99. AI Onboarding Is a Security Problem, Not a Feature (with Ged Ossman)

In this episode…

Ged Ossman, founder and CEO of Interf, joins Jon McLachlan to argue that the real bottleneck in enterprise AI is not the technology but onboarding: agents get deployed blindly, and more than 60% of AI implementations never reach meaningful ROI because enterprises are not ready to feed them the data and context they need. Ossman lays out an "agent onboarding protocol" that borrows from operating-system ideas like data contracts and pre-authorized permissions, so a vendor agent must declare in machine-readable form exactly what data and interactions it needs before it ever runs. His pitch to security and compliance leaders: make each vendor's AI risk and dependencies visible up front, run a readiness assessment before deploying capital, and treat AI adoption as a risk problem first and a technology problem second.

Key takeaways:

  • Ged Ossman frames AI onboarding as a security and governance problem, not a product feature: agents are deployed blindly today, and the missing layer is a structured way for vendor agents and enterprise agents to negotiate access safely.

  • The proposed "agent onboarding protocol" borrows from operating-system design, using deterministic data contracts and pre-authorized permissions (like Android app certificates) so an agent declares required data and interactions in advance rather than requesting access ad hoc at runtime.

  • Ossman argues most failed AI deployments are a readiness failure, not a vendor failure: more than 60% of AI implementations see no meaningful ROI, usually because the enterprise's data and context were never in place for the agent to work.

  • He urges enterprises to run a "readiness assessment" (a pre-flight check of data, context dependencies, and risk) before deploying budget, instead of discovering gaps mid-flight after a contract is signed.

  • Ossman is building an open "agent onboarding protocol" and a public registry of vendor dependencies, intended to be donated to the Linux Foundation like Anthropic's Model Context Protocol, so security teams can assess AI risk in machine-readable form before adoption.

  • He warns about developers giving AI coding tools root access in the CLI and getting compromised, and calls for sandboxed environments that make AI experimentation safe rather than blocking it outright.

  • Ossman's guiding formula is that trust equals transparency divided by self-interest, which is why he wants a vendor-risk source whose incentives sit with enterprises rather than with the vendors who pay for placement.

Before we jump in, a quick note of who's behind this podcast. Imagine this, you're about to close this massive deal. You've been grinding for it, you're pumped, and then your customer's legal team decides to make things interesting.

What happens if you get hacked? How do you protect your data? And then your brain just goes blink.

That's the nightmare founders deal with all the time. That's actually what YSecurity solves, the sponsor of today's show. There are 40 plus security engineers who've actually done security at Apple, Uber, Microsoft, Robinhood, Brex, and so many more.

And get this, you don't hire them, you rent them. By the hour, no massive salaries, no expensive consultants, just real experts embedded in your company helping you get SOC 2, ISO, HIPAA, whatever it is that you need to close that big deal. Set a monthly cap, know exactly what you're spending, and close the deal.

io slash startups and book your free strategy call. Your first eight hours are free. Forty engineers, one full working day, totally free.

io slash startups. Hello everyone and welcome to another episode of the Security Podcast of Silicon Valley. I'm your host, Jon McLachlan, and I'm joined today with a very special guest, Ged Ossman, the founder and CEO at Interf.

Welcome to the show. Thanks, John. Glad to be here.

Excited. So you've been at it for two years over there at Interf. I'm super curious, would you like to share with our listeners a little bit about what you do?

Sure. So at Interf today, we are teaching agents to self-onboard in enterprise environments. Today they are like deployed blindly and we kind of have this inefficient AI implementations today between vendors and enterprises.

And our idea was that we see this future where vendors agents will communicate with enterprise agents and they will figure it out better than humans how best to integrate all systems and make it compliant, secure. So instead of like humans figure it out with each other, I see a way where all these things will be automated and driven by agents. So in short, at Interf, we are building this systems infrastructure to make it possible.

Amazing. I love, love automation. I love things that just work when you open the box.

And agents are definitely in that category. I'm super curious, like what inspired your entrepreneurial journey? Well, great question.

I would say I started my first company when I turned 18. So I dropped out from university and started my first company in IT maintenance platform to help IT people solve the problems remotely. I would say I'm an entrepreneur since childhood.

But my latest venture like Interf, I would say I started from, I would define myself as a frustration-led founder. I experienced hyper growth scale, where in my previous venture, we scaled from 100 in place to 300 in just two years. And I saw how departments scale, how department leaders figured out the ways how to scale their functions and support the business.

And I was like, my God, this is so inefficient today. What value can AI unlock in enterprise, specifically in business operations? So for me, that was like a huge, I would say, driver and just frustration from how hard it is to scale operations as you start to have this complexity in place.

In your previous gig, you saw the company grow and you saw it grow quickly and you saw it expanding. And you mentioned from 100 to 300. How short of a time?

It's not like one day. For us, it was like two years. I've been like at my previous company, Copper, I've been the founding team.

So I know like stages from, you know, like zero to one and from one to 10. And I would say that this stage one to 10 is indeed like hard. My expectation was like zero to one is the hardest part.

But actually seeing how many, like what it takes to scale from one to 10 and make it efficient, there is a lot of like skills and expertise needed. Not just like on individual contributor role, but building processes, like functions, establishing and making it work in a different job. And I'm excited about how we can transform it and make it like efficient finally.

We've all been dreaming about that, you know? Yeah, yeah. Yeah, no, you're speaking my language.

I love the automation. I love like using AI to make things that we're already doing just like more efficient. So help us see that vision.

When you think about an AI onboarding process, you mentioned in the beginning, there's enterprise AI, maybe things that had gone or had been built in house. And then there's vendors and vendor AI, vendor agents, maybe. How do you kind of see that working?

Cool. Yeah. So first, I would like rather say on a high level, what I like personally believe the future where we're going from CIO perspective, chief information officers.

Vision. Yeah. I've been working like last decade with asset managers, and I always see like this idea where you have assets under management and you deploy capital and you get ROI.

So it's very straightforward. This idea, like after like scaling company myself, I saw how much values still get locked and it's not even surfaced. Like leaders just don't know how to uncover that value and how to unlock that value.

And for me, it was like visual picture that we have this iceberg. We always see the problems, the initiatives on top, but everything below surface is hidden. And unfortunately, the way how organizations run today are not designed to uncover that value.

It's always coming from top. You see like there is a company goals, like there's more board meetings than there is an executive committee who plan the year. And then like leaders transfer that company goals to the internal teams.

And let's say like if there is a person, someone who see this like execution domain and see the opportunity for improvement and try, for example, use AI to capture that value. There is no real way how this initiative will be executed in enterprise because you need to build this business case. You need to create this presentation, show it to your manager.

And usually if this initiative touch security and compliance and requires developers time, you need to build this business case, pitch it, align stakeholders, other departments. For some reason they like should allocate resources to make this happen. So there is a lot of friction in this process.

And usually when I'm like, let's say working in departments, usually I'm kind of isolated from the company wide picture. Usually I'm responsible for specific parts and I'm not necessarily like, you know, have resources in development to build dashboards or internal tools. So I see a lot of friction in the way how even the value from internal improvements being captured today, it's way inefficient.

It's always like mostly like a zero-sum game, you know, where you have like maximum like five big initiatives and everything else is more like, it's not our priority. We cannot say yes to them because we already committed to execute the first five, which is fair. But I see the world, I call like agentic business operations where AI will be driven like with this self-improving engines that let's say daily runs diagnostics, identify inefficiencies, bottlenecks, ways to improve, ways to create value in this specific domain, bring it, make it visible for executive and executives become more like asset managers.

You see like AI surface the problems, AI build the business case for them, how to improve and achieve the goals. So this is just preview the three build business case, click approve. So there's like a lot of governance like element in this place.

I believe still humans are in charge, but this concept that we're all becoming investors and AI is like surfacing the deals and even execute. So you know, it's not just like AI surface opportunities, but it can be like AI brings like visibility into opportunities, like inter initiatives, executives with one click approve it like a robo-advisory in financial services, like a portfolio management world. And AI just figured out the optimal way how to execute this and AI just install other AI.

So this idea that this systems kind of like with agentic business operations will reimagine how companies work today. For me, it was like great one time opportunity, you know, in a lifetime. So I was like super excited just to go in and yeah, pursue this.

And I think like actually it's even more than this because usually we have this like a siloed data across departments, like in a various system of records. I see like two years ago, there was already clear that once you connect this siloed context into like single picture, I call like digital twin of like business operations, AI can like see the whole business. And this is just not possible for a single individual, like for us as a humans, we are the bottleneck and I see clear way how AI can monitor company-wide operations, measure health and provide this data-driven insights.

All executives were like dreaming for years for decision-making. I see clear way that's possible. And you mentioned something really interesting from a security perspective.

You saw in this future, you see agents identifying business operation opportunities and then as soon as you click the go button, automatically installing other agents to help with the efficiency. And that's a really interesting concept to me because driving all of this, okay, so there's a couple of security pieces here, there's driving all of this, there's the data, there's the context, there's here's how the business today is operating. And when you're responsible for the security of an organization, that data is very precious.

You think of it as like here, this is something that deserves a certain type of reference and you actually build entire security programs around like protecting that data. And so when an agent gets its hands on it, it's a big deal. And now there's another step here too, which is really interesting from a security perspective because it's like, okay, our infrastructure, you click that go button, pulls in an outside agent, installs it into our infrastructure.

And maybe at first glance from a security mind, that sounds a little scary, but I'm sure that you're thinking about these things and that's the whole point, right, of Interf. It's the interface of what's acceptable to pull in and then what's also acceptable of how to use that data. Exactly.

That's very true. And honestly, I'm not like here trying to bring new concepts. I believe like in the engineering world, there is many solutions to address similar problems.

I would say the idea, like the computer scientists and like corporations solve similar problems when they were developing operating systems. If you think about it, there is like, I do think that everyone knows this blue screens of death in Windows operating systems, right? When you install the drivers and suddenly your operating system is like not loading.

You're looking at a blue screen and has like hacks on it. Okay. Exactly.

And the way like some like approaches that I was personally involved like decades ago was the way how processes can interact with each other through shared memory. So this like idea that if we have like one application and another application, they do not communicate with each other in kind of non-deterministic way. People started to realize, well, there is can be like bad intense software that is dangerous.

And in order to create this environment where we will not have this like problems in runtime, what if we like let developers bring a standard for them to specify in a deterministic way what data, what like interactions they expect to do with other application and the way. Yeah. So the protocol, but also data contracts or in Android, like certificates where you define as an app developer, you define all external dependencies that you may request in advance and you get permission to.

And then when your application actually runs in a runtime, it already pre-authorized to execute this to get access to this like shared context to get access to this permissions. And I believe this like deterministic environment is number one, like I wouldn't say the bottleneck, but it's a stage one where we should come to make security and like governance questions even like managing the control way. So our approach is making things deterministic in a form of like rules that define interactions.

This is a protocol we call the agent onboarding protocol that defines the sites, enterprise sites, agent sites, but also define rules, how this sites will communicate with each other in a compliant, like governed way. And also in a runtime exchange, like with this like shared, like deterministic entities that they need to basically self-onboard or onboard effectively. I love it.

I love it. It's almost like a bill of materials, but for your runtime, like here's like a bill of materials is just a list of everything that you have. And it sounds like this agent onboarding protocol would enumerate all of the capabilities and the data that it would be using with those capabilities.

Yeah. The idea is quite straightforward. If like vendor agent need something from enterprise, it should be specified in the machine readable form in a like way where like compliance security teams can quickly assess the risk, can quickly understand their current state of like systems.

Can they even like use that solution or the internal systems are not set up for use the solution in a secure way or even to make it work, I would say. Usually we have this problem with like data quality where the security is not even a concern. It's just like the data is not there to make this like specific agent deployment work and bring RAI for this organization.

So I'm a huge believer that in kind of like straightforward deterministic way to define prerequisites, define requirements. And I think this is what currently the industry is lacking because everyone thinks AI is a magic box. Like, you know, this agent, it's magically do many things.

It can do like whatever. And everyone kind of believe in it. But I'm, I think it should be like this agent can perform certain capabilities.

To do that, it needs like A, B, C from enterprise. And it's hard to enterprise figure it out how to get this in a compliant way. Not like for agent, vendors try to over promise things and just like say, of course it's compliant.

Yeah. I just think like we can do much better in terms of like the infrastructure, even existing approaches we had in software engineering, we can bring it to the business operations world and build this infrastructure for business operations. It's agentic change management, right?

Yeah. And I love that. I love seeing a better future, like it's easier to onboard the important pieces.

It's a machine and it has outputs and it will enhance the business, right? And my bet, honestly, that it's for like historically, it's never been like a technology problem. As I said, in a sort of like operating system, we like already solved this, how processes interact with kernel, with each other.

Shared memory, networks, files. Engineers figure it out. Then for the industry, for like market adoption, for software development, we created this like frameworks, new programming languages that introduce more level of abstraction, but also mitigate a lot of like security concerns that like before it was never addressed.

And still, I believe the core value that AI can bring is this idea for better translating things between teams. And this is very important, I think, in general for organizations, because like they have like security teams, they have engineering teams, and they may not speak the same language. So even to align things internally, let's not even say how like one enterprise can adopt, like let's say a leading AI solution developed by a vendor.

This is always like, I don't know, I think enterprises are behind by a few years, what vendors currently exploring and building. And there is like years of like lack of adoption. But the core problem is not like even like slow adoption.

It was always about like communicating, aligning stakeholders internally of how we can adopt this solution in a way that not introduce new risk. That's why like, I wouldn't think about like security governance, I would like think there is a risk that any new like solution introduced to our organization, like a threat, figured out how internally we're going to address that risk. And that process, this is like, I think, the hardest part.

And the cool thing about AI, it can easily translate same objective to different users, drive like proactively this resolution, dependencies resolutions, I would say. And collecting this, I would say decision traces, now the popular word context graphs, but I personally don't like context graph. For me, it's just like decision traces, like governance model.

But the thing is, once we collect this decision traces, we can give it to agents and they can like suddenly get all this context from different stakeholders in enterprise. And I believe they can like make things like remove friction at scale and making this adoption finally solve the adoption problem, not just because there is a new technology, like that suddenly AI is magic, but just because we can translate things internally in a much scalable way that was never possible before. I'm more like enthusiast of like structural solutions versus like there is a cool technology and like I'm super bullish about technology.

My take is always like, let's be like realistic and like still assess risk first, but yes, let's also keep like optimism in place just to figure it out how we build better systems that all like existing like functions in enterprise operate with the same risk exposure as before and not introduce new level of risk. Or make it less risky. We can make it.

We make it less risky as we move forward. Even less risky. And more, and more efficient.

And I actually believe we are going to that direction. Instead of like saying that AI potentially introduced new level of like, you know, credentials exposure on new levels of risk. I think we like in the five years horizon, we actually make the all infrastructure together with security compliance champions.

We can make this infrastructure for genetic business operations that mitigate risk and drive value creation. So I would say like internally, I'm super optimistic about AI in driving value creation and risk mitigation in enterprise. But I can also agree that there is going to be external threats where like AI agents attack your systems and try to, this is, this is concerning for me.

The external threats. This is happening. Yeah.

It's happening. Right. So yeah.

So, so do red teams and so do adversaries. Everyone is, it's just a tool. You pick it up.

You start using it. Yeah. So this is like still like, I believe, yeah, important area to address this external threat.

But internally, I believe we should solve this things just with the approaches that already there. We don't need to invent them. Everyone should just build proper infrastructure for proper stakeholders with aligned incentives.

And just doing that going to be very impactful for the whole industry. No, I love that. And, and actually like one of the things that, that I oftentimes remind people of is the innovation that's not easy to adopt.

It's not actually innovation. It, you know, it might be a fun hobby. It might be a cool new technology, but it's not innovation because in order, you know, for me, for something to meet that bar of innovation, I really think of it as something that has the potential at least to change the world.

And if something cannot be adopted because it's too hard to integrate or because it doesn't really make sense with who you're trying to sell it to, or it doesn't meet the very rigorous high bar of the security and privacy expectations that large enterprises are going to bring to the table that control the world's like largest companies, it's not going to have a very good shot at changing those companies. And in turn, it won't have a very good shot at changing the world. So, you know, to some extent, at least like some non-zero extent, innovation has to be easy to adopt.

It has to be part of that formula, has to have a way to get in there. It needs a path forward, needs an interface. With AI, I think we finally have this proper adoption where if you're building infrastructure, you can actually make impact within like a short-term horizon if you know the ways how to communicate with security teams, how to communicate with compliance teams, how just to build the proper industry solutions.

If you just do that, I see there is a lot of potential for companies and in general like for entrepreneurs versus, for example, with crypto where there is many ambition companies who build the new infrastructure. But everyone kind of knows that there is still like a market to adopt all this. And we solved this situation where you have the leading infrastructure build that really solves the huge problem.

But people just don't understand what a smart contract is. And you try to hard like educate the market, but it's still like not clear. I believe if you ask someone like, what is a real smart contract, do you use it like everywhere?

People are like, I'm not sure, I'm not sure I need this or I'm not sure what is like the use case for me. And for me, the AI, like enterprise AI, like space, building infrastructure solution for the like addressing industry problem of like vendors, enterprises, this is the different game. And I'm more like bullish on it.

So yeah, definitely. So it's always about like understanding risk first, understanding risk that customers like market face today and figure it out what's the most effective way to solve that risk. And technology here is honestly, is always like second.

It never should be like the first thing. And I still believe same here we have with like enterprise AI, instead of like, I understand like vendors trying to like build all solutions, get attention, so they always like oversell, get this attention. Well, look what's possible today with AI.

But I would prefer we always think kind of like in a different way. We believe AI make this thing possible that can create this like metrics, this area in enterprise to make this possible. This is risk that our solution introduced.

So please, please share it with the industry, make this risk visible for everyone who plan to adopt this vendor solution. Let security teams, compliance teams figured out internally how they prefer to address this risk and make this, I would say mitigating market risk efficient. This is like basically I think the right way of adopting AI.

It's always about risk. Maybe I'm biased, but this is way how I think about basically engineering any solution. It's understanding risk, understanding like and removing it plus understanding business domain and with AI, I think like we have this friction in AI implementations because it's just not visible for the industry what risk is.

You hear about like, I mean, install this cloud bot. Everyone like talk about Twitter now. And then you see in other report, guess what?

Now again, we see the another wave of exposed credentials. Yesterday, I get four emails from like my network with hacks, with malware, with malware. Basically fish fishing for you to like click links and install like.

They were developers who tried cloud bots. I cannot say this for sure, but I see this like kind of things related where like on the one hand we see like this is super cool thing to try. As an engineer, I understand this, but I also understand like I want to create maybe this like engineering sandbox environments that makes experimentation friendly.

So organizations incentivize people to experiment with AI, but in a secure environment, not like you install something in your CLI, give it root access. And then like you hack next day and you didn't think about it. We still lack this tooling for engineers, for enterprises to make this adoption to address key risks that's still there and still not resolved.

We need to do this. We got to fix this. We're building it, right?

You're building it. And I'm so grateful that there are people, incredibly smart people dedicated to thinking through these hard, open problems that we're now facing as a community, as a security community, as a community of developers, of folks in Silicon Valley, just on the cutting edge. If I'm listening to this and I want to step on the gas pedal of all of my AI initiatives and take advantage of all of this, what are my next steps?

Do I reach out to you on LinkedIn for a demo or? Sure. Well, currently we prefer to get more, more hands into real market challenges and understanding what's the risk today the industry is facing.

So it's not about me thinking about like just how to solve certain problems. I still believe things moving so fast. AI is evolving so fast and enterprises had to adjust so fast.

That's just by keeping the same product over and over again and try to sell it. It's not the most efficient way to build this industry infrastructure today. That's why today I'm actually working on open source infrastructure on making open protocol and more partner with enterprises and vendors to see what's their challenges today with AI deployments.

What risk are they facing today? Why do AI implementations get derailed? Is it like today we work with a few design partners on the enterprise side, but as well on the vendor side.

So in other words, you're also looking for vendors. Yeah, I ask the industry. So I never try to sell things.

I try to ask, what are your challenges today? So for enterprises, we see understanding of their readiness. So if you're like today, a CIO or chief data officer of analytics in enterprise, and you figured out like you have this big agent deployment, my advice would be first is to understand, are you ready for this specific agent implementation?

And to do this, there is like activity, I hate to say, but in consulting world called readiness assessment. So you basically, before deploying capital into something, you just do this proactive activity of understanding what it takes for this initiative to succeed, what it takes from us to connect, to provide to vendor for this AI initiative to succeed. Answering, are we ready for this?

And then like connecting with vendor and doing implementation. So how we can help enterprises today is basically before they deploy capital into AI, become like a partner with Interf so we can like do this pre-flight check before and identify all risk and even like a runtime dependencies to make solution work in advance, understanding their readiness first, and then like deploying budget with AI. So my point is like, I would just say to enterprises, to leaders, be more like, do this pre-flight checks first before just blindly going to basically figure it out gaps mid-flight.

It's just when we see, you know, like that, like more than 60% AI implementations just don't get any meaningful ROI. And the problem is who gonna answer what went wrong? Enterprises will never like say like it failed because we were like not ready.

And they will just say, this is like vendors, they over-promised us because in the contract, they said like they bring meaningful ROI within like six months, but there is no ROI. But vendors, I know the other side, I know that this forward deployed engineers I'm speaking with, and they'd sell like, Hey man, we just came to this, like, we get like, we showed up, they didn't have any of the data. We need all this context.

No one knew where it was. Like nothing was there. Like, of course the agent didn't do what it is supposed to do.

We go, we raise tickets, we start like exploring, we start like basically the job of assessing the risk with their compliance and security teams, figured out how to address that risk, educating them, like that this is actually an industry standard. And this risk is okay for you to take. And this is what's happening today.

And for me, the fix, like the structural fix, how to make this thing effective is for enterprises, not hoping vendors will solve all their problem, but first like doing this pre-flight checks, answering, are they ready yet? And today we help answer this questions more like doing services because we don't want to like sell infrastructure, like promises of this agent self-onboarding where the market is obviously now is not ready. We're not there yet.

That's why, uh, with enterprises, So the call for vendors is like vendors, like here, you need to give to our enterprise friends on the, on the other side of these deals, like the tools that they, that they need in order to be ready for all of this innovation. Exactly. And I would say like, what like I'm working on now is just making vendors requirements more visible to the everyone.

So we're building this open registry of vendors dependencies. But in terms of like security folks, I would say we make AI risk for specific solutions in the machine readable form before this implementations even start. So enterprises can assess that risk in a more organized way, not hoping that like forward deployed engineers will come and help figure it out because it's just not effective.

After, after the contract is signed and everything is all done and there's expectations on the table that this ding dong is going to do all this magical stuff. Right. I get that.

Yeah. So we bring in visibility. Very prudent approach.

I bet CIOs just love you. Honestly, I'm here like not trying to invent things. I just take like common sense and ask like, who is our customers?

Like, and I believe our customers should always be enterprises and not vendors because we see this vendor intelligence platform like Gartner, like G2, but over time we see they, their incentives are not directly aligned with enterprises. No, who pays Gartner? Vendors pay Gartner.

Yeah, exactly. They make all their money on vendors. I believe like in this formula where trust is a transparency divided by self-interest.

So if you don't have like a, if you have conflicted incentives, it's just like make the whole, like the whole adoption, like of your like solution kind of in a way that doesn't look right. And maybe self, maybe self-interest could be aligned with the customer's interest. Exactly.

That's why like for us, I take CIOs ideal incentives, what, what their incentives and I just serve them. And for vendors, we are like more working on making their risk, making their dependencies more visible for enterprises. So enterprises can prepare and answer, are they ready before this, did they start even like adopting this vendor?

And I believe that everyone is already doing this, like the right forms and security questionnaires. It's like, I would say stage one, but there is still a lot of requirements that are hidden specifically around context dependencies, meaning that like I have the AI agent that like, for example, do scenario modeling for workplace strategy, for my agent to work, I need like this 10 answers, like 10 context entities we need to connect. And usually today this stuff is hidden and the enterprises start to figure it out how to find that answers only when vendors for redeployed engineers sell it, like during onboarding process.

And I still believe this is like major, a major, like a bottleneck today. And just bringing that visibility in a like machine readable way is the first step, how we can solve this industry problem. So, yeah, I, I, I would say I'm right now working on like making solution, like making protocol open to everyone, to adopt, to vendors, to enterprise, to provide us feedback.

We don't want to like sell solutions. I want to hear what vendors for redeployed engineers experiencing like bottlenecks today and what they want to tell enterprises in advance to make their job easier. I want to hear enterprise leaders tell what on their side, what's their challenges today in AI implementations and build this like protocol that address this, I would say industry bottlenecks.

And then like start after like getting this expertise and after understanding what market really needs, building like enterprise additions with the design partners and expanding towards that. So I would say today we are not like selling. We are actively working together to create.

Yeah. Yeah. So that's what we do today.

What I'm working on. Do you want to, would you like to plug the open source GitHub repo? If I'm interested and I, and I hear all of this and I'm.

I am working right now on releasing the protocol. Notice that, yeah, you know, like model context protocol by Entropic. Now it's like the most popular.

I noticed that the trend that it's published not by Entropic from their repository, but it's actually like independent organization that being donated to Linux foundation today. And I believe this is like the standards I'm taking as reference. So if I'm releasing the protocol or industry solution, I already have in mind that it's not like a proprietary protocol, you know, like that we will just figure it out how to commercialize.

I think about, okay, when we can donate it, when we can donate it to Linux foundation and our job is to make the adoption the fastest way possible. But in the future, I see like we donate this protocol to Linux foundation and build more like enterprise platform that implements this protocol with enterprise features, the partners demand. So kind of that, but yeah, working on a protocol releasing mid February, please.

Please. Yeah, happy to share with the community and get security feedback. Does it address security concerns today?

Maybe some areas we need to add so vendors can identify security risk in the specific sections so security leaders can quickly identify. So yeah, it's designed to be open source and driven by community. Amazing.

I love it. And I thank you so much for latching onto and thinking through a very incredibly difficult, challenging problem space. You know, I hear stories like this and it gives me great hope for the future that we can build a more secure and easier to adopt future for all of the great innovation that's coming out of this new, exciting, maybe a little bit scary, agentic space.

So yeah, all the gratitude in the world. Thanks for having me. And yeah, I would say overall we are making enterprise, building enterprise solutions great again.

I think this is the best time. And I actually believe that developers should be excited about building solutions for enterprise. There is so much value.

Enterprises with AI can unlock so much value and exciting things coming. And I hope we build proper systems to like solve adoption in the short term. But super excited about this.

Many of the CIOs feel like the adoption is coming, whether or not we know what's underneath the hood. And so we might as well adopt a standard, get on top of this, understand the risks at the same time that our organizations are pushing us to adopt all of this stuff. I know like directives and board initiatives are not the sort of thing that we can dodge as leaders.

We have to execute. And so we want to execute efficiently, but we also need to execute like in a way that's responsible for the business. And so like all the gratitude in the world, again, Ged Ossman, the founder and CEO of Interf.

Thank you. Thank you. I'm looking forward to seeing all of it released and be part of the solution, not the problem, and thank you to all of our listeners for tuning into another episode of the Security Podcast of Silicon Valley, Jon McLachlan, your host.

And this is a YSecurity production. One last thing before you go, think about who you were 20 minutes ago. Maybe security has been that thing that's on your roadmap, that thing that you'll get to right after the next sprint, the thing that you'll get to after the raise or after something, but here's the truth, SOC2 and ISO, these things are not just checkbox, they're keys.

It unlocks enterprise deals. It opens up regulated industries. It's the difference between selling to a 10-person startup and closing Fortune 500s.

That's where YSecurity comes in. We don't just advise, we build. SOC2, ISO, done right the first time, 40-plus engineers from Apple, Uber, Microsoft, Robinhood, Brex, this is not guesswork for us.

This is all we do. And maybe you're not the one who needs this, but you know a founder who does. The one trying to break into bigger markets.

The one doing the zero-to-one thing. Send them our way. We have an awesome referral program.

We pay for introductions that turn into partnerships. io slash startups. The first eight hours are free.

40 engineers, one full working day entirely on us. YSecurity has your back. See you in the next episode.

This episode covered SOC 2.

YSecurity helps teams get audit-ready without slowing the roadmap, from first scoping call to clean opinion.

Talk to YSecurity