70. The AI Governance Expert: 3 Things Every Business Needs to Trust AI

Hello, everyone, and welcome to another episode of the security podcast of Silicon Valley. I'm one of the hosts, John McLaughlin. I'm joined today with the other host, Sasha Sienkiewicz. Hi, guys.
And today we have an amazing guest, Abhi Sharma, the CEO and founder of Reliance AI. Welcome to the show. Thanks for having me. Oh, thanks for being part of it.
Looking at your LinkedIn, you spent some time with Carnegie Mellon. You spent some time with Cisco as a performance engineer. Then you went off and you built a company, Foghorn Systems, and now you're on to Reliance AI. Spectacular.
Maybe for our audience members, would you like to share what Reliance does? Absolutely. Happy to. So Reliance, in a nutshell, is the most comprehensive trust and data governance platform.
What that means in simple terms is we automate and unify three things. Global privacy compliance, data security posture management, and AI governance operations. So a very bottoms-up AI-first approach for building a platform for all those three things. That's awesome.
So what inspired you to actually start this journey? You have to be a little bit crazy to be a founder. Certainly. Something hooked you.
Certainly. And I did it twice, so I must really love pain. Oh, yeah. This is your second time around.
Yeah. Well, so the story in a nutshell, and I'll keep it brief, but happy to dive in if you guys care to know. But my previous startup got acquired like any other founder. I was in this deep soul-searching mode of what I wanted to do next.
You know, I had the opportunity to probably choose two paths, like go down being a venture capitalist. And I was like, and I had some opportunities to do that. And when I was like, oh, I'll do that when I'm old. I still very much love building.
You know, after sort of in that period between Reliance and my last startup, I was really thinking deeply about what I wanted to do next. And I wanted to apply what I was good at as an engineer, which is compilers, observability, machine learning, and apply it to a different domain, if you will. Because I think that a lot of interesting stuff happens at the intersection of domains. I'm a huge fan of the idea of polymaths.
Like, you know, the problem statement I was really interested in on a very personal level is like, what are the Leonardo da Vinci's of the world? There used to be a lot of them between the 1100 and 1700s, and like there's not many, many of those people anymore. So that was kind of really the emotional impetus. And then what happened was, I know a lot of people in the AI community personally.
And so it was very clear to me in 2020 that we would live in a world where we would draw a line between before AI and after AI. And I thought to myself that if that hypothesis is true, then AI or AI agents will be embedded in all business operations. AI will quote unquote run the world, which means we need to empower humans to trust in governance. And you can't quite do that with top-down workflows or stupid manual applications, which is how the whole world of trust and governance runs today.
So that was really the motivation behind kind of finding a problem that had an impact at the infrastructure and governance layer for 100 years out and fit in the build side of what I was particularly good at. And it seemed like every solution in the market in this space was some version of partial visibility or a shitty top-down workflow. And I figured I could do something about it. And that was really the genesis.
And then I met my co-founder, which kind of had a nice yin and yang between us. She was a privacy lawyer coming from the world of compliance. And I was sort of this engineer. And I figured out we could have an interesting mixture of those two ideas to build a cocktail of something fun and interesting.
And that's Reliance, really. It sounds like a match made in heaven, you and your co-founder. So when you think about trust, what does that mean for AI exactly? And how does Reliance help build that trust or establish that?
Yeah, great question. So the way I look at trust is, you know, in simple words, and it's been one of those words which is overused but under-quantified, at least in the industry. And the way I look at it is, in order to quantify trust, it's basically a multiplication across three things, which is transparency, security, and the third thing is business value. So in order for you to actually trust a brand, trust a product, trust a piece of software, you kind of need those three things.
You need transparency, you need data security, or you can call it control, and then you need some kind of business value. And all of those things have to be present in order for you to have a long-term relationship with that business product or whatever. And the funny part is, trust is not an addition of those three things. Trust is a multiplication of those three things, which means that if any portion of those three things I just mentioned is zero, trust is equal to zero.
I'm an engineer, so I like to talk about it in mathematical terms, but hopefully that still makes sense. Now, what it means in the world of AI is all of those three things, business value, data security or control, and transparency, are at kind of odds with each other. So if you stay with me with this equation of trust, which is a multiplication of three things, we all are in agreement that with AI, you can actually really blow up the business value you can provide, whatever it is that you're doing in the world. And that business value could be faster service, better product.
But then that same thing, which is the incorporation of AI, is in tension with the other two things. And the other two things are basically data security and control and transparency, because AI is inherently a non-deterministic system. So in order to have elevated trust in the world of non-deterministic AI systems, you kind of have to balance all of those three variables in the equation. And so Reliance's role is really to help you with the transparency and the data security or control portion of it.
So as a business, we can offer trust as a service, which indirectly has a second-order effect of those brands and customers that we serve have direct trust with their consumers that we're serving. So that's what trust means to me in simplified terms in an AI-oriented world, and that's where we are playing a role. We'll provide the infrastructure so you can trust and govern it. You mentioned two very interesting components, which is data security, data privacy, and then AI exploding the business value, which entails that the AI now has access to all of this data.
And now we have lots of different questions of how does the data flow, who has access to the AI, who has access to the AI agents. Is that something that you guys help companies to visualize and maybe see how the data flows and control? Absolutely. And in fact, that is one of the most unique things we do at Reliance, which is a very visual representation of the end-to-end flow of data.
And to quantify that, Sasha, in the industry today, whether you look at it from a data governance perspective or whether you look at it from a data security posture perspective, there is very little visualization of flow of data across the system. And whatever that exists is very column to column between databases. But what happens with AI in the context of you asked the question, how the data travels between microservices, ETL pipelines, third-party API calls, contextualizes a lot of how it is being used. And that is completely missed if you just look at a database and say, well, I have Sasha's personal information here.
Okay, great. Well, why? What do I do with it? How do I provide a service?
So the usage context becomes very important. And so that's one of the unique challenges I started. And we've always been true to that mission, which is we want to show end-to-end contextual visibility of data flows across your entire landscape of business transactions. Because then not only can you accelerate innovation in the AI adoption, but you can do it with a lot of trust and safety.
And that's one of the most unique things of what we do at Reliance. Yeah, it's a type of data lineage or data supply chain, if you may. What's the biggest pain point that you see when you connect with your potential prospects? Often data security and security controls are seen as overhead.
The number one challenge is some version of over-indexed manual workflows. Whether it's mapping the data, whether it's setting up policies for access control or ACLs on the data, whether it's making sure you're under or over provision, whether you're trying to do it for compliance reasons or regulatory reasons or customer commitments. There is a heavy hand on that suite of workflows, which involves a lot of manual back and forth and conversations. That's the biggest pain and challenge I see.
And in the second bucket of challenges, when people have adopted some tooling for it, whether you do it from a security standpoint or a data governance standpoint, there is some automation on those manual challenges. But what gets missed is two things. They are still deeply hurting because of partial visibility, because existing tools can tell you you have 50 database instances and you have this data in there, but you kind of don't know why and who and what's the purpose. And you can't solve it if you just do data-at-rest analysis, which is the industry norm today.
So that's what is the big pain. And the second piece is like there's a lot of policy enforcement engines from all kinds of dimensions, whether you reason about it from a network and socket layer or whether you reason about it from an application layer. The problem is they're only as good as the amount of policies you write. And I think the AI era has really kind of like thrown water over all of that stuff, because at the end of the day, yes, you can enforce a lot of good stuff if the policies are written down.
And I think when security firms or even organizations use the term policy, we like to call obligations because it's the regulations, it's the compliance frameworks, it's the contractual commitments you make to your customers and your internal policies. And there is no way a human being is going to write all of those down, let alone the version control of updating over time. And those are the two big buckets of challenges to just recap manual workflows or partial visibility and manual input of policy, which is like it's impossible to keep up. And that's the general trend I see in pretty much across our customer base.
Into that mix, we can throw in a lot of vanilla policies that are just floating around. And often companies don't even read into the details before they ask your counterpart to sign it. What's your ICP, ideal customer profile? So the ICP for Reliance at the moment is really what I would call the mid-market or late enterprise or non-cheap product.
And when I say mid-market, I mean sort of large mid-market enterprises or early traditional large-scale enterprises, but with a touch of, let's say, modern operations. And when I say modern operations, what I mean by that is as cloud-first, as cloud-native as possible. That's where we're able to serve our customers quickly and actually show value of Reliance. Because one of the things we really pride ourselves on is if Sasha was interested in Reliance and we started an implementation at 10 a.m. Pacific time, before he jumps off the call at 11 a.m., you have value from Reliance.
It's not all the value, but a big chunk in front of his eyes. And that is just easier to do when most of your important infrastructure is in one of the cloud providers, whichever any one of the three hyperscalers, because we can pre-build a bunch of connectors and applications and analysis. This doesn't mean we don't serve people that have a lot of on-prem systems, but it's just kind of harder and takes more time. Like if Sasha has five data centers in Sacramento and I need to deploy an outpost there, it just takes them a lot longer than being cloud-native.
So that's how we're positioned in our ICP. Very market segment and market vertical agnostic, though. You touched on my follow-up question, which is, do your customers care about data residency? Yeah.
Data residency, especially the more enterprising that customer is or more regulated, especially with fintech and healthcare, data residency is huge. And it kind of shows up in two aspects with our customers. Number one, if they have operations in EMEA, they don't want the data to leave EMEA, if you will, and come to the U.S.
And then the second aspect in terms of more data centers is they are very keen on making sure the data plane is in their control, which is Reliance helps you to classify and give you these data flows, but they want the data plane to live in their environment, while the control plane could be the Reliance SaaS app for their tenant. And that comes up all the time consistently. And I think my personal projection is it's going to get even more focused or even more necessary for customers, because they're going to realize that our proprietary information, whatever business you do, is like really the gold asset we have as AI gets commoditized in terms of like your foundational model.
So the focus and desire to control their data in their own environment is even going to be higher, even for modern mid-market or SMB companies than we've ever seen before. And that often is driven by the requirements from their customers who might be the enterprise entities that you just mentioned. So it's sort of a top-down policy approach where the larger entity accepts the policy of data controls. The same controls will push down the line.
The funny thing for me, just because you highlighted a really good point, Sasha, is like in enterprise agreements and the MSAs and DPAs, so the contracts when two parties do business, for the longest time, there used to be a little line in those agreements. We will use your de-identified data to improve our software. And it is the most hotly negotiated item now, especially with our enterprises. It's like, nah, you're not doing any of that with my data, especially with this AI era.
So now that used to always be there in every agreement. And now everybody in terms of larger enterprises want that out of legal contracts. So it's a very interesting manifestation of the point that you've made that I see all the time. To that point, I often see DPAs have so much language, very protective language, just to make sure that we cover as much as possible.
And that in itself tends to be a little bit overprotective at times and tends to increase the friction when you sign those deals. Absolutely. Absolutely. And then this goes back to the point we talked about earlier.
When you generally don't have that end-to-end data flow visibility, well, what are your security and legal teams going to do? CYA. And so make it as protective as possible. And that kind of restricts even mutual benefit that can be derived, even if it's a vendor and a controller or a processor controller relationship.
And I think that's not great. Like, if you could cure cancer because of that sharing of data, then why not? We all want that. But then this kind of gets in the way of because of lack of visibility, to be honest with you.
Luckily, homomorphic encryption is right around the corner, and we all will be saved very soon. I'm not holding my breath. And Abhi, you've been doing the zero-to-one thing, like you were at your previous startup for more than four years. You've been at Reliance for more than four years for sure now.
Have you ever felt like giving up? No, I would say that, yeah, yeah. No, never giving up. I think I kind of was always the black sheep of my family.
Giving up was never an option, just kind of based on how I grew up and my background. I've definitely felt not good enough, never enough, but never giving up. That part hasn't been around. I mean, I guess there's no such thing as failure unless you stop trying.
Fair enough, yeah. I'd agree with that. What's been your proudest moment as an entrepreneur? I think two things.
One is a bit more about people because I think eventually, when you go through the entrepreneur journey, it all ends up boiling down to that. When I started Reliance, in my second month of operation, so right after we got funded and we were like, okay, we're ready to actually start working on this thing, I had like 10 people join me instantly. And all of these people are, you know, engineers or folks who worked with me for the past six, seven years. And I feel like that was my proudest moment because like, you know, we just got funding and 10 people showed up and we, yes, everybody assembled their own tables and they started working on their computers.
And I think that at some point you have to do something right as a founder for people to just continue to work with you again, whether you're successful or not. And I think in that moment, just watching everybody, it felt really proud because, you know, all of these guys come from MIT and Google and Facebook and Meta, and they can kind of, you know, get a million dollar job, whatever they wanted, but they chose to work here, which, which was very special. And I feel grateful for that. And there's a second moment is, there's also related to people and culture, but like every founder, when they get started, has a specific dream of what culture looks like.
And especially for me as a second, I, you kind of realize, Oh, I screwed up these 10 things. I'm not going to screw them up again. You still make some mistakes, but we have this idea of unimaginable hospitality in our culture. And it has really seeped into the DNA of our employees and our operations.
And that makes me feel super proud because like, I can hear sometimes, you know, I'm off on a call and my sales team and my CS team and my support team is like, Oh, we don't need to figure out how to support this with unreasonable hospitality. And just hearing that just, you know, cheers me up because I was like, okay, finally we, we are all getting it. And this employee is like two months old into the company, but they've gotten that. So I'd say those two things were special.
I really love that unreasonable hospitality. Did you come up with that phrase or? No, I did not. It's borrowed from the world of fine dining.
So there's a particular, there's actually a book by that name called Unreasonable Hospitality. And I highly recommend to you guys, Sasha and Dan, and to anybody to like go and to your listeners to read that book. It's super special, but it comes from the world of fine dining. And there's a general manager, at a restaurant, Eleven Madison Park, which was the world's best restaurant for many years in a row in New York.
And it's really a great culture book at the end of the day, full of stories about how to go above and beyond to deliver magical experiences to your customers. And I think a lot of the ideas that are very applicable to technology and SaaS businesses. So that's where it came from, from, from that. That was the inspiration for me personally.
Did that book set in motion people that you hired? You mentioned the moment you got funding, you brought in 10 people was subset of the people that you brought in focused on the customer success or the experience that customers have with the product and with the team. I think everybody was focused on experience. A lot of the people that work with me, and I have always been a little bit that way.
And when you start a company, you mostly a tech startup, you need engineers. That's the first thing you need. And those were mostly technical folks. And I think one thing I liked or the way I described them back then was I didn't quite have the term of unreasonable hospitality, but product-focused engineers is what, what we said, which is they really cared a whole lot about customer outcomes and then went to design the product.
And so I'm just like going and thinking, thinking above the API layer versus just staying below the API layer. And I think all of them were like that, which was special because I had this very platform oriented way of building, which meant that we had to build the product for 18, 20 months without having to sell it to anybody. And it takes a little bit of leap of faith to kind of put in that much time and energy without seeing the feedback from the outside world just yet. Wow.
18 to 20 months. Wow. I'm sure your first sales call was just spectacular and you showed it off and you got to show off everyone's hard work and the blood, sweat and tears that were just poured into the product. That feedback loop was, was filled with appreciation on the customer side.
Yes. We very much saw that. And I still remember, without sharing names, I'll share an anecdote, which felt special. So this goes back to the questions Sasha asked before about end-to-end lineage and context.
And so in my first deployment, we kind of had the same thing, empty instance. We have everybody on the call from the customer side. First deployment. I mean, you've tested a lot, but as a founder, you're still for the first deployment.
It was like, I hope to God everything goes fine. And, and it did go really, really well. I know that one of the head of ITs of that customer was on the call and they saw a data flow from Zendesk to a system that they did not know. And they were like, boy, that should not be happening.
And this was the person who was very proud that they knew about where the data was flowing. And they were like, oh, I didn't know that. And he jumped off the call because like, I need to get this addressed right now. And of course, like it was a little bit of a scary moment for the customer, but it was like magical for us because like, okay, we provided you that visibility, which you didn't think you had.
So it was, it was, I still remember it clearly in my mind and as to what that first deployment was. What do you think drives the interest in tools and solutions that help to identify the data flows, the lineage and further cement the protection around the data itself? Is it mainly driven by businesses trying to do the right thing? Or is it driven by some of the regulatory changes that we see started in Europe and then slightly started to seep into the U.S. market as well?
Yeah, I think there are definitely a lot of businesses where there is definitely the underlying current of, and we see that with a lot of our customers on doing the right thing is front and center. But yeah, in practical reality doesn't always lead to the actions because like doing the right thing sometimes sounds like, okay, brush your teeth every day, floss every day, don't drink too much alcohol, you know, don't stay up at night.
And like, we know that preaching abstinence doesn't always work. So I think there is the underlying current of doing the right thing. And then the acceleration of really being focused on adopting solutions like us comes from regulatory pressures. Second comes from customer ask.
And you talked about this, Sasha's like, when I have seen many times our customers take screenshots from Reliance and give it to their sales team because they can accelerate a deal they are part of. Because those customers, their customers are asking for visibility and make sure my data is tenant isolated. Like, how can you prove that to me? Well, I got to show you a data flow diagram.
And then the third thing is the acceleration and blessing the adoption of AI quickly in the organization. Because everybody wants to do that. And I have seen a lot of our customers many times be blocked in being able to launch some of the AI initiatives because like, they're not sure if data from EU residents was used and they didn't ever ask for consent. So these things like really kind of get in the way.
I think we're still early on the third dimension, but I think that will probably drive a lot of the adoption cycles, Sasha, because it will be like, well, we got to move fast because CEOs are going to be like, AI everywhere. So like, even in order to move fast, you've got to trust and be detected. So I know that there's a lot of security leaders that are listening to this. And, you know, you've always got that ticket around that's like, oh, we have to draw an updated data flow diagram.
If someone wants to try it out, what's that look like? How easy is it to get started? And for now, it's as simple as you go on our website, book a demo, somebody will get back to you in 10 minutes. We do a little bit of a tech scoping exercise to make sure that we know what systems they want to connect and what the desired outcome is.
But otherwise, it's a small proof of value, which the longest we have done is two weeks. The shortest we have done is one day. And you can basically get a sense for the value you would provide across all these dimensions very, very quickly. But no more than a week of proof of value.
We do tend to scope the systems a little bit. And the reason for that is because we kind of do this end-to-end contextual lineage from multiple perspectives, which is we start all the way from source code to data in motion to data at rest. And then we stitch the lineage without an agent in the picture. So for that way, that's why we need to kind of scope because I can't have John point to a code repo, which is about microservices ABC, while look at logs, metrics, traces of microservice PQR, and then connect to a completely random instance of Snowflake, because it will all work, but it won't show you the full lineage journey.
And so that's where we just need to have that conversation. But it's pretty much a short one week POV. So to get going, it's just a phone call, and then you just need some access to some GitHub repos and maybe some logs, maybe third-party APIs. That sounds nice and easy.
That's the attempt. That's the design. I kind of faced some of these challenges myself at my previous startup, and we didn't really have a good GDPR solution, but we got acquired. So we didn't quite have to solve for it.
But you mentioned Cisco. I was really actually at AppDynamics, which was acquired by Cisco. And AppDynamics, I was one of those engineers who wrote the early kind of the observability stack there. And I think we've kind of managed to piggyback on some of the investments our customers have made in their systems and to kind of offer that quick time to value instead of having to do a lot of configuration and deployment to really get that visibility they're seeking.
Sasha and I, we go to events all the time here in San Francisco. We're recording from the Bay Area. Lots of AI events happening. Someone once asked the question, do you believe that agents will start to replace like humans?
Super curious to hear maybe what your take is on that big picture visionary question. Yeah, I think my personal opinion is I don't think we're anywhere close to agents necessarily replacing human, even with like probably another decade out of progress. And I think my eye kind of mostly is I'm in the tech optimistic camp, which is, yes, we will maybe eliminate some roles or it might replace humans in certain, let's say, good work tasks. But humans are creative enough to always find higher order tasks and productive things too, which is what will actually end up happening.
So I think that we will get more augmentation with AI rather than quote unquote replacement. And who knows, maybe if you remember back in the day, we had telephone operators whose job was to just connect one line to another line and that job went away. Maybe that job comes back again. And right now you're just connecting context between different AI agents to get that because you will always have human in the loop for some relative higher order business outcomes.
And maybe that's what the world looks like. But it's the telephone operator, but a far more sophisticated one that's just nudging and prodding the agents on certain direction. And to be honest, I don't think we're at a point where self-awareness or real creative output has been done with agents yet or even with LLM models. Like, yes, it reasons really well, but it reasons out of what it has learned from the internet instead of first-principles thinking.
So unless there is a new transformer style architecture that evolves on second order thinking, I think we will be just fine. I'm sure we'll be just fine. Like no matter which way the technology goes, it will build it so that it serves us as humanity. Yeah.
It'll be an interesting next couple of years though, for sure. If we look into the future and you see like success, what does success look like for you personally, for Reliance? Give us a hint of what that looks like. Yeah, I love that question.
So, you know, not all of my employees always love me for saying this, but I think in 100-year increments personally, because I want to, yeah, some of them might not be alive, but I want to make sure that, so success for me is the way I look at this in the business we are in, which is I'm very much pro-humanity. I'm very much tech forward, tech optimist. And I want to make sure that we can do far more productive work in society by leveraging all of the advancements in technology. And if we can play a role at the infrastructure and governance layer to have a safe and secure adoption of that, that is the business we are in.
Like we say, yeah, we'll run the world, our agents will help run the world, and we want to make sure everybody can trust and govern them. So if you take that long-term horizon, the way we think about as Reliance becomes one of those infrastructure layer where, you know, just like Stripe is the infrastructure for payments, we become the infrastructure for trust and governance because it's going to be very much needed. And then the second thing for me that I personally care about, apart from having a grand vision, a great business outcome, we are definitely looking to build a generational business in this category, which lasts multiple decades and multiple centuries, even after I'm dead.
And that's how we're laying the foundation, or that's how we're building, that's how we make the investments. And then the third thing that I personally care about in terms of success is, obviously, we are in a for-profit business, so I want us to obviously have a lot of great revenue. I want to build generational wealth for all of our team members at Reliance, but I also deeply care about the experience that we offer. I tell my team all the time that, hey, if Reliance goes public and we make a lot of money for all of you guys, that's success.
But I will personally be still dissatisfied if our customers don't talk about us as like, man, that team really knew how to build great experiences, or that design was great, or that product experience was beautiful. Going back to the polymath point, like I study architecture too, and I can get the time. And I was like, where are all the beautiful buildings we built back in the day? Like, what's wrong with us?
So I care about building beautiful things for the sake of it, and I hope we can do that as part of our success journey. I love that. Let's go back in time just for a moment. We could go back in time.
I'll let you decide how far back in time you'd like to go. But let's go back in time, and you have an opportunity to meet your younger self. Would you meet your younger self? Like, that's the first question.
And then if you would, what would you share? Yeah, I would definitely meet my younger self. And I think I'll probably go back to early teens or 20s, and the only thing I'd say as where I am right now is just to drive harder and take more risks. Take more risks?
Take more risks. Yeah, I grew up fairly poor, growing up in India, and I think when you're kind of in a slightly boxed-in economic situation, there's a lot of permissioning that happens around your life, which is like you always have to get approval for something or permission for something, or your constraints decide what you can or cannot do. And I'll probably go back to my, maybe say, early formative teens and tell myself to just do it and not wait for permission. I love that.
Don't wait for permission. Well, Abhi Sharma, everybody, the CEO and founder of Reliance AI, thank you so much for joining us on this episode of the Security Podcast of Silicon Valley. Been an absolute pleasure. Thank you for having me.
It was lovely chatting with you both, and thanks for the insightful questions. Thank you, Abhi. I'm John McLaughlin. I was joined today with the other host, Sasha Sinkovich.
This has been a Y Security production, and thank you to all of our listeners for tuning in. Thank you. Thank you.