July 8, 2026

Summary:

This episode explores the evolving landscape of AI, agentic systems, and identity security. Geoffrey Mattson, CEO of SecureAuth, shares insights on managing the risks and opportunities of autonomous agents, guardrails, and secure deployment strategies in a rapidly changing AI environment.

 

Keywords:

AI security, agentic systems, identity management, guardrails, AI risk, cybersecurity, SecureAuth, autonomous agents, AI governance

 

Kew Topics:

  • The rise of agentic AI and its implications for security
  • Strategies for implementing guardrails and monitoring AI agents
  • The risks of autonomous agents and how to mitigate them

 

Bio: 

Geoffrey Mattson is a serial entrepreneur and globally recognized cybersecurity and AI executive with decades of experience building market-defining companies and technologies that protect the world’s most critical systems.

He is currently CEO of SecureAuth, where he is leading the company through a pivotal phase of growth as identity evolves into a dynamic control plane for managing complex relationships across humans, machines, and AI agents. SecureAuth is redefining identity security through innovations that help global enterprises continuously verify, delegate, and govern access in real time.

Prior to SecureAuth, Mattson served as CEO of Xage Security, where he led the company in Zero Trust for critical environments from energy to agentic AI. Under his leadership, Xage achieved rapid adoption across the U.S. military, global energy firms, and Fortune 500 enterprises.

Previously, Geoffrey Mattson was co-founder and CEO of MistNet.ai, an AI-native threat detection platform acquired by LogRhythm. He pioneered decentralized analytics and machine learning approaches for real-time cyber defense, and later served as SVP of Product at LogRhythm, driving global expansion and shaping the next generation of SIEM/SOAR solutions.

 

Geoff (00:46.776)

Hey, John, thanks for having me.

 

John Verry (00:50.505)

Looking forward to our conversation, I always start simple. Tell us a little bit about who you are and what is it that you do every day.

 

Geoff (00:58.926)

So I am the CEO of SecureAuth and SecureAuth is a 20 year old identity security company that has been flying under the radar. It’s the most important identity security company that you’ve never heard of, perhaps. We solve a lot of problems in very, very large customers, very highly regulated customers in banking and healthcare and defense, filling in gaps for what the larger vendors in identity.

 

by sometimes handling problems that are too difficult for some of the larger vendors. And then we also offer an end-to-end stack for smaller customers who want to use a single solution for all of their identity security requirements. And my background, actually, I’m a serial entrepreneur with a lot of experience in security and as well as AI before AI was cool. And I brought into Securoft because at this point,

 

Although, as I said, it’s a 20 year old company, it’s growing explosively. And this is a result of several factors, but the most prominent of which is, is lately, agentic AI security.

 

John Verry (02:12.807)

Well, that is exactly what you hear. But before we get to that, and thank you for teasing that, they call that a tease in the business. You might probably know that. I always ask, what’s your drink of choice?

 

Geoff (02:20.462)

Thank you.

 

Geoff (02:25.518)

My drink of choice is anything anyone else is buying generally.

 

John Verry (02:30.985)

So I just you just told me that I shouldn’t hang around with you is pretty much what I just heard.

 

Geoff (02:38.254)

That’s right though. Irish coffee, yeah, which I may or may not be having right now.

 

John Verry (02:43.367)

Yeah, exactly. Yeah, same with and I may not be drinking a hot toddy. So we’re equal. All right. So that is why we’re here to chat. Because as you already teased, increasingly authentication is not as, I mean, we’ve always authenticated the human entity and then we had system accounts and things of that nature, which were sort of compute assets.

 

Geoff (02:49.001)

Hahaha

 

John Verry (03:11.773)

Getting a little blurry, right? We’ve got, you know, agents which are maybe a proxy for a system account, but then now we got agentic systems which, you know, are more reasoning oriented. So it’s getting harder and harder to understand where the perimeter is and, you know, how do we actually treat these AI entities, right? Are they a non-human user? Are they extensions of a human user? Are they like a service account equivalent in some cases or…

 

Are they all of those and maybe even something fundamentally different? So that’s kind of today’s conversation. So give us your high level thoughts and then we can drill in a little

 

Geoff (03:48.61)

Yeah, well, thanks, John. I think this is a fundamental question because I really do think that, agentic puts identity front and center and security. And it is now, as my, my kid would call it, that used to be considered a, an NPC and non-playing character, insecurity was a cousin to security and, sometimes a little bit less interesting than some of the other areas. but now it’s has a.

 

we say main character energy, because really the only way to secure the use of agents is with a strong identity security solution. And so the sort of a merger of identity security is being accelerated by the deployment of agents. And as far as like how we think of them from an identity perspective, I think you hit the nail on the head is that

 

We have a human users and human users can be unpredictable, especially they can have their accounts taken over and they can, and that would be very unpredictable, but humans are inherently unpredictable, but they also, relatively slow compared to automated processes. You can count on a human not being able to do, X amount of queries and Y amount of time.

 

Whereas an automated process could do that. So these service accounts on the other hand, are automated processes. They are much more powerful. They can do things a lot more quickly. They can access data more quickly. could potentially do more damage, they tend to be relatively predictable. know, once you understand how an application acts, you can model its behavior pretty reliably.

 

Now with agents, we have sort of the best or both of both worlds. They are as unpredictable as a human, but they’re as powerful as a service account, right? So they need to have a new set of authorization capabilities. need to have controls put on them that don’t just take a human identity’s privileges and allow it to be applied to

 

Geoff (06:12.376)

to an agent and that have a richer set of capabilities than a service account because they need to have a broader scope than a service account. And I can give you an example of this. For instance, if you have an agent that’s just behaving itself, trying to do what it does, a user with its own privilege, one of our customers asked a question that caused the agent to start trying to

 

some medical records and sort of medical behavior, medical leave for certain women in the company. And it was actually trying to derive like which women were pregnant, right? Now, this is an HR violation, right? It’s not something you should do. It’s something we would trust the user to not do. And it’s something also a user wouldn’t be able to issue the amount of queries and aggregate them in order to do this, but an agent can. So,

 

It’s cases like that where the agents don’t even compromise. It’s trying to do its job. Still need to have controls put around it in order to protect the organization.

 

John Verry (07:22.673)

In that case, did the agent that was acting on the individual’s behalf, did it assume the authorization of the user interacting with it, or did it have its own sets of authorization?

 

Geoff (07:40.162)

Well, it has its own, but you’re thinking like, you know, so one way to think about this is that these agents don’t really expose, they don’t really create any new problems. There’s nothing new under the sun. But what they do is they, they magnify any existing gaps, any tech debt in identity architecture. So one piece of tech debt is.

 

that we give humans permission to do things, but we know because they’re human, they’ll have judgment, they have accountability. And also, as I said, humans can only do things so quickly. They can only enter so many commands through a UX, for instance, to be able to do something at a particular rate or speed. And all of these constraints are removed by agents. So what we’ve seen is a huge mistake.

 

that companies make is taking, allowing any type of agent, and as you mentioned, there are several types. There are essentially co-pilots that theoretically act on the behalf of the user. There are autonomous agents that provide a workflow function, and then there’s agent to agent clusters that are the most complex of all. But even just with these co-pilots, just allowing the co-pilot to take the permissions of a user.

 

is extremely dangerous, right? They are capable of doing things that users would never dream of. They’re capable of using their permissions in ways that humans would never imagine and that humans would also feel accountable for and avoid doing. And they can do things very, very quickly and do a lot of damage very quickly.

 

John Verry (09:24.893)

Yeah, we had a, had a, I had a client recently there in Gmail and, the woman was experimenting with using AI. I won’t tell you which to help her process her inbox, which had gotten out of control. And, it’s answered to focusing her on the most important things was to delete anything that it didn’t deem to be important. And like, but to your point, right? Like a human wouldn’t.

 

Geoff (09:49.257)

There you go.

 

John Verry (09:55.165)

would never do that, right? And it happens at scale, right? So before she could even, like she realized, you know, but how do you pull the plug on a process which is running, which you’re not directly in control of, right? It’s not like you can hit the stop button or the pause button. I mean, it’s that you gave the agent authority, the agent’s running wherever it is. So yeah, so I mean, that’s the kind of issues that you’re dealing with. So what you’re saying, I think, and just,

 

Geoff (09:56.448)

Exactly.

 

Geoff (10:01.727)

Exactly.

 

Geoff (10:13.345)

Right.

 

John Verry (10:24.669)

for the sake of people listening is we can have sort of the co-pilot. Co-pilot is a good model, I think, for most people to think about because a lot of people now are enabling co-pilot in their environment and they recognize that your co-pilot agent acts on your behalf. So it’s assuming your level of privilege, right? So if I have access to a group of files out on SharePoint, you that are unique to me, right? My OneDrive.

 

effectively, right? And then I’ve got shared access to other drives. I see that, but I don’t see anything else. Like, so if the, if the chief financial officer has access and HR officer has access to everyone’s payroll information, I can ask about the payroll information, but unless it’s misconfigured, I’m not going to have that access versus an agent might have a set of access that we do or don’t know about if it’s operating independent of

 

Geoff (11:07.062)

Exactly.

 

John Verry (11:18.173)

the user. So I can end up in either one of those two models, correct?

 

Geoff (11:21.39)

Yeah, exactly. you know, it’s as if the power of it, the wonderful aspect of it is these things can cut across different vertical SaaS applications, for instance, and do a lot of your work for you. But there is a risk, of course, to these untoward effects. And that’s if the agent is just acting on your behalf and, you know, trying to make paper clips by any means possible.

 

The other thing is, it can act like an adversarial piece of malware in your environment. It will ruthlessly try to and deviously and ingeniously try to accomplish its task by any means possible. We’ve seen what it like living off the land attacks for these agents is trying to do their job. That’s if it’s just trying to its job. The other big problem

 

John Verry (12:17.833)

Can you, I’m sorry, could you explain what you mean by a living off the land attack and how the agent did that?

 

Geoff (12:23.404)

Yeah, so what we’ve seen is the agents have been able to find ways to accomplish their objectives through very indirect multi-step means. Just similar to the way an attacker now can come in without installing malware and exploit weaknesses and pathways through your enterprise to get to an objective.

 

John Verry (12:49.705)

Okay, thanks.

 

Geoff (12:49.762)

So, you know, these things that we’ve seen this project glasswing and talk about mythos. We think basically that, you know, mythos is, is the, this latest model by Antropic as the code name. And it theoretically has very strong hacking ability. A lot of people on, you know, security acts, you know, say that there’s some overhyping and marketing involved here, but I’ll just tell you that I’ve met people from companies that.

 

You have been part of that project and some of our customers have been part of the project and it definitely is capable of finding very novel attack pathways. And it is the weakest model that will ever be released. You know, this year, you know, everything else that comes after it is going to be more powerful. So you’re basically when you bring these agents in, you’re basically bringing a nation state level hacking organization.

 

into your company that could try to accomplish, you know, whatever objectives you give it. But the other aspect of this is there’s theoretically guardrails that you could put in agents that will prevent them from being hacked or prevent them from misbehaving. But there’s a very large school of thought and there are a lot of experts in this area who say that these guardrails will never truly be effective. And why is that?

 

Well, the architecture of LLMs is such that the data and instruction are mixed. It is using language as both the data set and the instructions. And a good way to hack into a system is to use data to jump into the instruction area of memory and take it over. Essentially, LLMs are inviting you to do that.

 

On top of that, for every counter prompt that you put in, you know, the system record, for instance, of an LLM that says, don’t respond to this type of command, you know, all I need to do is come up with a different way of expressing that command. And so for instance, you know, one method is already pretty well known is, you know, attackers were able to get around some counter prompts.

 

Geoff (15:08.878)

in English by just issuing commands in Spanish. So basically you have the attack surface with SQL, the attack surface is SQL command or something like that. So it’s relatively constrained. The LLMs, it’s all the languages the LLM understands. So it’s not just the English language, it’s like every language the LLM understands. It’s enormous attack surface. It’s not like a typical application where there’s a finite set of vulnerabilities and

 

You know, we’ll discover them and we can patch them. It seems like something that can never be patched. So putting guardrails inside the LLM, the agent itself doesn’t look like it’s going to be completely effective. And you need have guardrails around. Sorry, click.

 

John Verry (15:51.411)

Have you seen that?

 

No, I’ve seen, um, so if anyone was listening, um, go to the Kara, which is a guard rail firewall manufacturer for LLMs. Uh, and, um, they have a gondol off the great, uh, exercise that you can do where gondol knows a password. And then your job is to social engineer, you know, and getting past the first stage is you just ask them for the password. Yeah. And then the second, you know, second way you can do it, like, this is what the language is encoding.

 

Geoff (16:00.014)

Mm-hmm.

 

Geoff (16:17.678)

Right.

 

John Verry (16:24.329)

Um, you know, all, you know, using don’t not using the word password, but using the word secret phrase or something of that nature. Well, because like you’re saying, all you’re doing is permutating, you know, different, uh, different ways of asking for that same information. I remember I got to, I don’t know, level three or level four, and I couldn’t get past that. But, but what I did was I got it to sequentially just give me, I realized that the firewall wasn’t allowing that sequence of characters to come out together.

 

Geoff (16:30.828)

Great.

 

John Verry (16:51.145)

So I got it to give me, the first letter or first two letters, you know, I figured out what it was doing and I could sequence through, you know, get one at a time, but it’s, just open to your imagination. And you see tools like prompt food and things of that nature where like people are building tools that will work their way through all of these types of permutations. The other thing, is really fascinating about it is when you, when you talk long enough with a model, for some reason you build almost trust with the model.

 

Geoff (16:54.99)

Geoff (16:58.614)

One at a time.

 

John Verry (17:21.033)

And you can ask it a question initially, like, tell me something you shouldn’t tell me. And then it will, it won’t. And then, but after a long enough conversation, you can ask the same question and it will, right? You know, the deterministic probabilistic issue, right? So, um, it is, it’s absolutely social engineering. That’s it. I often refer to that when we talk about doing AI red teaming for a customer, I’m always like, effectively, it’s a social engineering engagement with social engineering and LLM. So,

 

Geoff (17:33.952)

Yeah, it’s like social engineering, isn’t it?

 

Geoff (17:46.968)

Right, your social engineering, incredibly intelligent, but some kind of crazy person, right? Yeah, step on it.

 

John Verry (17:53.129)

It’s almost like a savant, right? Yeah. So what would you say the gaps are that you see, right? From an authentication and authorization model, you know, applied to AI, right? So clearly we have a challenge. Like, where are the biggest parts of the challenge? And then we can probably drill down a little bit, talk about how we might be able to solve some

 

Geoff (18:14.358)

Yeah, well, so we’ve been solving one particular problem for banking customers for quite some time, which is we have customers, banking customers have their own customers that need to access their accounts online, you know, from the internet and make financial transactions as a result, like move money from one account to another or pay something. And so we secure that using

 

you know, set of standards and, and, around a fine grain authorization, OAuth2. and this same set of technologies at its core can be used to secure the, you know, normally identity is concerned with the control plane, you know, sort of saying who is who and who’s allowed to do what. But for this particular problem, we need a gateway that sits in the data path.

 

and can act in real time and make a decision, authorize each and every action that an agent takes. But basically what we do is we, at a very simple level, we just, you know, put a gateway transparently between the agent and all the enterprise resources. And every single thing that it does, we make sure is within spec, within policy. And as I said, there’s a very well-developed set of, you know, policy technology.

 

to do this, we can talk about that, but it’s standardized and there’s a lot of support for it in the industry. The hard part is applying it in real time. And then also what we do is we record every one of those actions. We put it in a tamper-proof audit file that can be used for compliance. And the same data is also used for analytics. So we can…

 

determine if an agent is misbehaving. We can talk about how we do that. And we can do things to step up the controls of the agent if it’s misbehaving. And we can step them up all the way to automatically quarantining it. Or you can step in and manually quarantine it. So this is why using identity and authorization as leverage to control agents and to put guardrails around agents is so effective, as opposed to

 

Geoff (20:39.906)

You know, some mechanisms that you use like firewalling or ER or whatever else that kind of makes sense. You determining, you know, how trustworthy the agent is initially. And we do, by the way, have, we’ve opened up our trust registry. We, we, we label the inherent trust that different types of agents, the most popular agents that are used, you know, based on, how strong your internal controls are. also.

 

how broadly, how broad their scope of execution is, how much damage they can do if they go wild. But that’s being made available publicly. But then what we do is we monitor them internally. We allow you to have them in a sandbox where they’re given privileges that do not allow them to make any changes to things. You can gradually put them into production and finally giving them full privilege, but you can always pull them back into being completely quarantined.

 

So this identity, sorry, go ahead.

 

John Verry (21:39.305)

I think you’re touching on one of the core concepts of AI, Is that it’s one thing, I think we all focus on developing things and using things, but I don’t think we focus enough on monitoring and metricing and measuring and those things, right? Because we see this all the time where you’ve got ideas like model drift and we’ve got ideas like becoming unaware of

 

the model doing certain things that it wasn’t anticipated that it would do and things of that nature. So it sounds to me like what you guys are doing is in addition to giving them this ability to baseline what the model does under, quote unquote, normal sets of operating conditions, that once we actually approve that model, effectively you’re certifying it and accrediting it into operation, and then post that certification accreditation to operation, you’re gonna continue to monitor it to ensure that its behavior stays consistent with the behavior that we saw.

 

Geoff (22:12.942)

Thank you.

 

John Verry (22:38.077)

while we were in that initial phase, correct?

 

Geoff (22:40.376)

That’s exactly right. And, and the important part of this is, you you talk to a variety of different practitioners and insecurity and there’s different types of analytics. You know, that are done. There’s things like detection and response and, and Sims, you know, have their own long-term analytics in the identity space. A lot of what we’re doing is making very fast decisions about whether to let someone in or not, or authenticating them or whether to challenge them.

 

with more MFA, for instance. So our infrastructure is made to respond in real time to risk behavior. So we’re able, as I said, to look at every single action that that model is taking and determine and make a decision on whether or not to allow it or challenge it or completely quarantine the model. So basically, once again, the…

 

Working in transaction level identity security has provided a basis of a solution for agent at point.

 

John Verry (23:44.969)

Yeah, that makes sense. So one of the things which, you you probably see the same thing, early stage AI experimentation, I’ll call it, and a lot of clients, you’re going to see things where you’ve got an agent that is reliant on often a user’s own credentials. You know, they’re often embedding API keys in for systems that have some significance, Salesforce.

 

Geoff (24:13.582)

Yeah.

 

John Verry (24:14.249)

ServiceNow, JIRA, right? So what risks does that introduce and what should they be doing instead?

 

Geoff (24:24.238)

Oh, so I mean, just baking API keys in is really, really not a great practice at all. Um, as I said, uh, getting it very, very high, high level non-granular access, giving that to an agent, they can do all kinds of damage. Right. And we’ve also, you know, what we’ve seen is, um, well-intentioned people that don’t even understand that they’re doing this. Um,

 

being delighted and seduced by the capability of the agent and then just, you know, giving away the store. You know, for instance, there one bank, we, uh, who’s our customer, the CCO is saying, you know, my biggest threat group right now is the C suite themselves. You know, I’ve had an incident now where a C level person was vibe coding and they get these consent authorization screens and then they see this thing as

 

They just click through them. They’re like, what is this GitHub? What the hell is that? And just say, yes, yes, yes, I’m an executive. And doing so they were able to, they pulled data off of GitHub. not going to get too much into the details of this, but it was exposed publicly and it was a real incident. you know, so what we want to do is we love agents ourselves and we love the power of them and the delightfulness of them. And, you know, I will also, I’m a vibe coding CEO too.

 

we want enterprise to be able to embrace them, but we want to make things safe. What we’ve noticed is, you know, I just had a, at an AI, conference and agent, AI conference. And, and there was all kinds of talk about, you know, agent, agent communication and, and new types of granular interfaces to different types of tools. was zero talk about security, you know, I mean, this stuff is a lot of fun and super powerful.

 

but nobody wants to deal with the security aspect of it. It’s relatively, you know, boring. And we have to be the, you know, the, the old fogies in the room that don’t like this new fangled music, you know, or the security team is put in this position of, of, holding people back from the, from the wonder and the delight of, of agents and, and by coding and things like this, we want to do is, is change that equation. we say, yes, it’s boring, but we’ll take it off the table for, for you.

 

Geoff (26:47.406)

We will have a trust layer in your enterprise that allows you to deploy whatever agents you want, open call even if you want to. And we will make it safe to deploy in your enterprise.

 

John Verry (26:57.799)

Yeah. Yeah. So, so, yeah, the line that I’ve been using recently is, you know, we’re not the brakes with the steering wheel. Right. And I think they really need to kind of understand that, like, you’re like me, like, like I’m vibe coding at night for my own purposes, for purposes of work. Like, and, know, and I recognize that I don’t, I, you know, I’m sort of an NRA. can take my air with me, you know, you know,

 

Geoff (27:05.164)

That’s definitely a test of grade.

 

Geoff (27:24.91)

Exactly.

 

John Verry (27:25.673)

Over my dead body, right? Like I like look like you’re not taking my AI away from me, right? It’s too important to the way that I work and I’m able to get more work done I’m able to get it done better And it’s only gonna only gonna go up from here. But that being said like you can wipe out like One of my favorite things talking about like cyber in general, is that you know, we historically look at cyber as value as value preservation,

 

you’re mitigating risk, but it can also be value creation. And if we want to take advantage of the value creation that AI brings, we’ve got to do so in a way that’s also value preserving. Because to your point, you can have poor judgment, make poor business decisions at scale, right? A thousand times faster than you used to, which just means that you’re going off the cliff a thousand times. It used to take two years of bad management to run a company into bankruptcy.

 

You you can do it in two minutes now, right? Hey, thank you AI, right? So you mentioned something there that was really interesting to me and it was the next question I was going to ask you. So it went in perfectly. Where this gets really interesting, right? Is this, you know, so we’re going to call it chained agent, multi-agent, agentic AI where, you know, my agent is talking, you so I’m booking something with your agent, like your, my agent, your agent are communicating in such a way.

 

Geoff (28:22.05)

Yeah.

 

John Verry (28:49.097)

for some type of a transaction in a simple world that’s probably low risk. You know, it’s, me, um, me wanting a haircut at your haircut salon. Right. And we’re negotiating schedules, you know, in a broader one. I listened to podcasts the other day where this actually was the issue, you know, where, uh, two agents were playing in prediction markets, uh, uh, calcium or poly market. I can’t remember which one it was, uh, and bad things happen and the person lost an insane sum of money.

 

Geoff (29:16.663)

Yeah.

 

John Verry (29:16.755)

I mean, many hundreds of thousands of dollars like that, you know, on bad agent, agent communication. So, what are the, you know, what are the implications that, how does that change trust boundaries? How does that change access control? Like, how do we, can we control what happens beyond our agent? Right. I mean, it’s sort of like supply chain.

 

risk management, third party risk management with chained agent, right? We’re not in control.

 

Geoff (29:50.089)

Yeah, I think there’s two aspects to unpack there. But let me just first for context, talk about what you had just mentioned about how you can do a lot of damage to your enterprise very quickly with AI. On the other hand, as you mentioned, it can be a competitive weapon. If you as a security team can enable

 

your company to run with this. You know, we’re seeing is, is top down pressure board saying you need to adopt agentic workflows for efficiency and for agility. And we’re seeing bottoms up, as you said, you know, you, my, my cold dead hands will be pried away from my agency. You hear that from engineers to the C-suite to marketing people. And if you can be

 

the security team that facilitates that, that allows that, that lets them run free and takes the security risk off the table. That is a huge business enabler, huge competitive enabler. And you can use that for some period of time. You know, while everyone is very slow to allow full adoption, it’s especially in a lot of the regulated industries we deal with, you know, your company can stand out and you can do quite well as a result of that, right? But you know, having said that, so how do you get to this, this case of the agent to agent? That’s really interesting.

 

It’s like I said, I really do think that this agentic stuff is interesting, but the security stuff in the background, there’s really nothing new here. We support business to business use cases right now where I can give a, forget about agents, just the mundane aspect of I need to be able to interoperate with a supplier and the supplier needs to interoperate with

 

with downstream suppliers. We have a solution where we can allow you, can allow a outside entity to access our internal resources. And of course we constrain them. We are able to delegate a certain amount of authority to them and we allow them to subdelegate authority downstream as well, right?

 

Geoff (32:03.928)

And in doing this, we also allow them to be able to control, administer their own authority. So we’re not the help desk for all of our partners, right? This same pattern is perfectly applicable for inter-agency, agentic communication. There are methods and standards in place for us to delegate authority.

 

to down scope it and to delegate it to outside organizations or for one agent to delegate it to another. And there are methods we can talk about where policy can be shared across these organizations as well. So I think this is, as I say, it’s a solved problem from a technology point of view. The problem is a lot of people have not implemented this type of security identity architecture.

 

And a lot of larger vendors have left it as a gap. As I say, at Securoft, we fill in the gaps that these larger vendors have left open, one of which is this business-to-business authorization capability. So that’s directly applicable to agent-to-agent as well.

 

John Verry (33:19.881)

Interesting. Yeah, it does. So let me ask a question. So, you know, I heard someone and I thought this was clever, maybe not perfectly accurate, but somebody referred to MCP servers as the, an AI, you know, like the equivalent of a USB hub for AI, which I was kind of a cool, cool analogy. How does that change the equation? Right? I mean, like, you know, you can, you can fire up

 

Geoff (33:37.294)

Thank

 

John Verry (33:48.17)

Claude Cowork and open up an MCP server and any, you you can connect it to now, you know, it’s sort of Zapier, you know, back, IFTT, if you remember those tools where suddenly you had this ability, sort of like, sort of kind of the same idea, like how does that, how does that change this whole equation?

 

Geoff (34:06.094)

Yeah, I it’s like I said, that’s another aspect that’s wonderful and delightful. You know, I think MCP servers, they’re kind of just a sort of flavor of API servers really, right? But they’re ones that are very accessible. They may not be the most efficient, but they’re very accessible and easy to set up. And we love that, encourage it. So what we do is we just say, point your MCP server traffic to us.

 

We’ll talk to the actual real MCP server. The agent will think it’s talking to the MCP server. The MCP server will think it’s talking to the agent. We’ll sit in between and we’ll make sure that everything the agent does is okay, right, based on your policies.

 

John Verry (34:51.546)

So it’s effectively an MCP proxy.

 

Geoff (34:54.318)

Yeah, it’s, it, yeah. Or a gateway. We would consider a gateway. It’s a little bit more, functionality than that, but yeah, you can think of it as a proxy. Exactly. Yeah. And so this is, you know, this is highly differentiated. Um, and it’s something we’re using with large, very regulated customers works really well.

 

John Verry (34:57.395)

gateway.

 

John Verry (35:02.939)

Interesting.

 

John Verry (35:14.119)

Is that just that now I’ve not heard of an MCP proxy or MCP gateway prior, maybe just because I haven’t looked for it. Is that actually a product offering you have? That somebody could buy that somebody could somebody could buy.

 

Geoff (35:26.894)

Yeah, the pie go from it’s called agent. Yeah, it’s a yes. I mean, you can buy it’s called the agent authority. You can only buy it, but you can use it for free right now. If you want for monitoring, it will, we will record all of your transactions and you can use that as a basis to craft policies. Now bear in mind that we can use the

 

policies of your current identity system. We can apply them automatically to this. But yeah, you can use it right now. And then if you want to go further, can activate with the paid license, the authorization capabilities where it will actually control every action. And you can activate the analytics where it will detect if anything is going untoward. That’s completely available right now and we’d encourage people to try it. takes about

 

two minutes to set up. We offer it as a cloud service. course, it seems so that can set it up immediately. It’s a SaaS service. Having said that, of course, as I said, we work with a lot of regulated companies where we provide private SaaS service, right? So as the agility is controlled and as the agility of SaaS, but it’s completely 100 % controlled by them. yeah, feel free to check out secureout.com and look for

 

John Verry (36:37.833)

Yeah, I would just guess great.

 

John Verry (36:45.513)

Yeah.

 

John Verry (36:51.689)

That’s pretty cool.

 

Geoff (36:52.556)

Yeah, our agentic capability.

 

John Verry (36:54.793)

At school. so, you know, if you, you, if you look ahead, right. And, know, cause this isn’t going away anytime soon. Um, you know, I always repeat the line that I’m stealing from somebody else, you know, things have never moved this fast before and they’ll never move this slow again. And I think we definitely can say that’s what we’re talking about here. So what does, um, what does, uh, like a for a mid market organization, which a lot of our clients are.

 

Geoff (36:58.766)

Yeah.

 

John Verry (37:22.045)

What does a best practice identity model for a genetic AI look like going forward, right?

 

Geoff (37:27.286)

Yeah, so for mid-market, if you can use a SaaS service, as I said, I think what you want to do is take the risk off the table immediately, simply, and easily. I know this is going to sound like a blatant pitch, but fine, use another competitor’s if they have this, but use our service. All you have to do is you can make a change to your

 

the way your agents are operating, you can push that in a minute or two using existing tools. We can show you how to do that. And then have our MCP gateway, our API gateway, intercept your actions and make sure that your agents comport with whatever policies you have in place. And we have standard sets of policies that, know, mid-market companies can use so that they don’t have to

 

write them themselves if they just want to fall back on a default. But put that in place immediately, sooner rather than later. As I said, you’ve mentioned these many cases where people lose a lot of money or they have a breach or they have some sort of compliance violation as a result of these agents being used in well-intentioned ways. Let us take that off the table for you right now.

 

We can make this simple. You don’t have to configure a lot. You don’t have to think about a lot. You can proceed very quickly and agilely with your agents. We interoperate with your IT vendor that you’re using, your Microsoft, and your other identity-oriented providers. But we can simplify this process and effectively provide a secure deployment pathway for agents in your environment.

 

John Verry (39:19.795)

So, so effectively what I think you’re saying is you need to find a way to monitor what your agents are doing. And ideally not only monitor what they’re doing, right. But enforce a prescribed set of behavior or preclude a non prescribed, you know, effectively whitelist or you want to look at it as a blacklist, certain forms of behavior. okay.

 

Geoff (39:47.982)

Exactly.

 

John Verry (39:49.586)

So.

 

I would assume that at some point though, that there will be the sort of the equivalence of zero days, right? Like there will be unexpected agent behavior that we didn’t expect to see. didn’t whitelist or blacklist and it does. you know, much like other people get inoculated by a zero day, you know, eventually like these will all become part of what we’re monitoring for and the, know, and, there’ll always be new novel.

 

know, attack modalities or unanticipated behaviors. But over time, we would expect that these to get less and less. And that really that is the probably the best we can do.

 

Geoff (40:35.34)

Yeah, I think so. what we’ll do in the meantime is look at the behavior. We’ll discover all the agents in your environment. And we will classify the behavior of each individual agent and then also map it into agents that act similar to it. So we’ll come up with a set of individual and group behaviors. And we’ll notice if it tends to drift.

 

John Verry (40:56.553)

Mm-hmm.

 

Geoff (41:03.71)

from individual or group. What we’ve noticed is if there is, sometimes there is a model change and that spurs a lot of new use cases. And so suddenly a particular type of agent tends to change all at once. So that would be a false positive if we did it on an individual level. But looking at individual group, we have a pretty good sense of whether an agent has been either compromised

 

or is being used in an untoward way by an employee, know, unauthorized way. And so we’ll continue to do that to catch these, you know, the type of zero day scenario you’re talking about. And I do think at some point, you know, the industry will coalesce around a set of agentic, you know, solutions that’s probably smaller than what we have today. Right now we classify over 50, you know, different types of agents in terms of their trust level, you know, on our website, you can have a look at that.

 

John Verry (42:00.458)

So give me an example, like when you say, because even the term agent, you know, I mean, I’m sitting here listening to you and I’m like, okay, is coworking agent is code, code, code, agent, are they individual agents? Is it just Claude is Claude and a, and now is when you get to dispatch and you get all of the features that they keep layering on top of this stuff, you’re like, you know, and even skills, right? Like, I mean, like, you know, I mean, how many people are going down and what’s at skills dot chair or whatever it is and downloading skills.

 

Geoff (42:05.569)

Yeah.

 

Geoff (42:16.494)

All

 

John Verry (42:29.651)

You know, and who knows half of those have shit in them that shouldn’t be there. then, and then, you know, yeah. Yeah.

 

Geoff (42:33.706)

And sorry, agentic frameworks too, right? You know, like a land chain or something like that. You could think of that, right? As an agent per se, right? Yeah. So yeah, completely agree. you know, the way I classify it is, you know, anything that gives arms and legs to an AI agent, AI is right now LLMs, but anything that gives an LLM arms and legs.

 

John Verry (42:43.527)

Yes. Yeah.

 

Geoff (43:00.334)

Anything that gives it API or MCP access to anything else, be it in your system or not, we will classify as an agent, as opposed to, know, LLMs that just answer questions. So, you know, cowork is definitely an agent, right? Cloud code is definitely, so co-pilots are agents, agents that do run autonomous systems are agents, and then agent-agent, which is coming, those are also agents. Anywhere you combine the…

 

John Verry (43:27.561)

Right. And then of course, we’ve got any agent that somebody develops.

 

Geoff (43:29.55)

crazy power of LLMs with actual tool usage and data usage. Those are agentic. we saw this last year, 2025 was supposed to be the year of the agent. I think 2025 was the year of talking about the agent. And this is the year of the agent we’re seeing this explosion as a result of, first of all, the LLMs got really powerful. The foundational models seem to have stepped up in terms of capability.

 

John Verry (43:58.858)

Especially from a coding, the advances they’ve made from a coding perspective are

 

Geoff (44:00.852)

yeah. Insane. Insane. Yeah. And then on top of that, you also have sort of the public imagination was captured by open claw, you know, for better or worse, but that really brought home what agents can do and made some sort of fun and delightful too in a way. So, you know, so those two factors, just the raw power and now the real life examples of

 

John Verry (44:05.843)

stacker.

 

Geoff (44:29.758)

agencies, they can cause this explosive demand. And, you know, lot of our customers like yours, you talked to CISOs, they’re just in this squeeze where, but you know, top down and bottom up are demanding this and they have to be the ones that make it safe. And that’s traditionally been a very difficult challenge.

 

John Verry (44:48.265)

So the one thing which is interesting though, to your point, and then I wonder if, I don’t know if you saw what Mark Cuban said recently. He said the greatest opportunity in AI is not in the foundational model space, but it’s in the helping mid-market organizations actually implement this technology because they’re all right. And I will tell you this is that I think I’m smarter than the average bear by a little bit. And I’m struggling right now, even with figuring out the stuff that I want to work on and how I do it because

 

Geoff (45:03.117)

Right.

 

John Verry (45:16.481)

It’s like, OpenClaw comes out, security, okay. I think I’m gonna go forward on that, and as I’m starting to do that, Nemoclaw comes out. Well, I better look at Nemoclaw. And then I’m like, well, I wanna orchestrate it. Then Hermes comes out, and I’m like, well, Hermes looks interesting. And then iCore, if you’ve ever watched that guy on YouTube, he’s pretty brilliant. You can do everything natively with Claw, and then I’m like, well, I think he’s right. It’s just, that’s adding memory, but I can add my own memory.

 

And then you see Carpathi, and if you don’t follow Carpathi, anyone listening to this on Twitter, he’s the god. I mean, he’s brilliant. Like, I mean, he brings out the LLM model, you know, with using Obsidian. So I’m like, okay, well, let me switch gears. Let me go to Obsidian Plus, you know, and then I see Paperclip, and it’s like, well, if you’re to run a team of AI agents, you know, here’s this idea where you can run a company. It’s…

 

Geoff (45:50.968)

Yeah.

 

John Verry (46:08.093)

The problem is it’s all moving so fast that I think actually it’s going to delay some adoption and it’s only going to faster. people are, I’m getting confused and I invest a lot of time into understanding this stuff. Like if you’re running a $20 million mid-market organization that does marketing, how do you stay on top of this enough or?

 

Geoff (46:24.205)

Yeah

 

John Verry (46:36.775)

You just, like, I don’t know. it’s, I find it overwhelming. And I gotta think there’s a lot of other people out there that do right now as well.

 

Geoff (46:43.466)

I completely agree. A lot of our customers, they keep saying, well, we’re trying to come up with an AI strategy, including the security aspect, but it just keeps moving and changing so quickly, it’s impossible to strategize. And so that’s why I’m saying, what you need to do is, maybe you about as like vibe deployment, but don’t come up with a strategy, 10 year strategy, just implement something right now that protects you and lets your users run free.

 

let people play with Nemo and OpenClaw and Cloud Code and Cloud Cowork and everything else, put some basic controls in place, you’ll work out in the future how to extend them, right? So, we think that there’s basic hygiene, basic authentication, basic authorization can be applied to these agents right now while you’re working out the larger strategy and while things are evolving, right?

 

John Verry (47:38.151)

Yeah, we could probably spend another hour because there’s a bunch of other thoughts that I would love to add, but I’m looking at the clock and we’ve already been at this longer than we should have. yeah, yes, well said. So if somebody wanted to get in touch with you or your organization, what’s the best way to do that?

 

Geoff (47:42.54)

Yeah, great conversation time.

 

Geoff (47:50.594)

First, a little bit interesting times, yeah.

 

Geoff (48:02.11)

you can, you know, our website secure off.com or you can ping me on LinkedIn, Jeffrey Madsen or on a X as well.

 

John Verry (48:11.547)

Excellent. Jeff, thanks man. Appreciate it. Fun conversation.

 

Geoff (48:13.55)

Thank you, bye bye.




Back to Blog