Why We Can’t Completely Trust the Intern (Even If It’s AI) | RSAC | Alex Kreilein & John Sapp Jr.

Video Link: https://www.youtube.com/watch?v=kJdQz9LmT6s



Duration: 17:07


When artificial intelligence can generate code, write tests, and even simulate threat models, how do we still ensure security? That’s the question John Sapp Jr. and Alex Kreilein examine in this energizing conversation about trust, risk management, and the future of application security.

The conversation opens with a critical concern: not just how to adopt AI securely, but how to use it responsibly. Alex underscores the importance of asking a simple question often overlooked—why do you trust this output? That mindset, he argues, is fundamental to building responsible systems, especially when models are generating code or influencing decisions at scale.

Their conversation surfaces an emerging gap between automation and assurance. AI tools promise speed and performance, but that speed introduces risk if teams are too quick to assume accuracy or ignore validation. John and Alex discuss this trust gap and how the zero trust mindset—so common in network security—must now apply to AI models and agents, too.

They share a key concern: technical debt is back, this time in the form of “AI security debt”—risk accumulating faster than most teams can keep up with. But it’s not all gloom. They highlight real opportunities for security and development teams to reprioritize: moving away from chasing every CVE and toward higher-value work like architecture reviews and resiliency planning.

The conversation then shifts to the foundation of true resilience. For Alex, resilience isn’t about perfection—it’s about recovery and response. He pushes for embedding threat modeling into unit testing, not just as an afterthought but as part of modern development. John emphasizes traceability and governance across the organization: ensuring the top understands what’s at stake at the bottom, and vice versa.

One message is clear: context matters. CVSS scores, AI outputs, scanner alerts—all of it must be interpreted through the lens of business impact. That’s the art of security today.

Ready to challenge your assumptions about secure AI and modern AppSec? This episode will make you question what you trust—and how you build.

___________

Guests:

Alex Kreilein, Vice President of Product Security, Qualys | https://www.linkedin.com/in/alexkreilein/

John Sapp Jr., Vice President, Information Security & CISO, Texas Mutual Insurance Company | https://www.linkedin.com/in/johnbsappjr/

Hosts:

Sean Martin, Co-Founder at ITSPmagazine | Website: https://www.seanmartin.com

Marco Ciappelli, Co-Founder at ITSPmagazine | Website: https://www.marcociappelli.com

___________

Episode Sponsors

ThreatLocker: https://itspm.ag/threatlocker-r974

Akamai: https://itspm.ag/akamailbwc

BlackCloak: https://itspm.ag/itspbcweb

SandboxAQ: https://itspm.ag/sandboxaq-j2en

Archer: https://itspm.ag/rsaarchweb

ISACA: https://itspm.ag/isaca-96808

ObjectFirst: https://itspm.ag/object-first-2gjl

Edera: https://itspm.ag/edera-434868

___________

Resources

JP Morgan Chase Open Letter: An open letter to third-party suppliers: https://www.jpmorgan.com/technology/technology-blog/open-letter-to-our-suppliers

Learn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsa-conference-usa-2025-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage

Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage

Want to tell your Brand Story Briefing as part of our event coverage? Learn More 👉 https://itspm.ag/evtcovbrf

Want Sean and Marco to be part of your event or conference? Let Us Know 👉 https://www.itspmagazine.com/contact-us

___________

KEYWORDS

sean martin, phillip miller, rsac 2025, cybersecurity, ciso, startups, risk, marketplace, leadership, technology, event coverage, on location, conference



