The First Fully Autonomous AI Attack Is 18 Months Away | Kristin Lovejoy

Conor Bronsdon 0:20 Many people are skeptical of AI. Accuracy concerns, energy concerns, security concerns, privacy, all are complaints. But AI is evolving, and so are its production use cases. Our guest today works with nation states and enterprises around the world to explore the regulatory and business challenges of our massive AI infrastructure build-out and the increasing use of AI around the world. Let's talk about it. Welcome back to Chain of Thought, everyone. I am your host, Connor Bronsdon. My guest today is Chris Lovejoy. Chris is the Global Head of Strategy at Kindrel, and Kindrel is the world's largest IT infrastructure services provider, working with thousands of mission-critical enterprises across more than 60 countries. This is an interesting perspective, and one we don't actually have on the show a lot. But before Kindrel, Kris did a variety of other things that have helped fuel the global economy, including running security businesses at EY and IBM. She's, in fact, spent her career inside the systems the global economy runs on. Banks, hospitals, energy grids, governments. She's on the board of Dominion Energy. Kris is also one of the few people who is truly looking at the depth of what is required to deploy genetic AI from the point of view of the CISO and the resilience team. This perspective is rare on this show, and it's a reason why this conversation matters now. Chris, welcome to Chain of Thought. It's great to see you. Where are you joining us from?

Kris Lovejoy 1:45 Thank you, Connor. I am actually in the weirdest place in the world. I'm on the Appalachian Trail in Pennsylvania.

Conor Bronsdon 1:53 Oh, wow. Are you on a [1:55] Kris Lovejoy: [OVERLAP] Yeah. [1:55] Conor Bronsdon: [OVERLAP] long-term Appalachian Trail hike right now? Am I just getting a little cameo?

Kris Lovejoy 1:59 No, it's just, this is where my house is. I,

Conor Bronsdon 2:02 Amazing.

Kris Lovejoy 2:03 yeah, I like to hike, but I'm not there today. I'm sitting in my, besides my house, looking at the mountain where the trail is.

Conor Bronsdon 2:09 So when you're not helping enterprises deploy agents around the world, you're hiking. I love that you find some time to touch grass, as we say. But when you're not out and about, I know you are thinking deeply about many of the topics that impact enterprises as they try to bring AI into production today. And one of the big things that I know Kindle has seen is that 2025 readiness report that showed that 68% of organizations are investing heavily in AI, and yet, while AI spend is up 33% year over year, and I think, honestly, in 2026 it's up more than that, if we're being realistic, 62% of those initiatives were still stuck in pilots. We've talked about this on the show sometimes, about evaluation gaps, observability, these other things, but from your perspective, as someone who works with so many enterprises around the world, what's the challenge or challenges that are keeping AI from being as impactful as it could be?

Kris Lovejoy 3:07 Well, I'm going to use a bit of an analogy. It's, you know, I think about it, you know, when we first invented electricity, you know, you could go to the World's Fair and you could see somebody holding up a light bulb and it would go on. Everybody would say, ooh, Howard, you know, you go and you light up a house. But the reality was that the, you know, the transmission distribution lines weren't yet established. The energy generation wasn't established so that you could actually run electricity at scale. And I think we're running into kind of the same problem with AI right now, which is we're really good at building the models and building the pilots around the models. But we are having a scale problem. Some of it has to do with the data sources with which we're trying to integrate so that we can actually, you know, provide, get to the outcomes we're looking for. Some of the issue is associated with just CPUs. You know, we've got a lot of, you know, older, you know, equipment within our environment. Yeah, I could go on and on, but I think that we're coming out of this age of experimentation, going into a transitional phase, and eventually we're going to get to kind of the era of industrial AI. But I think it's going to take us a little bit to get there.

Conor Bronsdon 4:23 So it's interesting you say it's going to take us a little bit together. I want to dive into that a bit because I think there are other countersigns that show that that AI 2027 prediction is on track. I mean, we look at the insane growth that Anthropic has seen earlier this year and the build out of like codex of cloud code. How do you square that kind of acceleration effect that we're seeing in certain areas with AI versus the gap with maybe more traditional enterprises?

Kris Lovejoy 4:52 I think, well, first, I think we have to begin to be careful about thinking about AI as being this monolithic thing. And so I tend to categorize AI into, you know, there's AI for productivity, individual productivity uses. So this is us going to Gemini and using Gemini and creating agents in Gemini to do things like book a hotel. It's very easy for people to use AI, generative as well as agentic AI, to help them improve their productivity. And in that particular case, particularly when you're talking about agentic AI, Agentic AI is running within your user context, so they're inheriting the authorizations that you as a user has. Within an enterprise, productivity tools are being used and they are being used at scale. What I don't see and I'm, you know, when I look at the other kind of the more mission critical systems and the use of AI for business process transformation, I am not yet seeing the large scale kind of autonomous systems use propelled by AI. So when I think about AI, I do agree with you that there's been a lot of adoption on the productivity side. When I, when I'm thinking about where our customers that you really are running the banks are running the healthcare systems, those transformations are not yet at full production scale. Hope that helps in the, it's kind of the segmentation.

Conor Bronsdon 6:35 Yeah. What do you see as the gap that's stopping them? Is it about unlocking the data and context that these businesses already have and actually ensuring AI is tailored to them? Is it more about in-production accuracy and governance or is it a combination of both and other things as well?

Kris Lovejoy 6:53 all of the above. And I think a lot of it is situation dependent.

Kris Lovejoy 6:59 We're not in a world where people run on monolithic systems, particularly when you're talking about critical infrastructure. Most critical infrastructure industries are not cloud first. They may have some mainframe mid-range. They have your X-series. They've got cloud infrastructure. They probably have multiple clouds. They've got a truly hybrid environment. Some of it is very old. We say it's vintage. Some of it is very new. A lot of complexity. Data is all over the place. So kind of managing across these complex environments and, you know, getting access and integration into the underlying data, to the data layers, and getting that data normalized and ensuring the integrity of the data so it can be digested by the models, that's not easy. And I think that some of it is the practical reality of just touching the data. I think the other thing is just risk. Things work well in an experiment, but when you start talking about security and reliability and sovereignty and economics and scalability, these are all things that don't come necessarily with the pilot. It takes a lot of work to get to those things. And, you know, I think we also have to be realistic that a lot of what we're trying to accomplish, we're kind of making it up as we go along. And what we're finding as we're getting into, you know, sort of these production instances, that the guardrails that we need, the capabilities that we need to enable resilience, they don't necessarily exist yet. And so we are really, I think, that's why when I say it's going to take a little bit for us to get there, you know, maybe a few years, maybe up to a decade, but there is going to have to be some iterative invention that goes along with us actually building out these production use cases. Because I'm seeing every day we run into the wall where we're like, oh, Oops, I kind of figured that out. And yeah, anyway, I think it's going to take some time before most organizations can use agentic AI in particular at scale. [9:15] Conor Bronsdon: [OVERLAP] It's interesting you bring this up because we've had a lot of conversations on this show about data architecture. You know, I had Souter Hasby from Neo4j on a few weeks back and he basically talked about how he views hallucinations as really a data architecture problem. We're like, yeah, the model's going to try to predict what you want to see and sometimes it'll hallucinate to do that. But if you provide the right data at a point in time and you have your enterprise data unlocked, like you can solve this. And then on the other end, we just spoke with Jerry Liu from Lama Index, and Jerry was saying, look, I think the context layer, a similar and related argument, is something that needs to be unlocked. There's a reason they're focusing so much on OCR for documents, because while they're seeing frontier models be able to dive into PDFs and get like 80% accuracy. I mean, if we have a bunch of PDF documents, which many enterprises do, we need to be able to unlock those at close to 100% accuracy to really make our models more effective. As you put it, unlock agentic scale. And part of what this comes down to is we are beginning to treat, I mean, we've been treating code as infrastructure for a long time, but it is vastly increased by the amount of code we can now generate with these models. And these models use code as their native language because it's the best interface between a computer and us and we're able to just get them to generate so much code. Uh, and I think we're truly hitting this era now of policy as code and code just being in everything we do, everything trying to be translated to code. That's the right, you know, primitive for us for the moment. I know Kindle [10:52] Kris Lovejoy: [OVERLAP] Yeah. [10:52] Conor Bronsdon: [OVERLAP] is really pushing on this idea and saying, look, like policy as code has to be the future. Talk to me about your perspective here and where you see opportunities or gaps.

Kris Lovejoy 11:03 Yeah, and I've, you know, I've been in this industry for a long time, and I remember the conversations, you know, back when cloud first came out. I don't know if you're probably too young for this, but we used to talk about policy as code back then. And we would say, ah, cloud is just software. But the benefit of cloud is that if you implement policy as code, you're never going to have another security problem. That was the narrative. You build it right, you don't have to worry about it. Well, I think it took us not very long to figure out that that narrative was not necessarily correct. And so therefore, we had to have compliance, you know, cloud compliance and secondary controls and all that kind of good stuff implemented to enable us to get to a good overall security environment. Policy as code is an important element for us today, right? Because though I have to say that policy as code for me, I have a fraught relationship with policy as code in so much as what I see people trying to do is apply deterministic rules to inherently autonomous systems. And I wonder, at what point are we simply just creating? Is it RPA? Or is it really, you know, agentic AI? But that's like a philosophical discussion we can get into. What I would say is that, you know, when you're talking about mission-critical systems, you know, let's start with the word you used, which is infrastructure. We have to start with the premise that in order for us, and this is the kind of the fundamental security rule, it's just if you can't see it, you can't protect it. And so when you're talking about mission-critical systems that are going to be using agentic AI, and when I think about the role of agentic AI as a privileged user interacting with those systems, then we have to apply certain rules to how we manage that. And it starts with, first of all, we have to inventory the agent. We have to evaluate the agent within simulated environments to ensure that that agent is not going to be performing activities that we don't want it to perform. We have to generate the policies and establish the policies and monitor the policies. We have to create, you know, fulsome audit reports and compliance reports so that we can understand what happened. And we have to have humans in supervisory roles. I'm not sure, again, I'm not a big fan of the concept of human in the loop in so much as, again, we're trying to put a human construct into something that is supposed to be autonomous. And so I keep pushing back and asking, is it really human in the loop or is it human on top, right? Is it a different model that we have to think about? Because I keep seeing, you know, humans are, we're trying to take the construct we understand and make, it's interesting because even when we think about business process, we think in a linear way. AI doesn't think in a linear way. AI works in parallel, there are parallel tasks that occur, and it is a very different, and I see teams struggling with how do you, like this concept of human in the middle, how do you actually develop the policy constraints such that humans don't become kind of that roadblock to process fulfillment. Anyway, I'm kind of going off on a tangent, but coming back to sort of what you asked, I think that policy as code is important, but as I said, policy as code is one element of the overall reference architecture that needs to be implemented. I am a big fan of agentic AI requiring secondary evaluations and approvals before it can actually complete it. [15:17] Conor Bronsdon: [OVERLAP] I really appreciate your perspective on infrastructure, Chris, because there are a lot of considerations that come into play when it comes to actually getting AI into production at scale. Like, yes, cloud code is great for my individual productivity. Maybe I'm using Hermes agent, maybe I'm using Codex. There's a lot of opportunities there for developers in particular, which are often early adopters of this kind of technology. [15:40] Kris Lovejoy: [OVERLAP] What?

Conor Bronsdon 15:41 But as you start to scale to trying to have massive systems, there are just so many considerations, regulatory concerns, et cetera. And there's also in the background this concern for many enterprises of, oh, I'm hearing in media that this is a potentially huge climate impact. Maybe AI is using a ton of water. Maybe AI is using a ton of energy. I did an episode on this last year with Annie Masley where we debunked some of the myths around this, but you have real on the ground experience here with your work at Dominion Energy as a board member. I'd love your perspective on this. What are you seeing around AI infrastructure and energy usage?

Kris Lovejoy 16:25 Sure. So let me end first. I'm not going to speak as, you know, as Dominion. I'm just, just me speaking. But I, whether it be AI or it be quantum or, you know, figure out whatever the next generation of new technology is, the one thing is true is we've got a lot of data center requests that are coming out. And so if you look at, you know, we represent kind of, you know, you look at the data center load that's going up in the kind of the northeast, southeast of the United States.

Kris Lovejoy 17:04 There is an organization out there that is called PJM and it is responsible for forecasting the load. And every year, it comes up and says, gee, last year we underestimated by name your percentage, and it's always a double-digit percentage. So what's happening is we've got a lot of data center requests, and a lot of the data centers that are being put up, it's not just the hyperscalers, it's a lot of different data center providers. Those data center providers are building, you know, high-capacity compute installations. Now, oftentimes, they're using, you know, good refrigeration technologies, you know, to support AC, and there's, you know, they're liquid-cooled, but there's, you know, recycling, et cetera. So they're efficient. They're energy-efficient. It's just that there are a lot more devices, right? It's just, it's a question of scale. It's not necessarily that, you know, AI is more consumptive than another technology, because you can, if you spend the money, you can make it environmentally friendly. But we can't stop the number of you know, of devices that are going to be connected or need to be connected in order for us to be successful. You know, as a nation or, you know, any business, you have to have electricity to make your compute go. So that is true. [18:29] Conor Bronsdon: [OVERLAP] Yeah, as a society, I think it's really interesting to look at this because I think there are folks who are just concerned about overall energy usage, but the reality is that we are not going to stop using energy. In fact, we're going to keep electrifying the grid even more, especially for folks who are concerned about the climate. I put myself among them. I used to run a show called Growing the Grid Economy. I've consulted on a variety of energy infrastructure papers and been an expert policy reviewer there. And I do think it matters. But we need actually more energy, not less. We need to be more efficient, yes. But I mean, we're building all these electric cars. And, you know, I can quibble about the energy load of creating electric cars and what type of energy sources we use to run them. But the bottom line is we have to get off oil and gasoline, let alone if you look at things straight from use, which we're not going to get into. But there are major risks. Gasoline is getting more expensive. The global economy is being disrupted. We need to be able to have effective EVs. And when we look at those vehicles, and those are the same vehicles that are powering potentially massive drops in actual traffic accidents through things like Waymo, which I'm super excited about, we can do a whole episode on that at some point. [19:38] Kris Lovejoy: [OVERLAP] We. [19:38] Conor Bronsdon: [OVERLAP] Um, but the, the energy drops we're able to get from those and the, uh, do require a lot more electrification of the grid because we are transitioning from burning a ton of gasoline for these vehicles. It's actually much more energy efficient for me to sit at home using AI to code all day than it is to, uh, you know, go drive my car, my gasoline powered car to the grocery store and back for a few minutes. And so I think it, that gets lost in these conversations is, is the efficiency angle to your point. Totally, we are having a massive build-out of data centers. It's going to keep accelerating. We don't have enough of them. Look at the whole Anthropic and SpaceX computing deal, where rivals are having these deals to open up compute as they grow massively. People want to keep using AI. It's not going away, let alone quantum, as you put it. There's a whole other layer of infrastructure here that's going to be built out. So let's try to do it the best we can.

Conor Bronsdon 20:34 Personally, I would shout out, Everybody in the pool is a podcast talking about like nuclear energy and other opportunities. There's so much to do here. But bottom line is like we should be efficient about it, but we're going to keep building data centers. [20:48] Kris Lovejoy: [OVERLAP] Yeah, [20:48] Conor Bronsdon: [OVERLAP] It just is what it is. [20:49] Kris Lovejoy: [OVERLAP] it is. And I think that there's a lot of new technology. There's battery storage in particular I'm very optimistic about. I do think, you know, small nuclear is definitely, you know, a good possibility. I think extending leases or, you know, perhaps, you know, opening up some new nuclear facilities, that'll be great. But it's going to take 20, 30, 40 years for us to get the [21:10] Conor Bronsdon: [OVERLAP] out. [21:10] Kris Lovejoy: [OVERLAP] permitting done. I mean, I think at this point, what we've got to focus on, and some people aren't thinking about that, is that when you're making the decision about whether you're going to colo, you're going to own, or you're going to just use cloud, you do always want to ensure that the vendors with whom you're working are being as efficient as possible. Because I do see that there are some situations where the data center providers are not thinking from an environmental perspective, particularly when it comes to water use. And I do think that that is going to become an issue. And it's not that the technologies are not available. It's that the technologies may be expensive, and it's hitting the margin from a competitive perspective. And so I think that we, as we are designing, because some of my teams, they design data centers. So they're always recommending kind of the most efficient kinds of environmentally friendly and efficient kinds of technologies to use, particularly on the cooling side. But it is up to the buyer to ensure that the vendor is providing those services, and sometimes that is lost. And yeah, but I couldn't agree with you more. We need an all-of-the-above kind of approach to energy. And it's not just about energy and water. It's about the grid, you know, transformation. Because our grid is pretty old. [22:33] Conor Bronsdon: [OVERLAP] Yes it is. [22:34] Kris Lovejoy: [OVERLAP] And [22:34] Conor Bronsdon: [OVERLAP] Yeah.

Kris Lovejoy 22:34 so, and I have these really interesting discussions all the time about, you know, just from a geopolitical perspective, if you look at kind of the U.S. is really focused on energy infrastructure and AI, which is kind of interesting, the duality there. But you look at some of the other nation states, they've spent a lot more on grid modernization. They have a lot more energy available, particularly in the form of renewables. interesting dynamic where it's kind of the next economic battle is going to be fought. And I think it's there.

Conor Bronsdon 23:07 Yeah, I mean, there's the obvious comparison of China that happens all the time and their insane drive on renewables. But you can look at many other nation states around this. And it is interesting because to your point about efficiency of the technology being put into data centers and data center design. There are opportunities to even use AI. I'm seeing people do this to make the data centers more efficient once they're live. But from the very start, I think you have to be driving for the most efficient, you know, climate positive technologies or else your data center may get rejected. We're starting to see this [23:39] Kris Lovejoy: [OVERLAP] Yeah. [23:39] Conor Bronsdon: [OVERLAP] around the United States where

Kris Lovejoy 23:40 Good.

Conor Bronsdon 23:41 local communities are coming together and saying, no, we don't want this locally here. Um, and you, you as an organization don't want to risk that. So it's better to plan from the start, not only because it's going to better be better longterm for your industry and your, your data center, it's going to be more entry efficient. You'll save money over time. Uh, but you're also avoiding the risk of a full rejection from local communities. [24:02] Kris Lovejoy: [OVERLAP] Yeah. And I also think there are some tips and tricks that, you know, people can do, like rack optimization, because it kind of drives me crazy that, you know, you can provision, you know, a certain amount of energy into a data center and oftentimes that energy isn't used. So it's kind [24:17] Conor Bronsdon: [OVERLAP] Yeah. [24:17] Kris Lovejoy: [OVERLAP] of a park resource. So because there's, because it then, what happens is you have to, because that energy is being used, you have to make another connect request, you know, for another. It's just, it's just, it's kind of a mess that we're not as, you know, as efficient as we could be. But I think you and I are both passionate about this particular subject. But at the end of [24:37] Conor Bronsdon: [OVERLAP] Yes. [24:37] Kris Lovejoy: [OVERLAP] the day, you know, you need to make computers run. They run on electricity. So we got to figure out how to do that as efficiently as possible.

Conor Bronsdon 24:44 Yeah, I'm curious. In particular, you mentioned your team is working on data center design and thinking through these problems. What are some of the key areas you're focusing on? So cooling, you mentioned rack optimization. What are the others?

Kris Lovejoy 24:57 Um, density is just more of density. How can you pack more and make it, you know, make it work as efficiently and effectively as possible? And a lot of our customers, they've got, you know, older technologies, they're moving to high-performance compute, they're moving to GPUs. And they're just, you know, what they don't realize, when they're thinking about kind of the data center, and they're thinking about, so I've got a parked I've got capital that is in this existing data center. I've got all of this equipment that needs to be turned over. What we're working with them on is the fact that the infrastructure inside the data center itself has to change. And sometimes things like just the load on the floor, it can't handle the kind of the weight of this new equipment. So as you're thinking through the placement of the technologies, because the physical placement of the technologies is important, how the cooling systems, you know, need to be sort of optimized within that environment, the rack, or, you know, like how high, how wide the rack, all of these things factor into, you know, creating a footprint that is, you know, as friendly as possible, both from an economics and an environmental perspective.

Conor Bronsdon 26:13 Yeah, it's interesting we bring this up because I feel like we've touched upon two major complaints that some folks have about AI. One being accuracy and particularly looking at like the enterprise side of this, because it's obviously gotten a lot better on the consumer side with web search and other tools. Two being, you know, efficiency as far as the environmental piece. And then I feel like there are a few others as well that I know you're also very informed on, you know, one being security and the implications of AI, you know, potentially leaking data or being used in attacks. Another being the idea of privacy and, you know, what does privacy look like in an AI world where your data is being used for training? I'd love your thoughts on those two areas as well.

Kris Lovejoy 26:54 Okay, so those big questions. I think we're in a very interesting territory right now because I do think that there's a piece to this that we don't talk about very much, which is disparate pieces of data, which historically in isolation have not met any kind of jurisdictional requirement vis-a-vis privacy regulation. When two or three pieces of data come together, all of a sudden it's PII. And so from a privacy perspective, and I don't, you know, honestly, I don't think a lot of people understand the difference between privacy and security, which I always, it's just, it's just a reality, you know, privacy and just the two minute, like, you know, commercial break, you know, privacy being kind of an individual right that when I give my data to a third party, that third party inherits the obligation to assure that is accessible to me. that there's integrity, it doesn't change, and that when I ask to see it, I can see it. All of those things. And that it's not provided to anybody else. Those are the privacy requirements. And security is one of the mechanisms by which you can achieve control in order to meet these privacy requirements. Privacy in the AI world is very hard because sometimes we don't know what privacy is in our jurisdictions. And right now, we have a patchwork of privacy requirements. In the States, it's like variations on the same theme. When you go over to Europe, sometimes in Europe, you'll see rules where a corporation has the right to privacy. IP addresses are protected. It's a protected form of data. So the individual data element that is being used, as well as the combination of those data elements, they may create a privacy obligation that we have not seen. And so therefore, I think what organizations have to, again, going back to kind of thinking differently, we tend to think of compliance as a kind of a time-constrained activity where we go in and we take a look and we say, OK, I tested this code. Everything's fine. It's compliant. It meets the requirements for privacy. Done. doesn't work anymore. So you've almost got to get a continuous compliance construct put in place where you are continually monitoring how that data is coming together, how it is being connected, how it is being provided, where it's being processed, so that you can trigger, based on kind of that real-time analytics, that you may be evolving to a place where there is a privacy constraint that has to be taken into account. But again, this is just a fundamental rethinking of compliance activity from point in time to more of a continuous compliance thing. I

Kris Lovejoy 29:57 also worry a lot about the integrity of data and [30:01] Conor Bronsdon: [OVERLAP] Hmm. [30:01] Kris Lovejoy: [OVERLAP] how, ironically, privacy will create constraints on forms of data which will make it very hard for underserved communities to become part of the tapestry of those who can enjoy the value and the benefits. Some things, and I talk a lot about this to the regulatory authorities, is I know that many nation states, they feel that these strong privacy rules are protecting their citizens. But small countries, when they put in place these privacy requirements, it makes it more expensive for businesses to do business with them, or to use the data for things like training, you know, like medical, you know, medical models, or, you know, financial models. And so therefore, it is potential that different populations are going to be left out of the AI ecosystems because the jurisdictional requirements make it too expensive for businesses to actually participate in working with those various communities. So I guess, you know, a long way of saying privacy is going to be a double-edged sword. Third piece of this, I'd say, is privacy. In order to have good privacy, you need to have visibility. And so that's the other little challenge we've got is, you know, privacy is all about constraining that visibility. And visibility, as I said, is the recipe for good privacy. So all of these things I think we're going to have to work out. I would venture to say that the new word that we're going to all be focused on is control. You know, we hear this word sovereignty. To me, the word sovereignty actually just means control. It's control of what data, when do I use that data, how do I use that data, where do I use that data, where do I process that data, what data center houses that data. And that control has to be manifested from an operational, a technical, as well as like a data layer perspective.

Conor Bronsdon 32:06 I am really glad you brought up this idea of data as an evolving corpus that we need to keep compliant, not just in the moment where we launch, but over time.

Kris Lovejoy 32:18 Go.

Conor Bronsdon 32:19 Having a control plane and understanding of your AI systems is really crucial to actually enable them to stay compliant, not just launch compliant. And I think there's this other side because I love the differentiated security compliance and privacy here because they are connected but disparate topics. And, you know, the freedom of your data and the usage of your data is a certain topic. But there's also this idea of AI being used both by attackers and defenders on the security side. And we're already seeing AI incidents climb where AI is being leveraged by attackers from a security perspective. I saw that you actually made a prediction there's going to be a fully autonomous attack where AI takes down an enterprise security network in the next year, year and a half without any actual human capabilities pushing for it. Is this related to the expanding capabilities and security validation we're seeing with things like Cloud Mythos, where they're catching all these bugs that have been there for years? Or is this simply looking at and kind of predicting the progress of these frontier models?

Kris Lovejoy 33:29 So, I mean, I'm looking at it from three different vantage points. I think from an attacker perspective, you know, I think the chaining of vulnerabilities, we knew this was going to happen. Anybody who had looked at, you know, kind of the cloud capabilities and has been, you know, sort of looking at agentic AI, you know that it's kind of inevitable. And so the inevitability is that typically speaking, you know, in my world, you know, there's the way it works. It's pretty simple, actually, is there if there's a threat and that threat is, you know, sort of an actor or a piece of malcode in the wild, and that threat can exploit a vulnerability, a weakness in a system, and then create an impact, then there is a risk. And I need to spend money. That's my job as a CISO, is to spend money to reduce the prevalence of the threat or the likelihood that the vulnerability can be, you know, and that's through patching. Well, what we know now is that, you know, attackers are able to find individual vulnerabilities faster than we ever have before. And so that means that we have to get better at detection and better at remediation. So that's one. Now what we're finding is vulnerabilities that have previously been called low-risk vulnerabilities. Now you can chain vulnerabilities, and you can create high-risk vulnerability by chaining together low-risk vulnerability. Okay, so that's upping the ante between, I found it. Now all of this, if you look at any organization, they've got a billion patches they have yet to apply, and they're all low-risk. Right. So, you know, like we talk about high risk, we don't talk about the low risk ones. So we get a whole corpus of things. So I think that it is going to be much more effective for attackers to use these tools to chain vulnerabilities to exploit. That's one. Two is I really worry about kind of the inadvertent activity. Anybody who's been playing around with agentic AI also knows that is very outcome oriented. This goes back to kind of the policy as code. So let's say you have an agentic workflow. So you've got an orchestration agent. You've got lots of little agents. Lots of little agents are going to lots of different, you know, data sources to, you know, to answer different questions. Now, all of a sudden, the agents who are very outcome oriented Your policy, which is constrained by the human mind, it's been written in such a way that you will, you know, define the guardrails for the agents. You didn't think about something. You didn't imagine something. Now all of a sudden, these very outcome agentic, you know, options are going out and they're performing their tasks and they're inadvertently taking you down because They just didn't understand how those guardrails worked. And we already saw an example of that, you know, within the last couple of weeks with the company that was doing the car rental stuff. Now we talk about inside. The other area I worry about and I talk about a lot is the potential for there to be some, and people hate when I talk about this, but I think it's important we talk about it. There are, we've always seen this, the actors inside an organization, insiders. Now there's inadvertent actors, they make mistakes, they do dumb things and things go down. That happens all the time. Then there's the, or they do things, they follow the rule book and it still goes down. That happens even more than they do dumb things. But there's the reality that there are people that are worried about things like losing their job to AI. And so we've seen this throughout history, that people that get nervous, that get afraid, get angry, they sometimes will act out. Now what we're talking about are the utility tools that allow you to chain vulnerabilities inside an organization. So what do you have? You have insiders that understand all of your weaknesses They have tools that they can go and they can build bespoke attacks, you know, for your organization. So I do think that there's multiple levels of my fear in this area. But a lot of it is because we are exposing ourselves to attacks and to outages based on our historic practice of only focusing on crown jewels, if you will. And I knew this was going to come back to bite us. But this kind of concept of only, only, you know, invest in protecting the things you care about is right to a point. Now we've gotten to a point where the stuff that we didn't worry about is a big problem.

Conor Bronsdon 38:06 I appreciate that you have such a diverse perspective across the industry and I think you have a really interesting global lens that you're bringing to this conversation as well with your work in the EU and elsewhere. What other predictions do you have about what we'll see with AI and the AI build out in the next year or two?

Kris Lovejoy 38:23 I mean, every day I wake up and I'm just waiting. You know, it's it's really it's a very exciting time for us because everything is changing so quickly. I

Kris Lovejoy 38:35 do think that. And some of it has to do with the geopolitics, I. I do think that. There is going to be an interesting couple of years, because all of the things that we're talking about are now being conflated, and all these risks are converging when it comes to AI. And so I think some of the risk, what we're talking about right now is there's this recognition that businesses and nation states, in order to grow, they must quickly adopt AI technology. That's kind of the narrative. In order for them to adopt an AI technology, they have to have technology they can trust. They have to have a supply chain they can trust. They have to have energy and water to power the data centers. They have to have the data center infrastructure. So let's start at the beginning. A lot of nation states are just worried about the supply chain and the availability of technology and the fear that technology is going to be used as a tool of trade. So imagine that all of a sudden, you know, Amazon is not available, Microsoft is not available to me anymore, right? Somebody shuts off the cloud. That's something, whether it's credible or not credible, it's something that people are fearing. And so they're worried about technological dependence, and they're beginning to think through what does the alternative look like? to a world where I have, you know, absolute dependence on the U.S. So I do think that some of what AI is going to change is not necessarily AI. It's going to be things like we're going to be more focused on open source. So I think we're going to hear a lot about open source, and I think we're going to hear a lot about open source vulnerabilities. I also think that this concept of sovereignty and control is being read, and this goes back to the energy, you know, in talking to some of our customers, what they would say to us is, you know, I live in Europe and I worry about sovereignty. I worry about supply chain. I worry about data localization. But what it really means to me is I worry about control. I want to be able to run my workloads where I want to run my workloads, when I want to run my workloads, and I want to be able to pull them back into a local data center in my country when I need to do that. And so I think the other thing we're going to be talking about is just operational resilience and the ability in a sovereign construct, the ability to move data and move workloads from one location to another location. So I think that's a second thing. And I do think, you know, from an AI perspective, we're also going to be, you know, really thinking about, you know, kind of the cost of AI because it's a bit of a black box. And so I think AI, that kind of the economics is going to become a big thing, you know, along with the energy thing. I also think that there's going to be a big drive now toward autonomous robotics. I'm beginning to see a lot more robotics appearing. I was just at the AI Expo this past week. A lot of robotics being shown, a lot of drone technology being exhibited. So I think that, you know, autonomous technology in the form of drone or robotics is going to become the next frontier. And then I also think that AI is providing a lot of There's a lot of technical innovation going in and around quantum, so I'm thinking that the other shift that we're going to begin to see is we're going to see a lot more discussion about quantum and the potential risk and opportunity associated with quantum technology that is going to appear as well. It's a little bit of a roundabout way of saying it's not necessarily AI, it's what AI is creating from a worry perspective or a technology perspective is that what we're going to be digesting.

Conor Bronsdon 42:32 I particularly love your points about autonomous robotics. I think you're spot on. That is the wave we're already seeing and it's going to continue. And I think we're not prepared for what is going to change as quantum comes on board, enabled by AI and with AI pushing it. So excited to see those changes, nervous about those changes. I'm right there with you. Chris, thank you so much for joining me today. It's been an absolute pleasure. Do you have any closing words for our audience and where can they follow you to continue to see your work?

Kris Lovejoy 42:58 Oh, thank you. And I guess the best place is LinkedIn because I'm a pretty avid poster. The final words, I would say this is a really exciting time. You know, I think there is, I'm expecting the thing, you know, I didn't say is where I'm going to, I'm expecting a Luddite movement, you know, if you will. Remember what happened, you know, during the last, you know, industrial revolution, there was all of a sudden the Luddite movement is, you know, we're going to lose our jobs. We're going to, there's going to be

Conor Bronsdon 43:28 I'd argue we're already seeing it, honestly. People are trying to bomb data centers, trying to bomb someone's home. I think we're already seeing it.

Kris Lovejoy 43:34 Yeah. And that, I think, we're going to look back or our children or children's children are going to look back at this time period and say, wow, that was really a period in history that was either it was for the greater good or it wasn't. I want to be positive. But as a security and risk person, I'm also looking at this and saying,

Kris Lovejoy 44:00 oi! This is why I have a house in the country and I buy heirloom seeds, just in case. I'm not at a full bunker state, but you know, you gotta be a little careful nowadays. But suffice to say, I think there's lots of opportunity. I would ask everybody who is thinking about agentic AI in particular, You know, these are important tools. We don't really fully understand. You have to be very thoughtful about what a control plane for agentic AI looks like. And a lot of the tools and technology constructs that we used in managing IT, including cloud, needs to be applied to this construct. Things like, again, registry, non-human identity, monitoring, policy, all of these things have to be implemented in order for you to use technologies like agentic AI at scale in a safe, secure, reliable, sovereign, and economically feasible way.

Conor Bronsdon 45:06 Fantastic. Chris, thank you so much for joining me on Chain of Thought today. And to all of our listeners and folks watching on YouTube as well, remember that you can get so much more deep dives, essays, and all this good stuff at newsletter.chainofthought.show. Check it out and subscribe. Thank you so much for joining us. And Chris, thanks again.

Kris Lovejoy 45:24 Thanks, Connor.