
Why Agentic-First Startups Won't Disrupt Enterprises as Fast as Everyone Thinks | Kris Lovejoy
May 15, 2026 · 56 min · 8,223 words
Show notes
Kris Lovejoy, Global Strategy Leader at Kyndryl, has spent her career at the intersection of IT infrastructure and security. Right now, she's one of the people enterprises call when they want to move from AI experimentation to real deployment. Her diagnosis is clear: agentic AI is a bullet train sitting on tracks built for 30 miles per hour. The technology is ready. Most organizations aren't, and the gap between a successful pilot and a production system running at scale is far wider than the hype suggests. In this conversation with Craig Smith, Lovejoy walks through why IT service management is the smartest entry point for agentic adoption, how cost savings of up to 90% in that area can fund broader modernization, and why the security risks in agentic systems are less about sophisticated hackers and more about misconfiguration, bad context, and human error. She closes with a specific prediction: half of traditional IT administration tasks will be handled by AI agents by 2031, and a surprising take on who will actually thrive in the agentic era: not coders, but people trained to ask the right questions. For anyone making decisions about AI adoption, this is the most practical conversation available right now. Subscribe to Eye on A.I. for weekly conversations with the people building and deploying the future of AI.
Highlighted moments
“It's really easy to build really cool things. It's really hard to run them at scale securely, compliantly, resiliently, reliably.”
“most of this old COBOL code has crypto relics in it. So what happens is the cryptography for that application is actually baked into the code and it doesn't actually manifest itself until it's in memory.”
“when you set a policy for how you want to monitor and enforce the policy, you can't establish the policy for what it is today. You want to establish the policy for how you think it's going to grow and evolve and then constrain it beyond evolving from particular vantage points.”
Transcript
Introduction to Agentic AI
0:00You know, agentic AI is a hot new thing. Every large enterprise in the world is trying to figure out how to use it. It's really easy to build really cool things. It's really hard to run them at scale securely, compliantly, resiliently, reliably. My prediction is that by about 2031, about half of all of the kind of the traditional IT systems administration tasks, the line one, line two tasks,
0:30they will be provided by agentic AI, and then humans will be in either in the loop or over the loop, if you will.
Guest Introduction
0:39So, Kris, it's great to finally talk. I know that this has been in the scheduling mode for months now. Yes. I usually start by having you introduce yourself and give some of your background, if it's relevant, and what you're doing at Kyndryl. Sounds good. So, my name is Kris Lovejoy. I am the global strategy leader for Kyndryl.
1:11Kyndryl is a company that is fairly new on the scene. We've been around for about four years now. We're actually a spinoff from IBM. So, about four years ago, IBM took the organization that did a combination of strategic outsourcing and IT integration projects, spun it out, and we became a publicly traded independent organization.
1:42And so, today, we are really focused in three, I'd say, major areas. One is in IT modernization programs. So, think about that as, you know, modernizing your legacy infrastructure data centers, whatever the case may be, moving those workloads to the cloud. Second area is in and around security and resiliency, which is kind of my domain or historic domain. And then the third is really specializing in data and AI
2:12and bringing, you know, generative, agentic, all forms of AI to, you know, enable customers new ways of working, if you will.
Agentic AI Adoption
2:23Yeah.
2:23And on, exactly on that point, you know, agentic AI is the hot new thing. I would, I think it's safe to say every large enterprise in the world is trying to figure out how to use it. Yes. There have been many pilots over the last year, but very few systems have gone into production, at least in a way that's of any scale that's significant.
3:01You know, we're coming out of the age of experimentation and, you know, where we've all been dabbling in using AI and, you know, agentic AI in particular now. And we're seeing the benefits of the capabilities, you know, but not in production. We are finding it very costly. We're finding it somewhat insecure. We're finding it to be unreliable. And most importantly, it's not scalable. Oh, and if you're in Europe, you know, there are sovereign concerns as well.
3:34So, you know, there are some things that are preventing us from going into what I'd call the age of industrialization around agentic AI. And so I think, you know, it's going to be a little bit that we're in this transition period. I mean, we'll get there eventually.
Kyndryl's Role in Agentic AI
3:50Yeah. And so what are those? And actually, I'm just going to ask before we get too far into it. When you're talking in your role to enterprises about agentic systems, what is Kyndryl's role? Is it, are you building stuff? Are you acting as a consultant? You know, what's Kyndryl doing in those conversations?
4:22So quick analogy, if we were to say that, you know, there's a bullet train, bullet train can go 150 miles an hour, and it's sitting on tracks that limit it to about 30 to 60 miles per hour. And this is actually a true story about, you know, trains in the eastern seacoast of the U.S., legacy infrastructure set up in the 1930s, you know, keeping us back. In that context, what do we do as Kyndryl? Our job is to build the train so we can work with the customer and build the agentic AI, that workflow.
4:58The other thing that we do, and this is where we really specialize, is we will modernize the infrastructure on which that train is going to actually operate. So our real focus is on preparing the IT infrastructure layer, getting the data layer ready, making sure that you've got all the monitoring, the registration, all the stuff that one would need to actually use agentic AI at scale, that's where we play.
Agentic AI Challenges
5:23Okay. And are you seeing any enterprises adopting agentic AI at scale yet?
5:33It is very rare to see one at scale. I'd say that what I see is vertical use cases. So, for instance, you know, there's some use cases like know your customer or within the healthcare space, you know, invoicing. Or, you know, if you have a sales, you know, a cash order process that you can, you know, automate using agentic AI, that seems to be successful. But those are vertical use cases, horizontal use cases where there is an integration of AI workflows across the business horizontally.
6:12I have yet to see that. Yeah. Yeah. And that's the big promise, right? That you take a business process or workload, break it down into steps, decide what agentic AI could handle and what a human has to handle and presumably speed up the whole process.
Horizontal Applications of Agentic AI
6:32Let me ask, are you talking to any enterprises about that more horizontal application? We are, as a matter of fact. It is, it's, it's beginning. And I'm, I think, you know, for most, it is interesting as to what they're looking for when you're talking about the horizontals. A lot of our customers, you know, we're talking to right now, obviously, there's a lot of economic insecurity. And so there's the, you know, sort of this combination of nobody really wants to spend capital because they're worried.
7:05And they're also, they're not only worried about spending the capital, but they're, they're being pressured by their boards to implement AI. And so there's this combination of they, I don't have any money, but they want me to spend money on AI. So, you know, what do I do? And so where we're beginning to talk to customers and because we're beginning to see some success on our, our own is we've been, you know, four years ago when we came out of IBM, we created an AI ops platform that enabled us to manage, you know, our, manage our customer systems with a high level of automation.
7:42Over time, we've begun to agentify. And so where we're beginning to integrate with customer or work with customers is in thinking about IT service management. So that is, those are all of the processes that are required to manage an IT infrastructure. So we've got a kind of a maturity model, if you will, that allows customers to begin to integrate agentic AI to automate all of those IT service management processes.
8:12Now, the benefit is that it radically reduces the cost of IT service management, in some cases up to 90%. And then you can take those funds and you can use those funds to do the modernization. So it's like a modernization dividend, if you will. So that's where we're really beginning to see customers looking at that from a horizontal. But I'd say it's a bottoms up. It's going to take some time before, once you get the foundation ready, you know, the tracks laid, if you will, before you can have that, the uniform approach to integrating from a vertical perspective.
8:46Yeah, yeah, and that's interesting.
IT Service Management
8:49That's what I've heard, too, that a lot of the early applications are in the IT service area, partly because those guys understand it. And it's easier, the change management's easier. When you talk about IT service management processes, just give me one of those processes that would be ripe for agentic adoption.
9:22Sure. So problem and incident management, configuration management, patch management, those are all, you know, good examples of things that can be agentified. Okay, and is Kyndryl building, you said that you do build the infrastructure. Yeah, in that case, let's take that case of IT service management.
Building Agentic Systems
9:52How do you go about that? I mean, do you look at the process, break it down, decide what can be agentified? Identified, and then do you build the agents? Does the customer build the agents? Do you recommend off-the-shelf agents? How does that work? Well, today, what we're typically doing is, so a customer, you know, when they work with us, we have, you know, our processes, we have very, very, very well-defined runbooks for how we would implement those processes.
10:25So the ontology is defined, and then through AIOps, we also have a lot of information about how that process actually is executed in practice. Like, so we can see the environment in which it executes, what the problems are, et cetera. So what we do is we have what we call an agentic framework and a policy kind of ingester. So what we do is we take that process and we take the data, the insights, we feed it into our kind of engine that crunches the workflow and crunches the insights and builds the agent.
11:01And so we build those agents that allow for the sort of the automation of the process. Now, what differs from customer to customer is how much true autonomy they want to give these agents. So there's this question of, is it an autonomous agent with a human on the top or is it an agent with a human in the middle? There's a big difference there. And so we're seeing some differences there in kind of the way customers want to see those checkpoints be instantiated. But we will build those agents and then we will actually run those agents.
11:36We'll register them and run them on our platform. We are beginning to look at running our agents on other people's platforms as well. And not to be announced, but this is, you know, a direction that we're thinking about right now. Yeah. And you, you said at the beginning that, that you've spent, you guys have spent time integrating, or maybe I misunderstood, but integrating agents into your workflows.
12:07Can you talk about how extensive that has been, particularly on the horizontal? Oh, it's, you know, it's, it's always a, it's, it's a funny thing. We were just talking about this the other day. It's like, how do you actually describe this? Because the definition of an agent is so different. Is it, you know, is it like the orchestration agent or is it the incremental agents? It's so, it's so hard is the number of tokens that are digested. What I would say is go back to the kind of the ITIL processes.
12:41So there are 34 ITIL processes. Of those 34 ITIL processes, there's a subset, figure 20, that can be identified. Of those 20, we have just, just define ITIL for. Oh, I'm sorry. I'm sorry. So IT infrastructure library, think about that as the best practice mature, best practices, the implementation blueprints and the maturity model for how you manage IT. So when you're in kind of the business, you're an IT administrator, you know, ITIL, that's kind of like your Bible.
13:16You know, you're going to go and patch a system. ITIL tells you, okay, if you automate this, then you've gotten to ITIL for level three maturity because you're using this level of automation. Very well constructed and defined. So we think about everything within the context of ITIL working toward an ISO certification. So ISO becomes kind of the pinnacle of how you operate. So when we think about agentic AI, we are breaking down those processes into kind of discrete components that are mapped to the IT infrastructure library, and then we agentify those processes.
13:59So in answer to your question, we are working through the agentification of those processes right now, and we have agents that will help get to various levels of maturity within that context. Yeah. And are your agents all based on, like, the granite models, or are you model agnostic? Can you go out and find the best model, or do you have models in-house that you've built that are underlying, that are the brain, so to speak, of the agents?
14:39Yeah. Our models, we tend toward open source. So any time that we can use open source models, that's what we will use. However, you know, there is an IP question for customers, and sometimes they want us to use their models. So it really just depends on the customer with whom you're actually interacting. Right. Right. And these, you were talking about, you know, there's a big difference if you have a human in the middle. You know, there's an agentic workflow, or on top, sort of managing the agent or agents.
15:18Which, do you have, and have you built an orchestration layer that gives visibility and management tools to a human to keep track of what the agents are doing, what they're allowed to do, and that sort of thing? Yes. Absolutely. So that is, we have something we call the Kyndryl Agentic AI Framework that was released, I think, about six months ago.
15:48That's exactly what it does. So part of it is the policy and sort of digestion and agentic creation engine. And then there's another component part of it, which is the orchestration engine. Now, think about, you know, in the orchestration engine, think about that as a tool which allows for a single enterprise to manage kind of agentic workflows. We've also got underneath that, we've got another capability we call Kyndryl Bridge.
16:22So think about that as multi-tenants, because there's a concept of reusability. So what we want to be able to do is take an agent that worked over here for this customer. Now we want to be able to reuse that agent over here for other customers, because that allows us to scale the use of the agents in a trustworthy way. So Bridge is the mechanism by which we will register. So discover, register, define the policy that needs to be monitored, monitor,
16:54and then enforce policy across a spectrum of agents that are operating across multiple orchestration frameworks.
Security Concerns with Agentic AI
17:03Yeah, and security is a big concern.
17:12You know, I've got OpenClaw running on this laptop on my main computer, and I know it's dumb and I keep on meaning to move it. But these, from what I understand, you know, agentic systems are full of security holes. So how do you address that, or how do you, you know, instill confidence in your customers
17:43that what you're delivering to them is secure? You know, it's really, it's interesting. There was an article today, one of the media outlets, about Claude having done an exceptionally good job of, you know, identifying vulnerabilities within software. And it was kind of well touted. And I thought to myself, you know, it's good and bad. You know, on one hand, it's nice to know that, you know, these QA checking tools are improving over time.
18:16That's great. The problem is it gives people a false sense of comfort, right? Because, you know, it is, the challenge is context. And this is where the human comes to play nowadays is, you know, let's say you've got an agentic, you know, an agent that goes out and it checks to see whether or not there are vulnerabilities within a particular system. It finds, and I'm making this up, finds a communication protocol that is unpatched.
18:49So, you know, goes ahead and patches that protocol. Well, guess what? That protocol was configured the way it was because it's tagged to, or it's tied to a 15-year-old legacy, you know, system in the back. And now you've patched it, now it no longer works. So now you bring down the system. So it's not just a question of vulnerability. It's a question of context and configuration and the complexity of the underlying infrastructure. And as we started out with, most customers are working with a hodgepodge of stuff,
19:21multiple clouds, some legacy stuff, some SaaS stuff. And the intricacy of that integration is where the problems lie and that lack of understanding of how these things interact and why the context for why they are configured the way they are becomes really problematic and is why you need humans in the loop to make sure that you're not doing something dumb. Yeah, and I guess would humans necessarily be aware of why that patch is not there?
19:58I mean, you know, people come and go and documentation is not always what it should be, is rarely what it should be. So, yeah, how do you know that context? How do you communicate that context to an agentic system? Therein is the question, right? So then you bring in generative AI, right? Because the knowledge base becomes very important. And, you know, I think this is the interesting thing is, you know, going back to, you know, you can't have 150 mile per hour train on a 30 mile per hour track.
20:39I mean, these are the issues that are holding organizations back. And so, you know, when we talk about the need for modernization and the need for uplifting these legacy systems, what you're pointing out is exactly the practical reality of why you can't just dump agentic AI into your infrastructure and think it's going to work. Because it's more than just knowing where your systems are. You have to know why they were configured the way they were. Yeah. And where is that knowledge generally in an enterprise?
21:10Is it in people's heads? Is it in documentation? It depends. I mean, if you have a really good, you know, ticketing problem and incident management system, you know, ticket resolution system, oftentimes that history may be, you know, well-defined. Like if you've got a CMDB, ServiceNow, that sort of thing, you'll have those records. Sometimes you don't. Smaller organizations won't. It just really depends on how robust your compliance has been.
21:40And let me emphasize that because this is the dual edge of, you know, compliance. It's like we say, you know, compliance is hard. Compliance adds complexity and cost. It also forces hygiene. And there is a reason why there is hygiene. There is reason why auditors look at the record keeping in and around things like, you know, managing critical infrastructure systems. It's because situations like this happen and you have to be able to go to the manual or go to the database or whatever it is so that you can figure out what happened and can unroll it again.
22:13But, you know, this is – that's why I have a fraught relationship with regulation or hate, love, hate, whatever you want to call it. It's good and also, you know, it's really painful at the same time. Yeah, so in modernization, when you talk about modernization, particularly with the IBM history, I go immediately to COBOL.
Modernization Challenges
22:40What are the main challenges of modernization in general enterprises? Is it upgrading the language in which systems were built or does it have to do with microservices and containerization and all of that?
23:03That's a good question.
23:07Every organization seems to be a little bit different. You know, there's some common patterns. Let's say if you wanted to go to, as an example, like you're going to be doing an SAP modernization, you know, what you find becomes really, really hard is, you know, the SAP, you have to go from SAP legacy into RISE, right? So we all know we're going to have to move to RISE. And so there's a, you know, they're usually most organizations want to do like a two-step.
23:39So they want to first move to the cloud and then they're going to move to RISE after that. And then what becomes the problem? Well, the problem isn't necessarily lifting and shifting SAP, the application. It's the networking. It's the provisioning. It's all of the stuff that is integrated into SAP that needs to be kind of reoriented to support a cloud environment. That becomes really painful. And so I'd say it depends. The answer is it really depends on the application environment that you're trying to move.
24:13And each of them have their own specific foibles, if you will, that you have to watch out for. Now, companies like ours who have the experience and what it means to lift and shift will know, like, you have to look here, you have to look here, you have to look here. But it is each one, as I said, is painful. Can I just add one thing, though, because you're bringing up COBOL? And this is a let's talk about quantum for a second, because this is a part that, you know, so your folks are listening to agentic AI.
24:44And I'm going to I'm going to wax rhapsodic about this issue. So today we have like 800 billion lines of COBOL code that are supporting critical infrastructure services. Of that, 400 billion lines of that code are supporting our COBOL code that was written 20, 30, sometimes 40 years ago. Now, most organizations would say, oh, OK, well, that's fine, because I got a mainframe and the mainframe is the most secure, you know, and that's right.
25:18It is absolutely secure. Here's the challenge is it is built to be backward compatible. So when a mainframe runs, that 40 year old code basically runs like it was 40 years old. Right. So that again, to keep that in mind. Now, why is that important? That is important because most of this old COBOL code has crypto relics in it. So what happens is the cryptography for that application is actually baked into the code and it doesn't actually manifest itself until it's in memory.
25:53And so there's really no way to find it. So one of the things that, you know, we're finding now is actually generating a lot of questions about modernization is actually going back to some of these legacy environments, COBOL, Java environments, where the cryptography was actually built into the code. And now you have to do this archaeological dig to figure out what are the crypto relics to find out now, what do I do with those crypto relics?
26:27Do I have to refactor the application? Do I, you know, like what are the choices? But this is another one on the horizon beyond the gen that we're all going to be thinking about. Anyway, thank you for letting me take a little detour. Yeah, yeah. Well, even in that, in reviewing millions of lines of COBOL, who, I mean, are, at this point, are you using AI to do that review? I mean, or are there still, you know, COBOL fluent engineers that can spend weeks reading millions of lines of code to follow what was done and, you know, where any vulnerabilities are or problems and that sort of thing?
27:22I think that this is one of the areas, this is one of the bright spots for AI is actually in doing code refactoring. We've seen a lot of success. We use those tools today because one of the, you know, challenges I'd say for a modernization program is kind of that front end, just that kind of the discovery process and understanding, like, what is it that you need to do? I think this speeds up the process. It doesn't make the, you know, the modernization program, it makes it less ugly.
27:55It's still ugly, but it makes it easier to undergo because you have the, you know, you have the tools at the dispose, at your disposal on that front end side. Yeah. Yeah. So, so you have this orchestration layer. You're building the agents. On the customer side, what, is there some metric of how many agents a single human can manage? I mean, there's a lot of talk about how middle management is going to shift from managing people to managing hybrid teams, which include dozens, if not hundreds of agents.
28:42And then, you know, presumably there'll be a layer of management below middle management that is specialized in managing agents. How is, how many people, I mean, how big is that specialized workforce going to be? Does it need to be specialized? Do you need to have people that really understand the orchestration software, understand how, you know, the fundamentals of how agents work and, and are competent to, to manage multiple agents?
29:22You know, it's, it seems to be shaking out in a fairly logical way, which means that, you know, so going back to, you know, sort of, if you're talking about using agents for IT, you know, service management, and your team is kind of organized logically. So you have one team that does kind of security management, which is security, health checking, and compliance, and audit.
29:54And then you've got another team that's doing problem and incident management, and another team that's doing provisioning. It seems that kind of the ownership of the agents is falling within those contexts, because there's a logic to it. They own the process. They own the tools, the underlying environment. They know how it works. They know what good looks like. They know what bad looks like. And the scaling of managers, you know, kind of the ratio of managers to agents is really dependent.
30:24It's not clear right now. It's really not clear. It's more about, you know, the sophistication of the agent and the, that kind of defines, like, what the structure needs to be. As well as, honestly, the amount of auditing, you know, compliance and checking that needs to take place. You know, the more heavily regulated, the more, you know, you're talking about a critical infrastructure industry where uptime is everything, the more humans you're going to have in that mix. And so, therefore, like, the scale, you know, in one organization might be one to a hundred.
30:59Another could be one to a thousand. It just depends. Yeah, yeah. I mean, IT services is, as I said, a good place to start because those guys are, that's the language they speak, right? They spend time on technology. But what happens when you're applying agents to a business process outside of IT?
31:30I've heard people say, well, you need, you know, the structure, the IT department has to become decentralized where you have, you know, in sales, you have an IT guy that sits in sales and can manage agents for the sales team. And other people say that, you know, you just need to upskill the entire organization so that everybody is competent in working with agents.
32:02How do you advise enterprises? So we've got, actually, one of the interesting practices that we built recently is a kind of a reimagining workforce and kind of operations because this is exactly the problem that a lot of organizations have. Now, I can't say that there's a perfect answer to any of this because we're all inventing it at the same time. But the way our recommendation right now, if you think about, like, what we're doing, where everybody has to have a base knowledge of how these tools are used.
32:41And I think this is pretty common is this concept of lean in, give everybody a base set of education, give everybody access to a base set of licenses and either require or heavily request that people become engaged in using these technologies, not only so they understand art of the possible, but they understand what's going wrong or can go wrong. But at the same time, but at the same time, then they have the specialists, the ones that are responsible for owning, implementing, and running the tool, just as if they would run like Salesforce.
33:18You've got a Salesforce admin. Now you've got the Salesforce, you know, agentic admin. Now, whether they sit in sales or they sit within IT, I think it really depends on the organization. In some organizations, Salesforce sits with the business line. Some organizations, it sits with IT. It's just the pet. Yeah. And so do you see this adoption accelerating or are we still at, you know, enterprise leaders are still kind of feeling their way forward, you know, educating themselves?
34:00And, uh, leaning on companies like Kyndryl to, to help figure this out or, or is, do you see it, uh, being adopted all over the place? And you think, oh my God, these people don't really understand what they're doing. A lot of them. Um, and yeah, I think it's, I'd say the experimentation is accelerating. I think it means there's so many projects that are underway.
34:30And I think that the level of success for those kind of siloed projects is improving. So, you know, six months ago, I would say very rare to see a successful use case. Now we're seeing more successful use cases. That's good. Am I seeing more like large scale implementations? I'm seeing a lot more talk about large scale implementations. I'm not seeing a lot more large scale implementations yet. Will we get there? Sure. But not, you know, I think it's, it's like you're pushing this gigantic like bubble down the, down the road, you know, and it's all this experimentation.
35:09But it's just getting pushed and it's getting bigger and bigger and bigger and bigger, but the road still isn't, it's still gravel. Yeah. Yeah. Yeah. Well, that's, uh, what, what I wonder. And, and, and the, you know, the, the media and, and the hype always runs far ahead of reality. Uh, uh, uh, uh, you know, research is sort of shows the promise and then the press picks it up as, and the impression among, uh, the, the public is that this is happening.
35:48But, uh, but do you think it's, uh, sort of like self-driving cars that we've got, uh, you know, the basic, uh, technology figured out, but there's just a lot of other stuff that has to fall in the line before it becomes widespread. So maybe we're, we're looking at 10 years before enterprises are really, uh, grounded in agentic AI.
36:20We're assuming, so I just, you know, and I'm, I'm going to give you my prediction. Um, I, you know, my prediction is that, and if you look at the space I'm in, which the IT infrastructure services market, um, my prediction is that by about 2031. About half of all of the, kind of the traditional IT systems administration tasks, the line one, line two tasks, they will be provided by agentic AI.
36:51And then humans will be in either in the loop or over the loop, if you will. That, that's my prediction. So that's where the market begins to shift. I think it's going to take about five years for us to get the rails and trails in place. That's my guess. Yeah. And that's for IT services. Yeah, it is for IT services. Yeah. Or, for the broader business functions within an organization, it would then take longer. Or do you think once the IT services end, has it figured out, then it'll spread quickly?
37:27I think you need to have the foundation built before you can use that whole scale. I think what you're going to begin to see is pockets of disruption. So there's going to be a couple of use cases that are going to be just so successful that it's, um, you know, you're, you're going to disrupt that industry. You're going to disrupt the industry overnight. So I think that will happen. Um, I'm not a hundred percent sure what those in, you know, what those segments are going to be right now, but I do think that that will happen. Yeah. And that's something I've been asking people because I talk to a lot of startups and a lot of them, uh, there are, is a, there is a class of startups that are starting, uh, with agentic AI and building agentic first organizations.
38:13And I'm sure you've heard, uh, uh, uh, Sam Altman's, uh, bet on who, you know, uh, how soon before one guy with an agentic workforce builds a billion dollar company. Uh, and you know, maybe that will happen at someday, uh, someday. Do you think that there'll be a big challenge to legacy, uh, players in many, uh, verticals, uh, by these agentic native startups who are just going to be faster and, and cheaper, you know, less, uh, costly to run?
38:59Um, it's interesting, the problem, you know, like when I talk to these agentic startups, you know, they look, I mean, it's like when you see the demos, you're like, whoa, that is really cool. And you built it in like 10 minutes. That was amazing. You know what? It's really easy to build really cool things. It's really hard to run them at scale, securely, compliantly, resiliently, reliably, blah, blah, blah. So when you ask these, the startups, all right, so where's your infrastructure running?
39:29Does it, is it SOC one, SOC two, SOC three compliant? Are, you know, oh, you want to hook into my SAP system and into my CRM and into my email system and good luck. It's not happening, right? So I do think that there's, um, you know, yes, it looks good. Certainly looks good. And in a pilot may look good too, but by God, I'm not allowing it into my environment. So I do think there is a, you know, when they figure out, when, um, they figure out how to run reliably, securely, you know, scalably.
40:05Okay. They can disrupt until then the kind of the bigger vendors are going to continue, um, you know, to sort of, I think, win in the market. You know, there'll be those that can afford to build their own CRM systems. Absolutely. But until that, the Salesforces, et cetera, of the world, they're still going to have a locked market and they're going to be bringing, you know, agentic capabilities within their software ecosystem. And they're going to be, uh, their customers are going to enjoy the value of those things. So it will be interesting to see what happens.
40:37I think it's more likely that the, um, the real innovation is going to be coming on the consumer side where the consumers are less concerned about, you know, integrating these technologies into their finance systems or into their, you know, like all that. So I think that you'll begin to see more lift in that market than you'll necessarily see in the B2B. So B2B, B2C, yes, B2B, unless if it doesn't touch data, then fine. Otherwise, I think it's going to be a little challenging.
41:10Yeah. Yeah. Uh, yeah. It's going to be fascinating to watch. I mean, presumably these, uh, agentic native startups can build all the infrastructure, uh, you know, uh, you know, it not at the same time, but as a fast follower to their POC, their proof of concept. And it'll be interesting to see how that happens on security. When you're looking at integrating an agentic system into IT services, for example, what are the security, uh, risks that you focus on?
41:53So, you know, as I think we always look at agentic from two different vantage points, you know, one is that, you know, obviously there, the threat landscape is increasing for a lot of different reasons. Not, you know, not limited to, um, you know, the fact that AI is now available to, um, you know, the threat actors. Uh, so they're becoming much more sophisticated and we're seeing, you know, like for instance, phishing is just amazing nowadays, you know, particularly countries like Japan, Korea, which are sort of isolated because of the language barriers.
42:27Now there's no barrier to entry. And so, you know, we're seeing a lot more risk in those particular environments. And so what that means is you have to have AI, you know, kind of addressing the AI threat. So when we think about agentic AI, it is very useful within a security operations context and being able to identify triage and then help in the resolution of the particular issue. So we're seeing it, you know, from, from that vantage point when it comes to kind of, you know, the threats.
42:58And, um, when we think about the risk of agentic AI, you know, it is, it's typical, right? As I was saying, it's vulnerabilities that can be exploited, but I'm, I've been in security long enough to know that when you, if you were to look at cyber incidents and I want to be, And I know this is heresy for somebody in the cyber industry, but a lot of cyber, what we think are cyber security issues, sometimes they're not.
43:28They're just like somebody did something really dumb and we classify it as a cyber security issue, may or may not be. But when you break it down, the reason why things fail within an organization is because somebody did something really dumb. They misconfigured something, they did something really dumb, and then it got exploited. Another reason is because the network was, you know, configured badly or it failed or whatever the case may be. So you could go kind of go down that list.
43:58The only in a small percentage of cases will you have a sophisticated threat actor, you know, get into your environment because of sophisticated means. So what does that mean? It means that when you're thinking about agentic AI, you've got to think about what are the new risks associated with the implementation of technology, as I was describing in the early, you know, when we were talking earlier, where there is the potential for misconfiguration, for failure to upgrade, for performing an upgrade that wasn't good, for deletion of,
44:40you have to think about it, you have to think about it from a very logical perspective. And so I tend to think about cyber as a set of risks that include but are not limited to cyber security related risks. And what we try to do is reduce the risk to the things that are going to be most likely to happen and which are going to create the biggest impact. And so, again, that is a – I know I'm getting into kind of like the cyber, you know, risk expert theology here.
45:18But suffice to say, it is what we focus on is oftentimes like the really dumb, really ugly, did the agent get registered? Did it get provisioned correctly? Was the workflow right? You know, all that kind of stuff that becomes kind of the meat and potatoes of what you need to look at. Yeah. Do you have – I mean, it seems like a natural case for agentic AI. Do you have agents that sort of crawl through a system looking for vulnerabilities as sort of virtual white hat attackers?
45:56Is that what they're called, you know?
45:59Yeah. Yes, exactly. So we have – it's a digital – our digital trust capability is exactly that. So it's a – it, you know, first of all, it looks for agents like some – you know, most companies have a lot of agents, but they don't even know they have them. So it looks for agents. It tests – this is actually really cool. What we do is we take agents and, as an example, we'll work with Microsoft. Microsoft has a digital twin technology. So what we do is we will do testing of the agent in a digital twin environment because the question – digital – you know, one thing is important about agentic AI is it actually learns and it changes its behavior based on how it's learning.
46:43So when you set a policy for how you want to monitor and enforce the policy, you can't establish the policy for what it is today. You want to establish the policy for how you think it's going to grow and evolve and then constrain it beyond evolving from particular vantage points. So when we're thinking about testing within a digital twin environment, we're thinking about testing the agent under certain circumstances to see how it's going to evolve so that we can create a policy that's monitored.
47:19And then we monitor the agent within that context using guardian agents because, you know, that's cool. So the guardian agents are the ones that are, you know, performing the testing, policy evolution, policy implementation, and then the monitoring and the enforcement on the back end. Yeah. You know, basically what you're saying, it's not on this, but generally that fire and forget agents are not in the cards now.
47:54You're going to have to run herd on the agents. In this case where you have agents that are checking the security of software systems, it seems like you could have an agent that just runs all the time or a series of agents that are monitoring and checking configurations and, you know, what data is flowing where and that sort of thing.
48:26Uh, or does, do even those agents need a human minder? They do need a human minder. And it actually is, um, it's a, this is a, it's a tricky one because when you train the agents, like, you know, what is good software? You could get back into the, and I've seen this in real practice. It is amazing when you look at good software and bad software, how similar they are. Good software looks bad and bad software looks good. And so when you're training an agent to identify kind of what vulnerabilities on are, oftentimes they're using kind of the, the standards that we use.
49:05So they'll look at the CVEs and then they'll make a determination based on the CVEs and so perhaps some other, you know, kind of characteristics. But you can't, um, it is very, very hard to teach an agent to understand like good software versus bad because as I said, we've got terrible coding practices. And so it's like, that's, uh, that becomes very difficult for them. So in answer to the question, yes, you definitely need human minders because, um, the human minders, it's important to kind of get the context, continually understand the context of what it is that they're looking at.
49:42And, you know, kind of reviewing the outputs so that you can make sure that they haven't learned bad, um, bad coding practices from theoretically good coding, uh, coders. Yeah, yeah, yeah, uh, this is all happening so fast. Uh, and I get asked by young people a lot, what should they study now? Uh, is there a cohort of cybersecurity or agentic security personnel who are available for companies to hire?
50:26To manage all this stuff? Or is this going to have to, uh, this expertise capability, is it going to have to be, uh, done through training within organizations? I mean, you know, when I listen to this stuff, I'm not an engineer, obviously, or a coder. Uh, I, it, I just can't imagine. There are enough people that understand this stuff and, and frankly, want to do it, uh, to hire, uh, you know, to sift through, uh, code bases and watch how agents are operating.
51:10It's, it's, it's not like creating software. It's not, uh, as creative as that. So, yeah, how are you going to man the, the bulwarks? It's really, it's interesting you say that this, because that's another conversation. And you're right. It's, this is literally like happening under our feet and we're all trying to catch up. Um, so a lot of, you know, uh, what I'm going to say is, you know, a prediction.
51:42I do think that people that have liberal arts, you know, educations that are really good at, you know, analysis and just kind of the fruble construction, like how to ask a question. Those are the people that are going to actually win in this marketplace. So, you know, like I was an English major, I'm like, I'm just beyond happy that I'm an English major because I really do think I was taught to, you know, consider the problem set in a very different way than some of my peers.
52:12It's just fantastic. Um, I, I do think over time you're going to see a different grouping, a different kind of individual, very creative individual, you know, that is going to become kind of the masters of these, uh, of these, uh, these agents specifically in security though. I mean, it's an interesting issue in so much as we're not seeing the jobs go away. And in fact, I'd say, I'd argue that agentic AI is making up for some of the gap that we've had persistently in this marketplace.
52:49So it's allowing us to get a little bit more breathing room, but because the number of threats is increasing, just because the number of like line one events that you have to chase is decreasing, you still have a lot of stuff. What's interesting though, is because a lot of the rote skills stuff is being automated, you don't need as many of the entry level folks. You need more sophisticated folks. So that is a really, that's become the challenges. How do you get some of the folks that would have spent a year or two in a SOC doing line one, line one and a half job?
53:26How do you get them from there to line three to level three, like overnight? So that becomes the real challenge for us now. Yeah. And how do you do that? I mean, it's funny. My wife is in education research and she has been saying to me for a while that, you know, there's like a huge, uh, talent, uh, shortfall in cybersecurity. Uh, but, uh, and, and, and we, she's also been asking me, well, what happens?
54:01All these entry level jobs go away. How do people get to the senior leader level or the more senior leader in order to do these jobs? If you don't have people coming up through the ranks. So, uh, yeah. How, how do you see, uh, that evolving? You know, I, I, you know, I've been thinking about this concept of a master crafts, craftsman, if you will, you know, a lot, uh, because I think fundamentally we have to actually restore almost like kind of that guild mentality where, um, you know, a university education becomes a practicum as opposed to, you know, you're learning in books.
54:41And not, you know, not saying that you, you know, that's not important, but like in security, I need people to come out of college as a line to a level two, level three engineer in order for them to do that. They have to have hands on keyboards in college, day one, performing the job. And so I do think that we are really going to have to think of these apprenticeship programs as being critically important. So the educate, it's not just about the education, it's about the application of the skillset, you know, in, in, in, in an area, which is kind of co-funded, right?
55:19So between the university and between the business and between, you know, perhaps the public sector, there is an investment in kind of the skills build, which is, I think it ended up will be good, but they got to start somewhere and they got to get out of school with the ability to be hired. But right now I look at these resumes and a lot of these kids, they've got great resumes, but I don't need them. I need somebody who's been in the field for five to 10 years. That's a, that's a different problem.
55:50Yeah. Yeah. Yeah. Uh, okay. Well, I'm, I'm, we're coming up to an hour. Uh, is there anything I haven't asked that you, you want to say to listeners? No, I do. You know, Craig, thank you so much for, for the time. And, uh, I really appreciate it. Go read books. Yeah. Yeah, that's a frightening, frightening, uh, trend that people don't read books anymore. I always tell my kids, believe me, you read one book, you'll learn much more than you can from a million TikToks, you know?
56:30Yeah. Read the newspaper, read books, but yeah, no, that's a lost art. We're going to have to get back there though. So, but you know, it's a, I think as scary as it is, and it's, it's an exciting time. I think, you know, we're going to all be looking back at this time and saying, wow, I can't believe I lived through this. It's, you know, it is. It's incredible. Yeah. So.