VIA Knowledge Hub Podcast

Podcast by VIA

English

Business

Discussions, playbooks, and tech resources for teams building software for the DoD and other highly regulated industries, so you can ship fast, stay secure, and be compliant. www.viaknowledgehub.com

All episodes

12 episodes

In the end, it's all risk. An AppSec leader's guide to enterprise AI with Joshua Bregler

What would you do if your AI agent deleted your production database because it decided that was the logical thing to do? That's not a hypothetical. It happened. And according to Joshua Bregler, it happened because someone gave an AI agent the same admin privileges they'd never hand to a new hire.

Joshua is an application security leader at McKinsey, working at the intersection of AppSec, AI adoption, and risk. He spends his days helping some of the world's largest organizations figure out what to do when a shiny new AI tool shows up at their door — and what to do when they've already let the wrong one in.

In this conversation, Joshua shares front-line stories from enterprise AI deployments gone wrong, breaks down the guardrail and access control decisions that teams consistently get wrong, and makes a case that's both simple and easy to miss: the right way to manage an AI agent is a lot like the right way to manage a junior developer. The fundamentals don't change. We just haven't learned how to apply them here yet.

Topics Covered

* 01:20 - Why AI adoption fails when humans are removed from the loop entirely
* 02:30 - Real-world use cases: When AI fabricates data, and it admits it on the spot
* 04:30 - AI given admin privileges, and why it deleted the production database
* 06:00 - The three themes: human-in-the-loop, guardrails, and access control
* 07:00 - Treating AI like a junior developer: prompt guardrails, library restrictions, and code review that holds
* 09:30 - The old methods are still the right ones, we just need to apply them to AI
* 10:30 - Why ignoring business logic creates vulnerabilities that don't surface for weeks
* 12:00 - What good AI adoption actually looks like: small, purposeful agents over monolithic platforms
* 13:00 - Why an unused AI agent is an attack surface waiting to be activated
* 14:45 - Test, test, and retest: the only real advice for AI-powered compliance tooling
* 16:00 - An example where an AI-generated compliance report could be a huge liability trap
* 17:20 - The ROI question every executive asks first, and why the answer is always “it depends”
* 20:00 - “In the end, it's all risk:” money, lawsuits, reputational capital, and institutional knowledge
* 21:30 - What questions companies are (and aren't) asking about AI adoption
* 24:20 - Managing AI identities: why blanket permissions don't work, and granular access is harder than it sounds
* 27:00 - The AI agent inventory: from Excel spreadsheets to dashboards
* 28:30 - Don't ignore the frameworks: OWASP Application Security Verification Standard, OWASP AI Top 10, and why they apply more than you think

About Joshua Bregler

Joshua Bregler is a cybersecurity executive with deep expertise in application security, cloud architecture, and mission-critical systems. He currently serves as the Application Security Leader at McKinsey & Company, where he builds and scales firmwide application security capabilities, enabling secure product development and enterprise resilience.

Before joining McKinsey, Joshua was a Principal Security Architect at Amazon Web Services, where he supported the U.S. Department of Defense and the Intelligence Community. In that role, he led secure cloud transformation initiatives, architected high-assurance systems, and partnered with national security stakeholders to advance zero-trust security models across classified and critical workloads. Joshua holds an MBA from Johns Hopkins University and is a U.S. Marine Corps veteran, bringing a mission-first mindset and disciplined leadership style to every engagement. His career reflects more than two decades of advancing cybersecurity strategy, designing secure digital ecosystems, and guiding organizations through complex technical and regulatory environments.

* Connect with our guest Joshua Bregler: LinkedIn
* Join the VIA Knowledge Hub community on Substack: viaknowledgehub.com [http://viaknowledgehub.com]
* Get passwordless logins instantly with VIA's Zero Trust Fabric (ZTF): solvewithvia.com/via-ztf
* Test out VIA's Zero Trust Fabric on GitHub: github.com/viascience/ztf-tutorial

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit www.viaknowledgehub.com [https://www.viaknowledgehub.com?utm_medium=podcast&utm_campaign=CTA_1]

7 April 2026 - 31 min

The Four Ps every developer needs to know before their next product decision with Eve Maler

Most teams treat identity like plumbing: invisible, unglamorous, and someone else’s problem… until something breaks. Eve Maler has spent thirty years proving that’s the wrong mental model, and it’s costing companies more than they realize.

As the co-creator of SAML and User-Managed Access, former CTO of ForgeRock, and author of the forthcoming Mastering Digital Identity: From Risk to Revenue, Eve introduces a sharper lens: identity is a product. The teams that own it intentionally ship faster, convert better, and lose less to fraud. The ones that don’t are one incident away from finding out why it mattered.

Eve shares her Four Ps framework: Protection, Personalization, Payment, and People, and explains why fraud is a design problem long before it becomes a detection problem. She also makes the case for why decentralized identity isn’t a future trend to monitor. It’s a present-tense decision your team is already making, whether you know it or not.

Topics Covered

* Why identity is part of your technology strategy
* What “identity strategy” actually means for developers (not just CISOs)
* The Four Ps framework: Protection, Personalization, Payment, and People
* Why identity and payments are inseparable, and what’s at stake when they’re not designed together
* Fraud as a design problem: modeling happy paths and unhappy paths
* The cost of separating fraud teams from development teams
* What changes when your org has a dedicated identity product owner
* Decentralized identity: why it’s happening now, and what developers need to know
* How to make the case for identity investment to a CEO or board
* Baking identity in from the start vs. scrambling to fix it after launch

About Eve Maler

Eve Maler is President and Founder of Venn Factory and an award-winning Digital Identity Strategist, whose work has influenced how people, organizations, and technologies establish identity, exchange data, and operate securely at scale. From early Internet standards such as XML to identity-defining protocols including SAML and User-Managed Access, Eve has helped build the underlying systems that enterprises around the world rely on every day.

Her career in identity spans 25+ years, from Technology Director at Sun Microsystems to Chief Technology Officer of ForgeRock, where she brought identity innovation strategy to dozens of Global 5000 brands. As a former Forrester Research security analyst and now founder of Venn Factory, Eve transforms companies’ digital identity strategies from a cost center into a growth engine by reducing friction, optimizing security and privacy protection, and unlocking new revenue opportunities. Her influence can be seen across global initiatives, including UK Open Banking and U.S. and Canadian health IT efforts. An author, speaker, and board member, Eve is known for connecting technical reality with business outcomes and for showing why, when identity is done right, it becomes one of the most powerful levers of competitive advantage.

* Connect with our guest Eve Maler: https://www.linkedin.com/in/eve-maler

Make it secure and ship faster? Yes, please. We built the easy button for military-grade authentication.

18 March 2026 - 37 min

How to break into DevSecOps (without expensive bootcamps) with Damien Burks

DevSecOps is everywhere right now, but most teams are still treating it like a tooling problem. Damien Burks says it's actually a culture problem. He's a DevSecOps expert and the founder of the DevSec Blueprint, a free, open-source learning guide with a 650+ member community. His mission: help people break into DevSecOps by focusing on foundations and systems thinking, not expensive bootcamps.

In this episode, Damien explains why DevSecOps engineers are “the glue”, the people connecting developers, operations, legal, and compliance into a single security-minded team. He walks through the patterns that repeat across every cloud platform, why the first thing you should automate is your CI/CD pipeline, and how to think about LLM risks (hallucinations, data residency, prompt injection) when you’re working in regulated environments. He also shares the story of a woman in Africa who used the DevSec Blueprint to land her first internship, proof that accessible education works.

The bottom line: security isn’t something you bolt on at the end. It’s a shared responsibility. And the sooner your team internalizes that, the faster (and safer) you’ll ship.

Topics Covered

* Why DevSecOps is a cultural movement, not a job title
* DevSecOps engineers are “the glue”: connecting developers, operations, legal, and compliance
* The DevSec Blueprint: an open-source learning guide for breaking into DevSecOps
* Systems thinking over tool-chasing: recognizing patterns that work across platforms
* Why soft skills and communication matter as much as technical chops
* The #1 thing to automate this year: your CI/CD pipeline with security gates
* Build, test, scan, deploy: the repeatable pattern inside every secure pipeline
* LLM risks in regulated environments: hallucinations, data residency, and prompt injection
* Air-gapped AI as a strategy for heavily regulated industries
* Why prompt injection is still an unsolved problem and what that means for DevSecOps
* The DevSecOps Home Lab: buying two machines from a pawn shop and learning by doing
* One mindset shift: “Security is a shared responsibility”

About Damien Burks

Damien Burks is a DevSecOps leader, security engineer, educator, and the founder of the DevSec Blueprint, a free, open-source learning guide that helps people transition into DevSecOps and cloud security development. With a background in software development and experience working in heavily regulated environments, Damien focuses on making security education accessible, practical, and community-driven. His Discord community has grown to over 650 members who actively contribute projects and capstone exercises. Damien also creates content on YouTube covering cloud security, DevSecOps, and the tech career landscape. His philosophy: less tools, more foundations, and always lead with the mindset that security is a shared responsibility.

* Connect with our guest Damien Burks: LinkedIn [https://www.linkedin.com/in/damienburks]
* Check out The DevSec Blueprint: https://devsecblueprint.com
* Join a community of developers on VIA Knowledge Hub’s Substack: https://www.viaknowledgehub.com/
* Get passwordless logins instantly with VIA’s Zero Trust Fabric (ZTF): https://www.solvewithvia.com/via-ztf/
* Test out VIA’s Zero Trust Fabric (ZTF) on GitHub: https://github.com/viascience/ztf-tutorial

26 Feb. 2026 - 39 min

The one security practice most teams skip: tabletop exercises with Jeff Fields

Most security teams aren’t underprepared because they lack tools; they’re underprepared because they haven’t rehearsed what happens when humans, systems, and pressure collide. Jeff Fields says that the single most important thing teams can do is run tabletop exercises.

Fresh off a 20-year FBI career, Jeff explains why the most damaging incidents aren’t caused by “unknown threats,” but by breakdowns inside the organization: alerts going to the wrong people, missing owners, and teams operating in silos. Tabletop exercises expose those weak points early, forcing engineering, HR, legal, leadership, and comms to operate as one security team. The result is a security posture that assumes human error, limits blast radius, and lets teams ship faster with confidence.

Topics Covered

* Why “there’s no separating the digital from the human” in modern cyber attacks
* Nation-state motivations: how PRC, Russia, North Korea, and others target differently
* The “geopolitical layer cake” and why every builder is in it (whether they like it or not)
* Security as a team sport: breaking silos between engineering, HR, legal, physical security, and leadership
* Why basic information sharing is the cheapest “upgrade” most companies aren’t doing
* The Sony hack lesson: when the alerts won’t stop… and someone turns them off
* “Humans be humans”: designing systems that assume mistakes will happen
* Bake security in from the start vs. bolting it on after launch
* Zero Trust explained in plain English and why it can accelerate innovation
* Why tabletop exercises/war games separate resilient teams from chaotic ones
* Planning for the least likely, most catastrophic scenario (and why it covers everything else)
* Where to get government resources: fbi.gov, dni.gov, and National Counterintelligence and Security Center (NCSC) support for private sector

About Jeff Fields

Jeff Fields [https://www.linkedin.com/in/jeff-f-63736a173/] is a newly retired FBI leader, most recently serving as Assistant Special Agent in Charge of the FBI’s Counterintelligence Branch in San Francisco, with 20 years of experience spanning counterintelligence, national security, and the defense industrial base including emerging tech and the innovation ecosystem. Now advising VCs, startups, and universities, Jeff brings a rare operator’s perspective on how real-world adversaries move and how builders can design security that supports speed instead of fighting it.

In addition to being a technical advisor, Jeff is also a Senior Fellow of Practice at the Berkeley Institute for Security and Governance where he serves as a “Hacking for Defense” (H4D) instructor. H4D teaches students how to work with the government to rapidly address the nation’s emerging threats and to solve mission-critical problems at the speed of a startup. In his free time Jeff enjoys hiking with his two Belgian Malinois, volunteering with the non-profit Girl Security, or checking out a live opera or hip-hop show.

12 Feb. 2026 - 42 min

Decentralized identity in the age of AI agents with Kaliya Young

What does decentralized identity really mean, and why is it becoming essential in a world of AI, deepfakes, and digital fraud? In this episode, we sit down with Kaliya Young [https://www.linkedin.com/in/kaliya/]. Kaliya is widely known as the “Identity Woman” and is one of the earliest pioneers of decentralized and self-sovereign identity. With over 20 years in the field, Kaliya breaks down complex concepts like decentralized identifiers (DIDs) and verifiable credentials in practical, real-world terms.

Kaliya explains how decentralized identity reshapes trust, privacy, and security across many different entities, including people, businesses, AI agents, and physical assets. From digital driver’s licenses and business wallets to supply chains and autonomous systems, this conversation offers a grounded look at how identity infrastructure is evolving. It is clear that old paper-based and centralized models are no longer enough for highly regulated industries.

Topics covered

* What decentralized identity actually means
* How decentralized identifiers (DIDs) work
* Verifiable credentials and why they matter
* Trust and privacy in the age of AI and deepfakes
* Business and enterprise use cases like know your customer (KYC) and know your business (KYB)
* Identity for AI agents and autonomous systems
* Digital wallets for people, businesses, and assets
* Revocation, security, and privacy-preserving design
* Where developers and organizations can get involved

About Kaliya Young

Kaliya Young, often called the “Identity Woman,” has been working on decentralized and self-sovereign identity for over 20 years. She works closely with developers, policymakers, and standards bodies to help make digital identity more secure, private, and human-centered. Kaliya is also the founder and host of the Internet Identity Workshop (IIW), an unconference that brings together identity practitioners from around the world to shape the future of digital identity. Through her writing, workshops, and advisory work, she plays a central role in how decentralized identity, verifiable credentials, and trust frameworks are evolving today.

* Connect with our guest Kaliya Young: https://identitywoman.net/ and https://www.linkedin.com/in/kaliya/
* Join the Identity Woman newsletter:

8 Jan. 2026 - 31 min