As AI systems become autonomous and operate at machine speed across critical infrastructure, traditional trust models built for slower, more predictable environments are inadequate. Organizations must shift from 'secure by design' to 'secure by double I' (identity and intent verification) to address the widening gap between AI capabilities and organizational trust. This requires continuous lifecycle management of AI agents, where identity verification ensures systems are who they claim to be, and intent verification ensures they operate according to their defined contracts. The security risk has shifted from protecting perimeters to verifying and validating identity and intent throughout the entire AI ecosystem, enabling measurement of unmanaged drift and hidden exposure.
Proof Beats Promise: The Trust Crisis AI Is Creating
Lakshmi Hanspal, our chief trust officer with DigiCert. Welcome to My Security TV and welcome to uh Sydney. You're from San Francisco, right? That's right, Chris. Thank you for having me here.
It's wonderful.
>> Wonderful.
Uh DigiCert and chief trust officer. Uh I think let's start with trust. I think is the key word out of here and we're just talking uh pre-interview about the role.
Introduce us to how you you go about your role and then we'll learn more about DigiCert. So, DigiCert is a critical infrastructure service provider uh within Australia. If you think about it, we have more than 90% of the ASX 200 and all four of the major banks. Um so, uh uh public key infrastructure, domain name services, as well as certificate lifecycle management, identity. We're going to talk about some of those. This is a space in which DigiCert plays. And as chief trust officer, the role of trust officer is evolving in the industry. And as a chief trust officer, the way to think about it is the need and the necessity for the organization depend on the maturity level where they are.
The chief trust officer needs to be able to deliver trust as a business commodity to the customers. It's no longer a feeling.
Uh it is not about I see, I I think, or I believe. It's like I know. And here's how you can measure trust. So, that is the the basic primitive of a chief trust officer. Think of it as having all the responsibilities of a traditional CISO, security, risk, privacy, uh governance, operations, and adding onto it the ability to deliver trust in an ecosystem where proof beats promise.
So, how do you deliver the proof of trust? And engaging with customers in assuring that they could be in the best trust posture possible when utilizing DigiCert's platform and services. Well, I was about to say, you've just almost described the business of DigiCert as well, right? It's about establishing that trust. Uh the certification, the PKI, or the the public key infrastructure is about ensuring that that trust is there.
There's a lot of happening and changing within that space as well, particularly with AI uh and the speed uh of sort of digital transactions occurring now.
Yeah, give me give us a state of play as to to where it's all at and particularly with the adoption of AI tools uh and imagine AI agents uh having to certify each other as well. Absolutely. I think AI has uh uh disrupted the scale of operations across all organizations and it has really changed the attack surface vector for many organizations. Um so, one of the things is that AI is getting deployed in infrastructure, in services, in workflows at speed and scale. And this means this has increased the number of systems, identities, and interactions that need to be protected. And what we are seeing is that the traditional um controls that were in place to protect organizations, the uh the attack surface is getting hard to defend because of the scale and complexity in which it is changing. And then AI can act autonomous or semi-autonomous. So, when we think about how do we protect um systems using AI or or securing AI, it is changing that game as well because it's going to be I think two things if you think about um you know, how I think about it, it's securing by double I.
And the two I's are identity and intent.
Both need to be verified and validated for AI and securing by double I is the way to go. Now, I think traditionally you would have heard about secure by design and this is something we've talked about for decades uh with practitioners. I come from a technology, AI, and cybersecurity background. We continuously talk about shifting left and secure by design. I think where the where the world needs to move with AI is secure by identity and intent and both verifications are needed. And we can talk a little bit about what I mean by intent as well.
Well, definitely expand on on what you mean. I take it that's the intent cuz it's also machines to machines as well, right? So, I understand that.
And without moving into sort of identity management uh tool sets as well, where where does where's the sort of the sweet spot there for DigiCert itself? Uh for PKI and the future of of PKI, yeah, what what are the trends and where's DigiCert sitting right now? Yeah. I think the challenges of the organizations today is that they're losing visibility fast with everything that's changing in their distributed ecosystem. So, if you think about AI being deployed in various workflows, if we can't enforce identity, we can't differentiate between legitimate and malicious activity. So, that's the first part is about enforcing identity. The second one is about lifecycle management.
AI services, workflows, agents need to be managed across their lifecycle, not just at deployment because traditionally systems have done it only at deployment and that no longer suffices. And that is where we think about intent. It's about the behavior of the system and the intent it is Is it operating with the intent that it's like a contract? An intent has to be according to that contract or has it deviated? And so, one of the things I talk about is the security or the risk has shifted from protecting perimeter to um verifying and validating identity and intent. And by doing so, we can measure unmanaged drift and uh hidden exposure within ecosystems. How does How does DigiCert get adopted within an enterprise? I suppose is another good good part to to cover is Yeah, where where does it sit within an enterprise uh and it's a service, right? In terms of what you're providing? Yes, and it's a It's a sort of a conglomerate of services. So, if you think about public key infrastructure, PKI, domain name services, uh DNS, and certificate lifecycle management, these are core trust infrastructure that has worked silently in the background for decades.
AI is introducing new challenges in these ecosystems. And this is where trusted identity and uh lifecycle management comes in place. So, what DigiCert does is it unifies identity and it unifies lifecycle management and then it enforces trust core components in every AI interaction and intent. So, AI identity, AI intent, uh or the contract, verification of models. So, if the particular model says, "This is what I am supposed to do," no matter how many autonomous services it spawns, they all operate within that intent contract. And then the third is management across the lifecycle. There are AI agents that are going to be ephemeral. They may be uh they may operate within seconds to minutes to days to months to perhaps years. So, anywhere in that lifecycle, the management has to happen. It is not just at inception. And we mentioned security by design. Are you seeing activity with AI agents that are starting to attack and being used as an attack vector in this area as well? So, therefore you're going to need AI to protect uh the the infrastructure here? Yes, so we talked about securing AI.
Using AI for security is the other aspect. Uh so, it's a So, it's an ally as well as an adversary uh and the and a double-edged sword in that sense. And so, when we think about AI for security, the ability to operate these attack surfaces that are over-expanding and AI to help us with that, again, those uh ecosystems and those AI agents and LLM models need to be validated, verified intent, identity applies to those systems because you're you're you're depending on those systems for your defense at scale and not at human uh response uh but at machine response scale. And staying on security by design, how does it sit with other architectures? Uh sort of again, to even other approaches, zero trust comes to mind.
Uh yeah, how do how does it all sort of sit there? Or is it as you mentioned, a lot of people under underappreciate DNS and the like? They're the the fundamentals. Yeah, does it sit there as the sort of the base uh aspects or is it integrated uh with other models or other architecture? Right. So, I think the models of zero trust, we talked about secure by design. I'm introducing the secure by double I, which is secure by intent and identity, which is important in the AI uh space. And uh the other principle, least privilege and others, I don't think they go away. They are needed in any They are needed as defense in depth in any ecosystem.
Uh the way that where the way AI changes the game is that each one of these need to adapt and adopt at scale given the autonomous or the semi-autonomous nature of a generative AI systems or agentic AI systems, which can act on you and my behalf. And so, how do you measure? So, the So, the two main challenges are uh sprawl. So, these these agents, you start with one and lo and behold, it's multiplied like rabbits.
Um and then uh so, that's sprawl. And the second is identity. control or can address sprawl. So, how do you increase your visibility and observability?
Again, no secret sauce there. It's discovery, inventory, enforcement.
Rinse and repeat. Again, go discover, enforce, accurrate into inventory, and enforce, right? So, this we've been doing it for decades. We continue to do that with AI agents because if you you can't measure what you can't see. So, how do you continue to or you can't protect what you can't see? So, how do you build that observability? The second is with identity. So, AI trust, for example, DigiCert has introduced or we just recently announced AI trust, which is like think of it like a passport for AI agents and any of the services they would spawn, they also get a passport just like our children get passports with association with us as parents.
And then and then the the validity contract or verification contract for the intent. Here is what I am supposed to do. And so, that intent and that comes by measuring behavior of the agent and any sort of what we would call unmanaged drift from that intent is hidden exposure in organizations today.
So, how do you measure that? And this is new muscle memory. We have not been doing it for for decades we've been relying on static controls and verification and traditional systems are not scaling to where we need today. It needs to move to continuous trust with intent and identity verification.
How do clients adopt it in terms of and so, as you say, it needs to be on boarded now and adopted? What's DigiCert doing in terms of new AI sets or is the platform changing? Yeah, what's what's kind of new there and I was going to then come to your customer discussions that you're having here in Australia and where you're finding the discussions here? Yeah. So, where DigiCert is going with AI trust is that we want to protect agent agent identities. We want to protect LLM model integrity and we want to do this at scale and for the life cycle. And that the critical aspect of and for the life cycle is where organizations are missing it and creates hidden exposure.
It is done at the level of inception when you deploy it, when you stand it up per se, but but the life cycle of the agent changes, as I said, from seconds to minutes to to longer time frame. So, you need to be able to do it for that life cycle across identity and intent. And I think that's the differentiator for us what we bring to the market today.
Pivoting to conversations with customers in Australia, I think it's very exciting.
We are hearing a lot from our customers here that perhaps are differentiating to what we heard in other regions like Americas or EU or or Japan and other regions in Asia. So, one is there's a lot of excitement about the national AI plan. I think Australia is one of few countries that have taken predictive and planned steps in in what they want to get out of AI. So, if you think about the plan, it's about hey, let's capture the opportunities. This is we're operating in an era of efficiency, so we need to capture the opportunities, but let's so let's do it in a way so that we can democratize the benefits. And I think that's wonderful. I don't think I've heard of another plan that that is talking about democratizing the benefits. And then while we're doing this, protecting the safety of Australian citizens. And I think the plan is sort of simple with those three pillars, but it connects into further, for example, what should AI data centers be doing? What should infrastructure be doing? How does DigiCert operating in Australia, which we do not just in sales, but we have customer support. We have tech. We have professional services and and we have in fact, DigiCert supports Australian gatekeeper PKI and we've also recently signed up a few months ago with national energy PKI. So, that means that we're operating with a lot of in region and sovereignty protected services within Australia. So, we're very excited about that when we hear that from customers. But they are worried. They are worried about a few things. One is how do they get started?
With everything that is going on, with all the prioritization, how do they get started?
>> Well, it's not how, it's also where.
Where where >> Where do they get started and how, right? And we and it's simple in my mind. It's one application at a time.
One agent AI system at a time. I do I don't think there's any sort of secret sauce.
>> have you seen any trends there?
>> most critical systems.
>> Yeah, okay. Start with the most critical systems where you believe that they are critical to reputation, to regulatory obligations and anything else that's important to you. Second, it's about creating observability first. Inventory what you have.
Enforce policy. So, whether that's identity policy, intent verification.
And then all of this needs to be done with automation. This is no longer operating at human scale. If anyone's operating on a spreadsheet and prayer today, they must be reassessing how they need to operate. So, this is at automation scale. This is at machine speed.
And then just rinse repeat. This is the you know, the magical sauce if someone wants to know. Well, the other aspect is any trends that you're seeing in industry, financial services I imagine are probably in front. But yeah, any other sort of industry that you're seeing is either doing well or might be lagging behind. Things like health services and where where you might be seeing them. So, I think AI, as we as we said, is is in every single vertical. We can think about retail, health services, financial services, tech and other domains. And everybody wants to adopt efficiency. I mean, some organizations have AI efficiency targets tied to their EBITDA goals as well.
However, where the challenges come in and how I believe practitioners should be thinking about this is about when AI becomes a hammer, everything starts looking like a nail.
So, let that not be your approach. Be very deliberate, thoughtful on what and why you would use AI. So, I think that's business case. So, that comes from the business. Secondly, from a tech perspective, make sure that you can adopt and scale and adapt to every single mechanism available to you to make that AI secure. You know, DigiCert provides that in in our cryptographic capabilities, certificate management, AI trust and all that. And there are other vendors that provided you with the higher levels. The the layers that we operate are more closer to network applications and services maybe you need something at at the and there are other vendors that do that as well.
But ultimately, it is about find a unification on your identity and intent verification.
A fragmentation or a sprawl in that would still create problems. The other one is team structure and again, most of your clients are you you talk to the CISOs. Yeah, but how are you finding that they're managing their teams within that and any particular skill sets or is everyone having to to upskill at the same time? Yeah, particularly in this area you talked about I imagine some even have cryptographic teams depending on the size of the enterprise.
But yeah, who who who >> obligations. If you think about financial services and health care organizations, they have cryptographic teams. They understand this.
They are finding it challenging to bring the business along with understanding the risk. The risk has shifted from the perimeter. It is now with identity and intent and that could be anywhere in your ecosystem. That messaging they need to bring the business along even if they have cryptographic teams. There are other customers that we're speaking with that are just trying to understand look, I think you know, cryptographic PKI DNS operate very quietly in the background. The rules are changing. The regulatory obligations are changing.
It's like plumbing and electricity in your home. You know, we take that for granted and suddenly the codes change and we're like we got to replumb and rewire things around. And that's what's happening to the cryptographic and and DNS services within the industries right now. And and the change is so rapid that you need to be ready by 2029. I mean, the the ASD, the Australian Signals Directorate has come up with with a mandate for especially federal agencies, but other financial organizations also to be ready by 2029 with AI security, but also post quantum readiness, right? So, that is there. But coming back to the national AI plan, about 17 to 20 million is going when I we talked about AI adoption, is about reskilling.
Is about retraining and how do you operate in the AI era? And I think that's important. And how do you bring vendors with you in this journey that are thinking about helping you with that reskilling and repurposing the teams that you have today. Well, look, maybe to close off, how can people find out more or what would be your call to action?
You're here in in Australia. I think you've got some time left here as well.
But yeah, what's a your key call to action for the Australian audience and I I would say the key call is start now. Don't wait.
Inventory, policy enforcement, automation. Just those three things. That is your secret sauce. Rinse and repeat that.
You can always reach me, you know, on LinkedIn and at DigiCert. We are here to help.
One thing I would say is that we've done it for scale to ourselves. So, we are not just selling solutions. We are practicing it.
>> Nice. Well, Lakshmi Hanspal, thank you so much. Thanks for joining us on My Security TV here in Sydney and enjoy the rest of your time in Australia. Thank you for having me here.