Why Be Responsible When We Can Just Blame AI?

CISO Series Podcast
Why Be Responsible When We Can Just Blame AI?

"A human approved it" used to mean something. Now it's starting to sound like an alibi.

AI is making it easier than ever to ship fast and assign blame later. But who owns AI-generated code? This episode digs into what happens when an agent deletes your inbox, and why "a human approved the pull request" is starting to sound a lot like an alibi. 

This week’s episode is hosted by David Spark, producer of CISO Series, and Andy Ellis, principal of Duha. Joining them is their sponsored guest, Jadee Hanson, CISO, Vanta.

Listen to the full episode here.

The compliance receipt nobody reads

Let's give SOC 2 some credit. It wasn't designed to be useless, but point-in-time audits have made it that way. By the time a PDF lands in procurement, the security posture it describes is already months out of date, said Bil Harmer of Kraft Ventures. The problem is that nearly every SOC 2 report comes back spotless, which tells you nothing about the state of a vendor's actual controls. The industry knows this is broken and keeps buying anyway. Real improvement means moving toward continuous verification and full transparency, where buyers can see live control data instead of a frozen snapshot. The first vendor willing to show their messy, dynamic environment openly will face scrutiny. They'll also be the ones raising the bar. 

Who signs off on the AI that wrote the code

AI-generated code is already shipping into compliance-sensitive environments, and the governance hasn't caught up. The instinct is to require a human to approve every pull request. But the question came up in the cybersecurity subreddit: Who owns the code after it ships, after a reorg, after the team that wrote it no longer exists? Ownership at commit time isn't enough. Every piece of code running in production needs traceable accountability back to someone making active decisions about it, whether that accountability runs through a person or an AI operator. The review problem is real, but the ownership problem is older. AI just made it more urgent.

The agent that wouldn't stop

An AI agent deleted a Meta AI safety director's inbox. It had been told to confirm before acting. It didn't. The instinct is to call this an AI problem, but for Ross Young of the CISO Tradecraft podcast, it's really a systems design problem that predates AI entirely. Giving an agent admin-level access and trusting a prompt as the kill switch aren't control strategies. Kill switches belong in identity and access management, in scoped permissions, in chaos testing that asks what happens when the agent goes rogue before it does. Every system powerful enough to help at scale is powerful enough to cause damage at scale. The architecture has to account for that from the start.
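To make the "kill switches belong in IAM and scoped permissions, not in the prompt" point concrete, here is an added example; it is not code from the episode, from Meta, or from any vendor mentioned here. It models a toy mailbox tool, a hypothetical ToolGate policy object, and an agent that was told to confirm before acting and ignores the instruction. The inbox contents, the scope names (mail:read, mail:delete) and the approval tokens are all constructed for the demonstration.

```python
from dataclasses import dataclass, field

# Constructed inbox: five message ids, nothing more.
INBOX = ["m1", "m2", "m3", "m4", "m5"]
DESTRUCTIVE = {"delete_message"}


def misbehaving_agent(inbox):
    """Stand-in for a model told 'confirm before acting' that does not.
    It plans a delete for every message. Nothing here enforces the instruction,
    which is exactly the situation the text describes."""
    return [("delete_message", m) for m in inbox]


def run_prompt_only(inbox):
    """Anti-pattern: the prompt is the only guardrail, so every planned action
    executes with whatever privileges the agent holds (here: all of them)."""
    remaining = list(inbox)
    for action, target in misbehaving_agent(inbox):
        if action == "delete_message":
            remaining.remove(target)
    return remaining


@dataclass
class AgentGrant:
    """Hypothetical least-privilege grant issued to the agent by IAM."""
    scopes: frozenset            # e.g. {"mail:read"} or {"mail:read", "mail:delete"}
    max_destructive: int = 1     # blast-radius cap for one session
    revoked: bool = False        # the real kill switch: flipped by IAM, invisible to the prompt


@dataclass
class ToolGate:
    """Hypothetical execution-layer gate: every tool call passes through here,
    so the policy holds regardless of what the model decided to do."""
    grant: AgentGrant
    approvals: set = field(default_factory=set)   # (action, target) approved out of band by a human
    audit: list = field(default_factory=list)     # every decision, allowed or not
    destructive_count: int = 0

    def approve(self, action, target):
        self.approvals.add((action, target))

    def decide(self, action, target):
        if self.grant.revoked:
            return "deny:revoked"
        needed = "mail:delete" if action in DESTRUCTIVE else "mail:read"
        if needed not in self.grant.scopes:
            return "deny:scope"
        if action in DESTRUCTIVE:
            if self.destructive_count >= self.grant.max_destructive:
                return "deny:cap"
            if (action, target) not in self.approvals:
                return "deny:needs_approval"
        return "allow"

    def call(self, action, target, state):
        decision = self.decide(action, target)
        self.audit.append((action, target, decision))
        if decision == "allow" and action in DESTRUCTIVE:
            self.destructive_count += 1
            self.approvals.discard((action, target))   # approvals are single-use
            state.remove(target)
        return decision


def run_gated(inbox, grant, approved=()):
    """Same misbehaving agent, but every action goes through the gate.
    Returns the surviving inbox and the audit trail."""
    gate = ToolGate(grant)
    for action, target in approved:
        gate.approve(action, target)
    remaining = list(inbox)
    for action, target in misbehaving_agent(inbox):
        gate.call(action, target, remaining)
    return remaining, gate.audit


if __name__ == "__main__":
    print("prompt only:", run_prompt_only(INBOX))
    full = AgentGrant(scopes=frozenset({"mail:read", "mail:delete"}))
    print("gated, one approval:", run_gated(INBOX, full, approved=[("delete_message", "m2")]))
    print("gated, revoked:", run_gated(INBOX, AgentGrant(full.scopes, revoked=True)))
```

The agent's behaviour is identical in every run; only the enforcement point changes. With the prompt as the sole control the inbox is emptied. With a read-only grant no delete ever runs. With a delete scope, one out-of-band approval and a per-session cap, exactly one message goes and the rest are denied with a reason in the audit trail, and flipping `revoked` stops everything without the model being consulted at all. That is the difference between a kill switch in IAM and a kill switch in a prompt.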

The questionnaire that should not exist

AI in GRC has become shorthand for LLMs autofilling security questionnaires. That's a great floor for the tech, but hardly the ceiling. The questionnaire itself is the problem. Static questions sent to vendors produce static answers that don't reflect how a security program is performing week to week. The more useful application is an AI that continuously monitors your own program, flags when you've been missing vulnerability SLAs for 3 weeks, and lets buyers query live control data directly instead of waiting for a document. We should be trying to eliminate the paperwork, not make it more efficient.

Listen to the full episode on our blog, where you can also read the entire transcript, or in your favorite podcast app. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.

Thanks to James Purvis of Rubrik for providing our "What's Worse" scenario.

Thanks to our podcast sponsor, Vanta

Subscribe to CISO Series Podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.

Security You Should Know
Rethinking Tabletops with Reflex Security

Knowing the plan and executing under pressure aren't the same thing.

In this episode, Cassio Goldschmidt, co-founder and CTO at Reflex Security, explains how Reflex replaces static, script-driven tabletops with adaptive AI-driven simulations that fight back, measure real human behavior under pressure, and surface the gaps that scripted exercises never reach. Joining him are Nick Espinosa, host of the nationally syndicated Deep Dive Radio Show, and Jay Wilson, CISO and CIO at Insurity.

Want to know:

  • Why do traditional tabletops train teams to know the plan rather than execute under pressure?

  • What's the difference between a team that panics and a team that chokes, and why does it matter?

  • How does Reflex use AI agents to adapt the simulation based on what the team actually does?

  • Can you run separate tabletops for technical, legal, and executive audiences without multiplying the workload?

  • Is there a risk that security leaders optimize for the AI's score rather than genuine preparedness?

  • How does an AI agent joining a video conference change the way a tabletop runs?

  • How hard should training be relative to the real thing?

Read more and listen to the full episode for the answers you need.

Thanks to our podcast sponsor, Reflex Security

Subscribe to Security You Should Know

Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.

Best advice I ever got in security…

“Best advice I received was assume that you're wrong first, surround yourself with a team that challenges you, tells you you should dig in deeper. Curiosity and humility will find more risk than confidence ever will.” - Jadee Hanson, CISO, Vanta

Listen to the full episode of "Why Be Responsible When We Can Just Blame AI?"

Why Cyber Startups Need CISO Advisors

"A lot of vendors assume CISOs are always looking for the most advanced, the most sophisticated, the most innovative solution, but in practice, most are just looking for things that are dependable, understandable, operationally sustainable." - Steve Jensen, CISO, University of Maine System

Listen to the full episode of "Why Cyber Startups Need CISO Advisors"

Subscribe to our newsletters on LinkedIn!

CISO Series Newsletter - Twice every week

Cybersecurity Headlines - Department of Know

Our LIVE stream of The Department of Know happens every Friday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ve been having at work all week long.

Friday’s episode will feature Kathleen Mullin, former CISO, MyCareGorithm, and Mike Lockhart, CISO, EagleView. Join us on YouTube and catch up on what shaped the week in security.

Thanks to our Cybersecurity Headlines sponsor, ThreatLocker

Super Cyber Friday
Join us next Friday for “Hacking Pentesting in the Age of Agentic AI”

Join us on Friday, May 29, 2026, for Super Cyber Friday: “Hacking Pentesting in the Age of Agentic AI: an hour of critical thinking about who's really in charge when the machines do the testing.”

It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by Eric Sheridan, CTO, Sprocket Security, and one other special guest, for an hour of insightful conversation and engaging games. And stick around for our always-popular meetup, hosted right inside the event platform.

Thanks to our Super Cyber Friday sponsor, Sprocket Security

Share for a chance to WIN A FREE GIFT!

Help us get the word out! Share next week’s Super Cyber Friday registration link on LinkedIn, tag me (David Spark) and CISO Series, and you'll be entered for a chance to win an item from our prize store. We'll randomly pick one winner from everyone who shares.

Participate! Add our live shows to your calendar

Learn more about all of the fun ways you can participate, and add our events to your calendar.

Cybersecurity Headlines - Daily News Shorts

Subscribe to the CISO Series YouTube channel, for daily shorts videos from CISO Series reporter, Rich Stroffolino. You can find all of the stories he’s covered, plus new content every weekday, at the Cybersecurity Headlines Shorts YouTube playlist.

Thank you for supporting CISO Series and all our programming

We don’t just say we appreciate your feedback; we incorporate it into our programming. Learn more about all of the fun ways you can participate.

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship, contact me, David Spark.