How to Secure Your AI Workloads: Expert Advice from AWS
How do you scale generative AI inside the enterprise without exposing sensitive data or introducing hidden risks? In this interview, Stewart Tinson, Project Director of Newton Media’s AI-360, sits down with Milan McGraw, Head of Generative AI & Machine Learning at AWS, to break down what every organisation needs to know before deploying AI at scale. Milan shares practical, real-world strategies for securing AI systems — from first pilot to full production — and explains how AWS Bedrock enables private, controlled, and compliant foundation model usage. You’ll learn how to: Prevent sensitive data from leaking into models or external systems
Apply least-privilege access and robust identity controls
Build guardrails that protect both users and the organisation
Stand up effective AI governance and risk management programmes
Balance speed of innovation with regulatory and compliance demands
Educate teams across the enterprise to use AI securely and responsibly Key Topics Discussed: - Enterprise AI security fundamentals
- Model and data isolation in AWS Bedrock
- Defending against prompt injection in agentic and autonomous systems
- Designing governance frameworks that support innovation
- AI literacy and internal enablement programmes
- Long-term model lifecycle and deprecation planning
- Continuous risk monitoring and posture improvement Whether you’re launching your first use case or scaling AI across a global enterprise, this conversation delivers clear, actionable guidance to help you build AI systems that are secure, trustworthy, and built for growth.

Securing AI at Scale: Practical Strategies for Enterprise AI Security Implementation
How do you secure hundreds of AI use cases across a global enterprise without slowing innovation? Stewart Tinson sits down with Ray Ellis, who leads AI security for a major multinational manufacturer. Ray shares battle-tested strategies from reviewing over 700 AI use cases, revealing how to balance rapid innovation with robust security—and why data quality remains the most overlooked risk. You’ll learn how to:
- Build AI security programs that enable rather than block enterprise innovation
- Implement risk-based escalation paths giving leadership visibility without bottlenecks
- Secure AI through threat modeling and red teaming adapted for AI systems
- Address data quality challenges and defend against data poisoning attacks
- Deploy prompt injection defenses using technical controls and human-centric guardrails
- Implement continuous monitoring frameworks that catch drift before breaches occur
- Combat deepfake threats through detection technologies and awareness programs Key Topics:
- Insights from reviewing 700+ enterprise AI use cases and common security gaps
- Why AI security should be “the pointy edge of the sword” not implementation teams
- Risk frameworks mapping 16 key AI security risks to likelihood and impact
- Understanding business processes, actors, and data flows before AI deployment
- Prompt injection explained: direct versus indirect methods and detection strategies
- Whether attackers lead the AI arms race—and why governance may be the differentiator
- Data quality controls as the foundation of responsible AI programs
- Deepfake detection as critical next investment for security teams
- Creative AI security education: gamification and choose-your-own-adventure training
- Building AI security career paths for the next generation Whether building your first AI security program or scaling globally, this delivers frank, practical guidance from someone navigating the complexity firsthand. Learn to secure AI while maintaining innovation speed.

Third-Party Risk in the Age of AI and Quantum: Protecting Your Supply Chain from Emerging Threats
How do you protect your organization when your suppliers’ suppliers become your biggest vulnerability? In this interview, Stewart Tinson, Project Director of Newton Media’s AI-360, sits down with Amyn Sarif, a leading third-party risk management expert, to explore the cascading risks that emerge when AI-powered attacks and quantum computing converge with complex supply chain dependencies. Amyn shares practical strategies drawn from recent breaches at Jaguar Land Rover, Salesforce, and Volvo Group, revealing why continuous monitoring and automated assessments are no longer optional. You’ll learn how to: - Map your entire vendor ecosystem beyond direct relationships to fourth and fifth-party suppliers
- Implement continuous monitoring systems that detect breaches in real-time rather than months later
- Automate vendor risk assessments to move beyond manual spreadsheets and annual reviews
- Prepare your cryptographic assets for quantum computing threats before they become exploitable
- Build effective incident response playbooks through tabletop exercises and breach simulations
- Leverage AI defensively while defending against AI-powered credential theft and phishing attacks Key Topics Discussed: - Third-party risk versus supply chain risk management
- Recent supply chain breach case studies and lessons learned
- AI’s role in both offensive attacks and defensive security strategies
- Post-quantum cryptography transition planning
- DORA compliance and continuous vendor assessment requirements
- Automation strategies for scaling third-party risk programs
- Industry collaboration and threat intelligence sharing Whether you’re managing InfoSec, AI security, or enterprise risk, this conversation delivers actionable strategies to identify hidden supply chain vulnerabilities before attackers exploit them.

The ABC of the EU Digital Omnibus- Part A.
The EU Digital Omnibus: Simplification or Regulatory Rollback? The Commission promises €150 billion in annual savings. Max Schrems calls it “the biggest attack on Europeans’ digital rights in years.” Part A of our “The ABC of the EU Digital Omnibus” series features three expert practitioners: Dastan - AI governance advisor to boards and C-suite
Lesley Holmes - Data Protection Officer, MHR International Danni - AI governance specialist across education, tech, and public sectors Key Issues: SME Exemptions- Lesley: Removing AI literacy requirements “opens the door for small and mid-cap cowboys.” Dastan warns: “Large, sophisticated players will arbitrage this ambiguity. Smaller companies will inherit uncertainty.” Subjective Personal Data - Managing data sharing when the same dataset has different legal status for different partners? Lesley: “With difficulty.” Germany’s Article 15 Limits - Restricting data access rights could block employment disputes while solving problems that don’t exist. 2028 Sandbox Timeline - Dastan: “US companies deploy agent AI today. Waiting for perfect sandbox won’t work. Otherwise it’s a museum exhibition.” Strategic Reality - Dastan: “Europe is caving in under pressure. EU introduced product regulation without the product.” 2026 Actions: Get governance right. Identify shadow AI. Build attestation graphs. Continue as if AI Act fully implemented. Red Lines: Never deploy AI you don’t understand. Never disable AI logging. Maintain universal standards. Practical guidance for compliance and governance professionals.

The ABC of The EU Digital Omnibus- Part B
The EU is proposing to delay and simplify the AI Act before it’s fully implemented. Is this responsive governance for fast-moving technology, or undermining a regulation that’s “barely started”? This expert panel examines whether compliance should depend on voluntary standards, what happens when AI literacy shifts from mandatory to “encouraged,” and why Germany’s proposed Article 15 restrictions may violate existing case law. Key debates: Standards vs. Law - Should policy effectiveness depend on voluntary industry standards? When harmonized standards are delayed, who bears the compliance risk? Panelists discuss whether companies have incentives to deliberately slow standardization work and what happens to compliance roadmaps when standards bodies miss targets. Bias Detection Trade-offs - Can you meaningfully test for discrimination without real sensitive data, or does synthetic data introduce new biases? The panel debates whether allowing all AI providers to process special category data for bias testing genuinely helps or normalizes large-scale collection of previously forbidden data. AI Literacy Downgrade - Does “encouraged” training work, or are regulators giving up? Practitioners share whether boards fund non-mandatory literacy programs and whether Central/Eastern Europe has resources to foster encouraged training. Article 15 Restrictions - Germany’s push to limit access rights to “data protection purposes only” could prevent employees from using data requests for labor disputes. Can you distinguish data protection purposes from evidence-gathering when someone needs data for both? Panel
Ray Eitel-Porter, author of “Governing the Machine”
Michael Olanipekun, Senior AI Governance Specialist, JLR
Andreea Mare, Data Protection Officer, Superbet
Nikola Saranov, Data Protection Officer, Valtec
Alexandru Gheorghe, Founder, Data Privacy Consultant. Inperspective Business

The ABC of The EU Digital Omnibus- Part C.
EU Digital Omnibus Part C: Expert Panel on High-Risk AI, Data Protection & Implementation Reality The EU Digital Omnibus proposes sweeping changes to GDPR and the AI Act—before organizations have finished implementing all the original requirements. The Commission claims $150 billion in annual savings, but critics argue these changes primarily benefit big tech while creating more complexity for enterprises already mid-implementation. This expert panel examines whether these proposals genuinely simplify compliance or introduce dangerous new uncertainties. Key Topics: Special Category Data Processing - All AI systems, not just high-risk, can now process sensitive data for bias detection. Panel debates: Can you fix bias without the data that reveals it? How do you differentiate genuine testing from pretextual collection? Subjective Data Definitions - The same dataset could be “personal data” for one organization but not another, based on intent rather than objective characteristics. Experts discuss re-identification risks as AI capabilities evolve. Implementation Timeline Chaos - Should organizations pause compliance work or push ahead despite regulatory uncertainty? Discussion covers the “panic window” risk and why responsible AI principles remain essential regardless of shifting deadlines. AI Literacy Downgrade - Does shifting from mandatory to “encouraged” training signal Europe’s retreat from rights-based governance? Panel
Kate Ashworth-Brash, Global HR Technology & AI Governance Director at IBM UK Ltd
Josh Gallan, Data Protection Advisor at Bird & Bird
Ilina Georgieva, Specialist Scientist in AI Governance, TNO Netherlands
Seto Adenuga, AI Governance and Ethics Manager, Kainos
Bose Ayokunle, Data Protection Manager, UK Government Department Essential for DPOs, compliance officers, AI governance leads, legal counsel, and risk managers navigating practical implementation challenges in Europe’s evolving regulatory landscape.

Why CVSS is Failing CISOs: And what works instead.
How do you prioritize tens of thousands of open vulnerabilities when resources are finite and CVSS scores miss critical context? In this wide-ranging conversation, Stewart Tinson speaks with Stephen Fridakis, former CISO of Oracle Health, Google Health, HBO, and the United Nations, now advising clients across manufacturing, healthcare, and beyond. Stephen introduces the eBar framework—a revolutionary approach to vulnerability prioritization that adds business context, exploitability testing, and real-world risk factors that CVSS completely ignores. You’ll learn:
• Why CVSS classifications are becoming irrelevant without understanding your specific implementation, business impact, and network topology
• How the eBar framework prioritizes vulnerabilities using sensitivity, exploitability, and contextual risk scoring
• Why overlooked medium vulnerabilities often create larger blast radius than isolated critical findings
• How to communicate technical risks to boards using before/after states and operational impact (canceled surgeries vs. abstract data loss)
• Why the CISO role has fundamentally shifted from technical implementation to business enablement and cross-functional leadership Key topics:
Vulnerability debt accumulation • The critical importance of pen testing over automated scanning • Managing 12-13 overlapping security and privacy frameworks • GenAI security risks including fraud, synthetic identity, and non-human identity management • Healthcare innovation vs. regulatory compliance • EU AI Act vs. NIST frameworks and jurisdiction conflicts • Future CISO role convergence with compliance, legal, and information management Hard-won wisdom from someone who’s secured everything from UN peacekeeping operations to HBO content releases.

Data Sovereignty Wars: Why Southeast Asia’s AI Security Playbook Differs from the West
When data sovereignty laws mandate that Malaysian data cannot legally touch Indonesian servers even within the same company, conventional AI scaling dies. This is AI security beyond Western playbooks. Jane Teh operates where theory meets enforcement. With 22 years in cybersecurity including 10 years London-based consulting, she now advises enterprises across Southeast Asian financial services, manufacturing, and telcos where every AI summit centers on one topic: data sovereignty, data sovereignty, data sovereignty. Speakers: Jane Teh, Founder, VortiQ [x], and Stewart Tinson, AI-360 Project Director You’ll learn:
• Why Chinese AI hardware at 3-5x lower cost than US equivalents changes infrastructure decisions
• How adversarial training teaches AI to think like attackers using synthetic data
• The three-lines-of-defense banking model adapted for AI governance and accountability
• Human in the loop vs human on the loop - when each governance model applies
• Local explanation techniques that satisfy auditors without exposing IP to attackers
• Why Malaysia’s 2027 open financing regulations flip accountability to consumers Key topics:
Sovereign AI architecture with multi-region gateways • Geopolitical model selection balancing cost vs client geography • Fraud detection AI when attackers subtly modify transactions to bypass thresholds • Model poisoning through manufacturing data pipeline injection • Explainability vs security trade-offs in HFT and insider threat detection • creating AI disconnected from current reality • IoT/SCADA integration exposing legacy OT systems The reality of implementing AI security where geopolitics meets data sovereignty meets AI-powered attackers moving faster than human response time.

AI Without the Hype: A Former Health Plan CISO’s Reality Check
Why does every CISO who turns on Microsoft Copilot discover broken SharePoint permissions within hours? Why demand 99.9% AI accuracy while accepting 60-70% from humans? And why are security leaders still worried about problems they should have solved two years ago? Stewart Tinson speaks with Rick Doten, former CISO of a major US health insurance company and advisor to six AI security startups weekly, for an unfiltered reality check. Rick dismantles the mythology that ChatGPT represents “day zero” of AI, explains why organizations confuse agents with agentic AI, and talks about Model Context Protocol utilizing JSON over RCP—service-oriented architecture from 2005. You’ll learn:
• Why AI exposes existing security problems rather than creating new ones
• The critical agent vs agentic AI distinction determining security implications
• How AI code generates 50x volume requiring 5x more scrutiny
• Why 95% project failure rates miss the point about necessary iteration
• What boards actually need: strategy, compliance, security—not technical details Key topics:
A2A communication expansion • Copilot permission failures • MCP as API gateway • AI-assisted vs vibe coding • Business impact assessment • Bias as human problem • Seven-gated remediation • Formula 1 governance • Education gap • Third-party risk • Maturity progression • Drift vs misalignment Whether building AI governance frameworks, managing deployments, or advising boards on strategy, this delivers honest perspective from someone who’s seen every implementation pattern and rookie mistake.

Ships Can’t Shutdown: Why Maritime Cybersecurity Rewrites Every Rule You Know
When cyber incidents at sea mean navigation failure, propulsion loss, or crew death—enterprise security assumptions break completely. Systems can’t shut down mid-ocean. IT support is days away. Deepfaked executive calls could trigger physical catastrophe. Speakers: Amit Basu (CIO & CISO at International Seaways, 30 years maritime IT, co-founder Professional Association of CISOs, managing 80 ocean-going tankers) and Stewart Tinson (AI-360 Project Director) You’ll learn:
• Why “graceful degradation” replaces shutdown protocols when ships must keep moving despite breach
• Edge AI: vessels running local decisions on constrained connectivity for weeks
• Out-of-band verification defending against deepfaked executive calls
• How behavioral analytics baselines ship networks then escalates anomalies to shore SOC
• The 18-month phishing explosion—from detectable errors to expert-baffling perfection Key topics:
Maritime edge computing • Graceful degradation • OT/IT convergence • Crew access management • Nation-state targeting • AI fraud supply chain • Deepfake defense • CISO personal liability • Board communication • Vendor evaluation • Agentic AI threats • Systemic risk from shared models From 1986 banking automation to Starlink tankers, Basu explains why AI doesn’t just expand what we can do—it expands who can do it, compressing time between adversary idea and execution.

AI Governance 2026: The Compliance Gamble Facing Every High-Risk AI Deployer
Are you building your EU AI Act compliance strategy on a foundation that was never designed for the purpose? With harmonized standards still in draft and the high-risk provisions approaching, organisations face a strategic gamble: bet on the standard arriving in time, or accept a double compliance burden. 80-90% of requirements are common across all pathways — but the remaining 10-20% carries material consequences. You’ll learn:
• Why the EU AI Act QMS is fundamentally different from ISO 9001, 27001, or 42001
• What the four compliance pathways actually require — and their different burdens
• Why ISO 42001 does not lead to EU AI Act compliance
• How AI governance is being confused with AI management — and why it matters
• A practical 90-day readiness plan from frontline practitioners
• Why directors face personal, uninsurable liability for AI decisions Key topics:
EU AI Act high-risk compliance • Quality Management Systems • PREN18286 • Harmonized standards • AI sovereignty • Shadow AI • Automation bias • Data integrity • AI literacy training • Director liability • Conformity assessment • Role-based competency Essential viewing for CISOs, CIOs, CFOs, Chief Legal Officers, and board members responsible for AI strategy, regulatory compliance, and risk management.

AI Governance 2026: Why Technical Readiness Without Human Transformation Creates Hidden Liability
Are your leaders making high-stakes AI decisions without the psychological readiness required for sound judgment? Between 2023-2024, DHS applied an enterprise AI risk framework to 400 use cases. The lesson: systems testing perfectly in controlled environments fail unpredictably at scale—not from tech limitations, but human factors. This pattern is repeating as organizations deploy AI faster than they build governance capability. You’ll learn:
• Why use case drift is inevitable and how to detect it before it creates liability
• The three levels of AI governance most organizations never reach
• How to build “breathable compliance” that evolves with deployment reality
• Why regulatory fragmentation demands human-impact-first design over compliance checklists Key topics:
Failure Mode and Effects Analysis • Zone of Disrupted Identity • Foreseeable use mapping • Interdisciplinary teams • AI psychology • Statistical error resilience • Handoff thresholds • Psychological safety • PPTA framework • Ethical North Star For CISOs, CIOs, CFOs, and Chief Legal Officers. Studies from Deloitte, McKinsey, Infosys, and PWC confirm AI adoption is accelerating while governance maturity remains uneven and fragmented. The competitive advantage belongs to organizations closing this gap.

Quantum-AI Collision: Why Your Encrypted Data Just Became a Regulatory Time Bomb
48 hours before this conversation, Stanford operated a quantum computer at room temperature. The timeline for quantum threats didn’t accelerate—it collapsed. Meanwhile, Shadow AI is already exfiltrating corporate data through well-meaning employees. How do CISOs, CIOs, and CFOs prepare for threats that arrived faster than predicted while managing vulnerabilities already active in their organizations? Speakers: Ryan Cloutier, Quantum Security and AI Security Readiness Specialist at ArtQubit, and HerveLe Jouan, Co-founder and CEO of Filtar.ai You’ll learn:
• Why encrypted data from historical breaches now constitutes future regulatory violations
• How “live post-breach recoil” creates retroactive compliance exposure under current regulatory standards
• What Shadow AI is and why it’s the most dangerous vulnerability in enterprises today
• How agent swarms will use “micropoisoning” to bypass existing security controls within 24 months Key topics:
Post-Quantum Cryptography migration urgency • Harvest now, decrypt later threat models • Shadow AI governance frameworks • Agent-to-agent security architecture • Micropoisoning attack vectors • Human-in-loop design for critical systems • Cyber-informed engineering principles • Data quality as security foundation For enterprise security leaders, compliance officers, and technology executives in banking, healthcare, financial services, and critical infrastructure facing immediate decisions about quantum readiness, AI governance, and infrastructure resilience in 2026. When quantum can crack encryption keys in seconds and AI agents coordinate attacks faster than human defenders can respond, traditional cybersecurity assumptions become actively dangerous. Discover what practical response looks like when the timeline for preparation just collapsed to room temperature.

Agentic AI Security: Why “Govern Later” Is Creating Your Next Breach
Can your organisation answer two questions about every AI agent it runs: who is it, and what is it allowed to do? If not, you already have a problem. As enterprises accelerate agentic AI deployments, security teams are discovering that service account controls, legacy credential practices, and siloed governance aren’t built for autonomous systems that have intent, memory, and context. Speaker: Dr. Isi Idemudia, AI Security & Governance Practitioner at HCL Tech, interviewed by Stewart Tinson, Project Director at AI-360. You’ll learn:
• Why the “build now, govern later” culture is silently promoting POC credentials into production environments
• How financial services firms are implementing dual attribution to close the audit trail gap in agentic workflows
• Why tying credentials to task checkpoints — not clocks — is replacing time-based secret expiry
• How to implement hard blocks on privilege inheritance when agents spawn other agents
• Why mTLS must replace TLS for agent-to-agent and agent-to-MCP communication
• Where ownership of behavioural baseline tracking sits — and why IAM, SecOps, and AI Governance rarely agree Key topics:
Agent identity vs. service accounts • Privilege inheritance & confused deputy attacks • Dual attribution for audit trails • Credential offboarding failures • Short-lived vs. long-lived secrets • Just-in-time identity at scale • Post-quantum encryption planning • Human-in-the-loop kill switches for spawned agents For CISOs, IAM leads, AI governance practitioners, and security architects navigating the identity challenges that come with enterprise agentic AI.

Secret Cyborgs: Why Shadow AI Is Your Biggest Governance Risk in Life Sciences
`Secret Cyborgs: Why Shadow AI Is Your Biggest Governance Risk in Life Sciences` Are your employees already using AI without you knowing — and handing over your proprietary data for free? Surveying 150+ life science exhibitors, Matt Wilkinson found the pattern repeating everywhere: organisations with no AI governance, while staff use personal free tools and unknowingly train models with confidential data. The Samsung ChatGPT leak wasn’t a one-off. It’s happening quietly across commercial teams right now. Matt Wilkinson, CEO & Founder, Striven — ISO 42001 AI Management Systems Practitioner, recovering PhD chemist, and AI adoption specialist in life sciences, reagents, automation, and SaaS. You’ll learn:
• Why “secret cyborgs” are expanding your risk surface without realising it
• How to move from AI tools to genuine AI advantage — and where humans must stay in the loop
• Why the risk of NOT adopting AI now outweighs the risks of adopting it
• How AI is transforming Voice of Customer and Key Account Management in regulated industries
• What commercial teams actually need to do today under the EU AI Act and GDPR Key topics:
Shadow AI risk • ISO 42001 in practice • Human AI Sandwich framework • AI adoption tiers • Voice of Customer intelligence • Key Account Management governance • EU AI Act for commercial teams • GDPR country-level variation For CISOs, commercial leaders, and marketing and sales professionals navigating AI governance in regulated industries — this is the conversation you need before your next compliance review.

Emotional Perception & The Future of AI Patents
Emotional Perception v Comptroller: The UK Supreme Court Ruling That Rewrites AI Patentability The UK Supreme Court has unanimously dismantled the Aerotel test after 20 years, replacing it with a framework that fundamentally changes how AI and software inventions are assessed for patent protection. Stewart Tinson sits down with Bruce Dearling, Partner at Hepworth Brown and the instructing attorney for the Emotional Perception case, to unpack what this landmark ruling means in practice. Key takeaways: • The new “any hardware” threshold makes overcoming the statutory exclusion significantly easier — if a claim recites a processor, you’re over the first hurdle • UK patent law is now aligned with the European Patent Convention’s approach to assessing invention, moving away from blanket rejections • Examiners must now consider interactions between technical and non-technical features and their real-world technical effects • Bruce explains why he disagrees with the court’s classification of neural networks as computer programs — and the consequences this may carry • Intangible assets account for 92% of company value, making accessible patent protection a commercial imperative • The UK digital economy supports £230–280bn annually — a stronger patent system directly supports national competitiveness • SME funding remains a critical barrier to translating good technology into viable businesses Essential viewing for patent practitioners, AI founders, in-house IP counsel, investors, and enterprise leaders navigating the most significant IP ruling in a generation.

AI Governance Beyond PDFs: Building Auditable, Legally Defensible AI Systems
Can your AI governance survive a real audit? Most organisations have documentation — PDFs, model cards, checklists — but can’t prove what their AI actually did at any given point. That gap between governance intent and governance evidence is where legal exposure lives. Three practitioners with experience spanning regulatory compliance, big tech product management, and data science explore what failed governance looks like, why current documentation falls short, and what enterprises need to do differently. You’ll learn:
• Why governance PDFs represent intent, not proof — and what auditors actually need
• How cryptographic audit trails create externally verifiable evidence at minimal cost
• Why the U.S. regulatory landscape is fragmenting across federal, state, and local levels
• How drift monitoring prevents models from deciding based on outdated reality
• A practical framework for risk tiering, use case inventories, and cross-functional governance Key topics:
AI governance evidence • Cryptographic audit trails • Merkle trees • Regulatory fragmentation • Drift monitoring • Risk tiering • Use case inventories • Human-in-the-loop verification • Vendor governance • AI tool proliferation Essential viewing for CISOs, CIOs, Chief Legal Officers, and enterprise leaders responsible for AI risk, compliance, and governance.

Rule and Reason: Why IP Law Is Losing the Battle with AI
Copyright law was built for a different world. Its rules were designed around physical property, cottage-scale copying and a clear dividing line between creator and creation. Artificial intelligence has torn up all three assumptions. Stewart Tinson speaks with Mark Sherwood-Edwards, technology lawyer and founder of Clearview Legal, about why the legal reasoning around intellectual property has become, in his word, incoherent — and why that matters to every enterprise deploying or building on AI today. They work through the landmark UK Getty Images vs Stability AI case, in which images complete with Getty watermarks were reproduced by a model trained without permission — yet no infringement was found. They examine why courts repeatedly confuse copyright with antitrust, why the EU Database Directive rewards inefficiency, and why the question of whether AI-generated work attracts copyright protection at all has produced a global split that creates real commercial risk for technology businesses. Mark’s argument, grounded in economic property theory rather than legal convention, is that copyright’s underlying purpose — protecting the investment in intellectual work so that it can be traded and exploited — is being systematically undermined. Not just by AI, but by decades of incoherent legal reasoning that conflates copying with ripping off, confuses market function with judicial assessment, and applies time-limited protection to non-rivalrous assets while granting perpetual rights to physical ones. For CLOs, general counsel, and technology executives navigating AI adoption, this is a session with real commercial edge: what are the actual IP risks when deploying AI tools, what should enterprise contracts say about data use and derived data, and where does the liability sit when an AI gives the wrong answer? Guests: Mark Sherwood-Edwards, Founder, Clearview Legal | Host: Stewart Tinson, AI-360 Online

Ten Minutes to Deepfake: Why Your Organization Isn’t Ready for Synthetic Media Threats
How quickly can someone create a convincing deepfake of your CEO? Ten minutes. That’s not a future threat—it’s present reality that most organizations remain completely unprepared to address. While 72% of recruiters encounter AI-generated CVs and HR departments brace for 2026 as “the year of deepfakes,” enterprises continue approaching synthetic media through outdated cybersecurity frameworks that fail to protect against what’s actually happening: workplace harassment with no clear reporting path, and biometric authentication systems creating new vulnerabilities rather than eliminating them. Speakers: Danielle Hopkins, AI Governance, and Stewart Tinson, Project Director at AI-360, You’ll learn:
• Why detection tools are losing an arms race they can’t win
• What verification systems actually work when you can’t trust what you see and hear
• How to protect employees from deepfake harassment your HR department has no framework to address
• Why biometric authentication is making your organization less secure, not more Key topics:
Financial fraud prevention • Workplace harassment response • Biometric vulnerability • Voice cloning threats • Executive exposure management • Multi-channel verification protocols • Fragmented regulatory compliance • Training without creating fatigue • Positive deepfake applications • Organizational governance structures • Children’s safety concerns • Platform liability questions Essential viewing for CISOs, CIOs, CFOs, Chief Legal Officers, and HR leaders responsible for protecting their organizations and people in an era where digital authenticity is no longer the default assumption.

Mobile Identity vs SMS OTP: 5 APIs could get you there
When 15-20% of SMS one-time passwords fail to deliver, you’re not just losing security—you’re losing customers. Companies switching to network APIs report 4-5% growth uplift. SIM swap attacks are up 1,000% in some markets. SMS pumping fraud costs tens of thousands monthly. Authentication delays cause measurable abandonment. Yet enterprises remain stuck on infrastructure everyone agrees is obsolete. Bahadir “Bob” Yavuz, Head of Products at GTC, and Stewart Tinson, Project Director at AI-360 You’ll learn:
• Why SMS delivery rates run 15-20% below submission rates—and what that costs you
• How network APIs like Number Verify deliver verification in 1-2 seconds vs 15-20 for SMS
• The Indonesia model: 200+ million users, 20% improvement, all three telcos collaborating
• Which APIs can achieve both an enhanced quality of security, and quality of service to the end user Key topics:
Synthetic identity detection • Number Verify vs SMS OTP • SIM swap attack patterns • GSMA Camara and OpenGateway standards • Data quality in fraud detection • GDPR privacy-by-design architecture • Telco collaboration requirements • Real-world deployment case studies • False positive rate management • Network API productization For CISOs, CIOs, CFOs, and security teams evaluating authentication strategies, this session provides the business case, technical reality, and deployment roadmap for moving beyond SMS.

AI Literacy: Why Role-Based Training Beats Every Generic Program
Is your organisation’s AI literacy program already out of date before it launched? With AI tools proliferating week by week, generic training programs and 25-page policies are creating a false sense of security — not capability. The gap between informal AI experimentation and structured organisational readiness is where shadow AI estates form, data governance breaks down, and staff learn to click through compliance training without retaining anything.
Speakers: Craig Clark, Director at Clark and Company Information Governance Services, and Stewart Tinson, Project Director at AI-360.
You’ll learn:
Why role-based AI literacy — C-suite, operational, technical, and governance — is the only model that scales
How to move from unstructured experimentation to assessed, accountable AI adoption
Why measuring effectiveness by attendance alone is a mistake, and what to measure instead
How to prevent shadow AI estates and data governance blind spots
Why leadership must visibly model responsible AI use or risk programs failing entirely
Key topics: Role-based AI capability • Shadow AI estate risk • Enterprise vs. personal tools • Critical thinking and over-reliance • Measuring program effectiveness • Keeping literacy programs current • Leadership modelling • AI as augmentation
For enterprise leaders — CISOs, CIOs, and those responsible for AI governance and workforce capability — who need practical frameworks, not theory.

Agents Aren’t Magic: Moving from Excessive Permissions to Governed Workflows
Most organizations are still in what one practitioner calls the “proof-of-concept hangover phase” — giving agents excessive permissions and broad data access just to make the demo work. Wiz’s AI posture research confirms it: agents deployed without tenant isolation, with excessive or potentially admin-level permissions, and unconstrained data access. The question is no longer whether agentic AI is transformative. It’s whether your architecture can actually govern it. Speakers: Aron Eidelman, Security Advocate at Google Cloud, and David Pierce, AI Security and Data Observability Architect at PayPal You’ll learn:
• Why the governance response to an agent hallucinating a destructive command and an agent being actively exploited via prompt injection is architecturally the same — and where deception-based detection creates a meaningful exception
• How to apply SRE error budgets to agentic AI: when an agent burns through policy violations or triggers guardrails too frequently, autonomous execution degrades gracefully back to human oversight
• Why human-in-the-loop approval becomes meaningless the moment alert fatigue sets in — and which decision types still require a human by design
• What AI Passports and Google Cloud’s emerging agent identity principal type mean for least privilege and orphaned credential risk
• How to quantify security risk in financial terms that justify board-level investment Key topics:
MCP attack surface • Ephemeral agents • GFCI control model • Agent error budgets • Failure domain isolation • Friction logs • AI Passports • Agent identity • Deception detection • Risk quantification For CISOs, security architects, and engineering leaders deploying agents into production.

Shadow AI & Supply Chain Risk: Why Banning AI Achieves Nothing
Can you really call it “Shadow AI” if you’ve never told staff what’s off-limits? Craig Clark, Director of Clark and Company Information Governance Services, argues that most organisations approach AI adoption the wrong way — starting with prohibition rather than engagement, and buying before they’ve defined the problem. AI has been embedded in workplaces since Microsoft Word introduced a spell checker. The real governance challenge is gaining honest visibility, setting guardrails staff will actually follow, and evaluating vendors rigorously in an immature, fast-moving market. Speaker: Craig Clark, Director, Clark and Company Information Governance Services You’ll learn:
• Why banning AI backfires—and what to do instead to gain genuine visibility
• How to set simple, proportionate guardrails staff will understand and follow
• Which signals show whether AI is delivering value or just introducing risk
• Why vendor SLAs promising 100% compliance should be treated with scepticism
• How to build post-deployment governance that is proactive, not reactive
• Why the worst AI risks may not have emerged yet—and what that means now Key topics:
Shadow AI • Supply chain risk • AI guardrails • Vendor due diligence • AI literacy • Risk appetite • Proof of concept • Post-deployment governance • AI procurement • Third-party risk For CISOs, CIOs, compliance officers, and senior leaders accountable for AI governance and risk management.

Agentic AI’s Hidden Tax: Why $50K Token Bills Are Catching Firms Off Guard
Are you prepared for the AI cost line that doesn’t yet appear on your budget? Rick Doten founded Prescient Cyber Risk earlier this year, and his first months advising boards, VC firms, and startups have surfaced a critical blind spot: agent token cost. Only 2% of the people he speaks with currently run agents in production—
yet those who deploy without a token cost strategy are discovering monthly bills of $50,000 before anyone raises the alarm. Meanwhile, 90% of AI security is work organisations already know how to do. The gap is in what they’re not yet planning for. Speakers: Rick Doten, AI & Cybersecurity Advisor, Prescient Cyber Risk; interviewed by Stewart Tinson, Project Director, AI-360 at Newton Media. You’ll learn:
• Why 90% of AI security is traditional cybersecurity—asset management, identity, data protection, and vulnerability management
• How to manage agent token costs before they become an unplanned CFO problem
• The 7-step automated remediation framework replacing manual security patching
• Why AI enablement and AI governance are not the same thing—and how to sell the reframe internally
• What VCs now require before funding AI security startups, and what it signals for enterprise buyers
• How to structure board-level AI strategy around three questions: plan, compliance, and security Key topics:
Agentic AI adoption • Agent token cost • AI governance frameworks • Automated remediation • AI enablement vs governance • Board AI strategy • VC investment dynamics • AI security startups • Third-party AI risk • Crowdsourced threat intelligence For CISOs, CIOs, CFOs, and enterprise risk leaders preparing for the shift from AI pilots to production in 2026.

`AI Startups: Why Technical Excellence Without Business Focus Fails`
`AI Startups: Why Technical Excellence Without Business Focus Fails` How many technical teams at an early-stage AI startup can accurately describe their ideal customer? According to Alexander Berkovich, a principal engineer with close to 20 years across HP Research Labs, GE Healthcare, and Blackmagic Design: close to zero. That gap — between building impressive technology and building what clients actually need — is where AI startups quietly lose. Stewart Tinson talks to Alexander about the structural, cultural, and human factors that determine whether a technical team and its business leadership can function as one. Speaker: Alexander Berkovich, AI startup advisor and former principal engineer (HP Research Labs, GE Healthcare, Blackmagic Design, Akridata) You’ll learn:
• Why hiring cheaper, junior technical staff to preserve runway slows development and increases churn
• How documentation and process actively accelerate speed — not slow it down
• Why “technically difficult” often means something entirely different to the CEO and CTO
• How to structure POC feedback loops so client insight reaches the product roadmap
• What a non-technical founder should actually look for when hiring a CTO
• Why the business case — not the technology — must be your starting point Key topics:
Tech-business gap • Startup hiring • Documentation & process • MVP scoping • CEO-CTO communication • ICP awareness • POC feedback • Founder-CTO relationship • AI differentiation • Team culture For CTOs, technical founders, and early-stage investors who need to understand why brilliant technology alone doesn’t build a company.

AI & UK GDPR: What Leaders Get Wrong About Data Protection and AI Risk
Is your AI deployment actually a GDPR problem — or are you solving the wrong issue? Most leaders either over-panic about AI and data protection, or ignore it entirely. Craig Clark, Director of Clark and Company Information Governance Services and a practising CISO, cuts through the noise: AI only becomes a UK GDPR issue when personal data is involved — but when it is, the risks are serious and often misunderstood. Speakers: Craig Clark, Director at Clark and Company Information Governance Services; Stewart Tinson, Projecgt Director, AI-360. You’ll learn:
- Why AI is not automatically a GDPR issue — and the one question that determines whether it is
- Why consent is not the most important lawful basis, and which lawful basis actually fits AI use cases
- Why a global firm’s AI agent hallucinated its entire sales strategy throughout 2026 — and what human oversight would have prevented it
- How to approach DPIAs as a design tool, not a compliance tick-box
- Why facial recognition bias disproportionately harms people who are not middle-aged white men
- What to actually ask AI vendors regarding data usage and sharing Key topics:
UK GDPR & AI • Lawful basis for AI • Special category data • DPIAs • Transparency obligations • Human in the loop • AI supplier due diligence • Facial recognition bias • Data minimisation • Security non-negotiables Essential viewing for CISOs, CIOs, legal, and compliance leaders deploying AI in data-sensitive environments.

MCP Security in Production: Supply Chain Risk, Proven RCE & Identity Gaps
Most enterprise AI teams are deploying MCP servers with minimal security in place. Researchers have already proven remote code execution on publicly accessible MCP servers — and the supply chain currently has no signed repos, no attestation, and no chain of custody. You’ll learn: -Why MCP authorization is currently all-or-nothing — and what that means for enterprise risk
-How indirect prompt injection through MCP tools can manipulate agent behaviour with zero user awareness
-Why token pass-through breaks audit trails and how OAuth 2.1 delegation (RFC 8693) addresses it
-What the non-human identity governance gap looks like — and what security teams can do today
-How to offer developers well-lit paths rather than becoming the department of no Key topics:
MCP supply chain risk • Tool poisoning & rug pulls • Indirect prompt injection • Token delegation & confused deputy • Non-human identity governance • SLSA-based attestation • Log4Shell parallels • SAST/DAST/SCA for MCP • AI gateway & tool registry • Zero-trust metadata-driven identity
For CISOs, security architects, platform engineers, and AI/ML teams responsible for securing agentic AI in production. All viewers will receive a c’heat sheet’ compiling links galore courtesy of David Pierce & Aron Eidelman.

The most chaotic deepfake webinar in the world
When 40% of security professionals fail to spot deepfakes under test conditions, what chance do your employees have? Seven practitioners from the front lines—building detection systems, implementing governance frameworks, selling solutions, and cleaning up after attacks—deliver unfiltered reality about deepfake threats targeting enterprises right now. Speakers: Bahadir “Bob” Yavuz (Global Telco Consult, fraud detection specialist), Alexandra Jorison (Identif.ai, deepfake detection), Ray Ellis (AI Security Lead, multinational FMCG), Richard Mendoza (Senior vCISO, Compass MSP, AIGP certified), Craig Clark (Director, Clark & Company, education/public sector), Aruneesh Salhotra (Founder, Investor, OWASP AIBOM Project Lead) David Clarke (vCISO, ISO27001-SOC2) Key topics:
Account takeover economics ($5K-$10K per incident) • Network-layer authentication using signals attackers can’t fake • Zero trust principles applied to human identity verification • The Arup $25M case study • Challenge-response protocols for video calls • False positive crisis in detection platforms • Shadow AI governance failures • Resource constraints degrading security team attention spans • Business case realities when proving ROI before incidents • Education sector vulnerabilities including Nudify apps targeting children • Third-party risk from vendors overselling detection capabilities Seven practitioners who’ve implemented systems, governed deployments, sold solutions, and handled the aftermath. The unfiltered reality of protecting organizations when seeing is no longer believing. By registering you agree to share your information with our commercial partners.

DevSecOps for AI: Why 90% Stays the Same—and the 10% That Changes Everything
Is your DevSecOps pipeline ready for AI—or just ready for the AI you tested last week? AI systems behave probabilistically. The same prompt injection attack can succeed 50 times in a row, then fail completely the next minute. Traditional shift-left testing was built for determinism. AI isn’t. That gap is where risk lives. Three members of Google’s security advocacy team break down what actually changes—and what doesn’t—when AI enters your DevSecOps pipeline. You’ll learn:
• Why 90% of AI security is still traditional security—and exactly where the novel 10% creates new exposure
• Why DevSecOps transformations fail within a year—and the top-down cultural shift that prevents it
• How the latest DORA research shows AI agents amplify existing practices, good or bad, at scale
• What AI runtime security (e.g., Model Armor) does that a WAF cannot
• Why AI logs capturing PII and system instructions in plain text demand a new approach to observability Key topics:
Non-determinism in AI testing • Continuous evaluation vs. pre-deployment scans • Model Armor & runtime security layers • Sensitive data redaction in logs • Prompt injection defense-in-depth • Agentic workload security • WAF limitations with AI agents • DevSecOps governance & top-down culture For CISOs, DevSecOps leads, and security architects navigating AI adoption: the pipeline you spent three years building is mostly still valid. This session tells you exactly what to add. All viewers will receive a c’heat sheet’ compiling links galore courtesy of Aron Eidelman.

Deepfake Fraud in Banking and Financial Services: Detection, Compliance and the Race to Keep Up
Deepfakes have moved beyond social media curiosities into a direct threat to the financial services sector. Synthetic identities are bypassing KYC controls, cloned voices are targeting call centres, and automated fraud pipelines are scaling faster than most security roadmaps can respond. In this panel discussion, three practitioners examine the deepfake threat from genuinely different vantage points — compliance and audit, detection technology, and enterprise fraud systems — to assess where the industry stands and what needs to change. Panellists: Nikita Kuzmin, Product Manager, Western Union Vunavia McDuffey, Compliance Consultant, RBC Bank Parya Lotfi, Co-Founder, DuckDuckGoose AI The panel covers: Why deepfakes are shifting from social engineering tricks to full identity replication capable of passing standard verification controls
Whether organisations should treat deepfake fraud as a distinct threat category rather than absorbing it into existing AML and fraud programmes
Why 60–70% detection accuracy is not an acceptable benchmark for financial services — and what happens when 40% of deepfakes pass through undetected
The build-versus-buy decision for detection capability, including where vendor solutions repeatedly break down during integration
A real-world case study of a fraudster who opened 46 bank accounts at a major Dutch bank using face-swapped identity documents — caught only because of a gender mismatch on the 47th attempt
Why static detection models can degrade within days, and what continuous retraining and production feedback loops look like in practice
Concrete 90-day actions for CISOs, CIOs, and compliance leaders, starting with controlled deepfake attack simulations against their own systems This session is essential viewing for senior leaders in banking, financial services, and insurance who need to understand the gap between current defences and the industrialisation of deepfake-driven fraud.

AI Governance Reality Check: Most Enterprises Can’t Answer an Auditor’s Questions
When an auditor asks how your AI made a decision, can you answer? For most enterprises right now, the answer is no. AI adoption has outpaced risk management since ChatGPT’s arrival. Boards now recognise AI as a systemic risk to reputation, intellectual property, and regulatory standing — not just a productivity tool. Yet most organisations remain at Level 1 governance: policies on paper, basic intake processes, and zero visibility into what their agents are doing in production. Speakers: Mahesh Varavooru, Founder at Secure AI, and Stewart Tinson, Project Director at AI-360 You’ll learn: • Why paper-based governance will fail an EU AI Act audit — and what Level 3 looks like in practice • How runtime guardrails work as an AI-era firewall, intercepting every prompt and LLM response in real time • How to defend against prompt injection, jailbreaks, hallucination, and PII/PHI leakage in production systems • Why multi-agent systems amplify governance risk — and how to govern them at scale • How to reach Level 3 maturity in weeks to months — and make governance an enabler, not a blocker
Key topics: AI Governance Maturity (L1–L3) • Runtime Guardrails • Prompt Injection Defence • Hallucination Management • Shadow AI & Data Loss • Multi-Agent Security • EU AI Act Compliance • Board KPIs • Human-in-the-Loop • DevSecOps Integration Essential viewing for CISOs, CIOs, Chief Risk Officers, and compliance leaders scaling AI in regulated environments.

The 10 Billion Identity Crisis: Defending Against Industrial-Scale Deepfake and Synthetic Identity Fraud
How do you convince skeptical CFOs to invest in deepfake detection? Stewart Tinson sits down with Ofer Friedman from AU10TIX, who reveals a stark reality: 10 billion synthetic identity sets exist for sale—more than Earth’s entire population—and fraudsters now have one-click tools to weaponize them at industrial scale. You’ll learn: How to build the business case for deepfake detection with boards facing regulatory and reputational risk
Why the shift from onboarding to ongoing fraud targeting existing customers is critical
Which device intelligence and network signals actually work beyond visual artifact detection
How to prepare for agentic AI fraud—autonomous systems that launch attacks without human intervention
Why identity verification and cybersecurity are converging into unified defense strategies Key topics:
The second revolution of AI fraud and fraud-as-a-service platforms • Why humans can no longer spot deepfakes reliably • Geographic attack hotspots across Americas and Asia • Real-time live session attacks as the most challenging threat • How well-crafted synthetic identities operate undetected for years • AU10TIX’s 25+ year background bringing airport security standards to digital verification • Agentic AI as the next wave of autonomous 24/7 fraud • Why annual vendor reassessment is now the minimum standard
Whether you’re a CISO, fraud leader, or compliance officer navigating EU AI Act requirements, this delivers brutal honesty about the threats you’re facing—and what industrial-grade defense actually requires.

Who Owns AI Security in the Enterprise? Governance Is Still in Its Infancy
Who actually owns AI security in your organisation — and how mature is your governance around it? Two senior CISOs from vastly different environments give a straight answer: ownership sits with the CISO for now, and governance, even in well-run programmes, is still in its infancy. AI is shifting enterprise risk from defending infrastructure to defending decisions. Agentic AI operates semi- or fully autonomously, traditional security controls don’t fit probabilistic systems, and no single vendor covers the full attack surface. Speakers: Andy Holliday, CISO at Petrofac, Lester Godsey, CISO at Arizona State University and Stewart Tinson, Project Director, AI-360 You’ll learn:
• Why the CISO is the only realistic owner of AI security risk for the next 5 years
• Why agentic AI breaks deterministic security controls and what to do about it
• How ASU built an actionable AI framework supporting 60+ large language models
• Practical controls: API key hygiene, command whitelists, blast radius reduction
• Why no single vendor can cover AI security end-to-end Key topics:
Agentic AI risk • AI governance maturity • Threat model transformation • CISO ownership • Incident response for AI • Ethics & training data bias • Vendor landscape reality • Probabilistic vs deterministic controls For CISOs, CIOs, and risk leaders making decisions about AI adoption now.

AI for Leaders: Governance, Risk & Why Strategy Must Come First
Is your organisation adopting AI without a defined strategy or governance? If so, you’re not alone — and the consequences range from data breaches to reputational damage to safeguarding failures. AI is a strategic risk, not a silver bullet, and definitely not a magic data fairy. Without clear ownership, rules, and accountability, AI can proliferate across your organisation in ways that cost more — in time, money, and trust — than not using it at all. Speakers: Craig Clark, Director at Clark & Company Information Governance Services, and Stewart Tinson, Project Director, AI-360. You’ll learn: Why “understand your why” must precede any AI rollout
Which risks senior leaders most commonly overlook — from data leakage to safeguarding
How to measure AI value through outcomes, not adoption metrics
Why accountability for AI governance sits with the C-suite, not IT or compliance Key topics:
AI strategy • Risk appetite • Data protection • Bias & fairness • Safeguarding • AI literacy • Governance models • Return on investment • Executive accountability • AI use case tiering For CISOs, CIOs, and senior leaders who need to govern AI responsibly — before it governs them.

Why Your Healthcare CISO Isn’t Buying Deepfake Detection: Real AI Security Priorities
When a Group CISO with 25 years in security says “I’ve not seen anything that actually works very well” about deepfake detection technology, that’s not skepticism—it’s prioritization. Christopher Neal runs security for a multi-jurisdictional healthcare organization where one wrong decision in an operating theater has consequences far beyond brand damage. His priorities reveal where enterprise AI security actually matters versus where vendors want it to matter. SPEAKERS: Christopher Neal (Group Chief Information Security Officer, Ramsay Healthcare—operating hospitals across Australia, UK, France, Sweden, Norway, Denmark) and Stewart Tinson (AI-360 Project Director) You’ll learn:
• Why deepfake detection ranks low when you’re protecting operating theaters, not just bank accounts
• The “99% accuracy problem”: why near-perfect AI models create dangerous human complacency
• How to structure AI governance when clinical ethics trump technical controls
• Red flags that separate enterprise-ready AI vendors from consumer products with sales wrappers Key topics:
Automating SOC analyst grunt work while keeping humans in the loop • Clinical versus administrative AI risk tolerance • Vendor red flags including single-tenant architectures and identity integration failures • Third-party AI risk assessment when transparency stops below US defense scale • Board reporting on AI threats without operational noise • Why generative AI made criminals faster but didn’t create novel attack classes • Organizational resilience over individual blame • Measuring security ROI skeptically • Using closed AI models for patient data protection • The medical dosage nightmare scenario when AI confuses milligrams with micrograms • AI governance committee structure separating cyber, legal, privacy, and clinical ethics responsibilities A healthcare CISO who spent tens of millions at previous organizations chasing 90% CMDB accuracy explains why he’s not chasing deepfake detection tools.

Retroactive AI Governance: Why Bolt-On Security Is Setting Enterprises Up to Fail
Many organisations rushed to deploy AI. Now they’re scrambling to bolt on governance after the fact — and discovering they don’t even know what’s in their environment. How do you secure what you can’t see? Celina Stewart, Director of Cyber and AI Risk Management at Neuvik, breaks down why retroactive AI governance isn’t working, where the real risks hide in AI’s unique tech stack, and what executives need to do now before agentic AI makes the problem significantly harder. Speakers: Celina Stewart, Director of Cyber and AI Risk Management at Neuvik, and Stewart Tinson, Project Director, AI-360 Online You’ll learn: • Why companies that implemented AI first are now scrambling to retrofit governance they weren’t built for • How third and fourth-party risk in AI supply chains introduces threats most vendor questionnaires never reach • Why shadow AI and BYOD are creating visibility gaps that make it nearly impossible to implement effective controls • What a third-party risk management programme tailored specifically for AI should actually address — including memory injection controls • How agentic AI demands a shift from zero trust to continuous trust, and what “Know Your Agent” looks like in practice Key topics: Retroactive AI governance • Shadow AI visibility • Third and fourth-party AI risk • AI tech stack security • Insider risk from AI tools • Vendor rebranding and marketplace noise • Agentic AI continuous trust • Know Your Agent (KYA) • AI-specific vendor diligence • Employee AI education Essential viewing for CISOs, CIOs, and enterprise leaders responsible for AI security, governance, and risk management.

The AI Governance Illusion: Why 75-80% Compliance Is Easier (and Harder) Than You Think
If your AI governance framework can explain what data trained it, who signed off, and what happens when it fails — you’re 75-80% compliant in most jurisdictions. So why are most organizations still struggling? In this panel discussion, two practitioners with combined decades of experience across multiple continents and industries reveal why the gap between governance policies and operational governance is where real risk lives — and what to do about it. You’ll learn:
• Why regulatory interoperability using ISO 42001 beats building separate compliance programs
• How shadow AI is creating unaudited risk across your organization right now
• What autonomous agent-to-agent interactions mean for accountability and compliance
• Why “human in the loop” is often governance theater due to automation bias
• The minimum viable governance framework scale-ups and SMEs can implement in weeks
• What Web 2.0’s trajectory warns us about AI’s current moment Key topics:
ISO 42001 • Regulatory interoperability • Shadow AI • Autonomous agents • Data provenance • Explainability gap • Human oversight • Third-party AI risk • Automation bias • AI literacy • Minimum viable governance • Contract evolution Essential viewing for CISOs, CIOs, CFOs, and Chief Legal Officers navigating AI governance across jurisdictions — with practical frameworks you can implement immediately.

Responsible plus Cool- AI Security Fundamentals
Why are 95% of enterprise AI initiatives failing according to MIT research? The answer isn’t what most CISOs expect. After deploying AI systems across financial services, healthcare, and conversational AI platforms, three security leaders reveal an uncomfortable truth: companies aren’t failing because their AI is flawed - they’re failing because they’re building on fundamentally broken infrastructure. Speakers: Cynthia Colbert, Co-founder at Innovation 8 (15+ years cybersecurity, fraud, and AI in financial services); Srini, Bay Area Tech Entrepreneur (secure AI infrastructure for enterprises); Neil, Copenhagen-based AI Risk and Security Leader (conversational AI deployments) You’ll learn: Why AI doesn’t create new security problems - it just scales your existing failures faster
How traditional security controls outperform AI-specific guardrails in production
The three-tier deployment strategy that separates the 5% who succeed from the 95% who fail
What “human-in-the-loop” actually requires versus security theater most companies perform Key topics:
Identity and data governance as core AI security • POC-to-production challenges in regulated industries • Old security fundamentals vs. AI guardrails • Digital sovereignty realities in Europe • Hallucinations and systematic AI errors • Deepfake-enabled fraud scenarios • Autonomous agent accountability gaps • Real-world conversational AI deployments For CISOs, CIOs, CFOs, and Chief Legal Officers making AI deployment decisions in 2026-2027, this conversation cuts through vendor promises to reveal what actually works when moving AI into production.

Agentic AI Security: Goal Hijacking, Supply Chain & Controls You’re Missing
Is your agentic AI system doing what you think it’s doing — or has its goal already been redefined? As enterprises rush to deploy AI agents, most security teams are focused on the obvious threats and missing the attack surface that matters most: the supply chain. Plugins, config files, and schema definitions are now active attack vectors. And unlike traditional prompt injection, goal hijacking doesn’t announce itself — it changes agent behaviour slowly, persistently, until the damage is done. Speakers: Dr. Isi Idemudia, Global Lead – Responsible AI Technical Regulation & AI Agency Governance at HCL Tech, interviewed by Stewart Tinson, Project Director at AI-360. You’ll learn: Why goal hijacking is fundamentally different from prompt injection — and why it’s harder to detect
How to identify a compromised agent using tool call frequency and behavioural baselines
What MCP server supply chain attacks look like in practice — and how to lock down your registry
How the Tool Action Policy Gate (TAPG) framework protects GitHub Copilot and Amazon Q deployments
Why enterprises building agents must invest equally in monitoring and controls Key topics:
Agentic ingress/egress mapping • Goal hijacking vs. prompt injection • Zero-click attacks (EchoLeak/Copilot) • MCP server supply chain risk • Behavioural anomaly detection • Policy as code • Kill switches & automated rollback • Environment isolation & risk classification If you’re a CISO, CIO, or security leader deploying agentic AI tools, don’t miss this conversation with a practitioner who red-teams these systems for a living.

Garbage In, Garbage Faster: Why Agentic AI Exposes Your Organisational Debt
If Agentic AI follows your documented processes, what happens when those processes don’t reflect reality? Most organisations assume AI will figure things out. Business Architect Laura Van Weegen argues the opposite: AI doesn’t create new problems — it removes your ability to ignore the ones that have existed forever and a day. Undocumented workflows, undefined decision ownership, and human workarounds masking broken systems all get amplified at machine speed. You’ll learn:
• Why “garbage in, garbage faster” is the real Agentic AI risk
• The critical difference between feeding AI data versus information
• How process debt compounds the same way technical debt does
• Why exception handling is the new decision design priority
• What one conversation reveals more than most AI readiness assessments
• How to build explainability in from day one Key topics:
Agentic AI readiness • Information architecture • Process debt • Data vs information • Contextual blindness • Decision ownership • Explainability vs traceability • Semantic infrastructure • Exception handling • Organisational accountability • Workflow documentation • AI governance Essential viewing for CISOs, CIOs, CFOs, and Chief Legal Officers evaluating Agentic AI deployment — before the human safety net disappears.

Operationalising AI Governance: From Framework Theory to Engineering Reality
Operationalising AI Governance: From Framework Theory to Engineering Reality 400 teams. 6 reviewers. Blown SLAs. Blocked releases. That was AI governance done wrong — and most organisations are repeating the same mistake now. Privacy and security are just 2 of 9 responsible AI pillars. If your governance programme doesn’t cover all nine, your AI systems carry risk you haven’t measured. In this session, Tom Layson draws on 15 years across Microsoft, Amazon, and KPMG to reveal what it takes to move AI governance from theory to operational reality — and why treating it as a checkbox exercise is the most expensive mistake you can make. You’ll learn:
• Why AI governance requires fundamentally different approaches to privacy and security
• How to embed governance into the SDLC from design phase — not bolt it on at the end
• The playbook matrix model that maps responsible AI pillars to development phases
• Practical tools for fairness testing and synthetic data generation
• How to secure C-suite backing and shift governance from “tax” to advantage
• Why education trumps checklists for driving cultural change Key topics:
Operationalising AI governance • Responsible AI pillars • SDLC integration • Fairness and anti-bias • Explainability • Data lineage • Synthetic data generation • C-suite sponsorship • Prompt injection risks • Regulatory compliance Essential viewing for CISOs, CIOs, CDOs, and enterprise leaders building AI governance programmes that work.
