73. How Free AI Tools Become Expensive Mistakes (with Michael Moore, VP & Head of Legal at Glean)

Hello, everyone, and welcome to another episode of the Security Podcast of Silicon Valley. I'm one of the hosts, John McLaughlin. I'm joined with our other host, Sasha Sienkiewicz. And today we have the great honor of a very special guest who's actually been on the show before, I might add, Michael Moore, who is the head of legal over at Glean.
Welcome to the show. Thank you, John. And thank you, Sasha. It's a pleasure to be here and speaking with you both again.
The last time you were on the show, where were you? Where were you working? At the time when we spoke, I was chief privacy officer over at Lacework, a cybersecurity company. Now I'm VP and head of legal at Glean, an enterprise search and agentic AI company.
Michael, you mentioned you started as an engineer. You had or you have technical background. Yes. At what point in time did you start thinking about tapping into the legal side of business ventures?
That's a great question, Sasha. So from my own just personal journey, I would say as an engineer, I was very involved in building and developing new products. I've always been a builder in whatever area I've worked in, be it technology or law. And as I was building products as an engineer, I spent a lot of time thinking about, well, how do we protect the products?
How do we protect the code via copyright? How do we protect engineering designs via patents? How do we protect our marketing and brands via trademarks and so on? And that actually really brought up an interest in me in how do I blend the creativity of engineering with the protection of that creativity through legal?
And that set me down a path where I'm mixing engineering, technological, legal, security, and privacy aspects together. So it's a very interesting intellectual blend of technologies that are in many ways related. They're all facets of the same problem we're trying to solve. So whether you are a coder writing software, whether you are an engineer building chips or mechanical designs or something else, whether you are a creator creating copyrighted works of art or otherwise, all of these are different aspects of human creativity.
Same with musicians also, another aspect of creativity. And the creativity involved needs to be protected and rewarded. So from that aspect, I find it very interesting to be able to support creators, be they engineers or musicians or architects or artists, to help expand the market for their creativity and protect their creativity. It puts you in a very interesting position because you can speak both legal and engineering languages.
Do you find that skill to be very useful when you are able to speak the engineering jargon and the legal jargon depending on the teams that you are engaged with? That's a very good question, Sasha. I think each of these disciplines develops its own jargon. So, for example, lawyers are well known for speaking legalese.
Engineers also have their own set of jargon, which gets a technical jargon, which can be off-putting to folks who are not of technical background. One of the things I try to do is bring everybody to a common language that we all understand simply so we can communicate effectively between us. And I think one of the keys to being a good tech lawyer is being able to understand the tech and the business and the market and the concerns of users and any concerns of vendors, suppliers, and bring them all to a common platform we can all understand and communicate. Good communication and clarity really helps unblock many of the issues that slow down deals.
Exactly. Communication is the key, whether it's life, business, work, communication is the key. And having that ability to speak to both parties that are very important is extremely useful and unique. I think another aspect that is very true also, which is related, is I've been both on the buy side and the sell side of enterprise software.
I've done a lot of buy side procurement work, vendor work. I've done a lot of enterprise sales side also. And when you understand the concerns of the buyer and their interest in protecting the privacy and security of their data, their interest in protecting the confidentiality of their business, you really do develop an understanding as to why that matters to them. So when you're selling a product to an enterprise, you need to be able to put yourself clearly in the buyer's shoes and understand what is important to the buyer.
How can I make my product better for the buyer? How can I make my deal and transaction process better for the buyer? How do I reduce friction wherever possible and get to a point where it's easy and clean and smooth for us all to transact together? Just unblocking the process.
I'm super curious. Why did you choose Glean when you were looking for your next adventure? That's a great question. For a number of reasons.
One of them is I knew some of the team members over here who are just awesome. They're folks I've worked with previously at a prior company and people I just really enjoyed working with and found to be incredibly creative and talented. So when you know really good people are at a company, it makes it more appealing to go and join that company. I also picked Glean because the platform is awesome.
I've personally used it. The utility in terms of productivity improvements and enablement for the user are just outstanding. The product market fit is spot on. And the key thing is it puts AI in the hands of employees.
I've seen other companies in the past where AI was sort of this sacred thing and guarded by a very limited number of people who wanted to keep control on it. It was almost like this was the new special toy and some companies didn't want regular users, regular staff to have access to this toy. In Glean, we have a very different approach. Our approach is to make the tool available to all the users and just make the jobs of everyday users so much more fun, productive, and enjoyable.
Prior to being at Glean, I spent some time at a very large multinational company. Very good company, huge in terms of scope and number of employees. But it was very, very siloed. And trying to find anything was almost impossible.
And in particular, when you have hard separations between subsidiaries or between departments, the sort of resulting lack of information sharing made just the task of doing your daily job difficult and overly complicated. When you're spending 20 or 30 percent of your time just trying to find the information you need to do your job, that tends to reduce productivity. And also, for many employees, it tends to reduce their engagement or motivation. If they have to do sort of drudge work just to find the basic information they need to do the job and be productive, that is a demotivator.
It's been quite some time that you joined Glean. What's been the proudest day so far? We recently held Glean Go, which is our first-ever user conference, which was a huge success. It was up in San Francisco about a week or so ago.
A huge success, sellout. We had some amazing speakers, a huge number of participants, both customers and prospects and partners. I will say our marketing team is just awesome. I worked very closely with them on the event content, on the PR and planning, and the whole thing ran like clockwork.
So I was very closely engaged with the marketing team in terms of how do we prep for this, how do we get the content ready, how do we organize and run the event. And I also worked very closely with all the engineers to protect the fantastic innovations they launched at the Glean Go event. John, you may know me as having done a lot of patent work and IP-related work in the past, which I still continue to do. We had a huge payload of innovation.
I worked very closely with all of the engineers to protect that ahead of launch. And it was personally very rewarding to me to see engineers, both seasoned and also early career engineers, get recognition for their amazing innovation through filing patents and other means to protect the IP. So it's a way of acknowledging and recognizing the very hard work that they've done to bring such an amazing product to market in quick time and help protect their innovation. What is your opinion from the AI vendor point of view?
Is there a minimum bar that every AI product should be hidden or should have in order to go through that procurement process quite easily? Any AI product that we are selling, I look at it from the perspective of if I were the buyer, what would I be asking for? What kind of solutions would I expect? What kind of communication would I expect?
So personally, I expect very strong controller permissions around the user or customer data put into the AI tool. The key thing is protecting the personal information of data subjects, of individuals, protecting confidential information, protecting trade secret information. I would also expect very clear guardrails against training using that user's data without their knowledge or consent. There's a lot of cheap or free AI tools out there in the market.
And whenever the tool is free, that is, whenever there's no dollar cost, your data and your personal information is usually the payment because nothing is really free. And I think that is particularly true on the consumer side of AI where often the consumer's personal information, their habits, their preferences, even their appearance, or sometimes their thoughts and emotions, depending on what they put into the tool, are used to train the product. That's something I personally dislike. I'm a parent of children.
As a parent, I think that's a scary concept when the data of the individual users is being used to train the product. And I think we need to educate users, particularly younger users, to protect their personal information, protect their online activities, and avoid that being used as training material without their knowledge or consent. And that's in the consumer space. But I know some businesses are trying to use consumer-grade tools for business applications.
And that's something I think is not a wise approach, particularly speaking from the point of view of intellectual property protection and privacy but confidentiality protection. If you're using enterprise data, you should be using enterprise tools. And there have been many stories out there about what has happened when business employees have used consumer tools. But there was one – there was a scare in the past.
You may remember in 2023, there was a Samsung ChatGPT code leak that was widely publicized. That's an example of where individual employees bypassed company controls to go use consumer tools to put their company confidential information in and with resulting negative PR for the company and probably negative consequences for the employees. So one of the things I pushed for Glean is that we provide a secure platform that is intended for business use with all the security and privacy structure and permission controls in place to satisfy the most discerning and security-aware business users.
If we look ahead five years from now, like what do you think will be the most prominent challenge that we face in relation to this new AI space? I'll give you a perspective from the view of legal teams specifically. What I will say is that legal teams will need to learn and embrace AI. And some legal teams out there are hesitant to do so, sometimes in regulated industries, sometimes they're in markets that do not prefer to use the newest tools.
It just really depends on what their background is. But regardless of that, legal teams will need to learn and embrace AI. And in particular, customers of law firms will expect their outside counsel to learn and embrace trusted AI to boost productivity and boost individual user efficiency. And there's a reason for that.
So outside counsel law firms are generally billed by the hour. And those hourly rates are expensive. And they're generally only going up. I've never seen them go down.
So customers, like for example, I, as in-house counsel, would be a customer of outside law firms. So customers will demand that their outside law firms use more efficient tools, similar to those that Glean offers, and make sure that the outside law firms ensure that the billable hours are used as effectively and as efficiently as possible. Any professional services role. So think of any roles that traditionally have been hourly based that involve information or knowledge processing could greatly benefit from a tool that makes access to information easier, that makes the integrity of the information clearer by citing to source documents in every case.
I do think that approach is important, particularly from a legal perspective. Being sure that the content that your system or LLM is creating is grounded in fact and truth, and being able to validate the source document very quickly and easily will help improve confidence and acceptance by users, particularly users who really need to be sure that what they're creating or stating is true. So let's pretend for a moment I'm a CEO of a big company or maybe I'm a founder. I see all of this stuff happening in the AI space.
I know that I need to take advantage of this to stay competitive, to ensure that the people that work in the company are also staying engaged and staying focused on the meaningful tasks that bring them the most joy and the delight. How can I, as a leader in this imaginary space, best support a legal team through those challenges that you were talking about? For CEOs and founders, if you're picking a tool, make sure you're picking a tool that has security and privacy built in from the get-go, has very strong access control and permissions for any LLM content generated that is tied very clearly to the source documents, and that can be validated by a human very easily.
And frankly, it's something that your employees enjoy using. There's lots of tools out there that are kind of clunky and maybe somewhat effective, but if people don't adopt or use them, it doesn't quite get the results you need. I mean, my own perspective, having used the Glean tool, it's very easy to use. The UI is great.
It's slick. It's fast. And I personally found it to be an immense productivity and satisfaction booster. So if you're trying to evangelize AI across your company and trying to be an AI-first company in this market, which seems to be a buzzword or a hot topic, start by making the tool easy to use, easy to enjoy, easy to access, and things that then become a natural part of everybody's daily activity.
Security and compliance teams historically have been working closely with legal teams. How can security and compliance teams support legal teams in this transition into the AI-first company? I do think legal and security should and must partner closely to prevent issues from occurring. That's a combination of technical controls and internal process controls, but also to detect incidents when they occur very quickly and to mitigate those before they can spread, particularly in a ransomware-type scenario.
You want to prevent it from happening, but if it does happen, you want to detect at the instant it happens and mitigate it very, very quickly before it spreads. And sometimes if it does spread, then you need to be able to respond in very tight partnership with the security team when an issue occurs. And I think particularly with some of the regulations in place requiring companies to report security incidents in the U.S.
or in Europe, there needs to be a very, very tight coupling of the security org and the legal org. I mean, you should always have your CISO on speed dial. The CISO should always have their lawyer on speed dial. And just in case something happens, you want to have that very good rapport built up and a very tight connection.
So if the stuff hits the fan, you're ready to go. You know each other. You have a plan. You have a playbook.
And you're ready to roll. If you could meet your younger self, would you? And if you would, would you give yourself any advice? So I'm an introvert by nature.
Many of us who are of technical or engineering backgrounds often are. So I am an introvert by the way I'm built. But when I was earlier in my career, I wasn't as active in networking or getting out and speaking and publishing and just wasn't as comfortable getting in front of people. And at a certain point in my career, I made a decision, look, I've got to do this.
I've got to get out in front of people and speak and be comfortable speaking and putting my voice and opinions out there. And I just made a conscious decision to do so. What I would say and what I often tell early career return is, is start that early. The sooner you can get out and speak and be noticed, publish and be recognized, get a viewpoint out there, sort of build a name for yourself and make connections, the better.
Because in this tech business, I do think your connections are everything. And the business is very much about who you know and how you're perceived by them. So getting out and building that brand reputation early is really important. Being able to network and connect with people regularly is very important too.
Yeah, I often hear people saying that, hey, I'm afraid of making this mistake. And my response is usually, if you don't want to make mistakes, don't do anything. That's the easiest way not to make any mistakes. Yeah, don't get out of bed in the morning.
Exactly. The safest ship is still in the harbor, not going anywhere. That's exactly it. But look, we're all in the business of doing business of pushing tech forward, pushing the world forward.
You have to take risks. I mean, there's some well-known personalities who are well famous for taking risks and driving science and progress forward. And you have to be willing to take some level of risk to do that. And I think it's key that when you're in business, if you want to grow your business rapidly, you have to develop the appropriate gauge or calibration of what risk is appropriate for the stage of company that you're at and what are the things you don't give up on.
So I would say in the business we run, security and privacy is absolutely key. That is a fundamental requirement to the business. You must preserve that at all times. So you have to understand what are the key necessary elements for your business that you absolutely must not compromise on.
And what are other aspects that you're willing to be more flexible on, like pricing or terms or things like that. So there's many different aspects to consider. But ultimately, you must, as a fundamental element, preserve your customer trust, protect your customer data, make sure they can trust you as a provider of services of their company, and make it easy and fun to interact with, both from a contracting perspective but also from an end user perspective. If you can do all of those, you're probably on the right path.
Yeah, this is spot on. Trust is everything. People's relationships are built in trust. Intercompany relationships are built in trust, especially when we talk about business to business or enterprise to enterprise type of relationships.
And user experience is something that often is not considered as the top priority but often should be. It should, absolutely. User experience can make or break a product, make or break a company. So I think you must always build a delightful and engaging experience for your users because if you want them to adopt it and have their teammates adopt it, the tool has got to be something they love using.
You want them to start their day every day in your tool. Thank you for all of the insights and the shares and the authenticity that you've shared with Sasha and myself. It's always a joy to have conversations together. Every time I speak with you both, I learn a lot more, and I find it a great discussion and very enjoyable.
So thank you. It's great having you on the show, Michael. And thank you also to all of our listeners for tuning in to another episode of the Security Podcast of Silicon Valley. I'm John McLaughlin, one of the hosts.
I'm joined with Sasha Sienkiewicz, the other host, and Michael Moore, the head of legal at Glean. Thank you. Thank you.