The Human in the Loop: Cybersecurity, Agentic AI, and Who’s Watching the Machines
What happens when a single AI model finds fifteen years' worth of hidden vulnerabilities in the code running the world's most critical systems — and then gets pulled from public release because it was too powerful?
In this episode, Jeff speaks with Clyde Johnson — Agentic AI Cybersecurity Strategist and founder of The Empowered Cyber Leader, a publication helping cybersecurity leaders harness AI to understand and communicate risk — for a frank conversation on what AI is doing to the security landscape, and why most boards are dangerously unprepared.
They cover Anthropic's Mythos model and what it revealed, the collapse of the attacker timeline from months to hours, why your vibe-coded tools may already be compromised, digital twins as the future of cyber risk communication, and what the CISO of tomorrow will actually look like when their team includes both humans and agents.
This is not a conversation about doom and gloom. It's a conversation about what the basics look like now — and why the organisations that get them right will be the ones still standing.
Find out more:
Connect with Clyde Johnson [https://www.linkedin.com/in/clydedjohnson] on LinkedIn.
Check out Clyde's newsletter The CISO's AI Toolkit [https://clydejohnson.substack.com] on Substack.
MITRE ATLAS (Adversarial Threat Landscape for AI Systems) [https://atlas.mitre.org] is a globally accessible, open-source knowledge base designed specifically to catalog adversary tactics, techniques, and procedures (TTPs) targeting AI and machine learning systems. Clyde recommends this for operational security, threat modelling, and detection engineering.
NIST AI Risk Management Framework (AI RMF 1.0) [https://www.nist.gov/itl/ai-risk-management-framework] is a voluntary set of guidelines released by the National Institute of Standards and Technology in January 2023 to help organisations manage risks associated with artificial intelligence systems. It aims to improve the trustworthiness of AI by providing a structured approach to the responsible design, development, deployment, and use of AI products, services, and systems. Clyde recommends this for enterprise policy, compliance, and executive reporting.
OWASP Top 10 for LLM Applications 2025 [https://genai.owasp.org/llm-top-10] is a community-maintained security taxonomy identifying the most critical risks in generative AI systems. It serves as the primary baseline for developers and security teams to structure threat models, prioritise mitigations, and ensure compliance with frameworks like the EU AI Act and NIST AI RMF. Clyde recommends it for secure development and code review, as its vulnerability coverage is developer-centric.
OWASP Top 10 for Agentic Applications 2026 [https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026] is the first industry-standard framework identifying the highest-impact security risks specific to autonomous AI agents that plan, decide, and act across tools and environments. Unlike traditional LLM risks, this framework focuses on active agent behaviours, treating agents as principals with distinct attack surfaces involving delegation, memory, and inter-agent communication. Clyde recommends it for agentic AI deployment security.
Clyde recommends these repos of reviewed coding agent skills:
https://www.skills.sh [https://www.skills.sh/]
https://github.com/vercel-labs/agent-skills [https://github.com/vercel-labs/agent-skills]
Check out the Oxford Artificial Intelligence Programme [https://www.sbs.ox.ac.uk/programmes/executive-education/oxford-ai-programmes] at Saïd Business School.