Shadow AI, Budgets, and the Future of Identity Security

Podcast highlights from Smells Like Identity Hygiene

Artificial intelligence is reshaping cybersecurity, and CISOs are facing the challenge of doing more with less. In a recent episode of Smells Like Identity Hygiene, host Rosario Mastrogiacomo sat down with Ed Amoroso, former AT&T CISO and CEO of Tag Cyber, to unpack how AI in cybersecurity is evolving, how Shadow AI is disrupting identity, and why human oversight remains non-negotiable.

Flat Budgets, Rising Threats

CISOs today are staring down flat or shrinking budgets—even as AI-driven risks grow. For Amoroso, that shift signals maturity, not decline.

“We’ve developed some bad habits where we expected more money each year. That worked for a while, but not anymore. Now it’s about optimizing what you have into a rational portfolio.” — Ed Amoroso

This means CISOs must learn to do more with what they already have. Rather than chasing constant budget increases, they must prioritize efficiency, maximize returns, and make smarter choices about where to allocate resources. The conversation is shifting from unlimited growth to sustainable AI in cybersecurity programs that deliver measurable value.

The takeaway: CISOs need to think like executives, aligning with business peers and building programs that can thrive under real-world financial constraints.

AI and the Future of Work

While some fear disruption from AI, Amoroso takes a more optimistic view, emphasizing opportunity over alarm.

“Anything manual is going to go away. Anything that can be automated will be. But the thing that can’t be mechanized is human judgment, empathy, communication, and education.” — Ed Amoroso

Automation will handle repetitive, operational tasks at scale, freeing people to focus on higher-value contributions. The future of AI in cybersecurity, Amoroso argued, will lean heavily on human qualities—empathy, creativity, and critical thinking. These skills will complement AI, not compete with it.

For security leaders, this shift means preparing teams for new roles where insight, oversight, and governance become the real differentiators.

Agentic AI as a New Identity

The rise of agentic AI—autonomous AI agents—creates an entirely new challenge for cybersecurity. Unlike traditional machine identities, which are largely predictable, AI agents combine automation with autonomy and unpredictability.

“Agentic AI really should be a whole new category of identity,” Rosario observed. Amoroso agreed, noting that the potential scale of agentic AI could dwarf human identity.

Managing these identities will require new approaches: tracking provenance and lineage, governing interactions between agents, and ensuring continuous uptime. Traditional identity governance and administration (IGA) and privileged access management (PAM) tools were not designed with this complexity in mind, meaning organizations will need to extend or reimagine their practices for AI in cybersecurity.

Shadow AI: Unmanaged Risk

Shadow IT has long been a challenge, but Shadow AI is now emerging as its successor. Shadow AI refers to AI-driven features embedded into tools or systems without security oversight.

“Shadow is another way of saying ‘don’t know.’ Most businesses don’t have a good inventory of what’s going on. That’s what bites you—not the known risks, but the unknowns.” — Ed Amoroso

Unseen AI agents could be making decisions, sending emails, or accessing sensitive systems without proper visibility or ownership. For CISOs, the real danger lies in the lack of awareness. If you don’t know an AI identity exists, you can’t govern or secure it.

Organizations must take steps now to inventory AI usage, enforce ownership, and set guardrails before these hidden risks spiral out of control. Building clear policies for Shadow AI will be just as important as policies for user accounts or machine certificates.

Deepfakes and Disinformation

The conversation also explored the threat of deepfakes and disinformation, a domain Amoroso admits is less understood.

“It’s a weird concept—you and I could be easily spoofed, with strange things coming out of our mouths. I don’t know if signatures or bills of materials will be enough.” — Ed Amoroso

Unlike traditional security risks, deepfakes target trust itself. They blur the line between what’s authentic and what’s fabricated, challenging enterprises to rethink how they prove authenticity. Identity will once again be central—anchoring digital content to verifiable sources and trusted creators. As AI in cybersecurity grows, these challenges will become more pressing, requiring new standards for digital provenance and content security.

Identity Hygiene Evolves into AI Hygiene

The lesson is clear: cybersecurity is no longer just about people or machines—it must now extend to AI. Visibility, accountability, and ownership will determine whether organizations can adapt to this next wave of disruption.

“If you’re the naysayer always coming up with examples of why AI doesn’t work—you’re like the people who doubted the internet. They all got fired. Don’t try to stop the wave. Get a surfboard and ride it.” — Ed Amoroso

For CISOs, embracing disruption is no longer optional. AI hygiene—ensuring AI agents are tracked, governed, and accountable—must become part of the core cybersecurity discipline. And since Shadow AI is already proliferating across enterprises, establishing oversight today will define whether organizations can secure tomorrow.

To hear the full conversation, including Amoroso’s take on disruption, Shadow AI, and the future of AI in cybersecurity, check out the episode of Smells Like Identity Hygiene: Watch Now.
