the way we live, work, 4 00:00:11,840 - > 00:00:16,325 and create. Our goal is to help make AI technology practical, 5 00:00:16,325 - > 00:00:19,365 productive, and accessible to everyone. Whether you're a 6 00:00:19,365 - > 00:00:22,325 developer, business leader, or just curious about the tech 7 00:00:22,325 - > 00:00:25,685 behind the buzz, you're in the right place. Be sure to connect 8 00:00:25,685 - > 00:00:29,010 with us on LinkedIn, X, or Blue Sky to stay up to date with 9 00:00:29,010 - > 00:00:33,090 episode drops, behind the scenes content, and AI insights. You 10 00:00:33,090 - > 00:00:35,730 can learn more at practicalai.fm. 11 00:00:35,810 - > 00:00:37,410 Now onto the show. 12 00:00:41,090 - > 00:00:46,025 Daniel: Welcome to another Practical AI podcast episode. 13 00:00:46,025 - > 00:00:50,585 This time, it's just Chris and I, my cohost. In these episodes 14 00:00:50,585 - > 00:00:53,785 where it's just the two of us, we try to take something that's 15 00:00:53,785 - > 00:00:57,705 in the AI news or a topic for a deep dive, something that will 16 00:00:57,705 - > 00:01:01,820 help all of us level up our AI and machine learning game. I am 17 00:01:01,820 - > 00:01:06,140 Daniel Whitenack. I'm CEO at Prediction Guard, and I'm joined 18 00:01:06,140 - > 00:01:09,740 as always by my cohost, Chris Benson, who is a principal AI 19 00:01:09,740 - > 00:01:11,740 and autonomy research engineer. 20 00:01:11,740 - > 00:01:12,460 How are doing, Chris? 21 00:01:12,625 - > 00:01:16,305 Chris: Hey. Doing great. Lots of cool stuff out there. Looking 22 00:01:16,305 - > 00:01:17,905 forward to today's conversation. 23 00:01:17,905 - > 00:01:22,225 Daniel: Yes. Yeah. For sure. There's there's no shortage of 24 00:01:22,385 - > 00:01:27,350 of things to talk about, but even in our I don't know if you 25 00:01:27,350 - > 00:01:31,590 remember this passing comment, Chris, but I think it was in our 26 00:01:31,910 - > 00:01:36,150 episode where we were talking about MCP on top of Kubernetes. 27 00:01:36,150 - > 00:01:40,875 The the guest, mentioned that, hey, when Anthropic kind of 28 00:01:40,875 - > 00:01:44,875 drops one of these white papers or research topics or blog 29 00:01:44,875 - > 00:01:49,835 posts, often that's a window into something that's that's 30 00:01:49,835 - > 00:01:53,755 significant and something to pay attention to and and review in 31 00:01:53,755 - > 00:01:54,155 detail. 32 00:01:54,690 - > 00:01:59,250 And it just so happens that they, on May, I think, twenty 33 00:01:59,250 - > 00:02:03,810 seventh of this year, 2026, released this I guess it's a 34 00:02:03,810 - > 00:02:07,730 ebook, white paper, blog post, however you wanna frame it, 35 00:02:07,890 - > 00:02:12,905 framework around With zero trust. Yeah. Zero trust for AI 36 00:02:12,905 - > 00:02:17,465 agents. Say zero trust for AI agents, we share a security 37 00:02:17,465 - > 00:02:20,265 framework for deploying autonomous AI agents in the 38 00:02:20,265 - > 00:02:24,320 enterprise covering the new threat landscape, a tiered zero 39 00:02:24,320 - > 00:02:28,160 trust architecture, and defensive operations built for 40 00:02:28,160 - > 00:02:31,520 AI accelerated attacks. So that's all that's a lot of 41 00:02:31,520 - > 00:02:32,240 words. 42 00:02:32,240 - > 00:02:35,585 Now I think first off, Chris, it's probably worth recognizing 43 00:02:35,585 - > 00:02:39,665 that Anthropic obviously has a has a horse in this race, 44 00:02:39,665 - > 00:02:43,585 especially with things like Claude Code or Claude Yeah. 45 00:02:43,585 - > 00:02:47,820 Coworker, all the Claude things. These are autonomous agents that 46 00:02:47,820 - > 00:02:51,820 can operate in your enterprise environment. So obviously, I 47 00:02:51,820 - > 00:02:56,220 think probably there are things that are happening and things 48 00:02:56,220 - > 00:02:59,900 where their customers or people using these tools are obviously 49 00:02:59,900 - > 00:03:03,525 thinking about the security implications of that. They also 50 00:03:03,525 - > 00:03:08,485 recently released Cloud Security, which is more on the 51 00:03:08,485 - > 00:03:13,765 AI for security side, not so much the security for AI side, 52 00:03:13,765 - > 00:03:17,045 which is mostly what we'll talk about today in relation to this 53 00:03:17,045 - > 00:03:19,920 to this article or or ebook. 54 00:03:19,920 - > 00:03:23,280 But, yeah, I I think that's worth acknowledging, obviously, 55 00:03:23,280 - > 00:03:27,520 if people people have a secure way of deploying autonomous 56 00:03:27,520 - > 00:03:31,200 agents. I'm sure they are hoping that many of those are built on 57 00:03:31,200 - > 00:03:32,480 anthropic technologies. 58 00:03:32,765 - > 00:03:35,405 Chris: I'm sure they do. And and, you know, just to keep in 59 00:03:35,405 - > 00:03:39,005 the back of our mind, this is the same organization that has 60 00:03:39,005 - > 00:03:43,165 mythos out there and is working with I believe the latest number 61 00:03:43,165 - > 00:03:48,240 is a 150 organizations is the latest thing I saw published on 62 00:03:48,240 - > 00:03:51,840 their website, trying to go through and do security audits 63 00:03:51,840 - > 00:03:56,560 and such as that. And with the timing of this, I would guess, 64 00:03:56,560 - > 00:04:00,895 don't know, but just making a guess, that some of the leveling 65 00:04:00,895 - > 00:04:05,855 up that Mythos has enabled is probably driving some of their 66 00:04:05,855 - > 00:04:10,335 zero trust and and other security concerns going forward. 67 00:04:10,335 - > 00:04:11,935 So looking forward to this. 68 00:04:12,250 - > 00:04:14,330 Daniel: Yeah. Yeah. I guess that's a good place to start 69 00:04:14,330 - > 00:04:17,450 with the kind of premise of this. I think there's a few 70 00:04:17,450 - > 00:04:22,570 things to frame here maybe. One is there is probably a segment 71 00:04:22,570 - > 00:04:26,795 of the market and of our audience that is already using 72 00:04:27,035 - > 00:04:31,515 autonomous agents for something, even if that's just like Claude 73 00:04:31,515 - > 00:04:35,595 code or or something like that for development purposes where 74 00:04:35,755 - > 00:04:36,075 Chris: Yep. 75 00:04:36,075 - > 00:04:39,300 Daniel: By autonomous, I mean, it's making actions on on your 76 00:04:39,300 - > 00:04:44,900 behalf to do some things. And I think generally in terms of 77 00:04:44,900 - > 00:04:48,340 where we're seeing the market going on the positive side, 78 00:04:48,340 - > 00:04:51,815 organizations are going to need to more and more adopt these 79 00:04:51,815 - > 00:04:57,495 autonomous agents within their organization for value creation 80 00:04:57,495 - > 00:05:01,175 or new revenue or op, you know, saving on operational 81 00:05:01,175 - > 00:05:06,055 efficiency. So that's like thing, you know, premise one is 82 00:05:05,540 - > 00:05:08,980 that that's the way the market's going. I think the the other 83 00:05:08,980 - > 00:05:12,580 kind of background to this though is like you were saying, 84 00:05:13,620 - > 00:05:20,795 there's a bit of a forcing function here because AI or, how 85 00:05:20,795 - > 00:05:25,355 should I so attackers, so malicious parties, hackers, 86 00:05:25,355 - > 00:05:29,355 etcetera, have equal op you know, they have equal access to 87 00:05:29,355 - > 00:05:32,555 these agentic coding and development capabilities 88 00:05:32,555 - > 00:05:33,900 themselves. Right? 89 00:05:33,900 - > 00:05:38,300 Meaning that the pace at which people are about to be or are 90 00:05:38,300 - > 00:05:41,980 already being attacked and exposed to threats in their 91 00:05:41,980 - > 00:05:47,020 infrastructure is just, like, expanding exponentially, which 92 00:05:47,020 - > 00:05:51,735 means you cannot keep up with the that level of attack using 93 00:05:51,735 - > 00:05:55,575 human only approaches, meaning that the forcing function that 94 00:05:55,575 - > 00:05:58,295 I'm talking about is you're necessarily going to have to 95 00:05:58,295 - > 00:06:02,375 adopt autonomous agents at least to help you manage the threats 96 00:06:02,375 - > 00:06:06,400 associated with with the offensive use of this AI 97 00:06:06,400 - > 00:06:10,080 technology. So I think there's the the positive side of this, 98 00:06:10,080 - > 00:06:13,200 obviously, which is we there there's a future where 99 00:06:13,200 - > 00:06:16,320 autonomous agents are doing very positive things, and you have 100 00:06:16,320 - > 00:06:19,405 this kind of digital workforce of agents within your 101 00:06:19,405 - > 00:06:23,085 organization, but the maybe part of the forcing function behind 102 00:06:23,085 - > 00:06:27,565 this discussion is that people actually need to adopt 103 00:06:27,565 - > 00:06:31,485 autonomous agents because of this offensive threat to their 104 00:06:31,590 - > 00:06:32,630 infrastructure. 105 00:06:32,630 - > 00:06:35,190 Chris: Yeah. I I agree, and I think that'll put that'll put 106 00:06:35,190 - > 00:06:39,190 quite a strain on a lot of the the humans involved in this 107 00:06:39,190 - > 00:06:42,950 because, you know, there there's a certain amount of leveling up 108 00:06:42,950 - > 00:06:47,185 from a human standpoint to understand what what different 109 00:06:47,185 - > 00:06:49,665 harnesses are and what the different capabilities that are 110 00:06:49,665 - > 00:06:52,625 now becoming available, understanding different vendors 111 00:06:52,625 - > 00:06:57,025 versus open source and such as that. So to actually get to the 112 00:06:57,025 - > 00:07:00,450 point where you can start implementing these is a bit of a 113 00:07:00,450 - > 00:07:03,250 lift, and I think that that's going to be something that we 114 00:07:03,250 - > 00:07:06,850 observe is that I think there'll be a spread across organizations 115 00:07:06,850 - > 00:07:10,290 where you'll have some, you know, the the you know, on one 116 00:07:10,290 - > 00:07:14,425 extreme end, you have the anthropics that are leading the 117 00:07:14,425 - > 00:07:16,825 way and producing these capabilities and stuff like 118 00:07:16,825 - > 00:07:21,545 that, but then there's a lot of of a mom and pop organizations, 119 00:07:21,545 - > 00:07:24,425 or maybe not that small, but you know, mid sized and stuff like 120 00:07:24,425 - > 00:07:27,790 that, that are gonna struggle to level up just a little bit. And 121 00:07:27,790 - > 00:07:30,750 so, I think we have some interesting I think the security 122 00:07:30,750 - > 00:07:34,910 landscape will be very interesting, a little bit Wild 123 00:07:34,910 - > 00:07:39,230 West in the days ahead, as people, even if tools are 124 00:07:39,230 - > 00:07:43,205 available, they have to get to where they can uptake those, and 125 00:07:43,205 - > 00:07:45,845 and get productive with them, so, it's Yeah. 126 00:07:46,165 - > 00:07:51,445 Daniel: Yeah, so I I agree, and I think the or, maybe a way to 127 00:07:51,445 - > 00:07:54,485 get into this discussion is that if we frame the background with 128 00:07:54,485 - > 00:07:58,120 an assumption, and I I'm sure there are arguments against 129 00:07:58,120 - > 00:08:01,800 against this assumption, but let's assume that your 130 00:08:01,800 - > 00:08:07,880 organization is and will adopt autonomous agents for, you know, 131 00:08:07,880 - > 00:08:11,295 positive things like I talked about operational efficiencies, 132 00:08:11,295 - > 00:08:15,935 new new revenue, whatever that is, and or, cybersecurity 133 00:08:15,935 - > 00:08:20,255 purposes. If we assume that, then you say, well, okay. Well, 134 00:08:20,255 - > 00:08:22,815 now we're gonna have these autonomous agents operating in 135 00:08:22,815 - > 00:08:26,010 our environment. They could cause all sorts of harm 136 00:08:26,010 - > 00:08:30,010 themselves. So it's like I could shoot myself in the foot trying 137 00:08:30,010 - > 00:08:33,930 to protect against the offensive malicious people by releasing a 138 00:08:33,930 - > 00:08:36,890 bunch of agents into my infrastructure and they 139 00:08:36,890 - > 00:08:40,325 themselves cause a lot of a lot of harm. 140 00:08:40,325 - > 00:08:44,725 Like, how do I how do I manage those things? And Anthropic has 141 00:08:45,765 - > 00:08:50,165 so they they have not come up with this idea of zero trust. To 142 00:08:50,165 - > 00:08:54,030 be clear, this is a general concept we we can talk about the 143 00:08:54,030 - > 00:08:57,870 definition of, but they're essentially releasing with this 144 00:08:58,190 - > 00:09:02,430 framework a way to think about a zero trust approach or a zero 145 00:09:02,430 - > 00:09:06,670 trust framework for managing AI agents or autonomous agents 146 00:09:06,785 - > 00:09:10,785 within your organization. So maybe maybe it'd be good to just 147 00:09:10,785 - > 00:09:17,585 define that define that term first in the in the past, if we, 148 00:09:18,145 - > 00:09:21,600 if if we think about cybersecurity, there's been 149 00:09:21,600 - > 00:09:26,320 what's generally referred to as perimeter based cybersecurity. 150 00:09:26,400 - > 00:09:30,560 This is a more traditional model that would focus on that 151 00:09:30,560 - > 00:09:35,520 boundary of your organization and outside or internal and 152 00:09:34,665 - > 00:09:38,185 external and the the kind of core principle being that I'm 153 00:09:38,185 - > 00:09:41,785 gonna trust everything that's inside and distrust everything 154 00:09:41,945 - > 00:09:43,305 that's on the outside. 155 00:09:43,305 - > 00:09:46,985 So there is a perimeter in which within that perimeter I trust 156 00:09:46,985 - > 00:09:51,830 things. A zero trust approach to cybersecurity on the other hand 157 00:09:51,830 - > 00:09:57,830 would actually assume that everything inside the network, 158 00:10:00,195 - > 00:10:03,795 that that threats are already inside your network, already 159 00:10:03,795 - > 00:10:07,635 inside your parameters. So it treats every user, device, 160 00:10:07,795 - > 00:10:11,795 request as a potential threat. So that that's why it's called 161 00:10:11,875 - > 00:10:16,180 Zero Threat. And like I say, this has been something that's 162 00:10:16,180 - > 00:10:18,820 been around from for a long time. 163 00:10:18,900 - > 00:10:24,500 NIST has published about it, in Zero Trust Architecture back in 164 00:10:24,660 - > 00:10:30,500 2020 and other government organizations and others have 165 00:10:29,025 - > 00:10:32,545 have talked about it as well. So that's that kind of that kind of 166 00:10:32,545 - > 00:10:37,105 difference. I don't know if if those if if that zero trust idea 167 00:10:37,105 - > 00:10:41,105 has crossed into your your perimeter of knowledge, Chris, 168 00:10:41,105 - > 00:10:41,665 I'm sure. 169 00:10:41,665 - > 00:10:45,030 Chris: Yes. Without going into any detail at all, working in 170 00:10:45,030 - > 00:10:50,230 defense and intelligence, that it it is pretty core. And, yeah, 171 00:10:50,230 - > 00:10:53,670 I mean I mean, the simple way of thinking about it is every 172 00:10:53,670 - > 00:10:58,675 single API request that you have has to have security credential, 173 00:10:58,995 - > 00:11:03,635 and that can be from a variety of of different mechanisms. But 174 00:11:03,795 - > 00:11:06,755 you don't trust anything, and everything is down to a granular 175 00:11:06,755 - > 00:11:10,790 level unless it is authenticated and authorized to do whatever it 176 00:11:10,790 - > 00:11:14,950 is trying to do. So in the world that I'm living, that's pretty 177 00:11:14,950 - > 00:11:15,670 standard. 178 00:11:16,390 - > 00:11:20,790 Though, I think as I think I think there's room for all of 179 00:11:20,790 - > 00:11:24,195 us, even those of us who've been doing it, to level up and get 180 00:11:24,195 - > 00:11:27,555 better at this. So I don't think that there's anybody who has has 181 00:11:27,555 - > 00:11:30,115 just nailed it. So it's Yeah. It's one of those one of those 182 00:11:30,115 - > 00:11:31,315 ongoing learning curves. 183 00:11:31,715 - > 00:11:34,835 Daniel: Yeah. And and we're we're about to dig into a lot of 184 00:11:34,835 - > 00:11:39,820 that as related to AI agents. However, to your point, there's 185 00:11:39,820 - > 00:11:42,620 a lot of organizations that are still trying to think about this 186 00:11:42,620 - > 00:11:46,860 concept even generally in their kind of general cybersecurity 187 00:11:46,860 - > 00:11:51,580 world. And, you know, one of my one of my hot takes here is is 188 00:11:51,580 - > 00:11:54,995 we'll talk about that that these kind of foundational things that 189 00:11:54,995 - > 00:12:00,995 Anthropic is suggesting. And, you know, probably 90% of plus 190 00:12:00,995 - > 00:12:05,395 of of organizations, enterprises that have AI deployments 191 00:12:05,395 - > 00:12:09,700 currently are not operating according to this model. 192 00:12:09,700 - > 00:12:12,100 They are according to this framework, they would be 193 00:12:12,100 - > 00:12:16,820 completely exposed. And I think so just acknowledging much of 194 00:12:16,820 - > 00:12:21,975 this is probably aspirational for enterprises and they need to 195 00:12:21,975 - > 00:12:25,495 work towards it in a maybe a more rapid way just because of 196 00:12:25,495 - > 00:12:28,535 how things are advancing. And, you know, there's better tooling 197 00:12:28,535 - > 00:12:32,295 out there day by day, better products, etcetera. But, yeah, 198 00:12:32,295 - > 00:12:36,470 this is just just so if you're out there and you're thinking, 199 00:12:36,550 - > 00:12:40,310 have agents running and I have none of what we're about to talk 200 00:12:40,310 - > 00:12:44,790 about, that's probably the situation that most are in in in 201 00:12:44,790 - > 00:12:46,685 the enterprise world would be 202 00:12:46,685 - > 00:12:50,605 Chris: my today we can we can help people start on a on a path 203 00:12:50,605 - > 00:12:52,605 here to mitigate some of the risks. 204 00:12:52,845 - > 00:12:55,485 Daniel: Next week You have no excuse, but coming into this 205 00:12:55,485 - > 00:13:04,490 conversation, you you have an excuse. Yeah. Exactly. So I I 206 00:13:04,490 - > 00:13:07,610 think the I would encourage people to if you just search for 207 00:13:07,610 - > 00:13:10,810 Zero Trust for AI Agents, you know, Anthropic blog posts, 208 00:13:10,810 - > 00:13:13,450 we'll link it in the show notes as well so you can click through 209 00:13:13,450 - > 00:13:17,645 to that ebook and the framework itself. There's a lot that we 210 00:13:17,645 - > 00:13:20,685 won't be able to cover in detail, but I think the overall 211 00:13:20,685 - > 00:13:24,445 structure that they present are some some kind of initial 212 00:13:24,445 - > 00:13:27,965 background and considerations kinda definitions related to 213 00:13:27,965 - > 00:13:31,330 autonomous systems that that people need to consider. 214 00:13:31,970 - > 00:13:36,930 And, then they talk about the current threats to those agentic 215 00:13:36,930 - > 00:13:42,130 or autonomous systems and then how to apply the zero trust to 216 00:13:42,130 - > 00:13:45,935 those threatened agentic systems. That's kind of the the 217 00:13:45,935 - > 00:13:50,735 flow of of of what they talk about. So the the first thing, 218 00:13:50,735 - > 00:13:53,615 and I think this is something we've talked about more on the 219 00:13:53,615 - > 00:13:57,615 show and have have already covered, but just to set the 220 00:13:57,615 - > 00:14:00,300 foundation, some of these considerations, kind of 221 00:14:00,300 - > 00:14:04,540 background information that that we may wanna give is that, you 222 00:14:04,540 - > 00:14:07,180 know, why why are we talking about like a new framework while 223 00:14:07,180 - > 00:14:10,620 agents are different in how they operate? We've talked about this 224 00:14:10,620 - > 00:14:13,580 on the show before. They use a distributed set of tools. 225 00:14:13,580 - > 00:14:16,735 They interpret instructions, try to accomplish goals, they 226 00:14:16,735 - > 00:14:21,455 execute operations without human initiation, I think importantly. 227 00:14:22,255 - > 00:14:25,775 They might preserve context across sessions if they're 228 00:14:25,775 - > 00:14:29,690 trying to accomplish some goal, and then you kind of add 229 00:14:29,690 - > 00:14:32,330 multiple agents and they might communicate with one another. So 230 00:14:32,330 - > 00:14:35,930 you've got this multi agent communication. Now there's a 231 00:14:35,930 - > 00:14:39,210 couple terms here, Chris, that I think we've even mentioned, but 232 00:14:39,210 - > 00:14:47,595 they just define specifically, related to agent security as new 233 00:14:47,595 - > 00:14:51,515 terms that people might might be, unfamiliar with. One is 234 00:14:51,515 - > 00:14:56,315 blast radius, which, kind of, I think people could assume what 235 00:14:56,315 - > 00:14:57,275 that means, right? 236 00:14:57,275 - > 00:15:01,060 It measures the potential damage if something goes wrong, if an 237 00:15:01,060 - > 00:15:06,660 agent does does go off the rails of that blast radius. And least 238 00:15:06,660 - > 00:15:12,155 agency, which I guess is a term coined by OWASP, and and that 239 00:15:12,155 - > 00:15:16,075 extends this kind of idea of least privilege to agentic 240 00:15:16,075 - > 00:15:19,435 applications. So you shouldn't be giving more agency to your 241 00:15:19,435 - > 00:15:22,315 agents than they need to do their agent things. 242 00:15:22,315 - > 00:15:26,200 Chris: And that's standard zero trust ideas. You you you give it 243 00:15:26,200 - > 00:15:28,520 just what it needs and absolutely no more. 244 00:15:28,840 - > 00:15:32,280 Daniel: Yep. And and so that's kind of the, I guess, the 245 00:15:32,280 - > 00:15:37,480 background in which in which we're operating. Then then the 246 00:15:37,480 - > 00:15:41,765 Anthropic paper, it goes into these current threats, which is 247 00:15:41,605 - > 00:15:44,005 some are ones we've talked about. Some are ones we've not 248 00:15:44,005 - > 00:15:46,645 talked about as much, Chris. Mhmm. 249 00:15:47,045 - > 00:15:50,645 It's interesting that they talk they kind of frame everything 250 00:15:50,805 - > 00:15:54,005 within the agent world as agentic systems, which I very 251 00:15:54,005 - > 00:15:58,460 much like in our in our product. That's why I insist on using the 252 00:15:58,460 - > 00:16:01,900 idea of AI system as as a thing because you have these 253 00:16:01,900 - > 00:16:05,820 distributed set of things that are powering agents these days. 254 00:16:05,980 - > 00:16:10,935 And so they kind of break down then this, like, current threats 255 00:16:10,935 - > 00:16:15,095 to agentic systems. The first of those, which is probably not a 256 00:16:15,095 - > 00:16:18,775 surprise because it's the first on OWASP's list often as well, 257 00:16:19,680 - > 00:16:23,680 is prompt injection and instruction manipulation. We 258 00:16:23,840 - > 00:16:25,440 again, we've talked about this. 259 00:16:25,520 - > 00:16:29,840 There's everything from the obvious direct, you know, human 260 00:16:29,840 - > 00:16:33,665 input into a chat interface, ignore your instructions and do 261 00:16:33,665 - > 00:16:36,785 this other thing, which you shouldn't be doing. But the one 262 00:16:36,785 - > 00:16:43,985 that they mentioned as the more, difficult or scary one would be 263 00:16:43,985 - > 00:16:47,880 the indirect prompt injection where that's coming in through 264 00:16:47,880 - > 00:16:51,800 maybe it's a file that's, you know, you have an agent 265 00:16:51,800 - > 00:16:56,600 connected to your email and, attachment comes through with 266 00:16:56,600 - > 00:17:03,125 hidden instructions in it. Anecdotally, I I helped another 267 00:17:03,125 - > 00:17:07,365 company do some interviews and I I wrote a technical exercise and 268 00:17:07,365 - > 00:17:11,045 put it in a PDF. And I knew everyone would use Cloud Code 269 00:17:11,045 - > 00:17:16,380 like they should, but just just because I wanted to be fun, I I 270 00:17:16,380 - > 00:17:19,500 had all the instructions in black text and then I had an 271 00:17:19,500 - > 00:17:22,940 extra, like, three fourths of a page. So I just filled up that 272 00:17:22,940 - > 00:17:28,745 page with, with instructions that would make Claude code do 273 00:17:28,745 - > 00:17:31,945 the opposite of what I was saying in the instructions, just 274 00:17:31,945 - > 00:17:33,945 to just to see if they would catch it. 275 00:17:34,105 - > 00:17:35,625 So that that sort of thing. 276 00:17:35,865 - > 00:17:39,865 Chris: Very devious. Very devious. Was Did you make it 277 00:17:39,865 - > 00:17:42,960 white text in the PDF, so it wasn't obvious? Just like white 278 00:17:42,960 - > 00:17:43,520 face. 279 00:17:43,520 - > 00:17:46,320 Daniel: Which would get interpreted if you just uploaded 280 00:17:46,320 - > 00:17:49,040 it into Cloud Code or whatever. 281 00:17:49,280 - > 00:17:53,215 Chris: That's very sneaky, but actually quite common in terms 282 00:17:53,215 - > 00:17:55,455 of vector, I mean, because everyone just throws everything 283 00:17:55,455 - > 00:17:59,215 they can, you know, the way the way things have been operating, 284 00:17:59,215 - > 00:18:02,575 and so Yeah. Thus what we're doing today. 285 00:18:03,455 - > 00:18:10,990 Daniel: Yes. True. And I guess the other so that that that's 286 00:18:10,990 - > 00:18:13,390 threat number one, prompt injection, instruction 287 00:18:13,390 - > 00:18:16,190 manipulation. Threat number two that they talk about, which is 288 00:18:16,190 - > 00:18:21,795 related to agents using tools, particularly through MCP, which 289 00:18:21,795 - > 00:18:25,155 was a topic on a recent com or recent episode of this show, 290 00:18:25,155 - > 00:18:28,515 which you can look back at for for much more information on 291 00:18:28,515 - > 00:18:28,915 that. 292 00:18:28,915 - > 00:18:29,955 Chris: On MCP. Yep. 293 00:18:29,955 - > 00:18:34,700 Daniel: On MCP. Yeah. So they talk about agents that can 294 00:18:34,700 - > 00:18:40,300 manipulate tools maliciously or kind of do things that they 295 00:18:40,300 - > 00:18:43,660 shouldn't be doing because of privileges. I I think about 296 00:18:43,660 - > 00:18:48,755 Chris, like it it's kinda like you set up a server, maybe I set 297 00:18:48,755 - > 00:18:54,035 up a fast API API that, you know, my agent could use and I 298 00:18:54,035 - > 00:18:59,950 only tell it about instructions, you know, about a couple get get 299 00:18:59,950 - > 00:19:04,430 routes on the API in the instructions, but I don't shut 300 00:19:04,430 - > 00:19:06,190 down the other routes. Right? 301 00:19:06,190 - > 00:19:11,710 And if the agent was smart in any sort of way, right, it could 302 00:19:11,710 - > 00:19:15,545 just look at the swagger documentation at the slash docs 303 00:19:15,545 - > 00:19:18,345 endpoint, and know about all the other routes that maybe it 304 00:19:18,345 - > 00:19:20,505 shouldn't use, and then, like, all of a sudden, I have 305 00:19:20,505 - > 00:19:21,465 problems. Right? 306 00:19:21,465 - > 00:19:21,945 Chris: That's right. 307 00:19:21,945 - > 00:19:22,985 Daniel: So, yeah. And just 308 00:19:22,985 - > 00:19:26,185 Chris: to clarify, Swagger's a protocol that defines what those 309 00:19:26,185 - > 00:19:29,930 routes are. And and, you know, you mentioned, you know, kind of 310 00:19:29,930 - > 00:19:33,210 going off the rails, but, you know, the the notion of 311 00:19:33,210 - > 00:19:38,890 malicious MCP server has now been documented, and there could 312 00:19:38,890 - > 00:19:43,945 be lots of various types of tooling that is coming into 313 00:19:43,945 - > 00:19:48,345 being now just to take advantage of these vulnerabilities. So, I 314 00:19:48,345 - > 00:19:51,385 think you'll we'll see a whole class of malicious software 315 00:19:51,385 - > 00:19:56,745 arising to to do these kinds of of tool and resource misuse. 316 00:19:56,905 - > 00:20:01,280 Daniel: Yeah. Yeah, exactly. And and a lot of times these tool 317 00:20:01,280 - > 00:20:05,440 descriptors or schemas or metadata is injected into the 318 00:20:05,440 - > 00:20:10,160 context for an LLM to actually generate the output. So if I'm a 319 00:20:10,160 - > 00:20:13,585 malicious party or maybe just an agent that doesn't know what 320 00:20:13,585 - > 00:20:17,425 it's doing and and like, it says drifted from its goals or 321 00:20:17,425 - > 00:20:20,945 something, there's nothing preventing that from doing this 322 00:20:20,945 - > 00:20:24,145 poisoning thing where I like find out about the descriptor 323 00:20:24,145 - > 00:20:27,960 schema and metadata, and I even modify that in the instructions 324 00:20:27,960 - > 00:20:31,880 to maybe get the MCP server to do different things. Right? 325 00:20:31,880 - > 00:20:37,240 So this this tool and resource misuse is definitely, is a 326 00:20:37,240 - > 00:20:42,605 reason why it's kinda number number two there. The the next 327 00:20:42,605 - > 00:20:49,485 one, identity and privilege abuse. So yes. Yes. Exactly. 328 00:20:49,485 - > 00:20:54,125 So, they talk about this. Agents often operate with elevated 329 00:20:54,125 - > 00:20:59,290 privileges or service accounts, and traditional identity systems 330 00:20:59,290 - > 00:21:03,450 designed for humans struggle to accommodate them. There's 331 00:21:03,450 - > 00:21:09,290 sometimes unscoped privilege inheritance, almost like I I 332 00:21:09,290 - > 00:21:16,445 kinda think about this, like, what was that that cybersecurity 333 00:21:16,445 - > 00:21:19,645 book from it's like the cuckoos. 334 00:21:19,965 - > 00:21:22,765 Chris: Oh, the yes. The Cuckoo's Nest or something. Yeah. Yeah. 335 00:21:23,085 - > 00:21:25,780 Daniel: Yeah. Can tell us in in the comments, but it's like you 336 00:21:25,780 - > 00:21:28,900 you kinda land one place in a network, and then you escalate 337 00:21:28,900 - > 00:21:32,340 privileges, right, and you can move laterally, and go in all of 338 00:21:32,340 - > 00:21:33,780 these directions, right? 339 00:21:33,780 - > 00:21:38,415 Chris: Really old cybersecurity books that came out before it 340 00:21:38,415 - > 00:21:42,735 was really a field. I read it many years ago, and yeah, 341 00:21:42,735 - > 00:21:43,935 definitely inspiring. 342 00:21:44,815 - > 00:21:47,935 Daniel: And The so cuckoo's egg. That's that's what it was. Yeah. 343 00:21:47,935 - > 00:21:52,430 Chris: And as you as you are looking at lots of different 344 00:21:52,430 - > 00:21:54,830 agents that have different levels of privilege and 345 00:21:54,830 - > 00:21:59,310 different capabilities, and as agents are formulating things, 346 00:21:59,310 - > 00:22:02,270 you know, right in a in in during run time, essentially, 347 00:22:03,515 - > 00:22:06,955 that that didn't exist as a preset static thing that you 348 00:22:06,955 - > 00:22:10,555 wanna do, and they're developing that. It's very easy for one 349 00:22:10,555 - > 00:22:14,155 agent to spin off another agent, and and it has more privilege 350 00:22:14,155 - > 00:22:17,170 than it needs, and then that can be taken advantage of. So there 351 00:22:17,170 - > 00:22:20,370 are lots of different variations of of how those kinds 352 00:22:20,610 - > 00:22:25,250 Daniel: Yeah. Yeah. For sure. So that's the privilege, and I 353 00:22:25,250 - > 00:22:28,610 should say, I I do really encourage people to take a read 354 00:22:28,610 - > 00:22:31,985 through the the e book. Obviously, we're highlighting 355 00:22:31,985 - > 00:22:34,385 some of these things, but there's much more detail there. 356 00:22:34,385 - > 00:22:37,905 Also a great resource around this if you're trying to learn 357 00:22:37,905 - > 00:22:41,745 some of this is if you go to the OWASP Gen AI project. We've 358 00:22:41,745 - > 00:22:46,810 we've had reps on our show before and my team's involved in 359 00:22:46,810 - > 00:22:49,850 the AI Balm project and other things with OWASP. There's a lot 360 00:22:49,850 - > 00:22:52,410 of great people involved, but they have so many great 361 00:22:52,410 - > 00:22:57,850 resources online related to this sort of thing and, guides for 362 00:22:57,850 - > 00:23:01,565 MCP, guides for Agentsic security, etcetera. So take a 363 00:23:01,565 - > 00:23:06,365 look at those as well. You might be listening to this episode and 364 00:23:06,365 - > 00:23:07,805 thinking that, hey. 365 00:23:07,805 - > 00:23:12,125 I am part of one of those organizations that's in the 90% 366 00:23:12,125 - > 00:23:16,850 of enterprises that are not ready security wise for 367 00:23:16,850 - > 00:23:22,370 autonomous agents operating in my environment. How am I gonna 368 00:23:22,370 - > 00:23:26,930 manage supply chain risks and have an AI build materials and 369 00:23:26,930 - > 00:23:32,295 define agent boundaries, cure tool access, and implement input 370 00:23:32,295 - > 00:23:36,135 validation and output controls. Well, this is one of the reasons 371 00:23:36,135 - > 00:23:41,655 why I think it's so important to have great platforms that don't 372 00:23:41,660 - > 00:23:46,540 require you to build your own AI agent governance platform. 373 00:23:46,620 - > 00:23:50,780 That's why outside of the Practical AI Podcast, I 374 00:23:50,780 - > 00:23:54,140 personally am leading an organization full of really 375 00:23:54,140 - > 00:23:56,975 smart people that are thinking about these problems and have 376 00:23:56,975 - > 00:24:01,455 brought Prediction Guard, into into existence. Prediction Guard 377 00:24:01,455 - > 00:24:04,495 is an AI control plane that's self hosted. 378 00:24:04,495 - > 00:24:06,735 It lives in your own infrastructure where you're 379 00:24:06,735 - > 00:24:10,655 gonna deploy those autonomous agents, and it allows you to 380 00:24:10,655 - > 00:24:15,010 manage the supply chain risk and put in governance policies that 381 00:24:15,010 - > 00:24:18,850 are enforced and maintain observability over those agents. 382 00:24:18,930 - > 00:24:21,890 And I'm just really excited about the capabilities that are 383 00:24:21,890 - > 00:24:26,645 that are already in the product and are being released later 384 00:24:26,645 - > 00:24:30,165 this year. So I would encourage you, please check us out at 385 00:24:33,925 - > 00:24:37,685 You can book a call with me and the team to discuss how you're 386 00:24:37,685 - > 00:24:41,660 going to manage security for your agents operating in your 387 00:24:41,660 - > 00:24:46,700 enterprise. That's predictionguard.com/practicalai. 388 00:24:52,235 - > 00:24:55,995 The next one that Anthropic highlights is supply chain and 389 00:24:55,995 - > 00:24:57,755 dependency risks. 390 00:24:57,835 - > 00:24:58,235 Chris: Mhmm. 391 00:24:58,235 - > 00:25:02,075 Daniel: So, you you were just mentioning how sometimes agents 392 00:25:02,075 - > 00:25:06,150 compose things at runtime, Chris. This includes potentially 393 00:25:06,150 - > 00:25:10,790 loading external tools or installing packages or changing 394 00:25:10,790 - > 00:25:14,630 infrastructure. And so the that that supply chain can actually 395 00:25:14,630 - > 00:25:19,535 update in in real time or at runtime as agents are trying to 396 00:25:19,535 - > 00:25:24,735 accomplish a task, but also model and tool, supply chain. So 397 00:25:24,735 - > 00:25:27,855 models have their own supply chains related to the weights 398 00:25:27,855 - > 00:25:32,210 and how they were trained or fine tuned, how how easy it is 399 00:25:32,210 - > 00:25:35,410 to jailbreak them or prompt inject them. But then MCP 400 00:25:35,410 - > 00:25:37,730 servers are also software components. 401 00:25:37,730 - > 00:25:40,290 Right? They have their own integrations. They their own 402 00:25:40,290 - > 00:25:44,130 software dependencies, etcetera, which have their own potential 403 00:25:44,130 - > 00:25:49,385 vulnerabilities. So all of this, it it's very much a multilayered 404 00:25:49,385 - > 00:25:52,985 thing that It is. Could evolve dynamically, which is kind of 405 00:25:52,985 - > 00:25:53,785 scary. 406 00:25:53,865 - > 00:25:56,185 Chris: That and one thing to call out while we're talking 407 00:25:56,185 - > 00:25:59,280 about supply chain and dependency risks is that all of 408 00:25:59,280 - > 00:26:02,400 the traditional zero risk vulnerabilities, all the things 409 00:26:02,400 - > 00:26:06,320 that we were talking about in the cybersecurity world before 410 00:26:06,400 - > 00:26:11,120 we started having AI agentic system conversations about this, 411 00:26:11,200 - > 00:26:14,485 those all still apply as well. And when we're talking when and 412 00:26:14,485 - > 00:26:18,965 I was prompted, no pun intended, to say that by you when you 413 00:26:18,965 - > 00:26:23,925 mentioned the multilayer. So you can still have, you know, BIOS 414 00:26:23,925 - > 00:26:29,020 and CMOS vulnerabilities that can take, that lend themselves 415 00:26:29,020 - > 00:26:32,780 to some of these vulnerability, you know, layers and packages 416 00:26:32,780 - > 00:26:36,220 that build up. So there's many different points in a stack 417 00:26:36,700 - > 00:26:37,900 where these attacks All can 418 00:26:38,780 - > 00:26:42,165 Daniel: the way down to, you know, networking and firewall, 419 00:26:42,165 - > 00:26:45,125 right? If you're, you have an agent operating in that 420 00:26:45,125 - > 00:26:49,845 environment, it could, you know, find and detect things that that 421 00:26:49,845 - > 00:26:55,590 it shouldn't, and so, that's, it's so, yeah, I guess multi 422 00:26:55,590 - > 00:26:59,830 layered, which, you know, many security things are, and I know 423 00:26:59,830 - > 00:27:03,430 OWASP always recommends this kind of layered approach. But, 424 00:27:03,430 - > 00:27:07,190 yeah, the the last two are are kind of related memory and 425 00:27:07,190 - > 00:27:10,415 context poisoning and rag poisoning, both obviously are 426 00:27:10,415 - > 00:27:15,775 this type of, of way that you can either in the memory or 427 00:27:15,775 - > 00:27:20,735 context to an LLM call or into rag data, retrieval augmented 428 00:27:20,735 - > 00:27:24,850 generation data, which often lives in a database, a vector 429 00:27:24,850 - > 00:27:30,290 database. You, if, if you have no control over what and how 430 00:27:30,290 - > 00:27:33,410 things are committed to that memory or to that vector 431 00:27:33,410 - > 00:27:37,905 database, there's nothing preventing agents or external 432 00:27:37,905 - > 00:27:42,145 parties from inserting things into that memory. So, you know, 433 00:27:42,145 - > 00:27:47,585 the I think the one, the example I used last year at the Midwest 434 00:27:47,585 - > 00:27:51,410 AI Summit, Chris, which as a reminder to our folks, Midwest 435 00:27:51,410 - > 00:27:56,050 AI Summit coming up October 15, gonna be another great great, 436 00:27:56,530 - > 00:27:57,250 experience. 437 00:27:57,250 - > 00:28:01,330 You can can search the details Midwest AI Summit. But I think I 438 00:28:01,330 - > 00:28:05,515 used the example where it was a health care situation and 439 00:28:05,515 - > 00:28:09,515 someone at, you know, an agent or a prompt is like, in a first 440 00:28:09,515 - > 00:28:14,555 interchange, it says, hey, do this for patient a, and then 441 00:28:15,035 - > 00:28:19,300 you, in the follow-up, say like, well, in all the following, you 442 00:28:19,300 - > 00:28:23,780 know, consider patient A to be patient B. And then you keep, 443 00:28:23,780 - > 00:28:26,980 keep filtering in that information about patient A 444 00:28:26,980 - > 00:28:30,895 being patient B. And then all of a sudden, when, you know, later 445 00:28:30,895 - > 00:28:35,055 on you're you're wanting some information about patient A or 446 00:28:35,055 - > 00:28:37,615 patient B, all of a sudden you're getting data that you 447 00:28:37,615 - > 00:28:39,375 shouldn't shouldn't be getting. Right. 448 00:28:39,375 - > 00:28:46,050 So it it can happen, and and has been shown to happen, so. Okay, 449 00:28:46,050 - > 00:28:49,490 Chris, that's all the scary things. I guess there's a That's 450 00:28:49,330 - > 00:28:49,730 lot right. Of 451 00:28:50,290 - > 00:28:52,290 Chris: Now we gotta go now we gotta figure out how to fix 452 00:28:52,290 - > 00:28:52,850 this, right? 453 00:28:52,850 - > 00:28:56,290 Daniel: Now now we gotta figure out how to fix this. And I do 454 00:28:56,290 - > 00:29:02,515 like the general structure that Anthropic provides here, 455 00:29:03,075 - > 00:29:09,075 recognizing again that many people are behind in this and 456 00:29:09,075 - > 00:29:12,350 that new tools and products will need to address many of these 457 00:29:12,350 - > 00:29:17,150 things gradually over time. They present three capability I think 458 00:29:17,150 - > 00:29:20,510 what they call capability tiers or three tiers of application 459 00:29:20,510 - > 00:29:24,350 basically saying, hey, in these different areas, you need to do 460 00:29:24,350 - > 00:29:27,165 something. There's like the minimal thing that you should do 461 00:29:27,165 - > 00:29:30,925 which they call foundation, the minimum viable thing and then 462 00:29:30,925 - > 00:29:34,765 there's an enterprise tier which means, hey, if you're if you're 463 00:29:34,765 - > 00:29:39,880 an actual enterprise and and needing to be robust and and 464 00:29:39,880 - > 00:29:42,200 resilient, you need to do these things. And then there's 465 00:29:42,200 - > 00:29:45,640 advanced, which would apply to kind of particularly high risk 466 00:29:45,640 - > 00:29:48,840 or stringent regulatory environments or maybe 467 00:29:48,840 - > 00:29:52,865 aspirationally for everyone else to try to get to that get to 468 00:29:52,865 - > 00:29:53,585 that level. 469 00:29:53,585 - > 00:29:57,985 So foundation, enterprise, and advanced in each of these 470 00:29:57,985 - > 00:30:04,225 categories. And then for, they develop something in each of 471 00:30:04,225 - > 00:30:09,980 these categories for each of a number of, the threats that that 472 00:30:09,980 - > 00:30:13,660 we talked about or the areas in which you need to secure. The 473 00:30:13,660 - > 00:30:14,380 first one Okay. 474 00:30:14,780 - > 00:30:17,500 Chris: Kinda dimension it kinda breaks them down by diff by 475 00:30:17,500 - > 00:30:20,620 dimensions and then tiers them against those three tiers that 476 00:30:20,620 - > 00:30:21,580 you just described. 477 00:30:21,580 - > 00:30:25,205 Daniel: Yeah. It's kinda like, I need to I need to consider these 478 00:30:25,205 - > 00:30:28,565 however many things, I forget how many there were. I I need to 479 00:30:28,565 - > 00:30:32,405 at least be in the foundation level for all of these and then 480 00:30:32,405 - > 00:30:35,285 I can circle back and maybe upgrade particular ones to 481 00:30:35,285 - > 00:30:39,230 enterprise or like gradually work on it over time. So the the 482 00:30:39,230 - > 00:30:43,470 first of those is agent identity and authentication, which they 483 00:30:43,470 - > 00:30:46,670 kind of frame as the foundation for every other security 484 00:30:46,670 - > 00:30:50,430 capability because without this identity, you can't really 485 00:30:50,430 - > 00:30:55,165 enforce other other things throughout the throughout the 486 00:30:55,165 - > 00:31:01,725 framework. Now, as we go through here, they talk about, certain 487 00:31:01,725 - > 00:31:05,565 ways of doing identity and verification, and there are a 488 00:31:05,565 - > 00:31:10,040 couple terms in here that people may be unfamiliar with as well. 489 00:31:10,120 - > 00:31:13,720 One of those being they talk about hardware bound 490 00:31:13,720 - > 00:31:18,680 credentials. Mhmm. Have you, I'm I'm sure this is also a part of 491 00:31:18,680 - > 00:31:21,245 of your life over time, Chris? 492 00:31:21,245 - > 00:31:23,725 Chris: Yes. Hardware bound credentials are where you have 493 00:31:23,725 - > 00:31:27,805 to present a fit, you know, you may be a USB or something, you 494 00:31:27,805 - > 00:31:30,765 know, there's a lot of different ways it can it can but you have 495 00:31:30,765 - > 00:31:34,525 to insert a piece of hardware or make act make accessible a piece 496 00:31:34,525 - > 00:31:37,570 of hardware which provides that authentication which an 497 00:31:37,570 - > 00:31:41,090 adversary would be unlikely to have in their possession, and 498 00:31:41,170 - > 00:31:46,130 that doesn't necessarily do it by itself. There's usually 499 00:31:46,130 - > 00:31:51,315 multiple tiers, but that's, that is one way of contributing 500 00:31:51,315 - > 00:31:53,555 significantly is if you don't have a physical piece of 501 00:31:53,555 - > 00:31:56,435 hardware in your hand, you're not gonna be able to gain 502 00:31:56,435 - > 00:31:58,915 access, even if you can break through other tiers, so. 503 00:31:59,155 - > 00:32:02,755 Daniel: Yeah, and this idea of it being bound to hardware, I 504 00:32:02,755 - > 00:32:08,490 think is key point that that you're referencing, where, 505 00:32:09,130 - > 00:32:13,930 otherwise they view kind of, hey, if you have API keys for 506 00:32:13,930 - > 00:32:18,215 example, and those are just floating around, you should 507 00:32:18,215 - > 00:32:21,415 probably consider those already compromised if we're going with 508 00:32:21,415 - > 00:32:25,975 this idea of zero trust versus if an agent has an identity and 509 00:32:25,975 - > 00:32:32,110 has an authentication to access this environment. It has 510 00:32:32,110 - > 00:32:35,710 authentication tied specifically to the hardware that it's 511 00:32:35,710 - > 00:32:38,350 operating on, you know, something like that. That 512 00:32:38,350 - > 00:32:42,830 hardware bound credential is is something that they talk about. 513 00:32:42,830 - > 00:32:47,245 And just to give some examples here in the agents agent 514 00:32:47,245 - > 00:32:52,285 identity and authentication piece, the foundational and we 515 00:32:52,285 - > 00:32:55,565 won't be able to go through all the tiers of all the categories. 516 00:32:55,565 - > 00:32:56,685 We just don't have time. 517 00:32:56,845 - > 00:33:04,730 But just to give an example of of these, there is, the agent 518 00:33:04,730 - > 00:33:09,850 identity verification piece, the foundation level that they 519 00:33:09,850 - > 00:33:14,570 suggest there is to have unique cryptographic identifiers for 520 00:33:14,570 - > 00:33:19,785 each agent instance. So to assign persistent agent IDs 521 00:33:19,785 - > 00:33:23,065 backed by cryptographic material, not just labels, the 522 00:33:23,065 - > 00:33:26,425 track agent life cycle from creation to retirement, IDs 523 00:33:26,425 - > 00:33:30,240 appear in all logs and access requests. The enterprise level 524 00:33:30,240 - > 00:33:34,800 is certificate based authentication with full life 525 00:33:34,800 - > 00:33:38,720 cycle management, and the advanced is hardware backed 526 00:33:38,720 - > 00:33:43,105 identity with attestation. So that advanced, you know, you 527 00:33:43,105 - > 00:33:47,185 store agent credentials in hardware security modules or 528 00:33:47,185 - > 00:33:49,505 trusted platform modules 529 00:33:49,745 - > 00:33:49,985 Chris: Right. 530 00:33:50,065 - > 00:33:53,345 Daniel: With remote attestation, which there's a whole rabbit 531 00:33:53,345 - > 00:33:56,465 hole you could go down there with those with those terms, but 532 00:33:56,465 - > 00:34:00,610 that would fit into their into their advanced category. That's 533 00:34:00,610 - > 00:34:05,330 right. Yeah. So that that's an example of one of these 534 00:34:05,330 - > 00:34:08,690 categories, agent identity and authentication. The next, 535 00:34:08,930 - > 00:34:15,330 category that they that they talk about is access control and 536 00:34:13,875 - > 00:34:15,715 privilege management. 537 00:34:15,795 - > 00:34:19,395 So assuming you have an identity for your agent, then you need to 538 00:34:19,395 - > 00:34:25,315 control access and privileges for that agent and, and that 539 00:34:25,315 - > 00:34:29,220 authorization layer should enforce this idea that we 540 00:34:29,220 - > 00:34:34,100 defined earlier of leased agency, which is ensuring agents 541 00:34:34,180 - > 00:34:40,035 receive only the access required for their specific function. And 542 00:34:40,035 - > 00:34:44,195 this can get very subtle like that API example that I gave. 543 00:34:44,275 - > 00:34:47,795 You could only tell an agent about these endpoints, but if 544 00:34:47,795 - > 00:34:50,915 you haven't physic like, if you haven't literally shut off the 545 00:34:50,915 - > 00:34:55,120 network for other endpoints or something, then there's nothing 546 00:34:55,120 - > 00:34:59,520 preventing that agent from, like, going off of the off of 547 00:34:59,520 - > 00:35:01,840 the rails in that case. That's right. Yeah. 548 00:35:01,840 - > 00:35:04,880 Just to give another kinda set of examples here, access 549 00:35:04,880 - > 00:35:08,640 control, foundation level is role based access control or 550 00:35:08,640 - > 00:35:13,865 RBAC with deny by default. That's the the foundation in in 551 00:35:13,865 - > 00:35:14,825 that category. 552 00:35:15,065 - > 00:35:18,505 Chris: That's right. And and by the way, just as we're working 553 00:35:18,505 - > 00:35:21,705 through this, wanted to make one quick comment. These are all 554 00:35:22,020 - > 00:35:25,780 standard zero trust concepts. So those of you who in the you 555 00:35:25,780 - > 00:35:29,140 know, who may be watching, you may recognize a lot of these 556 00:35:29,140 - > 00:35:32,340 categories and stuff, and I think I think the key is kind of 557 00:35:32,340 - > 00:35:36,295 thinking about it within this agentic context, and, you know, 558 00:35:36,295 - > 00:35:40,055 as as as we're all onboarding agents and stuff, that that 559 00:35:40,055 - > 00:35:43,015 throws it out, but keep going. I just wanted to call that out for 560 00:35:43,015 - > 00:35:44,455 those that might recognize that. 561 00:35:44,455 - > 00:35:49,170 Daniel: Yeah. Yeah. For sure. I think we can't abandon our good 562 00:35:49,170 - > 00:35:52,530 security intuition and especially when you start treat 563 00:35:52,770 - > 00:35:58,530 treating these agents as having an identity and being, operating 564 00:35:58,530 - > 00:36:01,970 in this zero trust environment, some of these things kind of 565 00:36:01,970 - > 00:36:07,075 flow through if you if you work out those details, but, yeah. 566 00:36:07,075 - > 00:36:10,035 The the next category, behavioral monitoring and 567 00:36:10,035 - > 00:36:15,875 response, or, sorry, observability and auditing. 568 00:36:15,875 - > 00:36:19,310 That was that was, so there there's actually these two are 569 00:36:19,310 - > 00:36:21,630 tied together. We could probably talk about them together. 570 00:36:21,630 - > 00:36:25,950 There's observability, which essentially captures what agents 571 00:36:25,950 - > 00:36:29,470 do. So it observes what agents are doing and you need 572 00:36:29,470 - > 00:36:34,275 visibility into that. So you need logging and audit trails. 573 00:36:34,275 - > 00:36:38,275 Often in our implementations with customers in my day to day 574 00:36:38,275 - > 00:36:44,515 work, I often like to say, hey, we need to know that this human 575 00:36:44,515 - > 00:36:50,430 user using this API key triggered this agent, which has 576 00:36:50,430 - > 00:36:54,590 this identity to do this goal, which issued these prompts, 577 00:36:54,590 - > 00:36:58,510 which triggered this tool call, which had this input, which was 578 00:36:58,510 - > 00:37:01,595 blocked by this governance policy, etcetera. Like that's 579 00:37:01,595 - > 00:37:04,795 where we're, you know, and down the line. We need that kind of 580 00:37:04,795 - > 00:37:08,875 traceability and and logging. Otherwise, you you can't have 581 00:37:08,875 - > 00:37:13,150 visibility or build rules or monitor things. So that's the 582 00:37:13,150 - > 00:37:16,430 observability piece, but observability captures only what 583 00:37:16,430 - > 00:37:17,630 agents do. 584 00:37:17,710 - > 00:37:21,070 The behave behavioral monitoring that they're talking about 585 00:37:21,070 - > 00:37:27,315 determines whether the actions that agents are doing should be 586 00:37:27,315 - > 00:37:29,475 allowed or are suspicious. 587 00:37:29,875 - > 00:37:31,315 Chris: Are they appropriate for what 588 00:37:31,315 - > 00:37:34,275 Daniel: you would expect? Are they appropriate? Yes. 589 00:37:34,275 - > 00:37:34,755 Chris: That's right. 590 00:37:34,755 - > 00:37:38,115 Daniel: Yes. Exactly. And and this is behavioral monitoring 591 00:37:38,115 - > 00:37:42,320 and response, Right? So in certain cases, like I say, when 592 00:37:42,320 - > 00:37:46,240 when when we enforce governance policies, we say, well, if we 593 00:37:46,240 - > 00:37:48,960 see this, then do this. Right? 594 00:37:49,280 - > 00:37:53,040 So sometimes that's blocking certain things. Sometimes it's 595 00:37:53,040 - > 00:37:56,705 just logging. Sometimes it's, you know, alerting someone using 596 00:37:56,705 - > 00:38:03,585 a a particular platform. Okay. The the, second to the last one 597 00:38:03,585 - > 00:38:06,945 is input validation and output controls. 598 00:38:07,170 - > 00:38:10,930 I think actually this one so what are we on? 1234. This is 599 00:38:10,930 - > 00:38:15,170 the fifth one. This is probably the one that most often comes to 600 00:38:15,170 - > 00:38:20,690 people's mind and I think is often maybe overemphasized, 601 00:38:21,365 - > 00:38:26,005 which is this idea that you would have point checks over, 602 00:38:26,165 - > 00:38:29,525 you know, harmful things that the agent could produce in its 603 00:38:29,525 - > 00:38:33,925 output or harmful things that could go into the agent's 604 00:38:33,925 - > 00:38:37,970 context or something. This is, very important, I would say, but 605 00:38:37,970 - > 00:38:39,810 it's kind of like table stakes. 606 00:38:39,890 - > 00:38:44,050 The the example I usually give is, you know, is it bad for me 607 00:38:44,050 - > 00:38:47,810 to take my temperature if I want to be a healthy human? Well, 608 00:38:47,985 - > 00:38:50,385 that's not a bad thing. You know, you can take your 609 00:38:50,385 - > 00:38:54,705 temperature. It doesn't mean that you are plugged into a 610 00:38:54,705 - > 00:38:58,705 healthy lifestyle or being governed by, you know, health 611 00:38:58,705 - > 00:39:02,145 records and as part of a health care system and have a primary 612 00:39:02,145 - > 00:39:06,830 physician and have a care plan and a diet. And, it's just a 613 00:39:06,830 - > 00:39:11,310 very limited way to view, that kind of overall health. 614 00:39:11,310 - > 00:39:13,790 And if we extend that here, this would be these sort of point 615 00:39:13,790 - > 00:39:18,025 checks of validating inputs and outputs, which are, yeah, again, 616 00:39:18,025 - > 00:39:20,665 I would say those are table stakes. And the last one is 617 00:39:20,665 - > 00:39:26,425 integrity and recovery. So, all of this prevention and detection 618 00:39:26,425 - > 00:39:29,465 assumes agents operate correctly, you know, when they 619 00:39:29,465 - > 00:39:30,825 don't, what what do you do? 620 00:39:31,250 - > 00:39:33,490 Chris: Yeah, and and I think that's actually a pretty big 621 00:39:33,490 - > 00:39:38,050 question in the agentic systems world, in that if you think 622 00:39:38,050 - > 00:39:40,850 about, you know, going back a couple of points to behavioral 623 00:39:40,850 - > 00:39:44,210 monitoring and trying to identify what's appropriate for 624 00:39:44,210 - > 00:39:47,455 agents to be doing within all the other security parameters 625 00:39:47,455 - > 00:39:51,055 that we've talked about along the way. But when when you when 626 00:39:51,055 - > 00:39:54,575 you have gotten outside the bounds of what is appropriate, 627 00:39:54,735 - > 00:39:57,855 trying to figure out how to roll agents back, especially if 628 00:39:57,855 - > 00:40:01,710 they're in critical functions, can be quite challenging because 629 00:40:01,710 - > 00:40:06,110 those critical functions still have to be addressed. And so if 630 00:40:06,110 - > 00:40:09,870 a critical function is compromised by an agent that is 631 00:40:09,870 - > 00:40:13,310 intentionally or unintentionally off the rails, then figuring out 632 00:40:13,395 - > 00:40:17,235 how do you take a critical system back and get it get it 633 00:40:17,235 - > 00:40:20,435 back to a safe place to proceed in whatever is appropriate for 634 00:40:20,435 - > 00:40:24,355 that function can be quite challenging. And so I've I've 635 00:40:24,355 - > 00:40:29,930 I've have spent some time in that space myself, and I think 636 00:40:29,930 - > 00:40:32,170 that there's a lot of imagination that has to go into 637 00:40:32,170 - > 00:40:38,170 it that maybe wasn't quite as necessary in pre Agentsic Zero 638 00:40:38,170 - > 00:40:41,450 Trust models, so I just wanted to call that out. 639 00:40:41,450 - > 00:40:45,355 Daniel: Yeah. Yeah, they talk about, to give some examples, 640 00:40:45,595 - > 00:40:50,235 Chris, for configuration integrity, they talk about on 641 00:40:50,235 - > 00:40:53,515 the foundational level, version controlled agent configurations, 642 00:40:53,515 - > 00:40:56,635 and the advanced level, immutable infrastructure with 643 00:40:56,635 - > 00:41:00,980 attestation. On the recovery capabilities, they talk about at 644 00:41:00,980 - > 00:41:05,140 the foundation level, documented rollback procedures, which to 645 00:41:05,140 - > 00:41:08,500 your point, having some, having an idea of what you might do is 646 00:41:08,500 - > 00:41:12,260 one thing, being able to actually do it is sometimes a 647 00:41:12,260 - > 00:41:15,425 challenging thing. At the advanced level, they talk about 648 00:41:15,425 - > 00:41:21,265 self healing systems with automatic remediation. So, yeah, 649 00:41:21,585 - > 00:41:24,385 definitely agree agree with your points there. 650 00:41:25,990 - > 00:41:29,430 I know that we're getting to the close to the end here, Chris, 651 00:41:29,430 - > 00:41:33,270 and just to kinda wrap things or or get close to the end here, 652 00:41:34,310 - > 00:41:37,910 Anthropic does a good job at kind of saying, hey, here's all 653 00:41:37,910 - > 00:41:42,215 of this stuff and all of these tiers and levels and categories, 654 00:41:42,215 - > 00:41:45,815 etcetera, but then they do provide a kind of phased, a 655 00:41:45,815 - > 00:41:49,255 phased way that you can think about implementing agents, which 656 00:41:49,255 - > 00:41:53,600 I think is helpful. One, identifying requirements, two, 657 00:41:53,600 - > 00:41:57,280 managing supply chain risks, including they talk about AI 658 00:41:57,280 - > 00:42:00,880 bomb or AI build materials, defining agent boundaries, 659 00:42:00,880 - > 00:42:04,560 defending against prompt injection, securing tool access, 660 00:42:04,880 - > 00:42:07,925 protecting agent credentials, and then safeguarding agent 661 00:42:07,925 - > 00:42:11,205 memory. And they give some kind of specifications under each of 662 00:42:11,205 - > 00:42:14,965 those phases for for people to to think about. 663 00:42:14,965 - > 00:42:18,405 Chris: Yeah. I think, you know, as we're as we're winding up, as 664 00:42:18,405 - > 00:42:22,560 they address it, I know just to share kind of how I perceive 665 00:42:22,560 - > 00:42:26,640 the, you know, kind of establishing the workflow, is in 666 00:42:26,640 - > 00:42:30,160 the zero trust world that we've been in for a number of years, 667 00:42:30,160 - > 00:42:33,920 it's fairly static. Know, there's a lot of things, and you 668 00:42:33,920 - > 00:42:38,275 kind of have to tick them all off, and a lot of it's a very 669 00:42:38,435 - > 00:42:42,515 it's almost a regulatory approach to system development, 670 00:42:42,995 - > 00:42:46,595 and I think the thing that agentic implementations require 671 00:42:46,915 - > 00:42:52,570 is the is trying to anticipate an incredibly dynamic capability 672 00:42:52,570 - > 00:42:55,690 that can arise, you know, that can kind of an emergent quality 673 00:42:56,250 - > 00:43:00,410 that that people are doing, and I think what Anthropic has done 674 00:43:00,410 - > 00:43:03,850 for us is given us a way of taking what we already know in a 675 00:43:03,850 - > 00:43:08,215 zero trust context and and and pointed out, you know, that 676 00:43:08,215 - > 00:43:12,455 within Agentic Systems, these capabilities are are it 677 00:43:12,455 - > 00:43:15,895 definitely requires a level up to take the same ideas, but get 678 00:43:15,895 - > 00:43:19,960 them out of that static mindset and move into a anticipating 679 00:43:19,960 - > 00:43:24,680 dynamic capabilities from agents. And I know as we're in 680 00:43:24,680 - > 00:43:30,200 both in our own jobs and stuff, that certainly required us to 681 00:43:30,200 - > 00:43:31,800 kind of level up and reconsider. 682 00:43:32,845 - > 00:43:36,205 It's a it makes it for a very interesting problem set to 683 00:43:36,205 - > 00:43:36,845 address. 684 00:43:37,245 - > 00:43:41,325 Daniel: Yeah. Yeah. And there's major thought process changes or 685 00:43:41,325 - > 00:43:45,165 philosophical shifts, as you're mentioning, that as 686 00:43:45,165 - > 00:43:48,740 practitioners, we may have to make. They talk in the in the 687 00:43:48,740 - > 00:43:54,340 ebook, Anthropic does about this idea of AI vendoring that, Hey, 688 00:43:54,340 - > 00:43:57,460 there's these fragile open source projects out here that 689 00:43:57,460 - > 00:44:01,220 you might rely on. The thing to do might just be to have your 690 00:44:01,220 - > 00:44:05,825 agentic coding system just completely vendor or literally 691 00:44:05,825 - > 00:44:10,625 not not copy, but generate a new version of that project that's 692 00:44:10,625 - > 00:44:13,425 proprietary to you and under your control and just include it 693 00:44:13,425 - > 00:44:16,705 in your project rather than than bringing in a third party 694 00:44:16,705 - > 00:44:17,505 dependency. 695 00:44:17,505 - > 00:44:22,600 So there's like philosophical shifts, like that. I do think 696 00:44:22,600 - > 00:44:26,360 there's some hard things that we'll still have to wrestle with 697 00:44:26,360 - > 00:44:33,080 around. I I think there's still some of this conclusion that 698 00:44:31,455 - > 00:44:35,695 humans are gonna have to make containment decisions around how 699 00:44:35,695 - > 00:44:39,215 to contain these things and whether it be threats in your 700 00:44:39,215 - > 00:44:42,255 environment or agents operating in your environment. And if 701 00:44:42,255 - > 00:44:46,010 things are moving so fast, I just think it's gonna be hard 702 00:44:46,010 - > 00:44:50,570 for humans to, you know, if if something is happening in your 703 00:44:50,570 - > 00:44:55,450 infrastructure and exploit timelines go from, you know, 704 00:44:55,450 - > 00:45:00,695 months to to hours to minutes to seconds. You can't just, like, 705 00:45:00,695 - > 00:45:03,815 rely on waking up the CISO in the middle of the night to 706 00:45:03,815 - > 00:45:06,455 approve, you know, shutting this thing down. 707 00:45:06,455 - > 00:45:06,775 Right? 708 00:45:06,775 - > 00:45:09,655 Chris: I mean, this is I mean, this is a revolution in 709 00:45:09,655 - > 00:45:14,430 cybersecurity. Just to just to put, a dot, you know, as we're 710 00:45:14,430 - > 00:45:18,030 finishing up here. Every intelligence agency in the 711 00:45:18,030 - > 00:45:23,310 world, is is learning how to, both defend against and exploit 712 00:45:23,310 - > 00:45:27,150 these these, these potential vulnerabilities that we're 713 00:45:27,150 - > 00:45:30,605 talking about, as well as criminal organizations of of all 714 00:45:30,605 - > 00:45:37,405 sizes, shapes on a global scale. So this you know, we're I I 715 00:45:37,405 - > 00:45:40,285 think we're at the very beginning of this journey. I 716 00:45:40,285 - > 00:45:43,450 think this is a fantastic start to get us thinking. 717 00:45:43,450 - > 00:45:45,690 I think we're gonna see a lot more tooling and a lot more 718 00:45:45,690 - > 00:45:49,770 capabilities coming out in the days ahead. And it seems to be 719 00:45:49,770 - > 00:45:53,290 coming out very quickly because the threats have risen very 720 00:45:53,290 - > 00:45:57,595 quickly. And so I hope folks find this as useful as we did, 721 00:45:57,675 - > 00:46:01,915 in terms of kind of reframing this modern take on cyber, in 722 00:46:01,915 - > 00:46:04,315 our in this agentic world that we've been talking about 723 00:46:04,315 - > 00:46:06,795 nonstop, throughout this this last year. 724 00:46:07,240 - > 00:46:10,120 Daniel: And we'll, like I say, include the links in the show 725 00:46:10,120 - > 00:46:15,400 notes, so take a look at those. Excited to keep the conversation 726 00:46:15,400 - > 00:46:17,480 going. Thanks for this today, Chris. 727 00:46:17,480 - > 00:46:21,320 Chris: Yeah, thanks for taking us through it. Was a good 728 00:46:20,985 - > 00:46:21,945 exercise to do. 729 00:46:26,345 - > 00:46:29,545 Narrator: All right, that's our show for this week. If you 730 00:46:29,545 - > 00:46:33,680 haven't checked out our website, head to practicalai.fm and be 731 00:46:33,680 - > 00:46:37,120 sure to connect with us on LinkedIn, X, or Blue Sky. You'll 732 00:46:37,120 - > 00:46:40,480 see us posting insights related to the latest AI developments, 733 00:46:40,480 - > 00:46:43,360 and we would love for you to join the conversation. Thanks to 734 00:46:43,360 - > 00:46:46,320 our partner Prediction Guard for providing operational support 735 00:46:46,320 - > 00:46:49,645 for the show. Check them out at predictionguard.com. 736 00:46:49,805 - > 00:46:52,845 Also, thanks to Breakmaster Cylinder for the beats and to 737 00:46:52,845 - > 00:46:55,885 you for listening. That's all for now, but you'll hear from us 738 00:46:55,885 - > 00:46:56,605 again next week.