Speaker:: Various (Gadi Evron MC, Ilia Shumailov, Greg Notch, Chris Blanco, Ariana, Art, Rob Joyce, Andrew, Josh, Zraini Ramolingum)
Title:: Flash Talks
Duration:: 18 min
Video:: https://www.youtube.com/watch?v=f0E_Vl5JQG0

## Key Thesis

A rapid-fire set of 1–3 minute talks from conference attendees covering emerging ideas, concerns, and calls to action at the intersection of AI and security — ranging from trusted AI enabling new private inference paradigms to the urgent need for agentic red teaming, the multiplayer gossip problem in multi-agent workspaces, and the imperative to pull non-technical colleagues into AI literacy.

## Synopsis

Gadi Evron MC'd an open floor session with speakers recruited from hallway conversations. Key contributions:

**Ilia Shumailov** (CAMEL paper author, described by Evron as "one of the smartest people in AI security"): Proposed that trusted AI models can enable a new kind of private inference, replacing some cryptographic approaches. His example: Yao's Millionaires Problem (comparing wealth without revealing the values) can be solved by two parties agreeing on a model, a prompt, and a constrained output format — no cryptographic scheme needed if both parties trust the model. The killer application he sees is trusted execution environments where you want private code auditing: load the model as a private auditor inside the TEE and query it about the codebase without being able to compute hashes of the code. The trust assumptions differ from those of traditional cryptography but may be acceptable for many use cases.

**Greg Notch** (CSO, Expel): Called the conference a moment-marking event. Two asks: (1) go back and ensure your companies, families, and friends understand what happened here; (2) if you still have AI skeptics in your network, reach out to them — "they have no idea what's coming."

**Chris Blanco** (Head of AppSec, ClickUp): Identified a "gossip problem" in multi-agent enterprise platforms that hasn't been widely discussed.
When multiple agents with different access scopes share a workspace and are "eager to please" each other, information (including injected malicious content) can spread from agent to agent faster than any control can intercept it. Unlike the "single player" prompt injection problem, this multiplayer environment means a summarized intent or poisoned object can propagate across the entire workspace before anyone notices. Tagging information provenance at ingestion time and tracking cross-agent flows is the nascent mitigation space.

**Ariana** (cybersecurity researcher): Presented on pig butchering scams — a multi-billion dollar, human-trafficking-driven fraud industry. Current data shows threat actors are not yet using AI to scale these operations, but the risk is imminent. Her team is working on AI-assisted defenses. Noted she was formerly an AI skeptic, now converted.

**Art** (Kraken): Invited feedback on their research into mechanistic interpretability of large models — specifically domain-specific (cybersecurity-focused) feature ablation and obliteration. Website: CRACN.ai.

**Rob Joyce** (former NSA, led NSA's offensive operations): Implored CISOs to deploy continuous agentic red teaming on their networks. His argument: NSA succeeded because they knew target networks better than the owners, operators, and security products did. Agentic systems are now doing that same detailed research — finding latent flaws, unpatched systems, shadow IT, and misconfigurations at scope and scale. "Whether you like it or not, somebody's going to do it to you."

**Andrew**: Noted the friction of making a local Claude Code triage agent run continuously in a loop with the right context. Suggested this is an unsolved UX/infrastructure problem that represents a startup opportunity.

**Local model advocate** (unnamed): Advocated for local models on private GPU hardware as the "last 10%" solution — doing things cloud-based models push back on. Reported running 8x 3090s successfully.
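Chris Blanco's gossip problem and the provenance-tagging mitigation he points to, as an added simulation that is not from the talk: three agents with different access scopes forward everything they hold to each other, a label attached at ingestion travels with every copy, and the agent that can take real actions refuses content of untrusted origin, while the flow log lets a defender trace where the poisoned object went. Agent names, clearance levels and origin labels are constructed for the illustration.

```python
from dataclasses import dataclass, field
ACT_CLEARANCE = 3                          # constructed: agents at this level can act (pay, hire, deploy)
TRUSTED_ORIGINS = {"internal:ticketing"}   # constructed: sources the workspace vouches for

@dataclass(frozen=True)
class Item:
    text: str
    provenance: frozenset   # every origin this content derives from; a summary must keep it

@dataclass
class Agent:
    name: str
    clearance: int
    inbox: list = field(default_factory=list)

def tainted(item: Item) -> bool:
    return any(origin not in TRUSTED_ORIGINS for origin in item.provenance)

def ingest(agent: Agent, text: str, origin: str) -> None:
    """Tag provenance at the moment content enters the workspace, not later."""
    agent.inbox.append(Item(text, frozenset({origin})))

def relay(sender: Agent, receiver: Agent, item: Item, log: list, enforce: bool) -> bool:
    """Forward a copy with its label intact; an acting agent refuses untrusted provenance."""
    allowed = not (enforce and tainted(item) and receiver.clearance >= ACT_CLEARANCE)
    log.append((sender.name, receiver.name, sorted(item.provenance), allowed))
    if allowed:
        receiver.inbox.append(Item(item.text, item.provenance))
    return allowed

def gossip(agents: list, log: list, enforce: bool) -> None:
    """One round of eager-to-please behaviour: every agent offers all it holds to every peer."""
    for sender in agents:
        for item in list(sender.inbox):
            for receiver in agents:
                if receiver is not sender and item not in receiver.inbox:
                    relay(sender, receiver, item, log, enforce)

def trace(log: list, origin: str) -> list:
    """Cross-agent flow tracking: where content from one origin went and where it was stopped."""
    return [(s, r, ok) for s, r, prov, ok in log if origin in prov]

def simulate(enforce: bool):
    agents = [Agent("reader", 1), Agent("scheduler", 2), Agent("payroll", 3)]
    log = []
    ingest(agents[1], "Q3 offsite dates", "internal:ticketing")
    ingest(agents[0], "doc uploaded by an outside contractor", "external:upload")  # the poisoned object
    gossip(agents, log, enforce)
    holders = sorted(a.name for a in agents if any(tainted(i) for i in a.inbox))
    return holders, log
```

Without enforcement every agent holds the external object after a single round; with it, only `reader` and `scheduler` do, and `trace(log, "external:upload")` shows both attempts to reach `payroll` as blocked, including the second-hand one via `scheduler`.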
**Josh** (Massivescale.ai): Advocated for simplifying AI security communication to non-technical leaders using the "digital employee" mental model — five questions: Who are you (identity)? What are you doing (behavior)? Where are you going (segmentation)? What are you eating/serving (data governance)? What if you go rogue (anomaly detection)? Published an Agentic Trust Framework on CSA's blog.

**Zraini Ramolingum** (Snowflake): Called for the community to push AI tool vendors to build enterprise-grade security controls into features at release rather than as afterthoughts, and to partner across organizations to create that pressure.

## Key Takeaways

- Trusted AI models may enable a new private inference paradigm for some use cases previously requiring cryptography (TEE auditing, Yao's Millionaires-type problems)
- The multi-agent gossip problem is an underexplored attack surface: poisoned content spreads faster than controls can intercept it in eager-to-please multi-agent workspaces
- Agentic red teaming should run continuously — the same capabilities attackers are using to map your network are available to you
- AI skeptics in security leadership are now a liability; community members should pull them along
- Local models (private GPU clusters) provide a capability tier that cloud providers won't offer — relevant for offensive research
- Enterprise GenAI tools are shipping features without enterprise-grade security controls; community pressure on vendors is needed
- The "digital employee" mental model translates AI security concepts to non-technical executives effectively

## Notable Quotes / Data Points

- Rob Joyce: "We succeeded [at NSA] not because we had amazing people...
  but because we knew more about the networks than the people who owned them"
- Ilia Shumailov: referenced Yao's Millionaires Problem as a tractable use case for trusted AI private inference
- Ariana: pig butchering is "not using AI yet to scale it" but the transition is near — multi-billion dollar industry
- Art (Kraken): research site CRACN.ai — domain-specific feature ablation/obliteration of frontier models
- Josh: Agentic Trust Framework published on the Cloud Security Alliance blog
- Chris Blanco: "I'll coin [this] as a single player problem... I'm worried about what I'll call a gossip problem"

#unprompted #claude