
In this episode of ClearTech Loop, Jo Peterson speaks with James McQuiggan, founder and CISO of Apparent Security, about three issues shaping enterprise AI security: shadow AI, non human identities, and AI defense.
James brings the lens of an educator to the conversation. His background spans cybersecurity, threat intelligence, critical infrastructure, human risk, and security leadership, but what comes through most clearly is how much he thinks about the way people learn, adopt new tools, and change behavior.
As AI adoption accelerates, organizations are being pushed to manage policy, visibility, access, and education at the same time. This conversation explores why shadow AI is both an IT and security issue, why non human identities require tighter control around data access, and why AI defense now includes defending with AI, defending against AI enabled attacks, and protecting AI systems themselves.
Episode Highlights
Shadow AI is both an IT and security issue
James frames shadow AI as the next version of shadow IT. Employees are using AI tools because they want to move faster, solve problems, and get work done. In many cases, that usage is happening before organizations have fully caught up with training, approved tools, and governance.
That makes shadow AI a shared responsibility. Security owns the risk, policy, and governance. IT owns the technical path, controls, and approved access. When those two groups are not aligned, the business ends up with visibility gaps.
James also makes the case that blocking access is not a complete strategy. If people believe AI tools help them work faster, they will find ways to use them. The better answer is to provide safer options, create visibility, and make education part of the rollout.
Non human identities are changing the access conversation
The discussion then shifts to non human identities and the access challenges created by AI systems, agents, APIs, and automation.
James explains that AI tools need access to data in order to be useful, but broad access creates real risk. If an AI system can reach email, directories, files, and internal data without the right permissions and controls, it can expose information to people who should not be able to see it.
That makes non human identity more than an identity management issue. It is also a data flow, authorization, and API security issue.
AI defense has three parts
When asked what AI defense means, James breaks it into three areas.
First, there is using AI to help defend the organization. Security products have used machine learning and predictive analysis for years, and large language models are adding new support and knowledge capabilities.
Second, there is defending against attackers who are using AI. Phishing emails are getting better. Language barriers are lower. The old advice about checking spelling and grammar is no longer enough.
Third, organizations have to defend the AI systems they are adopting. As AI tools become connected to business data, workflows, and systems, they need to be protected as part of the enterprise environment.
About James McQuiggan
James McQuiggan is founder and CISO of Apparent Security. He is a threat intelligence strategist, cybersecurity educator, and practitioner with more than 25 years of experience across critical infrastructure, human risk management, and security leadership.
His work focuses on helping organizations understand cybersecurity risk in practical terms, from the front desk to the boardroom. In this episode, he brings that educator’s perspective to AI security, with a focus on safe adoption, continuous learning, and the human side of cybersecurity.
Why This Episode Matters
AI security is not only a policy, tooling, or governance issue. It is also an education issue.
This episode is especially relevant for CIOs, CISOs, security leaders, IT leaders, and enterprise technology teams trying to manage AI adoption inside live environments. From shadow AI and unsanctioned tool use to non human identity access and AI enabled threats, the conversation highlights why leaders need to understand what is already happening before they can control it.
Key Quotes
- “Cybersecurity is not the department of no. We needed to be the department of, okay, well, let’s try to work on that.” — James McQuiggan
- “When the NHI has got full access to everything, it’s going to give everything.” — James McQuiggan
- “If a cyber criminal gets in and they gain access into that AI environment, that’s it, game over.” — James McQuiggan
- “Education has to be part of any AI policy rollout. If a CISO can’t baseline the environment, they won’t know which teams are already ahead, or how to help them continue safely.” — Jo Peterson
Listen · Watch · Subscribe
- Listen to the full episode
https://www.buzzsprout.com/2248577/episodes/19198911
- Watch on YouTube
https://youtu.be/gnD0jSPm9Wg
- Subscribe to ClearTech Loop on LinkedIn
https://www.linkedin.com/newsletters/7346174860760416256/
Additional Resources
- AI and the Boardroom: Bridging Innovation and Security by James McQuiggan:
https://blog.knowbe4.com/ai-and-the-boardroom-bridging-innovation-and-security
- National Institute of Standards and Technology AI Risk Management Framework:
https://www.nist.gov/itl/ai-risk-management-framework
- National Institute of Standards and Technology Cybersecurity Framework:
https://www.nist.gov/cyberframework
- Season 1 ClearTech Loop:
https://www.buzzsprout.com/2248577