
In this episode of ClearTech Loop, Jo Peterson speaks with Rock Lambros, CEO and Founder of RockCyber, about three issues shaping the next phase of AI security: shadow AI, non-human identities, and what AI defense actually means in enterprise environments.
Rock brings a cybersecurity perspective grounded in governance, agentic AI risk, identity, and operational security. His work with RockCyber and the OWASP GenAI Security Project gives him a clear view into how organizations are trying to secure AI systems while adoption continues to move faster than governance.
As AI becomes part of daily workflows, leaders are being pushed to manage visibility, accountability, and defense in real time. This conversation explores why shadow AI is really a governance issue, why non-human identities are becoming harder to manage, and why AI defense requires more than vendor messaging.
Episode Highlights
Shadow AI is a governance issue, not just a policy problem
Rock frames shadow AI as a familiar problem moving at a new speed. Employees are not adopting unauthorized AI tools because they are trying to create risk. They are usually trying to get work done when approved tools are too slow, too limited, or not available.
That creates a visibility problem. Organizations need to understand what is already in use, where data is going, and whether sanctioned alternatives exist before they can build effective guardrails.
Non-human identities are changing the scale of identity management
The conversation also examines how machine identities, service accounts, and agent-driven identities are expanding faster than many organizations can manage. Traditional identity programs were built around people, but today’s environments increasingly rely on non-human actors with broad permissions and unclear ownership.
Rock points out that agentic systems add a new level of risk because they do not behave like people. They do not naturally pause, question ambiguity, or escalate for review. They execute. That makes lifecycle management, attestation, ownership, and accountability much more important.
AI defense is bigger than “AI powered” tooling
When asked about AI defense, Rock separates real security needs from vendor messaging. There are legitimate parts of AI defense, including protecting AI systems from manipulation and using AI to improve detection and response.
The challenge is that many vendors are compressing those ideas into broad “AI powered” messaging. For Rock, the more important question is whether security teams understand the new attack surface and how AI is actually being used inside their environments.
About Rock Lambros
Rock Lambros is CEO and Founder of RockCyber and an active contributor to the OWASP GenAI Security Project. His work focuses on cybersecurity strategy, AI governance, agentic AI security, risk management, and helping organizations move from theoretical governance to operational controls.
He has written and spoken extensively about AI governance, autonomous systems, agentic security, and the need for organizations to rethink how they manage AI risk as systems become more capable and more embedded in enterprise environments.
Why This Episode Matters
AI security is no longer a future planning exercise. It is already part of daily operations.
This episode is especially relevant for CIOs, CISOs, security leaders, IT leaders, and enterprise teams trying to understand how AI is already being used across their environments. Shadow AI, non-human identities, and AI defense are not separate conversations. They are connected by the same underlying issue: adoption is moving faster than visibility, governance, and control.
Key Takeaways
- Shadow AI is not just a user behavior issue. It is a visibility and governance gap driven by speed, productivity pressure, and limited approved alternatives.
- Non-human identities are scaling beyond traditional identity models, creating new challenges around ownership, permissions, lifecycle management, and accountability.
- AI defense requires organizations to understand the attack surface, not just adopt tools labeled as AI driven.
Key Quotes
- “I don’t think shadow AI… is a security failure. It’s an overall governance failure.” — Rock Lambros
- “Most organizations have at least 10x more machine identities than human identities, and they can’t tell you which ones have admin rights to production.” — Rock Lambros
- “I need to reach for my wallet… vendor, vendor, vendor… buzzword bingo.” — Rock Lambros
- “What I care about is more whether your security team understands the new attack surface than whether your vendor has a chatbot interface to their product.” — Rock Lambros
- “The thing I like about the shadow AI conversation is it’s forcing people to actually talk to each other. Whose hot potato is it?” — Jo Peterson
Listen · Watch · Subscribe
- Listen to the full episode: https://www.buzzsprout.com/2248577/episodes/19123355
- Watch on YouTube: https://youtu.be/GiAcyPmdcXM?si=j_h40GJhBm87z5ym
- Subscribe to ClearTech Loop on LinkedIn: https://www.linkedin.com/newsletters/7346174860760416256/
Additional Resources
- OWASP GenAI Security Project: https://genai.owasp.org/
- AAGATE: Agentic AI Governance Assurance & Trust Engine: https://www.rockcybermusings.com/p/aagate-governing-the-ungovernable-operationalizing-nist-ai-rmf-agentic-ai
- Governing the Ungovernable: https://aicybermagazine.com/governing-the-ungovernable/