BARR Advisory Founder and CEO Brad Thies recently sat down with Alex Bovee, CEO and co-founder of ConductorOne, for a forward-thinking discussion about how agentic artificial intelligence (AI) is transforming the world of cybersecurity compliance.
Speaking on ConductorOne’s All Aboard podcast, Thies predicted that agentic AI will empower auditors to spend less time on menial tasks and more time leading strategic discussions that help organizations improve their overall security postures.
Businesses are “always looking to accelerate growth,” Thies said. “To raise your ceiling, you also have to raise your floor—what you say no to. And [AI] is giving a lot of opportunities with our clients and ourselves to raise that floor.”
Thies likened the auditing process to a doctor’s visit: “You go to a doctor’s office and you get your check-ups,” then the doctor determines what labs to order and sends those out to an external firm. As auditors, “we’re essentially working as the lab and the doctor at the same time,” Thies said.
“From our perspective, our professional opinion is what matters. The independence and impartiality that we have in the public is what matters. But we spend a lot of time doing a lot of analysis as well—evidence gathering, working through different evidence,” Thies said. “We see an opportunity with AI to raise our floor, so we can focus more on the diagnosis and judgment and opinion. That, I think, is really where our value comes in.”
The pair also discussed how cloud service organizations are using agentic AI and what that means for the auditors assessing their security and compliance.
“Everybody’s on their own different journey” when it comes to AI, Thies said. “It’s a shift in the way we think about things.”
According to Thies, the challenge for auditors is assessing whether their clients are developing AI or simply using AI, and how that impacts their level of risk.
“Autonomous agents running around an organization automating workflows in potentially non-deterministic ways is not without its own set of risks,” Bovee noted.
“For us, I don’t think it’s really new risk,” Thies argued. “The fundamentals are ever more important today. It’s the basics. Do you know where your data is? Do you know where it’s going?” What AI has done, Thies said, is accelerate that risk.
“A risk that maybe was a lower risk before, then you start to adopt AI, and data starts exploding…it just magnifies the impact,” Thies said, adding that this is a major area of focus in frameworks like ISO 42001, which mandates controls for establishing, operating, monitoring, and continually improving an organization’s AI management system (AIMS).
“It’s not so much about ‘here’s some prescriptive controls’ and ‘here’s some prescriptive risks you’ve got to think about.’ But what [ISO 42001 has] done, contrary to some of the other standards, is focus more on the impact,” Thies said.
“It definitely rings true that data is the biggest risk here, because [of] the access and the speed at which AI can discover data [and] use data,” Bovee said. “If you don’t have the controls in place, that’s obviously a massive problem.”
To hear the full discussion, listen to or watch the full podcast episode from ConductorOne.
Interested in learning more about ISO 42001 and other frameworks designed to help organizations ensure their use or development of AI is secure? Contact us today for a free consultation.