Risky Business - Risky Biz Soap Box: The lethal trifecta of AI risks

Episode Date: February 19, 2026

There’s a lethal trifecta of AI risks: access to private data, exposure to untrusted content, and external communication. In this conversation, Risky Business host Patrick Gray chats with Josh Devon, the co-founder of Sondera, about how to best address these risks. There is no magic solution to this problem. AI models mix code and data, are non-deterministic, and are crawling around all over your enterprise data and APIs as you read this. But in this sponsored interview, Josh outlines how we can start to wrap our hands around the problem. This episode is also available on YouTube.
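The trifecta above, expressed as a deterministic check on tool calls rather than a plea in the system prompt. This Python is an added illustration written for this page; it is not Sondera's product code and not Simon Willison's. It keeps a running record of which legs of the trifecta an agent's trajectory has already touched and refuses whichever tool call would complete all three, alongside the kind of hard dollar cap and "sensitive data means no open web search" rule the interview describes. The tool names, the leg each tool contributes, the 100 USD cap and the sample trajectories are all assumptions constructed for the example.

```python
"""Default-deny tool-call gate over an agent trajectory.

Added illustration for this page, not Sondera's code and not Simon Willison's.
Tracks the three legs of the lethal trifecta (private data, untrusted content,
external communication) across a trajectory and refuses the call that would
complete it. Tool names, leg assignments and the USD cap are assumptions.
"""
from dataclasses import dataclass, field
from enum import Flag, auto


class Leg(Flag):
    NONE = 0
    PRIVATE_DATA = auto()
    UNTRUSTED_CONTENT = auto()
    EXTERNAL_COMMS = auto()


TRIFECTA = Leg.PRIVATE_DATA | Leg.UNTRUSTED_CONTENT | Leg.EXTERNAL_COMMS

# Hypothetical tool registry: which trifecta leg(s) each tool call brings into
# the agent's context. Anything not listed is refused (default deny), so a
# tool the agent writes for itself cannot run until someone classifies it.
TOOL_LEGS = {
    "read_crm_record": Leg.PRIVATE_DATA,
    "read_inbox": Leg.PRIVATE_DATA | Leg.UNTRUSTED_CONTENT,
    "fetch_url": Leg.UNTRUSTED_CONTENT,
    "web_search": Leg.UNTRUSTED_CONTENT | Leg.EXTERNAL_COMMS,
    "send_email": Leg.EXTERNAL_COMMS,
    "transfer_funds": Leg.EXTERNAL_COMMS,
}

# Deterministic cap applied regardless of what the model "decided" (assumed value).
MAX_TRANSFER_USD = 100


@dataclass
class Decision:
    tool: str
    allowed: bool
    reason: str


@dataclass
class TrajectoryState:
    legs: Leg = Leg.NONE
    decisions: list = field(default_factory=list)

    def evaluate(self, tool: str, args: dict) -> Decision:
        """Gate one tool call; only allowed calls update the trajectory state."""
        if tool not in TOOL_LEGS:
            return self._record(tool, False, "tool not in allow-list")

        after = self.legs | TOOL_LEGS[tool]
        # Whichever leg arrives last is the one refused: an external call once
        # private data and untrusted content are in context, or a private read
        # once the agent already has a channel out and untrusted instructions.
        if (after & TRIFECTA) == TRIFECTA:
            return self._record(
                tool, False,
                "lethal trifecta: private data, untrusted content and external "
                "communication would all be in context",
            )

        if tool == "transfer_funds" and args.get("amount_usd", 0) > MAX_TRANSFER_USD:
            return self._record(tool, False, f"amount exceeds cap of {MAX_TRANSFER_USD} USD")

        # Allowed: the call's contribution becomes part of the running state,
        # so later calls are judged against everything the agent has touched.
        self.legs = after
        return self._record(tool, True, "permitted")

    def _record(self, tool: str, allowed: bool, reason: str) -> Decision:
        decision = Decision(tool, allowed, reason)
        self.decisions.append(decision)
        return decision


def run_trajectory(calls):
    """Evaluate (tool, args) steps in order and return the list of decisions."""
    state = TrajectoryState()
    for tool, args in calls:
        state.evaluate(tool, args)
    return state.decisions


# Constructed trajectory in the shape a prompt-injected agent takes: read a
# customer record, fetch a page carrying an injected instruction, then try to
# mail the record out and finally fall back to a tool nobody approved.
EXFIL_TRAJECTORY = [
    ("read_crm_record", {"id": "cust-4711"}),
    ("fetch_url", {"url": "https://example.invalid/page"}),
    ("send_email", {"to": "someone@example.invalid", "body": "..."}),
    ("shell_exec", {"cmd": "curl ..."}),
]

if __name__ == "__main__":
    for d in run_trajectory(EXFIL_TRAJECTORY):
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} {d.tool:16} {d.reason}")
```

The state is ordered, which is what makes this a trajectory check rather than a per-call allow-list: the same send_email call is fine for an agent that has only read private data, and refused for one that has also fetched untrusted content. The cap rule shows the other half of the interview's point: a denied transfer stays denied no matter what the model was talked into.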

Transcript
Starting point is 00:00:04 Hi everyone and welcome to another edition of the Soapbox podcast here at Risky Business. My name is Patrick Gray. For those of you who are unfamiliar, Soapbox is where we sit down and have a wholly sponsored chat with a vendor or a startup. And yeah, these things are wholly sponsored and that means everyone you hear in one of them paid to be here. So today we are chatting with Josh Devon. Josh is the co-founder of Sondera. And prior to that, he was actually the co-founder of Flashpoint, which is a company that many people in the cyber security discipline may have heard of. But now, of course, you know, not content with his post-acquisition riches. You know, the life on the mega yacht got a little bit boring. So he's decided to come back out into Founderland and start Sondera. Josh,
Starting point is 00:00:51 welcome. Good to see you. Yeah, no. Hey, Pat. Good to see you. As always. Now, in addition to then being a sponsor, I'm planning on doing some advisory work with Sondera. And of course, they're a Decibel founded company. And Decibel is a part owner of the Risky Business podcast. But Josh, like, let's just step through, I guess, how to tackle all of this, right? Because it's a big topic. Why don't we start with defining the problem space
Starting point is 00:01:16 that you're trying to tackle at the moment, which is AI agents crawling around everywhere doing God knows what? I think we've had a bit of insight into how this can go wrong lately, just by looking at what people are doing with OpenClaw. But why don't you walk through, I guess, you know, define the problem space that you're in at the moment and
Starting point is 00:01:39 what you're trying to do, because it is interesting. I think at a fundamental level, what we're trying to unlock is like this agentic era, right? Like, agents are amazing precisely because they are non-deterministic. And if you have a lot of minions and you could trust them, you could do a lot of things. And while you sleep, the minions can go work. And I think like, that's the future that we want to unlock and I think where the organizations and enterprises are truly going to find the value. You know, we, the way I think about it is, you know, Gen AI is kind of like the engine and agents are kind of like the automobile around the engine. We're not going to go into work and have hundreds of chatbots. We're going to have Waymos driving around. And in order to do that,
Starting point is 00:02:24 they have to be really trustworthy. Now, trustworthy is a combination of both like reliability, like, will this thing drive me to the airport and get me there most of the time? And then governance. Like, can it do it without running over 14 people, right? Like, it can achieve the goal reliably, but it has to do it in a way that satisfies, like, the conditions that I've set. And I think that's the unlock and the problem space that we're going after. It's how do we enable us to put these agents on longer-term missions that can achieve,
Starting point is 00:02:55 you know, harder and harder goals by laying down, like, deterministic lanes in which they can operate, but letting them have that, you know, unique non-determinism, which is what makes them so special as a technology, but bound that autonomy. And, you know, we have this saying, you know, with humans, right, where it's like sort of principle of least privilege with humans in terms of like, you know, passwords and, you know, but with agents, it's really like a principle of least autonomy. How do I continue to give this agent more and more superpowers while continuing to restrict its autonomy as I give it more powers. And that utility, you know, safety, regulation, compliance, all those tradeoffs are what we're
Starting point is 00:03:38 trying to do with our product and allowing folks to set specific deterministic rules around their agent behavior that they know they can rely on. You know, today we have a lot of what I call prompt and pray, which is, you know, we put into the system prompt, you know, please, please, please, if we put it in capital letters, we're like, oh, this, I really mean you have to follow this every time. And we know that, you know, the agents won't. And so that non-determinism is both like a risk and the value. And we're trying to reduce the risk and cut the tail off. So hopefully that explains at a high level. I mean, partially, right? I think one of the problems there is that, you know, I've asked you to define the risks. And fair enough, you gave me a
Starting point is 00:04:21 metaphor, which is around cars. How do we stop a Waymo or a Tesla from running down 14 people on the way to the airport, right? So, okay, cool. What is the Corpo-like enterprise equivalent of agentic AI running over 14 people on the way to the airport? What does that look like inside an enterprise, you know, brass tacks? The biggest risk really for businesses, I think today is what Simon Willison calls like the lethal trifecta, which is anytime an agent has access to private data, exposure to untrusted content, and the ability to externally communicate, that means you have an agent that's susceptible to prompt injection and could exfiltrate data. And I think data concerns are really primary when it comes to Gen AI. And in addition, agents present
Starting point is 00:05:11 another challenge to traditional like data governance. So not only do you have to worry about the perimeter and exfiltration, but you have this issue of data mutation as well. You know, agents can go and just mutate data inside the perimeter that your DLP tools and et cetera might not see. So that's a huge, a huge risk. Another risk you have is around, like, identity. And Pat, actually, you and I were talking about this a little bit where, you know, if you can't attribute, you know, who's doing what with agents versus humans, you can take on a lot of risk as a company, as an employee. I've seen, you know, when it comes to horror stories, you know, people's jobs have been on the line because their agent returned, say, a file that
Starting point is 00:05:56 they weren't necessarily supposed to have access to. Who's the insider threat? Is it the human? Is it not? I've had banks ask me, you know, if, say, a vulnerability, we're using coding agents and a vulnerability gets in the code, okay, fine, you know, some vendor, we find the vulnerability. But how do I know what kind of problem I have? Do I have an insider in the developer? Did the agent get hijacked? Did the agent just hallucinate? How would I know? And so having that observability, I think, is going to be, you know, really critical. And if you don't have that, you're taking on risk of like, you know, unknown risk of who's doing what in my organization. And I think then we've also seen just as a risk that
Starting point is 00:06:37 our current tooling like EDR, et cetera, just is, is not able to constrain agent behavior because EDR can't see these logic-based attacks where, you know, I'm prompt injecting an agent to open up a web browser and go to a website and go do a thing. There's no like malicious software being detonated. And so basically, I always, I always call these prompt injection attacks. I mean, it's basically social engineering for robots, right? So like, how are you going to, how you know, you need to use similar defenses as social engineering, which is limiting what the agent can do, which is limiting what people can do, right? Like remove footguns from people and from agentic stuff.
Starting point is 00:07:20 100%. And I think that's the first principles thinking that we're approaching this problem space of just like humans, I have to assume they're going to be, you know, prompt injected. Like humans get phished, they get prompt injected. Same thing. The models, you know, can easily get phished or prompt injected. They can have, you know, emergent misalignment. I just have to assume, you know, like we say,
Starting point is 00:07:44 this is the other, you know, we say in security, right? Like assume breach. We have to assume prompt injection, right? Like it's the only way that you can really do this. And so the way that then you have to govern these agents is through the behavioral controls, just like we do with humans. And, you know, with humans, we have key cards and locked doors and we prevent bad ideas from happening through behavioral controls. And that's what we've got to do with the agents because we have to assume that they'll be prompt injected, and so we're going to stop behaviors that we see that we don't want them to do. So if I prompt inject an agent to, you know, send me $500, I have to assume that the agent will get prompt injected, and I'm going to put a policy against a tool call that says, hey, if you're
Starting point is 00:08:29 doing more than $100, you're not allowed to, even if the agent is prompt injected. And I think it's those types of deterministic controls that are going to be necessary to give us, you know, the confidence that we know that these agents aren't going to, you know, when you talk about risk, it's like, well, they could just decide to send lots of money to someone if you have an agent that can, you know, send money, you know. So here's the thing, right? My colleague James Wilson has recorded a solo podcast, but he's looked at OpenClaw and I listened to it yesterday. And, you know, there's this really funny moment where he's like, you know, he needed to give OpenClaw access to like one of his social media accounts or whatever, but he didn't want to give it access to his
Starting point is 00:09:07 browser. So OpenClaw's like, that's fine. Just give us these cookies. Yeah. You know, and he gave it the cookies and off it went, right? So, you know, at no point does the API or whatever, you know, wherever these cookies are being used, does it know that it's an agent and not a human being, right? So I dig it that like what you're saying is, oh, well, we can put these guardrails around the agents, but how, right? Like, if these things start getting access to API endpoints, right, and they can just ask the user, hey, I'm going to make your life easier. Give me that API key and the user pastes it in. Like, what?
Starting point is 00:09:41 You know, I'm guessing this is a problem that you're spending a bit of mental energy on. How do you deal with that? Yeah. No, totally. And again, so if we go with the, you know, the first principle of assumption of it has to start with behavior, what we're effectively building and I'm using like, you know, there's two terms I think that are worth, you know, calling out, that the AI/ML, you know, researchers use. One is like scaffold.
Starting point is 00:10:09 So a scaffold, an agent scaffold is what wraps around an LLM and gives you the, it gives it the ability. So like Claude Code, for example, is a scaffold around like Opus 46 and you're giving it a set of tools, a certain set of instructions. And that makes it the agent. There's also something called a harness. A harness is what we're building that basically wraps the agent itself in the scaffold. And effectively, what we're doing is man-in-the-middling the entire trajectory. And every single step, we are evaluating that through a policy engine that uses policy as code to verify that the agent is doing something that is allowed. So we can create rules like, you know, if an agent, you know, pulls GDPR sensitive
Starting point is 00:11:00 data, it's not allowed to use open web search tools. And if it tries to, we can notice that in the trajectory and then stop the tool call. And we can either, you know, you know, outright deny. We can try to steer the agent. So say, hey, you're not allowed to do that. Try again. We can escalate to human in the loop depending. But that's, you know, one big piece of how we're like in real time doing that. And there's obviously, you know, more layers to go in there. But that's how we're doing it. We're inspecting the, you know, the deep inspection and stateful inspection of the trajectory itself and then stopping it in real time if it's breaking a policy. I mean, isn't one of the issues there, though, that the agents, as they're non-deterministic, I mean, that's another way to say that they're sneaky. Oh, 100%. And you're going to tell it, oh, you can't do it this way. It's going to try something else, right? So you're spot on. And like, this, I think, we were talking about this earlier, like, this is, I think, like, one of the maybe bigger unappreciated risks. And it's kind of like a scaled down version of the paperclip, you know, problem where it's like, you know, I make the,
Starting point is 00:12:06 I make paper clips and it decides the best way to make paper clips is to like kill all the humans so it can make as many paper clips as it wants. Like, I feel like we have that situation, but using that as an example makes it so far-fetched that it's hard to realize that like the risk isn't necessarily that you tell the agent to go do a thing and it just turns into, you know, it goes berserk and like, you know, turns into like the Terminator, it's more like you're saying, you have a hyper-competent, super eager to please, you know, agent that is going to find a way. So, for example, it's going to invent, it's going to invent DNS tunneling just to get it on, you know?
Starting point is 00:12:42 Well, well, it will, so using OpenClaw, for example, we were doing a research extension for that and building out a version of, you know, the sort of what we're building with policy as code to prevent OpenClaw from, you know, running rm -rf and all these things. And so as I was testing it, you know, to, you know, hey, try to do this or try to do that, delete this file, delete that file, it found many other ways to delete files that didn't, like if, if I blocked rm -rf, it's like, oh, let's use rm, well, I can, you know, move, move to, you know, trash. I can find, you know, there's, there's so many different permutations. Well, I mean, one of the things that I love about open code, I didn't know this until I
Starting point is 00:13:23 listened to James's podcast is it manages its own config files as well, right? Yeah. How do you put a harness on that? Yeah. So we actually in, in a policy pack that we created, um, we created a deterministic set of rules to protect the system files so that OpenClaw isn't allowed to, you know, rewrite its own heartbeat. Because, you know, there's a, there's a Shai-Hulud waiting in OpenClaw, right? Where, you know, this agent can get prompt injected, rewrite its own, you know, rules to, you know, every five seconds, reach out to other, you know, like there's this, you know, something that we can see here. And being able to block the behaviors is really where it's at. One of the cool things that we're using through our approach, and we've published about this,
Starting point is 00:14:10 we're using Amazon's policy language Cedar, which has really great properties. But one of them is that it's a forbid all, like by default language. So it allows you to sort of, you know, deny the entire action space and then specifically allow different types of tool calls as a way of sort of constraining that for higher risk situations. Then, you know, I'm going to try to, you know, I can't get every single edge case. And, you know, so that denial, I think, can be really, you know, helpful. The other thing that we're doing as part of our harness is we have a simulation piece. So I see like a lot of people struggle with, you know, just like what we talked about at the beginning of this conversation.
Starting point is 00:14:56 It's like, well, what are the risks? It's like, well, what's your agent do? You know, like, so many people struggle with, you know, because each, you know, each type of agent has specific risks. Like, I can set a rule like don't steal. Like, yeah, I want none of my agents to steal. But every agent can steal differently. Is it sending money?
Starting point is 00:15:14 Is it sending data? What? So, you know, we have, we use simulation to, you know, test that sort of action space and see, you know, where can we find, you know, edge cases and what, you know, can we get this thing to exfiltrate data? Can we get it to leak tokens? Not really red teaming it, the model to try to get it to say a bad word or, you know, looking for vulnerabilities, but like what toxic flows and trajectories can we get this agent to do and then use that, yeah. Just hold on. Before we, before we, you know, continue with the simulation
Starting point is 00:15:47 stuff, because there's some interesting stuff to talk about there. Let's talk. Let's talk brass tacks, you know, again, going back to that, those two words, brass tacks, about, like, let's talk about what you've actually built, right? So we know you've got a harness. Where does that harness live? You know what I'm like, man, I like to talk about things in real simple things. Is it a cloud platform? Does it arrive in a taxi? Does it drop out of a tree? Do you spin it up on an endpoint? Like, you know, how, how, what is the thing that you have built? So basically, the harness connects into a control plane. And the control plane can be deployed in different places.
Starting point is 00:16:21 And I should say, like, the harness has a policy engine. That policy engine can be deployed on-prem. It can be deployed as a sidecar. You can send it to the cloud, and we can host that. But we are under the impression that agents are going to be everywhere, even air-gapped, you know, and we're going to need to have rules that can be applied to them, even if they don't have internet connections, right? like either on a thumb drive or something, right?
Starting point is 00:16:47 Like, so we've deliberately built the harness and policy engine to be able to be deployed very, very easily in all those different environments, VPC. So the harness just goes anywhere where the agent is, right? The control plane itself can also be hosted wherever. VPC, we can do a managed host, you can host it locally. And that's where your policies live, your policy studio. And like, what we see is that folks are, can take their system prompt. So, you know, in our system prompts, we have a lot of, please, please, please, you must never, if it's more than this, you must always do it in this order.
Starting point is 00:17:26 You know, all those like, you know, things that we put in a system prompt. We take all the natural language policies that enterprises care about. So I've had folks ask me, you know, how do I apply my acceptable use policies? How do I apply my employee handbook? How do I apply the EU AI Act? We take all of that natural language and through a process called auto formalization, we pull out like these logic statements, like what are the obligations, permissions, prohibitions contained in these natural language, and we then convert that into policy as
Starting point is 00:18:02 code. And again, as I mentioned, we're using Cedar. So we're able to verify this code. We're able to resimulate. I mentioned simulation. We can talk more about it, but resimulate to see, you know, are these policies working in the way that we expect them to? No is always going to be the answer there. Just before you continue, though, like, where you, you know, when you're using, you know, agents from the majors, how do you apply, like this harness to, you know, sort of enterprise-grade stuff that's in the cloud? How, what's the deployment look like there?
Starting point is 00:18:31 Sure. We are in, like, as a good example, like, we've got hooks into, like, say, Claude code and cursor and GitHub's CLI and sort of like the agents that are like most widely deployed right now, in my opinion. And different organizations have different, like I would say quality of hooking. We're deeply, deeply integrated with like Claude Code and cursor and others, I think, are beginning to open up their ecosystems when they're kind of like a walled garden. But basically-
Starting point is 00:19:03 Was this going to be like Microsoft when they didn't build like network taps in Azure for like 15 years or something? Is it going to do kind of like that? Well, there are ways like, you know, we're talking about like what's the deepest integration that we can get. We also can use things. And others have done this too, like using like LLM and proxies and such that, you know, we can sort of like get what we need to no matter what.
Starting point is 00:19:27 It's just how deeply we can get integrated with certain types of agents. But what we've built is meant to be instrumented. Where they've made it easy, you've integrated it. Where they've made it hard, you can sort of proxy everything. and infer from that like most of it. Yep. Yeah, got it. Got it.
Starting point is 00:19:42 Sorry, all right. So back to simulations. What sort of stuff? You know, I mean, you can call it a simulation. You know I don't like that word. For some reason, it just sticks in my craw. But, however, however, you know, say we were to call it a back test, right? Maybe that's a better word to make me happy.
Starting point is 00:20:00 I've had engineers almost call it like a unit test for the agents. It's sort of like, you know, in this action space, like, how do I test this? And, you know, the simulation, I think we use that word because, like, you know, as we, as we, as we sort of see it, there's a spectrum of like simulate, emulate, digital twin, you know, and you can get very sophisticated with like cyber ranges and all of that. What we're really trying to do is like starting at, you know, the simplest, fastest way to stress test these agents.
Starting point is 00:20:32 And to your point that we call that simulation, but basically we have an adversarial LLM that takes the agent under test and then, you know, perturbs it with basically tool calls. And again, it's specifically focused on, you know, the action space. Like we're not trying to get it to say bad words or like, you know, it's, it's what, what risky behaviors can we get it to do? We can monitor for all the bad words and do all of that stuff too. But to us, that's like, you know, that's like sort of the easier problem. It's like, how do we get, you built a digital devil-on-the-shoulder LLM that can go and try to trick all the other LLMs into doing naughty stuff. And what's cool then is that we can, one, test policies that may already exist on that agent to see
Starting point is 00:21:20 if they're being effective. And two, we can bring threat intelligence into that simulation as well. So, you know, yes, there will be new edge cases. There will be new, you know, agents will get new capabilities, when a model changes, might the agent try to do something that it hasn't done before? And as we move towards the space where, you know, agents are going to be creating their own tools, agents are going to be creating other agents, there's going to really be a need to, you know, understand, like, what the potential is, like, what really are the potential risks here? And so the way I see it today is, like, a lot of folks are just, we get a spreadsheet and we get in a room for the next 18 hours to 18 months.
Starting point is 00:22:00 And it's like, can you think of a risk, Pat? Pat, can you think of a risk? And like, you know, that's like, you know, it's like, oh, that takes a long time. So, you know, this, I think, can help jumpstart that and get all the teams aligned. Like, what does security team? Well, it's also, it's also, you know, with that sort of spreadsheet manual thing, it's sort of like the network graph problem a bit, I guess. You know, it's like trying to do a BloodHound graph by hand. You know, like it's just going to, it's going to take, you're never going to find it. You're never going to find the subtle paths to an LLM doing something that bothers your compliance team, right? So, you know, with that in mind,
Starting point is 00:22:37 tell me what sort of stuff you've found, what sort of stuff shakes out of these simulations? Fine, we'll call them simulation. But what sort of stuff, what sort of stuff shakes out of these simulations that we're, you know, what sort of changes are being simulated in the first place? And then from there, how do you actually go about setting some guardrails, redoing the simulation or back test, and then being able to, off you go. Yeah. Think of simulation as something that can kind of be running
Starting point is 00:23:07 all the time. Like I kind of think of it as like we're constantly like stress testing. What's coming out is like things like can we get the agent to, you know, send money more dollars than we want it to? Can we, it really depends
Starting point is 00:23:26 like what the agent is under test, right? Like so can we, you know, get it to leak tokens, can we get it to, you know, manipulate internal data? So really it's like taking all of the, you know, like all the OWASP, like top 10 things that you might worry about. See if we can see that. We can also do things like, hey, might this thing go into like some infinite cost loop where it's going to try really, really hard and rack up a huge cloud bill, you know, things like that.
Starting point is 00:23:58 So there's a whole spectrum of like risk. that different, like, folks will care about, whether, you know, a CTO cares about, again, like, I have cost control risks or a GRC team needs to know, like, what controls do I have against, you know, particular risks that are popping up. So, you know, with things like Claude, it's like, you know, can I get the, can I get Claude to, like, jump directories or, and the answer is, you know, yes, you can get it. We've all had, like, weird, you know, all had to do weird things. So, you know, those are the types of like, you know, risks that might emerge. And then like, we take all of that. And that's part of that like auto formalization process that I mentioned of like, what is this risk
Starting point is 00:24:38 register? What is the agent like what we call the agent card? It's sort of like, what is this agent and its capabilities? Like, are we hiring an intern with photocopy access or a CFO who can send, you know, dollars? And we then have a process and like a pipeline that takes the natural language for the policies that you want, that takes the simulation, that takes what the agent's capable of, and then creates, like, bespoke, you know, policy as code for every agent that restricts the agent's autonomy in the way that we want it to for that agent while still allowing it to succeed.
Starting point is 00:25:13 You know, part of, like, why simulation is also important, especially when you're adding policies, it's like, you know, I can make the Waymo perfectly safe by making it not be able to drive. Like, you know, it's 100% safe. But, like, we always have this, like, you know, tradeoff between utility and safety, and I think simulation can help us, you know, help make those tradeoffs and what policies might we need to mitigate X, Y, and Z. And so that process of simulate, what rules do we need, real world observability, continuous simulation we see as like a virtuous
Starting point is 00:25:45 flywheel to really continually update the policy as code because the, a real, a challenge that folks have, that tend to bring up is the fact that, like, unlike humans, like, you know, Pat, you're an incredibly smart person, but like, you don't come back tomorrow and you're like, you know, oh, by the way, I learned differential calculus last night and I can do all these things that I couldn't do before. But agents are like that. So, like, they, you might get a new model release that it just, the agent starts, I don't know, coding its own tools that you didn't, it didn't do before, you know. Well, how do you, how do you catch that? I mean, how do you catch that? Because you're going to design a policy based on what the agent can do or what, what skills it shows during the simulation. What if it picks up, you know, like Neo from the Matrix all of a sudden it knows Kung Fu. Like, what do you do then? It's, um, I think that's again why you have to continually be constraining the autonomy of the agent. So default, default deny.
Starting point is 00:26:45 But understanding like, you know, you might like, I don't know, I'm making this up, but like if the Waymo got a rocket pack, you know, it could start like doing things. Well, maybe there are certain areas that you would allow that, but other areas you're going to constrain. So it's least privilege, I guess is what you're getting at. It's least privilege. It's sort of like allow-listed permission. Well, we say least autonomy. Least autonomy, really. It's like, you know, again, like a lot of these rules are probably going to stay the same in the sense of like, you know,
Starting point is 00:27:09 okay, none of our agents are allowed to blackmail or, you know, we don't, we, but the way that agents can, you know, do this behavior will change. And that's why simulation is going to be so important. And it's going to be really important to be able to put controls around the agents that are outside of the model. Because like, let's say you've got a fleet of agents doing your business and, you know, suddenly this emergent behavior appears because, you know, pick your model, you know, version 17 came out. Well, I can't go to my customers and be like, well, we have to shut everything off and tell all these people, tell them to retrain the models because we don't like it. You know, I have to have external controls around the model that can prevent it from doing anything
Starting point is 00:27:53 that I don't want to. And so, you know, and what we're getting at, of agents creating tools, you know, that's programmatic tool calling, right? Like, I give the agent an API spec. And I think if we're seeing in simulation that in response to, you know, some, you know, hey, I want you to do this and I'm blocking another thing and it starts writing its own like, you know, tools, you might say, hey, does this agent need bash? What do we need? You know, like, you know, like what? By the way, something you said earlier too, which is directory traversal via Claude, I didn't realize you could dot dot slash an LLM. That's quite amazing about how everything that's new, everything that's all
Starting point is 00:28:29 is new. Yeah, I know. Claude will sometimes come out. And like, um, uh, the thing is though is that like, I don't want to, like to me, I want this to what we're building to be a green light product, right? Like I believe in this stuff. I want these agents running. I want people in YOLO mode on their, on Claude code.
Starting point is 00:28:49 Like, I've used YOLO mode and Claude Code in sandbox. It's awesome, right? It's the way that you want it to be. But, you know, for an enterprise, I can't be in YOLO mode. But if I have the lanes that I can constrain YOLO mode inside, you know, like, yes, I want the YOLO. And so this is what we want, right? We want to be able to go to sleep and wake up. And it did the thing that we wanted to do. Yeah. You want to go away, make a cup of tea. You want to come back. That task is finished, or nearly finished. I mean, and that's where we're headed. I mean, like, that's like, you know. You know, it's not the first time, though, right? So I'm sorry, I just got to tell an anecdote briefly, which is my father was a mathematician. And he wrote some textbooks and whatever, and he used to have to hand draw graphs.
Starting point is 00:29:42 Then computers came along. And I remember watching my dad sit back with a cup of tea, watching Derive, which was the maths package that back then plot out a 3D graph. And he would just sit there in front of the computer with a cup of tea or a glass of scotch watching it appear. You know, to him back then, this was the equivalent of people watching Claude write their application. It's just funny when I think about that sort of cyclical nature of technology, you know?
Starting point is 00:30:17 No, and I bet he was feeling the same thing we are now when I'm watching Claude. I'm like, why are you so slow, Claude? You know, like, why are you taking so long to do this? No, I mean, I think for him, it was just incredible. Like, it was just this incredible thing. You know, I must have, I've seen him, I just, he did a lot of plotting, right? Like, it's part of the gig. And all of a sudden, as a mathematician, when all you needed to do is write a few lines in a text file
Starting point is 00:30:39 and bang, out came this, you know, this plot that to do it by hand is like, you know, full on. Absolutely full on. Yeah, anyway, sorry, you just triggered a memory there, had to share. childhood memories with Pat Gray. Yeah, no, I guess maybe you did learn differential calculus. I mean, my qualification is in engineering, so yeah. Yeah, you know.
Starting point is 00:30:59 Well, you know what I was saying. The complexity of the problem, I think, for enterprises, and I think the approach that we're really trying to take here is, you know, a lot of folks are figuring out, like, okay, we're figuring out this identity stuff, right? Which agents, which and like the humans versus the agent. A lot of folks are figuring out like the gateways and like you've got like these MCP gateways and agent gateways. And these are sort of like, you know, can the agent like start the mission? Folks are figuring out the posture management and all of that.
Starting point is 00:31:32 But I think it's like the space that we're focused on of like while the agents are in motion, how am I applying my organization's policies at scale to all these different agents, some of which, you know, might be in different countries and different teams and like, you know, just talking to a large bank, for example, they're like, you know, we're in 180 countries. Like, how are we going to, you know, prove to regulators, auditors that, like, all of our agents and all these different countries, like, operated according to their bespoke laws and, you know, all of that stuff. Well, then there's, then there's the issue of, like, what people are calling shadow AI, right, which is not your wheelhouse, right? Like, your wheelhouse is dealing with the sanction stuff. Are companies like push security there good at actually, you know, because they're into the browser. They're very good at finding when people are using AI agents that are unsanctioned. But that's a huge problem. I think Ireland, the browser maker, they do it as well.
Starting point is 00:32:29 Yeah, like I think, you know, we can like to work on like agent shadow stuff. It's a little bit trickier because, you know, agents are beginning to show up everywhere. So like, for example, you know, we were talking about Windows a little bit earlier, but like, you know, whatever the next version of Windows is, like, are we're going to have agents built into that thing? So it's like, so, you know, you're going to start seeing these things like built in natively into the OS, into like the endpoint, into the edge. But I mean, that's okay. If it's like, if it's in Windows, like there's going to be some sort of enterprise instrumentation-y sort of features because, you know, that's fundamentally, Microsoft makes business software. But I get your point, which is that this stuff is going to be
Starting point is 00:33:12 everywhere. Now, I just want to quickly move on to a slightly different part of the discussion, which is that, you know, this is early for you. There's been a bunch of people who've spun up like some fairly rudimentary like Arbach plays for AI. Some of them have even been acquired, I think. Like there's all sorts of M&A activity and it's like, do you even have a complete solution yet? So whereas you're doing, I guess, something more comprehensive that's going to take a bit more time. It's like a more complete solution. That said, you've barely even launched. yet. You're currently working with design partners at this point. You know, you just mentioned, oh, you're talking to a bank with, you know, in 180 countries. Are these the type of organizations
Starting point is 00:33:52 that you are trying to serve, these large sort of institutions in heavily regulated industries? Is that the go here? Is that who you're working with? Yeah, I mean, I think like, we're really eager to solve the hardest problems, like, and where we see, you know, highly regulated enterprises, finance, health care, insurance, even some aspects of manufacturing. You know, this is an area where there's so much to gain, but the risks are very high. And, you know, we want to be working on, like, solving those. So, like, yes, some of our, we're working with some very large, you know, enterprises that are, you know, pushing ahead with, like, agent stuff.
Starting point is 00:34:37 the other is, you know, so I would say like, one, we're talking to security teams that are doing that. Two, we've also been sort of pulled into several of the AI platform teams inside these large enterprises who, you know, are like, I think what we're saying is like, I believe we're building the right thing. What I find is that like other organizations are trying, either, they're trying to build some version of this. And I think getting stuck around like, how do you deal with this? This is the same old enterprise play, which. is everybody's trying to do it themselves and they don't really have the time, the focus, the team. Yeah, and well, some of them are doing it, but it's like very tricky. Like, a lot of folks are trying to use, like, well, hard code rules into like API calls and stuff like that. And, but that
Starting point is 00:35:25 becomes very brittle and it's hard to do across like different agents, whether they're from different frameworks and stuff like that. So we're trying to make it easy to have that single control plane in the enterprise that allows you to apply a single policy to all these different agents. And I think that's going to be really critical to get these things up and running. The other area that we're working with design partners is if I'm, is folks who are building agents to sell into the enterprise and either will have to expend significant resources in building their own guardrails and attestations of like, this is how our agent, you know, isn't going to do bad things. Or, you know, they can work with us and like, you know, we're helping sort of almost like a, you know, I don't want to have to build user manager if I can use, you know, a vendor that gives me user manager.
Starting point is 00:36:17 That's not, you know, we don't add and get any value by, you know, building user manager ourselves. So those are folks where we're sort of accelerating the sales cycle for startups and also enterprises that are building agents to sell into other vendors. And so those are like our use cases. So anyone really building agents or concerned about the coding agents and like making sure that they have visibility into them and can put like, you know, rules like, you know, don't commit secrets, you know, is like a big one. Can we get visibility into, you know, is it the human or the agent doing things? That's another big one. And so those are like some of the early use cases around the coding agents as well as folks building agents, but maybe don't have the same level of expertise. we have. Josh, fascinating, fascinated to chat to you about all of that and about what you're
Starting point is 00:37:08 building. Yeah, we're going to be talking to you a bunch through the rest of 2026. And I think you're doing your hard launch in a couple of weeks. So all the best with that. And yeah, we'll be chatting with you soon. Thanks so much, Pat. It really was a pleasure. I loved hearing your anecdotes also.