The CSA Triangle chapter meets monthly, usually on the third Thursday of the month. Everyone is welcome regardless of membership status. Attendees are invited and encouraged to join the chapter in recognition and support of the value the chapter brings to individuals, sponsors, and the community. Register via our LinkedIn Group.
Speaker: Adam Arellano
Title: The Real Metric for AI in Your SDLC
Summary of Presentation: The security implications of AI-generated code aren't a future problem. They're already showing up in pipelines, in vulnerability backlogs, and in the growing gap between how fast code is being written and how fast it's being reviewed. Code volume is on track to increase fourfold, and most security programs weren't designed to absorb that.
This session looks at what that shift means for security leaders and the engineering organizations they partner with. We'll cover how the modern software pipeline creates compounding risk when it's moving faster than it was built to handle, and why models like Anthropic's Mythos represent a step change in the speed and scale of exploitation, not just another threat to add to the list. More importantly, we'll talk about what to do about it. Six concrete steps that security and engineering teams can take together to reduce exposure, shorten remediation cycles, and actually get ahead of the threat rather than just respond to it.
The goal isn't to slow things down. It's to build pipelines that are genuinely fast and genuinely secure, and to give security leaders the language and the framework to make that case inside their organizations.
Speakers: Manny Landron, TBD
Title: Securing and Governing AI: A Technical and Legal Perspective (Panel discussion)
Synopsis: AI adoption demands more than good intentions — it requires coordinated action across technical and compliance disciplines. This panel brings together technical cybersecurity practitioners and legal/compliance leaders to examine how organizations can simultaneously secure AI systems from existing and emerging threats and govern them through threat models and frameworks to ensure their safe and responsible adoption.
Speaker: TBD
Title: TBD
Summary of Presentation:
TBD
Speaker: Clayton Bohlman
Title: Continuous Threat Modeling for Cloud & AI Systems: Applying Architecture-Driven Security at Scale
Summary of Presentation:
Cloud and AI adoption have fundamentally changed how systems are built. Dynamic infrastructure, shared responsibility models, and increasingly autonomous AI behaviors are introducing risks that traditional, point-in-time threat modeling approaches can’t adequately address.
This session explores how organizations can evolve threat modeling into a continuous, architecture-driven practice that keeps pace with modern cloud and AI environments. We’ll walk through practical approaches to modeling cloud-native systems, incorporating AI-specific risks, and applying frameworks like MAESTRO to assess agentic behaviors and emerging attack paths.
Attendees will gain a pragmatic view of how to integrate threat modeling into DevSecOps workflows, improve consistency and traceability in security decisions, and better align architecture, risk, and compliance in complex, multi-cloud environments.
Speaker: Daniela Lulli
Title: Robots vs Robots – Securing AI Throughout the Data Lifecycle
Summary of Presentation:
As AI systems, copilots, and autonomous workflows proliferate, defenders must secure not only the data that fuels them—but the AI behaviors, access paths, and automation they introduce. Robots vs. Robots explores how organizations can protect AI systems end‑to‑end by controlling data exposure, governing AI access, and using automation to stay ahead of adversaries.
Speaker: Sif Baksh
Title: Automating the Cloud Controls Matrix: From Deterministic Audits to AI Agents
Modernizing GRC by evolving static risk workflows into intelligent AI agents that map security alerts directly to CSA standards
Summary of Presentation:
Despite the rise of AI, "manual work remains stubbornly high" for security teams. This session demonstrates how to bridge the gap between CSA Cloud Auditing (CCAK) and practical automation by building a three-stage GRC pipeline in Tines:
The Foundation (Deterministic): We begin by ingesting raw cloud alerts and creating a standardized "Risk Register using Tines Records", ensuring every violation is captured without manual entry.
The Intelligence (AI Agent): We upgrade the workflow with an AI Agent action. Because "Agents shouldn’t be a black box", we explicitly instruct it to map alerts to the Cloud Controls Matrix’s "197 control objectives" and recommend remediation.
The Interaction (AI Chatbot): We conclude by deploying an "AI interaction layer". This allows auditors to query their compliance data using natural language (e.g., "Show me all GDPR risks"), effectively "unlocking AI’s full value" for the audit process.
Speaker: Jacob Graves
Title: Securing AI Use in the Cloud: Practical Guardrails for Enterprises
Summary of Presentation:
Enterprises are rapidly adopting AI across browsers, code assistants, and internal apps—but with that adoption comes new risks: shadow AI, data leakage, prompt injection, unsafe responses, and governance gaps. This session shares a practitioner’s view on how to put actionable guardrails in place across three core areas: employee use of AI tools, developers using AI code assistants, and homegrown AI applications. We’ll walk through real-world patterns for visibility and control (e.g., detection of unsanctioned AI tools, policy-based redaction and enforcement, content moderation), and discuss emerging challenges with agentic AI and MCP frameworks—plus how dynamic risk scoring and gateway patterns can help mitigate them in cloud environments.
Key Takeaways:
A simple framework to assess and prioritize AI security risks across employees, developers, and internal apps.
Pragmatic controls you can deploy now: observability for shadow AI, automatic data redaction, policy enforcement, and content safeguards.
How to approach agentic AI and MCP risk: what to monitor, how to score risk, and where to enforce controls (endpoint, proxy, or app layer).
Implementation patterns that balance developer velocity and user experience with enterprise-grade governance.