
Non-Human Identity & the Agentic SOC: A CISO’s View

From Mitiga Mic: Field CISO Brian Contos in conversation with Jess Vachon — three-time global CISO, host of Voices of the Vigilant, and Marine Corps veteran.

Ask a security leader where they feel most exposed, and you won’t hear a story about a missing product. Organizations have spent decades and enormous budgets on people, process, and technology. The exposure shows up somewhere else.

There’s a gap between the tools and what the tools can see, and where the attackers are actually operating. We try very hard to cover all those areas, but we’re limited by budgets, limited by staffing, and limited by the combination of the two — the skills to operate the tools efficiently.

Key points

  • The real exposure isn’t a missing tool. It’s the gap between what tools can see and where attackers operate — and that gap is widening as environments fragment across cloud, SaaS, identity, and AI.
  • Identity compromise is the number one risk. Attackers don’t break in anymore; they log in.
  • Non-human identity — service accounts, API keys, CI/CD tokens, AI agents — is the blind spot. Most organizations have no real inventory of it.
  • The agentic SOC is worth exploring but not worth trusting unsupervised. Keep humans in the loop and protect the analyst pipeline.
  • Defenders have to move as fast as the AI moving against them, which takes full-fidelity data, real-time correlation, and forensics in one place.

Where security leaders feel most exposed

That gap is widening. The environment security teams built their programs to protect has moved out from under them. On-prem became cloud, cloud became SaaS-heavy, and identity is now federated everywhere. Dwell time is compressing, and the window teams have to react is shrinking with it. AI is expanding the attack surface today, and post-quantum computing is the next wave behind it. “We’re in a period of time where everything is changing for us,” Vachon said, “and those gaps we thought might be there are widening, and it’s very hard to know exactly where they are.”

Why identity compromise is the number one risk

When Contos put the usual suspects on the table — cloud misconfigurations, identity compromise, AI-driven attack paths — Vachon didn’t hesitate. Identity compromise. “I don’t want to say 100%, but the data shows that’s where the issues are. We can train our staff as much as possible, but they’re still getting compromised — whether it’s email, whether it’s smishing, they’re still falling for these tricks.”

So Contos put the operational reality plainly. People aren’t really hacking in anymore. They’re logging in. And finding the one anomaly that matters is manageable when you’re watching a single user touch a single application. It stops being manageable across dozens or hundreds of SaaS apps in a multi-cloud environment. Then, multiply that by AI infrastructure.

Human vs. non-human identity: the blind spot

There are now two identity problems, not one: the human identity, and the non-human identity. On the human side, the discipline exists: MFA, PAM, IGA. It isn’t perfect, but it’s a mature space and teams know how to run it. The non-human side is the blind spot. “Service accounts, API keys, CI/CD tokens, AI agents — most of us don’t have a good inventory in those areas,” Vachon said. “And that’s where we’re seeing a lot of the threats.” Her phrase for the state most organizations are in: dangerously blind.

The tools that teams bought three and four years ago weren’t built for the age of AI. Non-human identities are spun up for ease of implementation, handed administrative privileges to avoid headaches, and pointed at systems that access other systems — and now create their own agents. The inventory problem compounds faster than the inventory gets built.
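The inventory gap described above is concrete enough to check for. The following is an added example, not code from Mitiga or from the conversation: it runs a small triage over a constructed inventory of the identity types named in the text (service accounts, API keys, CI/CD tokens, AI agents) and flags the patterns Vachon calls out, such as no owner on record, administrative privilege handed out for convenience, credentials that were never rotated, dormant accounts, and agents that can create further identities. The field names, thresholds and reference date are assumptions; a real run would pull the rows from the IdP, cloud IAM, the secrets store and the CI/CD system.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

# Assumption: "today" for age and idle calculations, so the example is deterministic.
REFERENCE_DATE = date(2025, 6, 1)

# Assumed thresholds; tune to the organization's rotation and access-review policy.
ADMIN_PRIVILEGES = {"admin", "owner", "*"}
MAX_KEY_AGE_DAYS = 90    # API keys / CI tokens older than this are considered unrotated
MAX_IDLE_DAYS = 60       # anything unused this long is considered dormant


@dataclass
class NonHumanIdentity:
    name: str
    kind: str                       # service_account | api_key | cicd_token | ai_agent
    owner: Optional[str]            # None means nobody is on record as responsible
    privileges: Set[str]
    created: date
    last_used: Optional[date]
    can_create_identities: bool = False   # e.g. an agent allowed to mint service accounts


# Constructed sample inventory (not real data), covering each identity type.
INVENTORY: List[NonHumanIdentity] = [
    NonHumanIdentity("svc-billing-export", "service_account", "finance-platform",
                     {"read:billing"}, date(2024, 11, 3), date(2025, 5, 30)),
    NonHumanIdentity("api-key-legacy-sync", "api_key", None,
                     {"admin"}, date(2022, 2, 14), date(2025, 5, 29)),
    NonHumanIdentity("gh-actions-deploy", "cicd_token", "platform-eng",
                     {"deploy:prod", "admin"}, date(2025, 4, 20), date(2025, 5, 31)),
    NonHumanIdentity("agent-ticket-triage", "ai_agent", "secops",
                     {"read:tickets", "iam:create_service_account"},
                     date(2025, 5, 1), date(2025, 5, 31), can_create_identities=True),
    NonHumanIdentity("svc-old-reporting", "service_account", "analytics",
                     {"read:warehouse"}, date(2023, 8, 8), date(2024, 9, 1)),
]


def assess(identity: NonHumanIdentity, today: date = REFERENCE_DATE) -> List[str]:
    """Return the list of findings for one identity, in a fixed order."""
    findings = []
    if identity.owner is None:
        findings.append("no_owner")
    if identity.privileges & ADMIN_PRIVILEGES:
        findings.append("admin_privilege")
    # Only bearer-style credentials have a meaningful rotation age.
    if identity.kind in ("api_key", "cicd_token") and \
            (today - identity.created).days > MAX_KEY_AGE_DAYS:
        findings.append("unrotated_credential")
    idle_since = identity.last_used or identity.created
    if (today - idle_since).days > MAX_IDLE_DAYS:
        findings.append("dormant")
    if identity.can_create_identities:
        findings.append("can_spawn_identities")
    return findings


def triage(inventory: List[NonHumanIdentity], today: date = REFERENCE_DATE) -> dict:
    """Map name -> findings for every identity with at least one finding, worst first."""
    report = {i.name: assess(i, today) for i in inventory}
    ranked = sorted(report.items(), key=lambda kv: -len(kv[1]))
    return {name: findings for name, findings in ranked if findings}


if __name__ == "__main__":
    for name, findings in triage(INVENTORY).items():
        print(f"{name:24} {', '.join(findings)}")
```

The ranking puts the unowned, administrative, never-rotated API key at the top, which is the shape of identity that "ease of implementation" tends to produce. The point of the exercise is less the scoring than having the rows at all: until the inventory exists, none of these checks can run.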

Investigation, not investigation theater

When prevention fails — and at the volume, velocity, and variety of attacks teams now face, some of it will — the question becomes how well you can investigate across everything at once. Vachon was direct about how hard that is when the data is scattered. “We have data everywhere, and our tools aren’t keeping track of that data everywhere. Very few tools allow us to do that correlation between a SaaS platform and an AI system.”

The result, she said, is that a lot of organizations claim an investigation capability they don’t really have. “Some of it’s theater — which was okay up until a few years ago, because a few years ago things were going a lot slower. Now things are moving a lot faster, and we don’t have the time to catch up.”

The fix is to take fragmented evidence and stitch it back into a single pane of glass that shows what actually happened and how it correlates across the organization. That takes real telemetry, real horsepower, and forensics. And that means retaining logs for a long time so the history is there when you need it. Fragmentation, data volume, and the absence of tools that pull it together quickly — those are the three things working against the defender at once. “The key,” Vachon said, “is we have to be able to move as fast as the AI is moving.”
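What "stitching fragmented evidence back into a single story" means in practice is normalizing records from consoles that never talk to each other onto one identity-keyed timeline. The following is an added example, not Mitiga's code and not from the conversation: it parses three constructed sources with different shapes (an IdP login log as JSON lines, a SaaS audit export as CSV, and a cloud audit trail as JSON), normalizes the actor field each one uses, merges them into one timeline, and flags any login that is followed within a short window by activity from more than one other source for the same principal. The record formats, field names, sample values and the ten-minute window are all assumptions.

```python
import csv
import io
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample records (not real data). In practice these live in three
# different products, each naming the actor field differently.
IDP_LOG = [
    '{"ts":"2025-06-01T09:02:11Z","actor":"svc-data-export@example.test",'
    '"event":"login.success","ip":"203.0.113.7","mfa":false}',
    '{"ts":"2025-06-01T09:05:40Z","actor":"alice@example.test",'
    '"event":"login.success","ip":"198.51.100.4","mfa":true}',
]
SAAS_AUDIT_CSV = """time,user,action,object,size_mb
2025-06-01T09:04:02Z,svc-data-export@example.test,file.download,/finance/q2-forecast.xlsx,18
2025-06-01T09:04:09Z,svc-data-export@example.test,file.download,/finance/board-deck.pptx,44
2025-06-01T09:20:00Z,alice@example.test,file.view,/eng/roadmap.md,0"""
CLOUD_TRAIL = [
    '{"eventTime":"2025-06-01T09:06:30Z","userIdentity":{"userName":"svc-data-export@example.test"},'
    '"eventName":"AssumeRole","requestParameters":{"roleArn":"arn:aws:iam::000000000000:role/OrgAdmin"}}',
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Each parser emits the same normalized shape: ts, source, principal, action, detail.
def parse_idp(lines: List[str]) -> List[Dict]:
    out = []
    for line in lines:
        rec = json.loads(line)
        out.append({"ts": _ts(rec["ts"]), "source": "idp", "principal": rec["actor"],
                    "action": rec["event"], "detail": f'ip={rec["ip"]} mfa={rec["mfa"]}',
                    "mfa": rec["mfa"]})
    return out


def parse_saas(csv_text: str) -> List[Dict]:
    return [{"ts": _ts(r["time"]), "source": "saas", "principal": r["user"],
             "action": r["action"], "detail": f'{r["object"]} ({r["size_mb"]} MB)'}
            for r in csv.DictReader(io.StringIO(csv_text))]


def parse_cloud(lines: List[str]) -> List[Dict]:
    out = []
    for line in lines:
        rec = json.loads(line)
        out.append({"ts": _ts(rec["eventTime"]), "source": "cloud",
                    "principal": rec["userIdentity"]["userName"],
                    "action": rec["eventName"],
                    "detail": rec.get("requestParameters", {}).get("roleArn", "")})
    return out


def build_timeline(*event_lists: List[Dict]) -> List[Dict]:
    """Merge every source into one list ordered by time, then by source name."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: (e["ts"], e["source"]))


def find_cross_source_chains(timeline: List[Dict],
                             window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """For each IdP login, collect what the same principal did in the other sources
    inside the window; flag it when that activity spans more than one source."""
    chains = []
    for i, login in enumerate(timeline):
        if login["source"] != "idp" or not login["action"].startswith("login"):
            continue
        follow = [e for e in timeline[i + 1:]
                  if e["principal"] == login["principal"]
                  and e["source"] != "idp"
                  and e["ts"] - login["ts"] <= window]
        sources = {e["source"] for e in follow}
        if len(sources) >= 2:
            chains.append({
                "principal": login["principal"],
                "login_ts": login["ts"],
                "mfa": login.get("mfa"),
                "sources": sorted(sources),
                "steps": [f'{e["ts"]:%H:%M:%S} {e["source"]:5} {e["action"]} {e["detail"]}'
                          for e in follow],
            })
    return chains


if __name__ == "__main__":
    tl = build_timeline(parse_idp(IDP_LOG), parse_saas(SAAS_AUDIT_CSV), parse_cloud(CLOUD_TRAIL))
    for chain in find_cross_source_chains(tl):
        print(f'{chain["principal"]} logged in at {chain["login_ts"]:%H:%M:%S} (mfa={chain["mfa"]})')
        for step in chain["steps"]:
            print("   ", step)
```

Viewed in any one console, each of these records looks routine: a successful login, two file downloads, one role assumption. Only the merged, identity-keyed view shows a service account logging in interactively without MFA, pulling finance documents, and then assuming an administrative cloud role inside five minutes. That merge is also why the text stresses long log retention: the chain can only be rebuilt if all three sources still have the records.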

That speed is changing what good security operations even look like. Teams that once let a few bad things through rather than block legitimate work are now moving aggressively: block it, quarantine the asset, disable the account, kill the session — non-destructive actions they can roll back if they got it wrong. As Vachon framed the economics: security started with “cut it off”; then the business said “don’t, we’re losing dollars”; and now the calculus has flipped again — if we don’t cut it off, we lose more, so roll it back if needed. That’s the safer move now, and it only works if the tooling is fast and the data underneath it is rich.

Can you trust an agentic SOC?

Naturally the conversation reached the agentic SOC. Vachon is exploring it and cautious about it in equal measure. What would it take to trust one? Educated staff. “We are nowhere near being at a point in any organization where we can afford to let agents run unsupervised by unqualified people. That’s just a recipe for disaster.” Models drift, injection is real, and if a threat actor gets access to an agent running your SOC and no one’s watching, they have the keys to the castle. There, they can make it look like nothing’s wrong, or like everything is.

The smarter framing, the one both came back to, is collaborative: AI takes the heavy lifting it’s genuinely good at — processing enormous volumes of data at speed — and humans own judgment and oversight. It also means not gutting the talent pipeline. Cut first- and second-level SOC roles entirely and you lose the farm team that grows junior analysts into senior ones. Vachon’s phrase for the thing to protect: the human supply chain.

Where Mitiga fits

Everything in this conversation points at the same requirement. Defenders need a platform that moves as fast as the AI moving against them — one that is AI-enhanced, human-led, and human-monitored. One that pulls fragmented signals into a single story in near real time and brings the forensics with it.

That’s Mitiga. Mitiga catches attacks from anomalies and threat intelligence and contains them before they cause business impact. It’s delivered through the Zero-Impact platform powered by Helios AIDR — built to defend with AI, defend your AI, and defend from AI-powered attackers — and grounded in Mitiga’s Cloud Security Data Lake, so AI and analysts work from the same full-fidelity, investigation-ready evidence. The payoff is operational: 90% improved detection and response speed, 70% fewer false positives, and 67% faster alert closeout.

When Contos described exactly that — correlation, alerting, and forensics in one platform, fast enough to act in near real time — Vachon’s read was unambiguous: “From what I know of your product, it covers a lot of those areas. It’s an area CISOs need to be looking at for tooling.”

Attackers no longer break in. They log in. Mitiga keeps you in control when they do.

See how Helios AIDR works →

Let them come.

FAQ

What is non-human identity in cybersecurity?

Non-human identity refers to the credentials and accounts that aren’t tied to a person: service accounts, API keys, CI/CD tokens, and AI agents. As Jess Vachon notes, most organizations manage human identity well (MFA, PAM, IGA) but lack a reliable inventory of their non-human identities, which is exactly where a growing share of threats now lands.

Why is identity compromise the top cloud security risk?

Because attackers increasingly log in rather than break in. Stolen or abused credentials let them operate as legitimate users across SaaS and cloud, where a single anomaly is hard to spot among dozens or hundreds of applications. Identity has become the primary control plane for detection and response.

How does Mitiga help with identity-centric investigation?

Mitiga delivers Zero-Impact Breach Prevention with Agentic Proactive Security powered by Helios AIDR. It correlates fragmented signals across cloud, SaaS, identity, and AI into a single investigation-ready view grounded in the Cloud Security Data Lake, so teams can move from alert to containment in near real time.
