Live @ RSAC 2026: AI FOMO

0:00:05 Max Havey: Hello and welcome to Security Visionaries, a podcast all about the world of cyber data and tech infrastructure, bringing together experts from around the world and across domains. I'm your host, Max Havey, and today we have a really special episode here at RSAC 2026 where we'll be talking to Netskope, CISO, James Robinson. James, hello and thanks for taking the time. Glad you're here.

0:00:24 James Robinson: Thank you, Max.

0:00:25 Max Havey: So James, hopefully you can hear me. I know there's a lot going on here, so everything coming in good on your end?

0:00:31 James Robinson: Yeah, everything's great on my end.

0:00:32 Max Havey: Okay, excellent. Glad to hear, glad to hear. Usually we're talking through computer screens, so this is exciting that we're doing this.

0:00:38 James Robinson: Noise canceling, no background noise. All kinds of stuff.

0:00:40 Max Havey: We can't do that here. We can't do that here at RSA. We got to do it live and in person, which

0:00:44 James Robinson: It's better that way anyways.

0:00:46 Max Havey: Absolutely, and I agree. So James, to jump right in here, RSA is always a buzz with AI. So what's the trend that you've heard the most so far at the conference? Yeah,

0:00:55 James Robinson: I think this year, AI, obviously buzz last year was genAI. This year's agentic, agentic all over the place, heavy guardrails, a lot of conversations about that and it always comes back to also data, access and data, access and data no matter what it is. And so those are probably the two biggest themes I would say that kind of come across everywhere. And then you start peppering in a little bit with pen testing and some of those other areas like that, but mostly it's all about access and then the data that they would have access to is an agentic platform and system and how do people enable that. There's been some conversation also where people just are still trying to feel it out. They're still kind of in the governance side of the equation, but for those who I'd say are really progressing and really pushing themselves forward, it's about agentic.

0:01:42 Max Havey: Absolutely. Well, and another term that I hear coming up quite a bit in conversations I'm having here at the conference is data sovereignty. Where does data sovereignty crossover in that AI, agentic AI sort of conversation?

0:01:53 James Robinson: Yeah, sovereignty kind of comes up in multiple different areas. So there's the data sovereignty side, but then you also need to think about digital sovereignty. You got to think about AI sovereignty, cloud sovereignty, all these different pieces, and they all kind of come together at the end of the day and when they come together data, a lot of times it's still kind of the key thing and data sovereignty really on the basis is a lot of data needs to come together for AI to work, but how do you actually keep it where it needs to be? And so how do you keep that data within whatever region that it needs to be processed? Keep it there and if you can keep it there, then you're in a much better position to kind of support that data Sovereignty side, many organizations would say, well, we have a data leak, so we pump all the data back together. Data sovereignty breaks that entire model. So you want to try to still do AI and you still want to be able to use all this data and this information, but you can't necessarily always leverage the same approaches that you could before.

0:02:47 Max Havey: Absolutely. Well, it's what you said earlier, talking about guardrails, that being kind of a key thing, keeping folks in line and making sure no one is sharing things they shouldn't be sharing, letting sensitive data out in the world.

0:02:58 James Robinson: Yeah, that's exactly it. Or not even letting it out in the world, but even how do you use it internal to your organization? So if you think of your organization, there may be one team that wants to get access to that data and maybe they shouldn't have access to that because they need to transfer it out of that organization or out of one team, one function, one country into another. That's when you start to get into sovereignty issues as well.

0:03:20 Max Havey: Definitely. Well, and I think thinking about data, keeping sensitive data where it needs to be, I think a lot about highly regulated industries, so I'm kind of curious, what are some of the big challenges that are facing sort of highly regulated industries as they're things like banking or real estate or retail, manufacturing, all these ones that are dealing with high volumes of sensitive information. What are some of the big challenges that they're facing when it comes to successfully and securely enabling AI?

0:03:49 James Robinson: The biggest one that I see is there's still not a lot of frameworks in place for them to follow. And so of those frameworks, it's still a rapidly developing technology space and area. And so a lot of these highly regulated organizations are kind of stuck. They want to enable and they want to take advantage of a lot of AI and a lot of modernized AI agentic and genAI, but at the same time, they're still waiting to see what is approved, what is appropriate, how much should they go and how far should they go. And so you kind of see in some areas they may have test groups, pilot groups, functions that are starting to look at it and then you see in other areas where they've just put a hold on it, depending on what kind of regulation is coming out. And so that's probably the biggest thing on the regulated industries right now. They're still trying to figure it out as they kind of wade through the governance and the different regulations that are starting to shape up, and then how do they actually apply those? I would say things like the EU AI Act we're very, very clear in many ways where they broke down things such as you shouldn't be building a weapon, things like that. So that was a very easy, very clear one, but then when you start getting into kind of tearing that apart or opening up the onion more and more and you start to get into, well, if you are an organization that does do something like that, or if you are an organization that's in financial services, how far can you go? And then again, going back, what is data sovereignty? What's the data regulations look like? What are these different items? All of that is stuff that needs to be played out

0:05:21 Max Havey: Well, and it's interesting too, thinking about data sovereignty where those regulations are changing depending on where in the world you are, and that's sort of amplifying that problem. If you have a problem in the EU, you're going to have a similar but different problem in the Middle East or in America or in Australia. It's all kind of a different game depending on where you go

0:05:41 James Robinson: To that point. Right now, we're tracking dozens of regulations that are being created that are going to impact our customers and potentially then be applied to us as well. And so as those developers, as they become something that we have to also watch ourself, that's something that we're looking at internally trying to understand and also just trying to stay on top of to understand. For us, a lot of times as a security organization inside of a security company, we're very driven by what the market and what the field is asking for as well, or sellers are asking it because our customers are asking for that. So that comes into us and then we have to start initiatives internally to make sure that we can map and meet those regulations as well.

0:06:19 Max Havey: Definitely. Well, and something I'm kind of curious about is for CISOs and security leaders who are in these sort of highly regulated industries, how should they be going about going from something that's sort of like a speculative AI use case to applying these things in sort of the real world environment within their organization? What are some of the questions they should be asking around that and figuring that out?

0:06:38 James Robinson: I think the biggest one that we found is kind of a non-starter type of question is, "Are you learning from my data? And not only is that one that we get, our customers ask us that, but then also we ask our providers that that's one. The other one does go into wherever they're at in the world, is the AI that's being delivered within some type of area that they're comfortable with, or are you bringing all that information back together when you're starting to operate and apply AI to that dataset? The other one is are there any emerging threats or are you opening up the door? There's still a lot of rapid technology that's being developed. We've watched the come and the wave of MCP and now we're starting to see MCP now is being challenged in many ways and there may be another protocol that comes up. These types of things are areas where regulated industries has kind of let it go by, let the flood and the storm and let that go by and let others figure it out, and then they start to adopt. So I think that some of the earlier technologies that were developed by earlier, I mean last year,

0:07:41 Max Havey: Yeah, that's security for you.

0:07:43 James Robinson: Some of those technologies, now they're starting to take a look. At the same time I see that those organizations that try to take their AI governance committees that are being created and really not just make 'em a team that's a yes or a no, but an enablement team as well, one that has business included, not just legal, not just security, not just it, but other business partner and teams as well. Those are the teams I see moving much faster than the teams that are kind of the ones that are banding together to try to say no, or I need to know KNOW. They're the ones that are saying yes, just how do we get there?

0:08:20 Max Havey: It's sort of that go with the flow mentality. I've been watching a lot of Bruce Lee mos. I'm thinking about "Be water," that kind of mentality as it comes to enabling AI, finding ways to say yes and keeping things enabled without being too frictional with it all.

0:08:36 James Robinson: Yeah, that's correct. Exactly.

0:08:38 Max Havey: Well, sort of in that same vein, I know yesterday you had a briefing set session talking with Ben Fellows, the CISO from Hitachi, a really, really good conversation. Folks who weren't there, they really missed out. I really wanted to talk to you about the idea of data governance. That was a big topic that you guys were talking about in there. So can you take me through a bit about why data governance is something that folks in highly regulated industries like the one that Ben is in, why that's such an important thing that they got to keep in mind as they're sort of figuring out how to enable AI like this?

0:09:07 James Robinson: Part of it is going back to the data sovereignty discussion that we already had, but there's another area that we found is a pretty cool area. I'd say it's a little bit innovative, and that was our privacy and data protection team started to come up with this idea. We were challenging them and saying, "Hey, how do we go faster?" A lot of people go back to data classification. Data classification, you're kind of putting things into a couple of buckets. Is it super secret or is it something that we can basically release open or do we need to just handle it with some gloves or how do we actually approach it? We actually took it a step further and the privacy and data protection team took it way further and they started coming up with data categories. So now we can say, this AI system that we're bringing in is okay and approved for these categories, which really does help out the teams, and it helps 'em out way more. Now they understand when I said confidential data, did I actually mean something like code and intellectual property or did I mean something like our financials? Well, now we can actually say it's approved for financials, it's not approved for code and intellectual property. We can take that step further. That's something I recommend to many, many, many teams. Data governance goes into a lot of different areas. It also goes into can you discover where the data is? Can you understand how that data is actually being used inside of something? Are you taking that data and creating your own models with it? Are you taking that information and processing in a different way? Are you handling it differently? So data governance goes into many, many more areas, but kind of the lean into do the enablement for teams. I'm seeing that the number one thing is that move that we made, which I'd recommend to anyone, and I'm happy to share it with anyone. That move that we made to move into data categorization has really helped us out

0:10:48 Max Havey: Certainly. Well, it's sort of knowing what is the thing that folks need to be careful with. It's like everything could be considered confidential depending on who it is that's handling it and what you're using it for, and being able to have those categories in place is ultimately what makes it easier for folks to understand what they're putting at risk and how they can take a better part in not putting it at risk.

0:11:10 James Robinson: Yeah, exactly. That's exactly the idea there. And they know where their boundaries are at and what the application is approved for or the vendor is approved for as well.

0:11:18 Max Havey: Absolutely. Well, as a CISO at a security vendor, I think you sort of gestured at this a little bit. What was sort of your aha moment when it came to figuring out how to best sort of enable AI within the organization at Netskope?

0:11:30 James Robinson: Yeah, it was really just a flood and the wave, and that was one of 'em. We're a tech company, and so as a tech company, we need to be leaning into it. New technology is always helpful and a new approach is always helpful, and so I knew that it had to be an enablement factor for us. Also, customers were starting to ask more. The industry was starting to move faster, and now I think that we've maybe even gone a step further. It's almost living into what we're calling the FOMO moment right now, which a lot of people, I get requests from folks all the time that they say, "Can I use this tool?" And I say, "Well, what do you want to do?" "I don't know. I feel like I'm missing out," and in some cases I feel the same way, right? Yeah, I want my home lab to run OpenClaw, but I want to also protect where it's running and what it's doing.

0:12:16 Max Havey: Right, exactly.

0:12:17 James Robinson: And so that's exactly where a lot of people are at, and so I would say that aha moment for me was exactly when I started seeing the flight and trajectory and now kind of running with that same thing. It's taking off, it's flying now, but now it's also the FOMO moments are happening. I'm like, oh, I need to play with that. I need to do that right. At the same time as doing the day job.

0:12:38 Max Havey: Well, very much so. I feel like every week you blink and there's a new app that everybody wants to be using. It's the thing that we all, you want to stay ahead. It's, it is that FOMO sort of moment, and I felt that when ChatGPT first came on the scene back in 2023 or no, 2022, it was November 22. It was real. It was like a sea change moment. You're kind of like, you don't want to be behind the times with it all.

0:13:00 James Robinson: What'd you ask? What was your first question?

0:13:01 Max Havey: Oh, I think I did some dumb 2001 A Space Odyssey type thing. Like, oh, can you open the pod bay doors?

0:13:07 James Robinson: Mine, I just wasted tokens. I said, hi, how are you?

0:13:11 Max Havey: That's not awful. Well, I think now they would say that's awful, but at the time, we had to figure it out some way, shape or form.

0:13:17 James Robinson: You had to start somewhere, right?

0:13:19 Max Havey: Exactly. Well, James, kind of coming to the end of the questions here, what is one tip that you would give to security leaders, CISOs and technology leaders, even in the highly regulated sectors of finance and banking and real estate and retail and things like that? What's one tip that you would give them as they're sort of looking at better enabling AI like this?

0:13:42 James Robinson: Yeah, since think I shared the ambassador side last time.

0:13:47 Max Havey: Yes, I believe you did it on a recent episode. Go listen to it.

0:13:50 James Robinson: We're still getting a lot of good use out it now. We've enabled even more teams with it. Then the next one that we've been really pushing on internally and I'd recommend to anyone again, was I think I shared before with some others, start red teaming. Start finding a partner. They can start doing things, but enable your team also to start doing defense, have them start investigating. The other day, we found prompt injection internally that led us to SQL injection. From that, I asked the CSIRT team, the investigation team to go in and take a look and can they put it back together? Can they understand what happened? Right. That was as part of our testing that we were doing on a new product that we were releasing. We were able to find that, but then we also wanted to be able to go back and put that together to see if we can actually respond to it, and then from there, how do we enable the operations teams to be able to see it the next time it happens? Not that we ever want to release something with prompt injection, of course not, but it could happen, and as we know with defense in depth, you got to be prepared and you got to be ready and you got to be able to respond, and so I would recommend to anyone, get your teams ready From there, start to definitely position yourself in a way that you are starting to use those. Never waste an incident. We know this, so use those and start to put yourself in a position to be able to respond to 'em.

0:15:01 Max Havey: Yeah, absolutely. As an Eagle Scout myself, it's always that be prepared mentality that you want to be bringing to every facet of the work that you're doing.

0:15:09 James Robinson: Yeah. So I got a special gift for you here.

0:15:12 Max Havey: Oh, you do? Yeah. So incredible.

0:15:14 James Robinson: Now you get to be the CISO here.

0:15:15 Max Havey: Oh gosh.

0:15:16 James Robinson: With that, now I get to ask you questions.

0:15:18 Max Havey: Oh my gosh. Yeah. James, hit me.

0:15:19 James Robinson: What's been your most amazing thing that you've seen here?

0:15:22 Max Havey: Well, the most amazing thing, I got to interview a goat yesterday, a felt goat puppet. It was truly the highlight.

0:15:29 James Robinson: They had blue.

0:15:30 Max Havey: Yeah,

0:15:31 James Robinson: It was right by the session.

0:15:32 Max Havey: Yeah. Oh, yeah. Yeah. He was hanging out. He's a little goat with glasses dressed like a spaceman. Truly. I have never been so excited.

0:15:39 James Robinson: I think the GOAT accidentally bumped in the Bailey.

0:15:40 Max Havey: Yeah, I probably, that sounds correct. It's a total delight. It made me so happy. On the actual security side. I've seen a lot of really interesting conversations. I sat in on a good session with Steve Riley and someone from Illumio talking about sort of AI and the human perspective and what needs to go into all of that as we're seeing things become more robust as it comes to age agentic and generative AI and things of that sort. So yeah, continuing a lot of the AI conversations we're having, but the sorts of things that I just really said is Trevor from Illumio, that is the guy that Steve was talking to. Really, really good conversation. That's awesome. Yeah. And any other questions for me? Now that I have the mic turned on me?

0:16:22 James Robinson: There was an item that I heard at the AWS CISO Circle, and it was about this new idea, this new concept that we know people process technology, but what about the idea of going agent processed technology?

0:16:37 Max Havey: Oh

0:16:37 James Robinson: What do you think about that? Oh,

0:16:38 Max Havey: Agent process technology. So like agents that are using technology, they're using these tools themselves.

0:16:44 James Robinson: Substituting people.

0:16:45 Max Havey: Yeah, yeah. Agents standing in. I mean, that seems to be the thing that a lot of the security leaders I've talked to have been kind of like, that's coming. That's a thing we're going to see. I think you and I spoke about this in a different thing at one point about the idea of agents talking to agents and that kind of mirrors reflecting each other. It'll certainly be interesting. I will be very interested and chances are we'll probably have some conversation about this in the very near future if I had to guess.

0:17:07 James Robinson: We're starting to do it internally until we're having a lot of fun ourselves

0:17:09 Max Havey: Incredible

0:17:10 Max Havey: I look forward to seeing how this turns out.

0:17:11 James Robinson: Awesome. Awesome.

0:17:12 Max Havey: Well, James, thank you so much for taking the time here. I know you are a busy guy when it comes to this conference. Such a good conversation. I hope everybody else enjoys as much as I did here.

0:17:07 James Robinson: I did too. Thank you.

0:17:21 Max Havey: Fantastic. And with that, you've been listening to and likely watching the Security Visionaries podcast, and I've been your host, max. If you like this episode, share it with a friend and be sure to leave us a like, comment or a share. Truly every bit helps. You can find new episodes from our show publishing every week on your favorite podcast platform, Apple Music, Spotify, or our snazzy new video versions over on YouTube. You can find our episodes publishing every other week, hosted either by myself or my wonderful co-hosts, Emily Wearmouth and Bailey Popp. And with that, we will catch you on the next episode.