EPISODE · Jul 8, 2026 · 20 MIN
The AI Control Loop: What's Missing in AI Security Today - with Craig Thomas of Wallarm
from Code Story: Insights from Startup Tech Leaders · host Noah Labhart - Startup Founder & CTO
Today, we are dropping another episode in our series The AI Control Loop, How enterprises govern the AI they've already deployed - sponsored by our friends at Wallarm.Wallarm is the AI Control Platform for Enterprise AI, protecting every AI workload, API, and application in production, giving CISOs the governance they need and CIOs the speed they demand. Organizations choose Wallarm for a complete inventory of APIs, AI agents, and AI apps, patented AI/ML-based threat detection and blocking that operates at production traffic speeds.In today's episode, Craig Thomas, Sr. Solutions Engineer at Wallarm, returns to the show to dive into why runtime behavior is the critical blind spot, and what CISOs should demand if they want to move from policy to control.QuestionsSecurity teams are used to detecting incidents and responding after the fact. Why is that model becoming insufficient for AI-driven systems?Building on that, when we talk about response today, enforcement often means actions like restarting pods, rotating credentials, or shutting down services. Why can those measures come too late in an AI environment?So if traditional response isn't enough, why does AI behavior require controls that operate much closer to runtime?And when people hear "runtime enforcement," they may think of existing security controls. What changes when enforcement happens at the kernel level rather than only at the network, identity, or application layer?Can you make that tangible for us? What does it actually mean to revoke or contain a compromised AI session without disrupting the broader deployment?How does that kind of real-time containment change the risk equation for AI agents that have access to sensitive data, external services, or production workflows?With that in mind, what are some examples of AI behaviors that organizations should be able to stop immediately?Of course, security teams also don't want to become a bottleneck. How do organizations balance strong enforcement with the need to keep AI development and deployment moving quickly?And once organizations have the ability to discover, observe, and enforce AI behavior in real time, how does that change accountability at the enterprise level? What does good governance look like from there?Linkshttps://www.wallarm.com/https://www.linkedin.com/in/cu-craigthomas/Full AbstractThis episode examines what is actually missing in AI security today. Craig Thomas, Sr. Solutions Engineer at Wallarm, dives into why runtime behavior is the critical blind spot, and what CISOs should demand if they want to move from policy to control.CIOs and CISOs have moved past debating whether AI security matters. The question now is what to actually do about it, and most organizations are finding that their existing tools answer a different question than the one AI is asking.Traditional security tools were built around access: who can reach a system, what credentials they present, what traffic looks like at the perimeter. AI shifts the problem to execution: what a system does once it has access, whether that behavior matches what the business intended, and how you know when it doesn't. Most current tooling has no answer for that. It can tell you what is deployed and what is configured. It cannot tell you what your AI is actually doing at runtime, on whose behalf, or whether any of it violates the policies you thought were in place.That gap is where most AI security programs stall. There is no shortage of governance frameworks, compliance checklists, and vendor claims. What is missing is operational control: the ability to see AI behavior as it happens, enforce policy at runtime, and produce evidence that holds up when an auditor or a board asks for it. The four capabilities that define a closed AI control loop, discover, observe, enforce, govern, are well understood as a category. Getting all four working together in production is where the real work begins.Our Sponsors:* Check out Cash App and use my code CASHAPP10 for a great deal: https://click.cash.app/ui6m/mt82fpxl #CashAppPod. Cash App is a financial services platform, not a bank. Banking services provided by Cash App’s bank partner(s). Prepaid debit cards issued by Sutton Bank, Member FDIC. See terms and conditions at https://cash.app/legal/us/en-us/card-agreement. Cash App Green, overdraft coverage, borrow, cash back offers and promotions provided by Cash App, a Block, Inc. brand. Visit http://cash.app/legal/podcast for full disclosures.* Check out Plaud AI and use my code CODESTORY for a great deal: https://plaud.aiAdvertising Inquiries: https://redcircle.com/brandsPrivacy & Opt-Out: https://redcircle.com/privacy
What this episode covers
Today, we are dropping another episode in our series The AI Control Loop, How enterprises govern the AI they've already deployed - sponsored by our friends at Wallarm. Wallarm is the AI Control Platform for Enterprise AI, protecting every AI workload, API, and application in production, giving CISOs the governance they need and CIOs the speed they demand. Organizations choose Wallarm for a complete inventory of APIs, AI agents, and AI apps, patented AI/ML-based threat detection and blocking that operates at production traffic speeds. In today's episode, Craig Thomas, Sr. Solutions Engineer at Wallarm, returns to the show to dive into why runtime behavior is the critical blind spot, and what CISOs should demand if they want to move from policy to control. Our Sponsors: * Check out Cash App and use my code CASHAPP10 for a great deal: https://click.cash.app/ui6m/mt82fpxl #CashAppPod. Cash App is a financial services platform, not a bank. Banking services provided by Cash App’s bank partner(s). Prepaid debit cards issued by Sutton Bank, Member FDIC. See terms and conditions at https://cash.app/legal/us/en-us/card-agreement. Cash App Green, overdraft coverage, borrow, cash back offers and promotions provided by Cash App, a Block, Inc. brand. Visit http://cash.app/legal/podcast for full disclosures. * Check out Plaud AI and use my code CODESTORY for a great deal: https://plaud.ai Advertising Inquiries: https://redcircle.com/brands Privacy & Opt-Out: https://redcircle.com/privacy
NOW PLAYING
The AI Control Loop: What's Missing in AI Security Today - with Craig Thomas of Wallarm
No transcript for this episode yet
Similar Episodes
Apr 22, 2025 ·32m
Feb 27, 2025 ·0m
Feb 1, 2025 ·168m
Sep 20, 2024 ·57m