The role of AI in Zero Trust.

Dave Bittner: Welcome to this special edition of CyberWire-X, where we explore the evolving intersection of cybersecurity strategy and cutting-edge technology. I'm Dave Bittner. Today, we're diving into how Zero Trust and artificial intelligence are reshaping the way organizations protect their data and streamline their operations. My guest is Deepen Desai, Chief Security Officer at Zscaler, who joins us to unpack how AI-driven Zero Trust can go beyond access control to deliver smarter, faster, and more unified data protection. We'll discuss how this approach helps security teams automatically discover sensitive data without manually building dictionaries or policies, all while rapidly diagnosing user experience issues, saving time, money, and more than a few headaches along the way. Stay with us. [ Music ] Deepen, it is always great to catch up with you. I would love to start off with the big picture here. I mean, Zero Trust has been top of mind for a lot of security folks for years now, but I'm curious, how is AI changing what that actually looks like in practice?

Deepen Desai: Hey, thank you, Dave. AI is changing the way folks think about Zero Trust and overall productivity in a huge way. Our CEO likes to call it a "gigawave," just like we've gone through several different major changes, whether it started with the industrial revolution, and then there was cloud, and then now we're in an age where it's AI, and it's a huge, exponential change that we're going through in every aspect when it comes to productivity, efficiency, and even the risk side of the element, where as we use AI, using it securely becomes the number one priority, and as with anything good, even the bad guys will start abusing it and using it to target the organizations.

Dave Bittner: Well, sticking with the basics here before we dig into some of the specifics, what problems are organizations really trying to solve when they move towards Zero Trust, and how does AI make that transition more achievable?

Deepen Desai: So number one objective for organizations that are transitioning to Zero Trust is to ensure that they have a very secure and proactive posture when it comes to defending against modern threats. There are three principles that are core to Zero Trust. Number one is you should never trust and always verify what identity, what machine the user is coming in from. You should ensure least privilege access. And then, third is if there were to be a compromise scenario, you should assume breach, and if you have it architected using true Zero Trust principles, the blast radius from that compromised endpoint will not be substantial. So that's the assume breach factor, which is the third one. How does AI help over here? In many different ways. So I'll give you a couple examples. When you implement a true Zero Trust architecture, you are essentially going to reduce your attack surface, both external and internal. You're going to have consistent security no matter where your users are. This is the prevent compromise stage. You're going to prevent lateral propagation. This is where, with a true user-to-app segmentation, you're able to prevent the attackers, even after they breach an identity or a machine to move within your environment. And then finally, you're able to reduce the opportunity for the attackers to exfiltrate data from your environment. Now, if you think of each of these stages, AI plays a very important role. Number one is you're able to better threat prevention using AI. This is where predictive ML, predictive machine learning algorithms, will play an important role in combination with generative AI as well. We're now in the age where agents are being deployed. We at Zscaler have also deployed around five to six agents, which are specifically tailored towards preventing bad things from entering the organization. So this is the prevent compromise phase. Now, equally important, as I mentioned, is the segmentation phase, which is where you're truly limiting that blast radius. AI has an important role to play over here as well. The fact that Zscaler is in the middle of all the communication that happens between Point A to Point B, we're able to leverage AI to recommend to these organizations that, hey, over the last three months, we saw these group of users communicating with these group of applications. Looking at the posture, we feel that these applications are engineering applications, or these applications are financial applications, which means these group of users probably are engineering department or finance department, and then the AI will recommend very specific, tailored user-to-app segmentation policies that the organizations can then implement and, again, fast-track that Zero Trust transformation journey.

Dave Bittner: Let me ask you about integration here, because, you know, a lot of teams are managing multiple security tools, and they're quite often disjointed, each one protecting a different layer. When we're talking about AI-enabled Zero Trust, are we unifying these into one comprehensive framework?

Deepen Desai: So the point you're making is the importance of platform. You know, best-of-breed platform is still extremely important, but if a platform starts to claim doing everything out there, then it dilutes the effectiveness, right? And I'll explain what I mean by that. So at Zscaler, we've always been very clear that, hey, we are the switchboard. We'll connect Entity A to Entity B, and the high-level goal is to make sure nothing bad comes in, nothing good leaks out. We will never do EDR-like functionality. We'll never get into identity. That's where we will integrate with best-of-breed identity platforms, whether it's Okta, Ping, Microsoft. We'll integrate with best-of-breed endpoint security platform like CrowdStrike, SentinelOne, but our core focus is that switchboard functionality, which is where we want to make sure we do a very good job. Now, your question around does AI help further, you know, integrate some of these things, it will help with these integrations between best-of-breed platforms, but the focus should still be on your strength, where you're able to do things more effectively by integrating AI into, just like I explained, at different stages of the attack.

Dave Bittner: What about data discovery and being smarter about that? I mean, a lot -- discovering sensitive data a lot of times requires manual configurations with dictionaries and policy tuning and things like that. Is that an area where AI can help automate?

Deepen Desai: That's an excellent point. That was the fourth stage that I described as part of the Zero Trust transformation journey, where you're able to stop data exfiltration. We are leveraging AI very, very effectively over there in order to prevent exfiltration of data inline. So this is where there are custom ML models per organization. The organization themselves are enabled to create these custom dictionaries and models that will detect things that are sensitive to them. We're also leveraging ML for data classification. Just like you mentioned, there's a lot of data that exists in those SaaS destinations. So using API, we are able to scan and tag, classify the data into several different categories, and AI does a phenomenal job at doing that with high efficacy and at scale. So you're able to protect the data that matters the most to your organization.

Dave Bittner: What sort of safeguards exist to make sure that this kind of automation doesn't inadvertently create new privacy or compliance risks?

Deepen Desai: That's a very good point. Look, securing the AI usage is one of the number one priorities, or one of the top priorities. As I speak to global CXOs, there are three things that are top of mind. AI or secure use of AI is number one, and the way I like to describe how to go about securing AI usage is, number one is discovery. This is where you need to know your AI usage and your shadow AI usage as well, because there will be a lot of those applications that are running in the environment that you're not aware of where AI is being leveraged, which can result in what you were mentioning, inadvertent data leakage. So discovery number one, you need to have a good handle on that. Zscaler helps customer with that with our switchboard technology, because we will be able to see all the AI usage from the environment and give a full picture. The second piece is placing guardrails around that AI usage, right? I mean, an example I can give you is, hey, I am okay with this AI app that is considered a sanctioned app as long as it's used for code generation, but I'm not okay if this AI app is being used for financial data analysis, right? So maybe that is a completely different app. You don't want to expose your financial data to this specific application, which is just sanctioned for code or test code development. So having those guardrails where you are able to inspect what goes into these AI models and what comes out of the AI model is equally important. This is where you are also able to prevent attacks like prompt injection. We're hearing about agent hijacking attacks. With proper guardrails, you're able to secure your AI usage. The number three thing, and this is where it's more proactive, you could also call it reactive, but having a Red Teaming approach around securing your AI or internal AI development environment so that you're able to discover issues before the bad guys do and fix them. Despite of having guardrails, you will always run into a thing or two that were missed, so having that proactive approach is important for discovering issues and continuously tightening that AI environment. And then the final piece is governance. This is, again, aligning with a proper data governance framework, AI governance framework. There are frameworks that are being defined by NIST, other global entities. There's active work happening in that space and there is tooling that is now becoming available that can help you map where you stand when it comes to compliance and governance in your AI usage. [ Music ]

Dave Bittner: We'll be right back. [ Music ] You know, Deepen, there's always that balance between security and usability for your employees, for the folks who are using your systems. Does AI help at all in making sure that a Zero Trust environment can detect and resolve user experience issues, maybe more quickly than you could in the past?

Deepen Desai: That's another very, very interesting use case where we are seeing a lot of success using our Zscaler Digital Experience product. AI can absolutely detect issues proactively. It can improve user experience. It can also do automated root cause analysis and kind of generate a report on why a user experience issue happened and recommend mitigative steps as part of that. So as a CXO, my focus was more on the cyber side of the house, but AI absolutely has many other use cases, user experience being one. There are a lot of other IT operation use cases where AI is playing a very important role. Same thing applies with many other departments like finance, marketing. We are seeing active usage of that.

Dave Bittner: I would imagine that this translates into time savings for your help desk teams as well.

Deepen Desai: It does. In my role, I have the pleasure of talking to a lot of these global organizations' CXOs, and the success stories that I get to hear, it's just phenomenal. I mean, on the topic of help desk, I heard a large global organization switching to agents. So literally, agents taking those initial questions, which were otherwise being answered by your help desk, and resulting in 70% to 80% less tickets that were hitting that help desk. So yes, AI does help saving time across the board.

Dave Bittner: Does it have a financial impact as well? I mean, when we're talking about consolidating tools and automating detection, should organizations expect that that could affect the bottom line, maybe help save some money?

Deepen Desai: Look, it's an evolving area where we are seeing cost saving happening using many different motions, slightly controversial, but look, as an industry, we're going to see a lot of efficiencies over the next -- I mean, I'm not even going to talk in years. I'm going to talk in months because of the pace at which things are moving. You are obviously seeing optimization in workforce that is happening across the board. The tooling sprawl absolutely can be addressed as well by unifying certain areas and doing it more effectively with the help of AI, so you will see efficiencies over there as well, and then the fact that you're able to do more with less and in less time itself will also result in, you know, efficiencies.

Dave Bittner: Where do you suppose we're headed with this, through this intersection between AI and Zero Trust? I've seen people have this notion of -- they refer to it as "self-healing security systems." I mean, is that on the horizon? Is that too far off to still be a fantasy, or is perhaps something like that in reach?

Deepen Desai: Last year, my answer was, yeah, we are far. This year, I feel like we're getting closer. It is still an augmentation play where these agents are getting augmented into your SOC teams. It absolutely takes care of, you know, some of the lower-tier response activity. It is able to weed out noise as well, like false positives. It is able to make your Tier 2, Tier 3 analysts more efficient and, you know, respond to issues much more quickly. With the right tooling and technology, you will be able to take actions in an autonomous fashion as well, with some guardrails so that you don't end up in causing disruption. So we are -- we're getting there. Probably in next 12 months, when we talk again on this topic, we will have a different answer. We may have some working models as well. But this is an active area of investment for us at Zscaler as well. The agents that we have deployed that I mentioned, one of the agent is remediation agent, which will come up with these policy recommendation, and, you know, it will, right now, assist the Tier 3, Tier 4 analysts, but it is fully capable of invoking those API calls if given permission to heal or to make those security posture enhancements to mitigate the attack.

Dave Bittner: When you're out talking to security leaders about Zero Trust and AI, are there common concerns that they have or maybe even misconceptions about transitioning to this?

Deepen Desai: Look, this was absolutely the case when the ChatGPT and the whole first six months of the generative AI coming to the scene. Over the last year, year and a half, we've been talking agents. It was more when the generative AI thing came out. Now, everyone -- most of the CXOs realize that you have to enable your business to adopt this more securely. But there is definitely concern around how do I secure it in a way that doesn't result in cyber or data exfil risk. There is also a bigger concern on adversarial AI usage. So if you think about it, there are three risks when it comes to AI adoption. One is insecure AI usage. We talked a lot about it, how we should go about securing it. I described four buckets. There is attacks happening on the AI itself, where an adversary will come in and poison the model that you're training for production, or they will steal data from the AI environment. Again, the four categories that I described will help you secure that AI application as well. But the third one is where adversaries are using AI to go after your employees, to go after your environment, to go after your business. That is an equally concerning problem because, just like we've talked about efficiency scale on the good guy side, the bad guys are also able to do that using AI, and that's where the number one thing is, you need to leverage AI to fight AI. And then the second thing is the importance of Zero Trust, because Zero Trust fundamentally will set you up, will set your architecture up in a way that you're able to defend against lot of these unknown unknowns that you're going to see when AI is being leveraged by the bad guys to attack your organization.

Dave Bittner: Yeah, you know, it strikes me that I can understand people initially having kind of a wait-and-see attitude when it comes to some of these AI developments. You know, like I don't want to be the first one to run out and adopt all of this stuff, but I can't help wondering, do we reach a point where there's a risk of being left behind if you don't get on board?

Deepen Desai: Dave, we are already in that phase where -- that's why I said, like initially, a lot of the CXOs were in that boat where, hey, I want to see how things go before I -- you know, they will just adopt the block-everything mode, and now, over the last year and a half, we're already in that boat where it's a mandate from board level, from CEOs that, hey, you need to get more efficient. You need to adopt AI. You need to try it out in different departments and make sure we're able to deliver better outcomes. So that fear of missing out is no longer the case. They know that they will be left behind if they don't enable the business in doing this. [ Music ]

Dave Bittner: And that's our program. Thanks to Deepen Desai from Zscaler for joining us and shedding a light on how AI-powered Zero Trust isn't just about better security. It's about better efficiency and visibility across the enterprise. By unifying data protection, automating discovery, and accelerating troubleshooting, organizations can simplify their security stack while strengthening their defenses. Thanks again for tuning in to CyberWire-X, where we connect ideas, people, and technology shaping the cybersecurity landscape. I'm Dave Bittner. We'll see you here next time. [ Music ]