
Todd Smith of Ameris Bank & I talk Shadow AI, NHIs, and AI Defense
There are some conversations that push new ideas forward, and others that stay focused on what is actually happening inside organizations.
This one stays grounded.
Todd Smith is SVP and Director of Customer IAM and Threat Intelligence at Ameris Bank, where his work spans identity, fraud, and AI security in a highly regulated environment. That matters, because the issues we’re talking about here are not theoretical. They show up in day-to-day operations where risk, customer impact, and business pressure are all tied together.
That perspective shaped the conversation. We spent time on how AI is actually showing up across teams, what that means for visibility and control, and where organizations are starting to feel the strain as identity and security models adjust around it.
🎧 Listen to the full episode: https://www.buzzsprout.com/2248577/episodes/19091922
📬 Stay in the Loop. Subscribe for new episodes: https://www.linkedin.com/newsletters/7346174860760416256/
What I’m Watching
What stood out to me is how quickly this conversation moved past the idea that AI adoption can be controlled through policy alone.
That model does not hold.
Employees are already using these tools in different ways across the business, and in many cases, that usage is happening outside of approved environments. Not because people are trying to create risk, but because they are trying to get work done.
That gap between usage and visibility is where most of the conversation sits right now.
Give me your thinking around Shadow AI. Is it an IT problem, a security problem, both, neither?
Todd’s answer here was straightforward. It is both. Security owns the risk. IT owns the controls. And separating those responsibilities too cleanly creates gaps.
He also made a practical point that is easy to overlook. Blocking access is not a long-term strategy. If teams believe these tools help them move faster, they will find other ways to use them.
That shifts the focus from prevention to management.
The real work is bringing that usage into an environment where it can be seen, supported, and governed without slowing the business down.
How are CISOs and CIOs addressing Shadow AI in their environments? What are some of the ways you are seeing CISOs and CIOs enabling Non-Human Identities?
This part of the conversation stayed grounded in execution.
Todd kept coming back to discovery as the starting point. Before anything else, organizations need to understand what is already in their environment and how it is being used.
He also described AI adoption as something that should be introduced gradually. Not turned on all at once, but implemented in a way that allows teams to observe how it behaves and where it creates risk.
That same challenge becomes more complicated when the conversation shifts to non-human identities.
These identities do not follow a clean lifecycle. They are created in different ways, often without clear ownership, and they tend to accumulate over time. In larger environments, that accumulation becomes difficult to unwind.
What stood out here is that there is no clean reset.
Organizations are managing what already exists while trying to prevent the problem from continuing to grow. That balance between cleanup and control is where most of the effort is going right now.
When you hear the term AI Defense, what comes to mind for you?
Todd approached this from the inside out.
Before thinking about external threats, he focused on what is already happening within the environment.
AI is being introduced into systems that were not originally designed for it. That creates questions around access, data exposure, and how these tools interact with identity and existing controls.
Without that internal understanding, it becomes difficult to build a meaningful defense strategy.
From there, the conversation expands outward. But the foundation is still the same. You need to understand what is in your environment before you can effectively defend it.
What this conversation makes clear
A few things stood out to me.
Shadow AI is already part of how work gets done, whether it is formally approved or not.
Non-human identities are increasing in environments that were already difficult to manage.
And AI defense is not just about what is coming from the outside. It starts with understanding what is already inside.
There is nothing theoretical about that.
Final Thought
AI is being introduced into environments that were not designed for it.
That creates friction across governance, identity, and security at the same time.
The takeaway here is not that there is a single solution. It is that most organizations are working through the same set of problems in parallel, and the starting point remains consistent.
Understand what is in your environment. Create visibility where it does not exist. And build from there.
That is what I took from this conversation with Todd Smith.
See you in the Loop,
Jo
Additional Resources
- National Institute of Standards and Technology AI Risk Management Framework: https://www.nist.gov/itl/ai-risk-management-framework
- National Institute of Standards and Technology Cybersecurity Framework (CSF): https://www.nist.gov/cyberframework
- MITRE ATT&CK Framework: https://attack.mitre.org/
- Season 1 ClearTech Loop: https://www.buzzsprout.com/2248577