Matthew Gladney
Matthew has worked in and around cloud security engineering since 2017, building security enablement tooling at Capital One, HashiCorp, DivvyCloud, Stacklet, and Rapid7. He is the primary author of two patents in cloud data and analysis systems, and has consulted on projects to make it easier for people to keep their environments well managed. He mostly spends his free time changing diapers and thinking through the opportunities for agentic workflows to scale security research.
Session
Neoclouds are here whether we planned for them or not. But the security assumptions we carry from the major players don't transfer cleanly. IAM ergonomics and audit trails that we could once take for granted aren't a sure thing. How are secrets stored, and if you hand an AI agent an access key, can you at least give it read-only access? (can you even tell which actions were the agent's?)
Amy Edmondson calls these "ambiguous threats" - warning signals that don't fit existing mental models and therefore can get rationalized away. Not because teams are negligent, but because the questions to ask and the signals to process are structurally ambiguous and we haven't formed the muscle memory.
The goal of this talk isn't to tell you which platforms are safe. It's to discuss a methodology for laying out facts so security teams can get themselves informed and shape a well formed opinionated security posture that can be communicated internally - and even collectively as an in industry - when the answer is "here's what we're gunna we need."
And, of course, we'll discuss how security agents can help scale these reviews.