On the 38th episode of Enterprise AI Defenders, host Mike Britton (Abnormal AI) speaks to TJ Mann, the Global Chief Information Security Officer at Lockton, about what it takes to defend a global insurance brokerage that handles sensitive client and partner data. Lockton sits in a trust-heavy position: clients expect risk guidance, and the organization itself must model strong internal security practices. TJ describes his job as owning the global information security program, strategy, and operations, with an emphasis on embedding security into architecture, culture, and metrics that the business can use.
AI is making fraud attempts feel less like spam and more like “someone who knows your business.” In TJ’s view, the immediate risk is not abstract. It is the growing effectiveness of hyper-personalized social engineering, including deepfake voice, video, and business-context-aware phishing that uses public breadcrumbs to sound legitimate. “We are seeing… hyper personalized social engineering,” he says, describing a near-term future where these attacks scale faster than traditional training and controls were designed to handle.
A core theme in TJ’s approach is that the cloud moved the battlefield. It did not just change where data lives. It changed who can touch it, how it is accessed, and how quickly an attacker can move once they gain a foothold. That is why TJ treats identity, APIs, and SaaS exposure as the practical perimeter. “Identity… is the new perimeter,” he says, emphasizing that modern compromise often starts with credentials, an integration, or a configuration mistake rather than a classic network intrusion. In his words, “The bad guys don’t need to breach your network anymore. They just need to compromise one identity, one integration, or one misconfiguration.” That framing is blunt, but it is useful. It tells security leaders where to allocate scarce attention: identity hardening, API standards, vendor assessment, and visibility into SaaS and data-leakage paths.
Lockton’s response to AI-enabled fraud also leans heavily on the part of the system that gets ignored until it fails: the employee’s next action. TJ says the team has doubled down on awareness, using real examples of how the organization is being hit, and teaching people how to report quickly. The goal is not to create amateur investigators. It is to build a consistent reflex, because the hardest attacks are the ones that look normal. With deepfakes, TJ notes, even small cues matter, and training has to move beyond generic reminders into specific “what you saw” examples that employees recognize as relevant to their day-to-day work.
On the defender side, TJ is clear-eyed about where AI is already helping and where it is still early. The most immediate gains show up in detection correlation and threat hunting, where models can connect weak signals across identity, network, phone, and cloud logs that would be tedious or improbable for a human to stitch together. He also shared a concrete operational win from a recent SIEM transition: by adding a capability that duplicated logs and used AI to identify what telemetry was actually being used, the team found a large percentage of logs they were paying to ingest but not using, and cut that cost by over 30%. It is not a flashy headline, but it is a real example of AI improving security outcomes by improving security economics.
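The telemetry-usage review TJ describes from the SIEM transition can be approximated in code: take an inventory of what the SIEM ingests, extract which sources the detection content actually references, and report the volume that is billed but never queried. The Python below is an added example, not Lockton's tooling or anything from the episode; the log-source inventory, daily volumes and rule bodies are constructed, the `sourcetype="..."` syntax is an assumed query convention, and plain string and wildcard matching stands in for the AI-assisted classification the episode mentions.

```python
"""
Telemetry usage analysis: find SIEM log sources that are ingested (and paid for)
but never referenced by any detection rule.

Added example, not Lockton's code. All inventory values and rule bodies are
constructed; matching is a regex/wildcard heuristic, not an AI model.
"""
import re
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class LogSource:
    name: str          # SIEM sourcetype, e.g. "aws:cloudtrail"
    gb_per_day: float  # daily ingest volume, which is what the licence bills on


# Constructed inventory of daily ingest (hypothetical sources and volumes).
INVENTORY = [
    LogSource("okta:system", 12.0),
    LogSource("aws:cloudtrail", 40.0),
    LogSource("m365:audit", 25.0),
    LogSource("netflow", 100.0),
    LogSource("dns:resolver", 120.0),
    LogSource("vpn:session", 8.0),
    LogSource("printer:spooler", 15.0),
]

# Constructed detection rules. The assumed convention is that each rule names
# its data with sourcetype="..."; a trailing "*" is a wildcard.
RULES = {
    "okta_impossible_travel": 'sourcetype="okta:system" eventType=user.session.start',
    "cloudtrail_root_login": 'sourcetype="aws:cloudtrail" userIdentity.type=Root',
    "m365_inbox_forwarding_rule": 'sourcetype="m365:audit" Operation=New-InboxRule',
    "dns_long_query_names": 'sourcetype="dns:*" | eval qlen=len(query) | where qlen>120',
    "vpn_login_outside_hours": 'sourcetype="vpn:session" action=login',
}

SOURCETYPE_RE = re.compile(r'sourcetype\s*=\s*"([^"]+)"')


def referenced_patterns(rules):
    """Collect every sourcetype pattern (literal or wildcard) any rule names."""
    return {p for body in rules.values() for p in SOURCETYPE_RE.findall(body)}


def is_referenced(source, patterns):
    """True if at least one rule pattern matches this source (wildcards allowed)."""
    return any(fnmatch(source.name, p) for p in patterns)


def savings_report(inventory, rules):
    """Return total volume, unreferenced volume, its share, and the candidate sources."""
    patterns = referenced_patterns(rules)
    unused = [s for s in inventory if not is_referenced(s, patterns)]
    total = sum(s.gb_per_day for s in inventory)
    unused_gb = sum(s.gb_per_day for s in unused)
    return {
        "total_gb": total,
        "unused_gb": unused_gb,
        "pct_unused": (unused_gb / total * 100.0) if total else 0.0,
        "unused": unused,
    }


if __name__ == "__main__":
    report = savings_report(INVENTORY, RULES)
    print(f"Ingesting {report['total_gb']:.0f} GB/day; "
          f"{report['unused_gb']:.0f} GB/day ({report['pct_unused']:.1f}%) "
          "is never referenced by a detection rule.")
    for src in report["unused"]:
        print(f"  review candidate: {src.name} ({src.gb_per_day:.0f} GB/day)")
```

The output is a list of review candidates, not a drop list: a source that no detection rule queries may still be needed for incident investigation, retention obligations or dashboards, which is why the episode's point is to identify what is actually used before cutting ingest rather than to automate the cut.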
TJ’s governance posture is equally pragmatic. Lockton is embracing AI internally, but procurement and deployment are governed by guardrails that account for privacy and regulatory realities across geographies. He describes a cross-functional process spanning privacy, compliance, and security to review tools with AI features, validate the need for them, and avoid accidental data exposure or model training on sensitive information. Looking ahead, TJ expects a wave of capabilities that sound like science fiction today, such as dynamic trust scores for identities and more “self-protecting” data controls. But his operating principle is grounded: embrace what is already working, invest where the perimeter actually is, and make reporting and identity discipline part of how the business runs.