
Stop bolting on “controls.” Start governing the system.
Hosted by Jo Peterson · ClearTech Loop
Episode Summary
Rules don’t scale. Architecture does. In this conversation, Lori MacVittie argues that if your protections live inside the app, you’re accruing security debt you can’t repay. Put policy and enforcement in the infrastructure, where they can adapt post-deploy — and govern AI as a distinct threat surface, not just another API.
“Don’t build it in. It should be in the infrastructure… once it gets… into the environment, you are applying the correct security at the time it’s relevant to that process.”
— Lori MacVittie, Distinguished Engineer & Chief Evangelist, F5 Office of the CTO
“You have to treat AI as both a capability and a threat surface… the context, the prompts, the responses, the completions… all of that is a threat surface that is distinct from the API… the network stack…”
— Lori MacVittie, Distinguished Engineer & Chief Evangelist, F5 Office of the CTO
Three Questions We Tackle
1) From rules to semantics: how do we keep up?
Rule-chasing is slow and brittle. Use LLMs to accelerate discovery and spot patterns humans miss — think packet captures that flag a noisy IoT device in minutes instead of hours.
“This problem is not going to be solved by a series of regex… we have to look at AI as a capability to help us identify… semantic patterns.”
2) Where should controls live?
In the architecture, not the app. Keep secure coding by default, but move policy/enforcement/governance to the delivery layer so you don’t throttle dev velocity — and so controls evolve without redeploys.
3) What does “AI security” actually cover?
The loop (prompts, context, responses, completions, agents) — a surface that’s distinct from APIs and the network stack. Govern it explicitly. Also: adoption is outrunning security. If you’re still reactive, you’re late.
What You’ll Learn
- How to evolve from rules to semantic detection and pattern analysis.
- How architectural controls protect velocity and reduce security debt.
- Why AI must be governed as its own attack surface, end-to-end.
Quick explainer (for non-practitioners)
Regex = rule-based string pattern matching. Useful for forms; brittle against adversaries who mutate text (encoding, case, comments, spacing) so that the same attack no longer matches the fixed pattern. The shift here is to semantic signals (meaning/behavior), not just string matches.
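To make the explainer concrete, here is an added example (written for this page, not code from the episode or from F5): a naive regex rule for a SQL `UNION SELECT` injection next to a normalize-then-tokenize check. The sample requests are constructed. The normalization steps (bounded URL-decoding, stripping inline comments, collapsing whitespace, case folding, then matching on token sequence rather than raw bytes) are a standard WAF technique that stands in for the semantic analysis the conversation points toward; the page itself does not describe a specific method.

```python
import re
import urllib.parse

# Constructed sample requests: one obvious attack, four mutated attacks,
# and two benign strings that contain the words "union" and "select".
SAMPLES = [
    "id=1 UNION SELECT username, password FROM users",  # textbook form
    "id=1 UNION/**/SELECT username FROM users",         # comment as separator
    "id=1 UNI%4FN%20%53ELECT username FROM users",      # URL-encoded letters
    "id=1 UNION ALL SELECT username FROM users",        # keyword in between
    "id=1%20UNI%254fN%20SELECT username",               # double-encoded
    "q=reunion select committee",                       # benign, no word boundary
    "q=the union of states",                            # benign
]

# The brittle rule: a literal pattern over the raw request.
NAIVE_RULE = re.compile(r"union\s+select", re.IGNORECASE)


def naive_match(payload: str) -> bool:
    """Regex rule applied to the request exactly as received."""
    return bool(NAIVE_RULE.search(payload))


def normalize(payload: str) -> str:
    """Reduce surface variation before inspecting meaning.

    Decoding is bounded to three rounds so an attacker cannot force
    unbounded work by stacking percent-encodings.
    """
    s = payload
    for _ in range(3):
        decoded = urllib.parse.unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)  # /*...*/ used as whitespace
    s = s.lower()
    s = re.sub(r"\s+", " ", s)                    # tabs, CR/LF, runs of spaces
    return s.strip()


def tokens(s: str) -> list[str]:
    """Split normalized text into words, numbers and single punctuation marks."""
    return re.findall(r"[a-z_]+|\d+|[^\sa-z_\d]", s)


def semantic_match(payload: str) -> bool:
    """Flag the token sequence UNION [ALL|DISTINCT] SELECT regardless of encoding.

    Because matching is on whole tokens, 'reunion select' is not 'union select'.
    """
    toks = tokens(normalize(payload))
    for i, tok in enumerate(toks):
        if tok != "union":
            continue
        j = i + 1
        if j < len(toks) and toks[j] in ("all", "distinct"):
            j += 1
        if j < len(toks) and toks[j] == "select":
            return True
    return False


def evaluate(samples=SAMPLES) -> list[tuple[str, bool, bool]]:
    """Return (payload, naive_hit, semantic_hit) for each sample."""
    return [(p, naive_match(p), semantic_match(p)) for p in samples]


if __name__ == "__main__":
    print(f"{'naive':<6} {'semantic':<9} payload")
    for payload, naive_hit, sem_hit in evaluate():
        print(f"{str(naive_hit):<6} {str(sem_hit):<9} {payload}")
```

Run as a script to see the table: the literal rule misses every mutated attack and fires on the benign "reunion select", while the token check catches all five attack forms and neither benign string. The lesson is the one the episode draws: each bypass above would otherwise become another regex to maintain, whereas a single normalization layer in the delivery path can be tightened without touching the application.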
Guest Bio: Lori MacVittie
Distinguished Engineer & Chief Evangelist, Office of the CTO at F5. Lori focuses on emerging architectures, application delivery, and AI-driven operations. She’s a prolific industry author and speaker; prior to F5, she served as a technology editor at Network Computing.