YouTube video summary

Amazon's Steve Schmidt on AI agents gone rogue (Live at HumanX) | Equity Podcast

Cybersecurity · 17 May 2026 · 7 min summary · From TechCrunch
Source: TechCrunch (YouTube)

AI's Impact on the Threat Landscape

  • The conversation explores how AI is reshaping the threat landscape: it lets threat actors enhance their capabilities, with lower-skilled actors becoming more effective and state actors broadening their attack scope [10s].
  • AI is changing the threat landscape by enabling threat actors to up-level their game: lower-skilled actors use AI to change their tooling, approaches, and targets, while state actors use it to launch simultaneous attacks on multiple fronts [2m6s].
  • The increased use of AI by threat actors is concerning, but it also presents an opportunity for defenders to improve their detection and response capabilities by integrating AI into their own workflows [4m42s].

Risks Introduced by AI in Organizations

  • Introducing AI into an organization's environment can expose new risks, because AI agents can potentially access and compromise large amounts of sensitive information; this highlights the need for comprehensive oversight and containment strategies [6m15s].
  • Employees using AI to find new ways to make their jobs easier and more efficient can create a "shadow AI problem," where unauthorized or unsecured AI deployments pose significant security risks [8m10s].

Strategic Integration of AI in Security

  • Security professionals should not focus on stopping AI deployments, but rather on getting past the initial concerns and integrating AI into their security strategies to stay ahead of potential threats [9m40s].
  • Finding ways to use AI tooling safely is crucial. That means knowing what AI tooling is being used, where it is installed, how it is being used, what data it has access to, and where that data is going. This is a deceptively simple requirement that is tough to operationalize, particularly when it comes to assigning permissions around the use of that information [10s].

Amazon's AI Governance and Framework

  • At Amazon, a framework was built to assign an identity to each agent, so that the identity of the calling party flows through everything the agent does; this matters for forensics, for security, and for explaining actions to regulators in regulated businesses [2m6s].
  • The framework includes audit logs, which are essential for forensics and security and can potentially be used to train other agents; Amazon's extensive logs from software development engineers over the years provide a valuable resource for fine-tuning and training models [2m6s].
  • The ability to keep track of actions and outcomes within the company is an area where enterprises like Amazon have a leg up over startups in implementing AI, because it lets them improve the feedback loops around the newest versions of IDE environments or coding agents [4m30s].

Governance and Permissions for AI Agents

  • Giving agents governance (their own ID, permissions, controls, and an understanding of what they should be allowed to do) depends on nuance and itself creates a potential attack surface, so that information must be protected from abuse [6m40s].
  • To protect against potential attacks, the focus is on understanding what a human being would do in various circumstances and canonicalizing that in instructions, guardrails, and model tuning, while also protecting that information from those who would want to abuse it [8m20s].
  • The goal is to prevent situations where an over-permissioned AI agent causes unintended consequences, such as deleting a production stack, by ensuring that the agent is properly tuned and governed to achieve its goals without causing harm [10m0s].

Security Through Context and Guardrails

  • AI agents need a set of context and guardrails to ensure they do the right thing at the right time. That material is incredibly sensitive from an intellectual property standpoint and can be polluted by adversaries, allowing agents to escape their guardrails in unexpected ways [10s].
  • To mitigate this risk, containerization is essential: the agent runs in a container and has to pierce the container boundary to obtain credentials, which means each request can be audited, logged, and controlled, and the credential issued is uniquely tied to the individual action [2m6s].
  • A judge, another model that examines the credential request from outside the agent's boundary, can help ensure the agent is not tricked into doing something it shouldn't; if it is tricked, there is another party that can intervene and refuse the action [4m30s].

Containment and Control in AI Security

  • The future of AI security is about containment and control rather than just model capability, and it is essential to build the kind of skill set that Anthropic's Mythos has into the software development, deployment, and operation chain [6m40s].
  • A very tight feedback loop is needed between writing software and committing code, where the code is examined and corrected immediately rather than at the end, when it can be too late and too costly [8m10s].
  • This tight iterative loop allows short, incremental changes that are much less expensive than reviewing something after it has all been put together and declaring it a problem to be fixed, and it also provides better training material for the model [10m0s].

Human-in-the-Loop for AI Oversight

  • "Human in the loop" is more than a slogan: a human must be involved in the process to ensure that the AI agent is doing what it is supposed to do [12m0s].
  • Human-in-the-loop control is necessary for sensitive changes in infrastructure operations. In human operations this is achieved through contingent authorization, where two people must agree that a change is correct; the same concept needs to be implemented in the AI world as a checkpoint where another party must confirm that an action is reasonable before it proceeds [10s].
  • To enforce this control, a hook is needed outside the boundary of the agent. This can be a container or a system like Midway, an internal authorization system that uses FIDO2 tokens to require a human being to touch a two-factor authentication token for especially impactful actions [2m6s].
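The pieces described across the sections above (an agent identity through which the calling human's identity flows into every log line, a credential broker outside the agent's boundary that mints a credential tied to one action, a judge evaluating each request from outside, two-party contingent authorization for high-impact actions, and labelled resources) can be sketched as one small Python program. This is an added example, not Amazon's framework, Midway, or any real product; the resource labels, policy rules, approver names and the deterministic rule-based judge are assumptions made for the illustration.

```python
"""Added example: a credential broker that sits outside an agent's sandbox boundary.
Constructed for illustration; not Amazon's framework or any real system. Resource
labels, policy rules and names are assumptions."""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ActionRequest:
    agent_id: str       # the agent's own identity
    principal: str      # the human on whose behalf it acts; flows into every log entry
    action: str         # "read", "write", "delete", "deploy"
    resource: str
    justification: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    needs_second_approver: bool = False


# Constructed "structured data": every resource the agent may touch carries a label.
RESOURCE_LABELS = {
    "s3://reports/public-summary.csv": "public",
    "db://customers/pii": "sensitive",
    "cfn://prod-web-stack": "production",
}
HIGH_IMPACT_ACTIONS = {"delete", "deploy"}


def judge(req: ActionRequest) -> Decision:
    """Policy judge evaluated outside the agent. The podcast describes a second
    model in this role; here it is a deterministic rule set (assumption)."""
    label = RESOURCE_LABELS.get(req.resource)
    if label is None:
        return Decision(False, "resource not inventoried")
    if label == "sensitive" and req.action != "read":
        return Decision(False, "only reads allowed on sensitive data")
    if label == "production" and req.action in HIGH_IMPACT_ACTIONS:
        return Decision(True, "high-impact production action", needs_second_approver=True)
    return Decision(True, "within policy")


class CredentialBroker:
    """Runs outside the container; the agent must cross the boundary to reach it."""

    def __init__(self, signing_key: bytes, approvers: set, ttl_seconds: int = 60):
        self._key = signing_key
        self._approvers = approvers
        self._ttl = ttl_seconds
        self.audit_log = []   # forensics record: one entry per request, granted or not

    def request_credential(self, req: ActionRequest, second_approver: Optional[str] = None):
        decision = judge(req)
        entry = {"agent_id": req.agent_id, "principal": req.principal, "action": req.action,
                 "resource": req.resource, "reason": decision.reason, "granted": False}
        if decision.allowed and decision.needs_second_approver:
            # Contingent authorization: a different, authorized human must agree.
            if (second_approver is None or second_approver == req.principal
                    or second_approver not in self._approvers):
                entry["reason"] = "second approver missing or invalid"
                decision = Decision(False, entry["reason"])
            else:
                entry["second_approver"] = second_approver
        if not decision.allowed:
            self.audit_log.append(entry)
            return None
        cred = self._mint(req)
        entry["granted"] = True
        entry["nonce"] = json.loads(cred["payload"])["nonce"]
        self.audit_log.append(entry)
        return cred

    def _mint(self, req: ActionRequest) -> dict:
        # The credential is bound to exactly one (agent, principal, action, resource) tuple.
        payload = json.dumps({
            "agent_id": req.agent_id, "principal": req.principal, "action": req.action,
            "resource": req.resource, "nonce": secrets.token_hex(8),
            "expires": int(time.time()) + self._ttl,
        }, sort_keys=True)
        tag = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "tag": tag}

    def verify(self, cred: dict, action: str, resource: str) -> bool:
        """Resource-side check: tag intact, bound to this action and resource, unexpired."""
        expected = hmac.new(self._key, cred["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cred["tag"]):
            return False
        payload = json.loads(cred["payload"])
        return (payload["action"] == action and payload["resource"] == resource
                and payload["expires"] >= time.time())


if __name__ == "__main__":
    broker = CredentialBroker(b"constructed-demo-key", approvers={"alice", "bob"})
    req = ActionRequest("agent-7", "alice", "delete", "cfn://prod-web-stack", "cleanup")
    print("denied" if broker.request_credential(req) is None else "granted")       # no second approver
    print("granted" if broker.request_credential(req, "bob") else "denied")         # contingent authorization met
    print(json.dumps(broker.audit_log, indent=1))
```

The point of the design is that the agent never holds a long-lived secret: a credential exists only for the one action the judge approved, carries the human principal for forensics, and a high-impact action on a production-labelled resource cannot be minted at all unless a second, distinct approver is recorded in the audit entry. A real deployment would replace the rule set with the judging model and the approver string with a hardware-backed second-factor touch, as the summary describes.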

Security Practices for Startups and Smaller Organizations

  • For smaller companies or startups, the first step in building security is to know what agents are being used, where they are installed, what access they have, and what rules govern their data access, and to keep track of this information from the beginning [4m42s].
  • It is crucial to have structured data about the data being used: label the information with some kind of structure so that it can be identified as sensitive or non-sensitive, which helps avoid hurdles later when building something new [8m10s].
  • Adopting this structured-data approach from the outset gives companies better control over their data and agents. It does not require putting everything in a relational database, only finding a way to label the information with some kind of structure [10m0s].

Agent Inventory and Isolation Strategies

  • The top priority for organizations today is to know where their AI agents are and not give them unfettered access to everything, instead running them in some form of isolation chamber, such as a container on a machine or a VM, so their activity can be measured if needed [10s].
  • Organizations can keep track of the agents their employees download using software that inventories what is running on machines, which can help prevent corporate or employee surveillance; an inventory method is essential for making intentional decisions about which agents are used [1m30s].
  • To maintain security, organizations should start the discovery process, keep it current, and make intentional decisions about the agents in use, as they may be surprised by what employees have downloaded and run on their machines [2m6s].

Cultural and Organizational Security Responsibility

  • Including a Chief Information Security Officer (CISO) among a startup's first hires is not necessarily required; rather, every employee should own and be responsible for security, understanding the sensitivity of the data they handle and its value to customers [4m10s].
  • Ultimately, the key to security is ensuring that customers trust the organization with their information and that the organization handles it consistently with how the customers would handle it themselves, which is crucial for building trust and avoiding potential security breaches [5m30s].
