CISO Insights · JUL 15, 2026 · 3 MIN

Why Agents Can't Be Governed Like People

Read about Amy's perspective on how Amazon Web Services is using AI to defend at machine speed, including why the 30-day patch cycle no longer holds and how her team is building new authorization and identity models for autonomous agents.

Abnormal Studios

On the 42nd episode of Enterprise AI Defenders, host Evan Reiser (CEO and co-founder, Abnormal AI) is joined by Amy Herzog, VP & CISO at Amazon Web Services. Amy’s argument is that AI has not changed what attackers are after, credentials, data, and system access, but it has changed the speed and cost of getting them, for attackers and defenders alike.

That reframing keeps AI in familiar territory. AWS defends against more than 400 trillion network flows a day, and it did so before AI; no human watching a dashboard was ever going to keep up with that. Amy’s long-standing instinct is to find the most repetitive, volume-based, pattern-based work and move it to machine speed, leaving people free for the judgment calls that need local context and creativity. AI is the newest tool for an old discipline, not a break from it. Part of the adjustment is unlearning old assumptions: the field built up muscle memory treating certain attacks as difficult, expensive, and therefore unlikely, and much of that risk scoring no longer holds now that speed and cost have collapsed. She puts herself in the middle of the hype debate, skeptical of shiny tools but unwilling to dismiss durable benefit, and advises measuring precision and recall on human work first, so a team can tell what the technology is genuinely better and worse at.

The clearest place that shift shows up is vulnerability management. A comprehensive search across a system is now fast and cheap enough that "we can't talk about 30-day patch cycles anymore," Amy said. The move from a month to minutes cuts both ways, since attackers operate at the same tempo, and her most pragmatic advice is to start measuring response in minutes. It is frightening, she admits, but illuminating, and it drives what a team actually needs.

The idea Amy is most animated about is that autonomous agents are a distinct kind of security principal, unlike either a person or a deterministic system. Agents have no notion of eventual consequence, the fear of getting fired that quietly governs human behavior; they are "trained to seek a goal." A deterministic system can be tightly constrained, and a human can be given role- or attribute-based permissions, but an agent sits between the two and matches neither. So AWS is building new authorization models and new identity models for this new type of principal.

That leads Amy to a take she calls spicy, and admits is strange coming from a security person: the field over-indexes on perfection. The reflex is to abandon a whole technology the moment an agent makes a mistake. Her counter is to hold agents to a measurable bar rather than an impossible one, asking whether they perform better than humans even when they are not perfect, and to risk-manage the gap deliberately. That rigor runs through how she inspects her own teams. In business reviews she looks past the mean to the 10th and 99th percentiles, the best the team could do and its longest pole; in operations reviews she counts failed experiments, and if the number is zero, something is wrong.

Amy’s longer-term bet is that defense has to move from reactive to proactive. Instead of cataloging what a bad actor could do, she wants to define the invariants that must always be true of a system, that any sensitive flow must carry multi-factor authentication, for example, and then verify them continuously. That means security teams embedded in the developer workflow, launch-blocking, "builders alongside AWS builders," with the business-owner partnership to scale. She is optimistic about it: adopting these tools pulls security teams closer to the builders they protect and gives them a shared language, and she sees this as the moment to win the long-running argument for investing in strong security foundations. Underneath all of it is the principle she would give every CISO: "keep the threat actor and their capabilities at the center of everything that you're doing."

Listen to Amy's episode here and read the transcript here.

Keep reading