EP 29 — Age of Learning's Carl Stern on Why Certifications Are Side Effects, Not Final Goals

EP 33 — TELUS’ Jesslyn Dymond on the Gap between AI Use and AI Literacy in Enterprise Adoption

TELUS [https://www.telus.com/en] didn't wait for generative AI to arrive before building governance infrastructure. Jesslyn Dymond [https://www.linkedin.com/in/jesslyn-dymond-94306419/], Director of AI Governance & Data Ethics, joined the company in 2019 to stand up responsible AI practices alongside the machine learning teams building them, which meant that when generative AI hit, the governance scaffolding was already there. Jesslyn walks through the specific structures TELUS uses to govern AI at scale: a CEO-led AI board that includes the CIO, Chief AI Officer, and Chief Data and Trust Officer; a network of hundreds of data stewards embedded across business units and appointed by VPs; and a unified intake process called a Data Enablement Plan that consolidates privacy, security, and responsible AI review into a single workflow instead of separate forms and sign-offs. Jesslyn also shares how TELUS certified its first generative AI customer support tool to the international Privacy by Design standard and then had it independently audited, and what that process required the team to work through on transparency and user experience. She makes a pointed case for why shadow AI is best addressed with access to better internal tools rather than policy restriction alone, explains how her team grades levels of agency within their agentic AI framework to determine what controls need to be in place before approving systems, and describes how TELUS took the concept of purple teaming out of the security world and applied it to AI governance, including running those sessions with students and the general public. Topics discussed: * Building proactive AI governance infrastructure before adoption by embedding responsible AI practices alongside ML development teams * Structuring enterprise AI oversight through a CEO-led board including CIO, Chief AI Officer, and Chief Data and Trust Officer * Deploying VP-appointed data stewards across business units to connect governance policy with on-the-ground AI implementation * Consolidating privacy, security, and responsible AI review into a single Data Enablement Plan to reduce friction and improve compliance  * Certifying a generative AI customer support tool to the international Privacy by Design standard and navigating external audit requirements * Grading levels of agency within an agentic AI framework to determine appropriate controls * Countering shadow AI by prioritizing internal tool access and functionality over policy restriction alone * Applying purple teaming from security practice to AI governance to test systems collaboratively across various teams

EP 32 — Polymer's Yasir Ali on Team Composition over Talent When Scaling Interdependent Platforms

Polymer's runtime security approach operates at the file and message level, intercepting content in real-time within workflows like Slack and Zendesk to redact, block, or grant granular access based on specific entities found inside documents. This contrasts with traditional perimeter-based security where access is binary: you're either in the club or out. Yasir Ali [https://www.linkedin.com/in/yasirnyc/], Founder & CEO of PolymerHQ DLP [https://www.polymerhq.io/], explains how financial services has operated under workflow-level distrust for over a decade, with every file interaction requiring labeling and ethical wall policies between trading and investment banking divisions, and why the rest of the enterprise world is finally moving toward this model. Yasir also touches on a critical gap in current security architectures: control planes across network, identity, and content layers don't communicate with each other. His team works to triangulate telemetric data from tools like Zscaler with Polymer's ground-level content controls, creating unified policy layers without forcing organizations into single-vendor platforms. He also addresses a tension in AI-powered security: probabilistic detection models work well for entity recognition, but policy enforcement must remain deterministic. You can't have AI deciding some days to block sensitive data and other days letting it through. Topics discussed: * Implementing runtime security at file and message level to enable partial document sharing based on entity-level access policies * Solving the binary sharing problem in unstructured datasets where traditional security forces all-or-nothing file access  * Adopting financial services workflow-level distrust model that requires labeling and ethical wall policies for all file interactions * Addressing enterprise AI adoption barriers through proper identity modeling for non-human agents and machine-to-machine interactions within IAM systems * Triangulating telemetric data across network, identity, and content control planes to create unified policy layers without vendor lock-in * Balancing probabilistic AI detection models for entity recognition with deterministic policy enforcement to maintain response certainty * Building enterprise software teams by prioritizing cultural fit and collaboration ability over hiring 10x engineers

EP 31 — Arbor Memorial's Teij Janki on why adding AI before fixing process amplifies weaknesses

Teij Janki [https://www.linkedin.com/in/tjanki/], CISO & Director of IT Governance Risk & Compliance at Arbor Memorial [https://www.arbormemorial.ca/en.html?utm_source=LinkedIn&utm_medium=SocialMedia&utm_campaign=LinkedIn], has spent 30 years moving through the full stack of security, and his view is that the sequencing most teams follow is backwards. His principle is that technology does not solve processes, it amplifies them. That means deploying a tool before fixing the underlying process weakness just scales the problem. The implication for AI adoption is direct and worth hearing spelled out. On the budget side, Teij makes a case that privacy legislation is a more reliable governance lever than cybersecurity risk alone because privacy laws carry consequences that executive teams will actually act on. He also walks through the gating sequence his team built for AI tool adoption wherein sensitive data gets slowed down and scrutinized, lower-sensitivity use cases move through faster, and staff have a service catalog to work from rather than a blanket ban.  Topics discussed: * Applying a people-process-technology sequence to security programs before introducing AI or automation tooling * Using privacy legislation as an executive governance lever when cybersecurity risk alone fails to drive budget decisions * Building a gating sequence for AI tool adoption that separates sensitive from low-sensitivity data use cases * Replacing blanket AI bans with a structured service catalog that lets staff self-select and move tools through approval * Identifying process weaknesses before deploying technology to avoid amplifying existing security vulnerabilities at scale * Progressing security from a technical cost center to a strategic business enabler using the CMMI maturity model * Applying martial arts principles of discipline, clear expectations, and target-setting to cybersecurity team leadership * Evaluating where generative AI delivers in security operations versus where magical thinking still outpaces real-world performance

EP 30 — Postman's Sam Chehab on Three Unteachable Traits He Hires For

At Postman [https://www.postman.com/]'s scale of 40 million developers generating billions of API requests, Sam Chehab [https://www.linkedin.com/in/schehab/], Head of Security & IT, centers on three enforcement domains: authenticated and encrypted data paths, zero-trust inter-service communication, and runtime instrumentation. His vendor evaluation is just as precise, cutting past feature lists to one demand: show me the architecture diagram and walk through exactly how your solution addresses my threat models. Sam identifies why generative AI creates fundamentally new risk: the combination of private data access, untrusted content processing, and external communication capability. This trifecta explains why browser-based AI is nearly impossible to contain; it touches local machines, queries the open web, and executes actions on your behalf. Sam also covers how he screens for three traits he can't train: initiative to self-direct research, attitude to absorb constant setbacks, and aptitude to process how rapidly this field moves. Topics discussed: * Implementing data path integrity, zero-trust inter-service authentication, and runtime instrumentation with immutable logs * Evaluating cybersecurity vendors by demanding architecture diagrams and specific threat model solutions rather than feature lists * Managing freemium platform security with anomaly detection, rate limiting, and abuse prevention across 40 million developers * Identifying AI security's dangerous trifecta: private data access, untrusted content processing, and external communication capabilities  * Building MCP generators that enable least-privilege API servers by allowing developers to select only required methods before deployment * Using AI agents to generate security tests during development, shifting validation from security teams to automated testing * Applying security hygiene fundamentals before adopting specialized vendor solutions * Hiring security teams based on three unteachable traits: initiative, attitude, and aptitude

EP 29 — Age of Learning's Carl Stern on Why Certifications Are Side Effects, Not Final Goals

Carl Stern [https://www.linkedin.com/in/carlstern/], VP of Information Security at Age of Learning [https://www.ageoflearning.com/], explains why forcing controls into place without executive alignment guarantees you'll fight uphill battles every single day, as people begin to see security as a blocker rather than a business enabler. Instead, he starts with identifying crown jewels and acceptable risk levels before selecting any frameworks or tools, ensuring the program fits company culture instead of working against it.  He also asserts that certifications like HITRUST and SOC 2 validate you're already operating securely; the real program is the daily processes people follow because they understand why, not compliance theatre. Carl also argues the cybersecurity industry exists at its current scale because of a systemic failure: companies ship insecure software without liability, pushing security costs downstream. Most breaches exploit preventable defects that should never reach production, not sophisticated zero-days.  Topics discussed: * Building security programs from scratch versus inheriting existing programs and why executive alignment prevents daily uphill battles * Treating certifications as validation of operational security rather than the primary program goal * Pairing administrative controls with technical monitoring to establish baselines before enforcement for unstructured data security policies * Applying three-part investment calculus for lean teams: measurable risk reduction, manual work automation, and crown jewel protection * Calculating true cost of 24/7 internal SOC coverage including shift staffing, turnover, training, and tooling versus managed services * Why attack patterns remain consistent across healthcare, education, gaming, and retail despite different compliance requirements * Explaining how AI lowers the barrier for exploit development and expands zero-day risk beyond traditional high-value enterprise targets * Arguing that the cybersecurity industry exists at current scale because companies ship insecure software without liability, pushing costs downstream