Kitecast

Diane Janosek: When AI Outruns the Law

49 min · Jun 24, 2026

Description

Dr. Diane Janosek is a nationally recognized cybersecurity leader and CEO of Janos LLC who advises organizations at the intersection of technology, law, compliance, and policy. With a rare résumé that spans a PhD in cyber leadership, a JD, practice before the U.S. Supreme Court, and senior leadership roles at the National Security Agency, Janosek brings a perspective that neither a pure technologist nor a pure attorney could offer. She describes today as an exciting moment in history precisely because artificial intelligence keeps producing what lawyers call "cases of first impression" -- novel questions the courts have never decided before -- and her dual background lets her see both the legal framework and the technical challenge at once. Much of the conversation centers on a deceptively simple question: Who owns what? Janosek illustrates how AI scrambles traditional notions of ownership and liability. When an AI tool rewrites your content, clones a narrator’s voice, or blends your proprietary idea into its own output, the lines of ownership blur, and liability and profitability follow close behind. Her practical warning to enterprises is blunt: Be careful what you feed into public models, because anything put "out into the ether" may no longer be protected or controllable. That risk is amplified by shadow AI [https://www.kiteworks.com/risk-compliance/shadow-ai/], and she notes that while larger businesses are getting smarter about controlling what employees push into outside tools, policing those edicts across multiple personal devices remains a genuine challenge. From ownership, the discussion turns to human oversight and the limits of regulation. Janosek explains her "risk-proportional approach" to keeping a human in the loop -- the greater the sensitivity of the data or the potential for harm, the more deliberately organizations should require human approval before autonomous AI acts [https://www.kiteworks.com/platform/compliance/compliant-ai/]. 
She frames the recurring theme of innovation’s pendulum, from Meta smart glasses that can covertly record strangers to Ring doorbell surveillance, where capabilities race ahead until something egregious forces a pull back toward the middle. She predicts AI regulation will likely follow the trajectory of cybersecurity law: voluntary guidance first, then state-by-state action led by places like New York and California, and eventually federal mandates -- though the hard questions of who enforces the rules and whether fines are proportionate to actual harm remain unresolved. The episode closes on the international dimension and practical advice for leaders. Janosek argues that AI and data governance [https://www.kiteworks.com/cybersecurity-risk-management/ai-data-governance-enterprise-risks/] demand cross-border harmonization, citing her West Point Cyber Defense Review piece on cyber threat intelligence sharing and the persistent uncertainty over whether the EU AI Act [https://www.kiteworks.com/risk-compliance-glossary/eu-ai-act/] will drive global standardization. Her counsel to CEOs who assume they are more prepared than they are is foundational and concrete: Know where your data physically resides [https://www.kiteworks.com/platform/compliance/data-sovereignty/], understand your cloud agreements and supply chain, catalog your data, and apply protection proportionate to the sensitivity of your "crown jewels." It’s a fitting through-line for a Kitecast [https://www.kiteworks.com/kitecast/] conversation that repeatedly returns to a human question beneath the legal and technical ones -- What do we want to keep for ourselves as humans, and how do we embrace innovation responsibly without slowing the people pushing it forward?
LinkedIn Profile: https://www.linkedin.com/in/diane-janosek-abc/
JANOS LLC: https://janosllc.com/
Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.


All episodes

53 episodes

Diane Janosek: When AI Outruns the Law

Jun 24, 2026 · 49 min

Bryan Cassady: AI Requires Humans and Guardrails

Host Patrick Spencer sat down with Bryan Cassady—director of the Global Entrepreneurship Alliance, eight-time founder, author of Cycles and The Generative Organization, and creator of the AI for Innovation Toolkit—to unpack why eight out of ten organizations still aren’t getting real business results from artificial intelligence [https://www.kiteworks.com/cybersecurity-risk-management/ai-data-governance-enterprise-risks/]. Cassady, who is on a public mission to train one million entrepreneurs on AI by 2027, argues that most companies are chasing “bright shiny” AI tools without a strategy, a change-management plan, or a clear understanding of why they’re adopting AI in the first place. The conversation is essential listening for CISOs, CIOs, CEOs, and business leaders trying to move beyond AI pilots and prove measurable ROI on their AI investments while keeping the right human oversight and security guardrails in place. A core theme of the discussion is what Cassady calls “the 1% problem”—the staggering gap between intention and action that means most book buyers, training attendees, and AI tool adopters never actually apply what they learn. His counterintuitive fix, which he has used to grow his own readership, is to give content away and bundle it with AI tools that close the gap between knowing and doing. He extends the same logic to enterprise AI adoption: stop using AI like a search engine and start using it like a thinking partner, or as he puts it, a “muse.” Cassady walks Spencer through his proven 90-day AI adoption framework—10 minutes a day for ten days to shift mindset, a focused business sprint around day fifteen, and a 75-day execution plan tied to two clear priorities rather than 10—and explains why effectiveness, not usage or efficiency, is the only AI metric that matters. 
Cassady and Spencer also dig into the future of agentic AI [https://www.kiteworks.com/cybersecurity-risk-management/ai-agent-security-data-layer-governance/], the disruption of the SaaS market, the rise of modular software, and Jevons paradox—the 1860s economic principle that explains why making thinking cheaper with AI will likely increase demand for skilled thinkers rather than eliminate jobs. Cassady is direct about the layoff narrative dominating AI headlines, calling mass workforce reductions a “smoke screen” in many cases, and offers concrete criteria business leaders can use to decide which teams are ready to adopt AI: Can you describe what you want to do? Are you ready to learn as you go? And—counterintuitively—are you prepared to increase headcount, since AI often generates more work, not less. He also explains why “AI-first” companies are getting it backwards, and why chess matches still prove that AI plus a human consistently beats AI or humans alone -- the clearest argument yet that durable AI value requires humans in the loop [https://www.kiteworks.com/cybersecurity-risk-management/ai-governance-sensitive-data-guide/]. The conversation closes with a candid look at AI cybersecurity, data privacy, and risk management—the guardrails side of the title and the topics Kiteworks audiences care about most. Cassady and Spencer discuss why security teams are too often brought into AI projects as an afterthought rather than at the strategy stage, the very real risks of AI-generated passwords, prompt injection through hidden text, and the data-leak exposure created when employees feed strategic plans and PII into public large language models [https://www.kiteworks.com/cybersecurity-risk-management/ai-data-security-crisis-shadow-ai-governance-strategies-2026/]. 
Patrick highlights the growing importance of data security posture management (DSPM) [https://www.kiteworks.com/risk-compliance-glossary/data-security-posture-management/] and AI governance [https://www.kiteworks.com/cybersecurity-risk-management/ai-data-governance-guide/] as private content channels multiply, while Cassady reminds leaders that the right answer is not to ban AI but to integrate security thinking into AI strategy from day one [https://www.kiteworks.com/platform/simple/ai-data-gateway/]. Listeners will leave with a practical playbook for aligning AI initiatives with business goals and a sharper view of where agentic AI is headed.
LinkedIn Profile: https://www.linkedin.com/in/bryancassady/
Books:
The Generative Organization: AI Playbook for Exponential Leaders: https://www.amazon.com/dp/B0FJG7BRG2
CYCLES: Innovate 6X faster, Reduce Risks by 50%: https://www.amazon.com/CYCLES-simplest-proven-innovate-reducing-ebook/dp/B09L1J7MYL
Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

May 20, 2026 · 50 min

Dr. Rick Goud: 1 in 3 Firms Hit with Data Sovereignty Incidents

In this Kitecast episode, Patrick Spencer sits down with Rick Goud, Kiteworks' Field CTO and a recognized European data sovereignty expert, to unpack findings from the Kiteworks Data Security and Compliance Risk: 2026 Data Sovereignty Report [https://www.kiteworks.com/sites/default/files/resources/kiteworks-report-2026-data-sovereignty-compliance-incidents.pdf]. The central paradox jumps off the page: Roughly 80% of the 286 professionals surveyed across Canada, the Middle East, and Europe feel well informed about sovereignty requirements, yet one in three experienced a sovereignty-related incident in the past 12 months. Rick pushes back on the "well informed" number, arguing that most stakeholders rely on a narrow definition — equating sovereignty with data residency or local vendor logos. The real question, he says, is not where your data lives but who holds the keys to it. The regional picture tells three different stories. The Middle East reports a 44% incident rate — nearly double Canada's 23% — despite moving fastest on sovereignty ambitions, as detailed in the Kiteworks 2026 Data Security and Compliance Risk: Data Sovereignty in the Middle East [https://www.kiteworks.com/sites/default/files/resources/kiteworks-executive-summary-middle-east-data-sovereignty-2026-compliance-risk.pdf]. Rick attributes this to maturity pressure: The pivot away from well-stress-tested hyperscalers toward younger local alternatives introduces security gaps that hyperscaler transparency reports historically do not show. Europe, covered in depth in the Kiteworks 2026 Data Security and Compliance Risk: Data Sovereignty in Europe [https://www.kiteworks.com/sites/default/files/resources/kiteworks-executive-summary-eu-data-sovereignty-2026-compliance-risk.pdf], is pursuing a pragmatic "glocal" model — only 4% plan to go fully local — layering sovereignty controls like customer-held encryption keys on top of Microsoft 365 and Azure rather than attempting a wholesale exit. 
The Kiteworks 2026 Data Security and Compliance Risk: Data Sovereignty in Canada [https://www.kiteworks.com/sites/default/files/resources/kiteworks-executive-summary-canada-data-sovereignty-2026-compliance-risk.pdf] shows a similar pattern, with 40% citing Canada-U.S. data-sharing shifts as their top concern, pushing organizations to rethink key custody rather than abandon U.S. providers entirely. AI governance emerges as the unresolved frontier. Rick is blunt: He has not yet seen a company that has solved governed AI data sharing at scale. Organizations are caught between blanket ChatGPT and Claude bans [https://www.kiteworks.com/platform/compliance/compliant-ai/] that sacrifice productivity, and open access that sacrifices compliance. His prediction — agentic AI will roughly double the digital workforce within two years — makes a centralized policy decision point [https://www.kiteworks.com/secure-managed-file-transfer/private-data-network/] non-negotiable. Rick's two-takeaway close is crisp: Adopt an internal sovereignty framework so stakeholders stop talking past each other with different definitions, and never accept a vendor's sovereignty claim on faith — validate it against your framework. He also warns against vendor lock-in, because the winners of 2026 will not be the winners 12 months later. Listen to the full episode on the Kitecast podcast page [https://www.kiteworks.com/kitecast/] for the complete conversation.
Rick Goud’s LinkedIn Profile: https://www.linkedin.com/in/rickgoud/
Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Apr 24, 2026 · 40 min

Aaron McCray: Ferrari Security: Speed With Guardrails

Can you drive a Ferrari at 150 miles per hour without its enhanced safety package? Sure. Should you? That's the question Aaron McCray, Field CISO at CDW and retired U.S. Navy Commander with 27+ years in information warfare, poses to every CISO still white-knuckling their way through 2026 with a 2021 playbook. In this episode of Kitecast, host Patrick Spencer and McCray dig into why the old way of doing security isn't just outdated—it's dangerous. McCray traces the CISO's evolution from post-COVID belt-tightener—the person whose job was to consolidate tools, justify every dollar, and basically serve as the "office of no"—to something far more consequential. Today's CISO needs to be a strategic risk executive who speaks the language of CFOs, not just firewalls. That means understanding EBITDA, financial risk quantification, and how a $350,000 investment in multi-factor authentication can translate into $35 million in reduced risk exposure. If you can't make that pitch, McCray argues, you're getting left behind. The conversation takes a sharp turn into the AI landscape [https://www.kiteworks.com/platform/simple/ai-data-gateway/], and McCray doesn't hold back. He's seen PCs, the internet, and mobile technology reshape the world over his career, but nothing compares to what AI is doing right now. "I don't mean that to sound like hyperbole," he says. "I really don't." The speed, the capability, the risk—it's all unprecedented. And while organizations scramble to harness AI's potential, many are sleepwalking past the dangers. Shadow AI [https://www.kiteworks.com/cybersecurity-risk-management/ibm-2025-data-breach-report-ai-risks/] is McCray's particular concern. He describes employees accessing public AI tools through browsers, unknowingly opening backdoors that exfiltrate proprietary data and invite threats back in. That leads to what might be the podcast's most important thread: ethics. McCray pulls no punches with real-world examples.
One global organization trained AI to screen resumes and ended up systematically discriminating against qualified women. Another rushed self-driving technology to deployment before it was ready, resulting in a pedestrian's death. His message is blunt—just because you can doesn't mean you should. And without humans in the loop, governance frameworks, and genuine ethical guardrails, AI will optimize for whatever you point it at without ever asking whether it should. McCray also makes a compelling case for data security posture management [https://www.kiteworks.com/cybersecurity-risk-management/dspm-vs-traditional-data-security/], arguing that data isn't just a cybersecurity problem—it's a business problem. His parting advice for CISOs? Stop leading with fear, uncertainty, and doubt. Stop blocking innovation. Start enabling the business to move fast—but safely. He compares it to buying a Ferrari: you can drive it stock, or you can invest in the enhanced safety package. When you're doing 150 down a two-lane road, you'll want those features.
LinkedIn: https://www.linkedin.com/in/awmccray/
Website: https://www.cdw.com/
Recommended Reading: Walt Powell, The CISO 3.0: A Guide to Next-Generation Cybersecurity Leadership [https://www.amazon.com/CISO-3-0-Next-Generation-Cybersecurity-Leadership/dp/1032840072/ref=sr_1_1?]
Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Mar 11, 2026 · 46 min

Justin Greis: AI Meets Cybersecurity

Most organizations are racing to adopt AI without considering the security implications. Justin Greis, former leader of McKinsey's cybersecurity practice and founder of the AI-powered consulting firm Acceligence, explains why this approach creates risk and how security leaders can change the conversation. Companies are deploying AI at different maturity levels. Some distribute AI tools to business units and wait for use cases to emerge. Others push boundaries with advanced algorithms. Few consider the associated risks. The right stakeholders often aren't in the room when AI decisions are made, either because organizations want to move fast or because security teams are underfunded and focused on daily operations. Technology companies are making AI capabilities available at unprecedented speeds, leaving organizations uncertain about securing and deploying these tools responsibly. Security should be the foundation of trust, not an afterthought. McKinsey research found that customers make buying decisions based on product security when companies can demonstrate testing and rigor. A secure, certified product materially influences purchasing choices compared to alternatives without visible security standards. Greis emphasizes that compliance certifications like SOC 2 [https://www.kiteworks.com/platform/compliance/soc-2-compliance/] or ISO [https://www.kiteworks.com/platform/compliance/iso-compliance/] represent minimum requirements, not security maturity. Organizations secure enough to meet business objectives naturally achieve compliance. The goal is translating business initiatives into security requirements that exceed baseline standards. The Chief Information Security Officer position has shifted from back-office administrator to business enabler. AI has accelerated this change by converging infrastructure, technology, and cybersecurity into unified platforms.
CISOs now have opportunities to demonstrate how they understand business context and can help organizations move faster and safer. The challenge for security leaders is communication and relationship building. Years of underfunding forced CISOs to focus on survival rather than strategy. As security functions reach parity with other departments, more leaders can engage at the executive and board level. This shift requires CISOs to develop storytelling skills that contextualize security metrics for business audiences rather than overwhelming boards with technical details. As AI agents begin making decisions without human oversight, organizations face new risks. The push to remove humans from decision loops creates efficiency but introduces vulnerabilities, particularly when AI accesses data [https://www.kiteworks.com/cybersecurity-risk-management/ai-data-privacy-risks-stanford-index-report-2025/] it shouldn't process or makes decisions affecting vulnerable populations. Companies need frameworks to identify where human oversight remains necessary and mechanisms to monitor those boundaries. Organizations implementing AI successfully have thought through secure development lifecycles, DevSecOps, and product operating models. Those starting from scratch face larger organizational changes to incorporate security, privacy, and responsible AI practices into development workflows. LinkedIn: https://www.linkedin.com/in/justingreis/ [https://www.linkedin.com/in/justingreis/] Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Oct 27, 2025 · 48 min