2026-06-01 –, Room 1
Neoclouds are here whether we planned for them or not - and the security assumptions we carry over from the hyperscalers don't transfer cleanly. The IAM ergonomics and audit trails we'd taken for granted aren't a given. How are secrets stored? If you hand an AI agent an access key, can you scope it to read-only - and can you even tell afterward which actions were the agent's?
These are what Amy Edmondson calls "ambiguous threats": warning signals that don't fit our existing mental models and so get rationalized away by competent people working in good faith and applying reasonable assumptions. That happens not because teams are reckless, but because the mental model required to interpret the platform signals doesn't exist yet, and neither does the mental bandwidth required to build that model from scratch.
This talk isn't about which platforms are safe. It's about a methodology for laying out the facts so a security team can form a clear, opinionated posture - one it can defend internally, and that we can start to standardize as an industry instead of re-deriving for every new provider.
To make that practical, I'll also share an open-source agent skill that runs the same evaluation against any platform's public surface, turning a week-long investigation into a 40-minute pass.
And it's an open invitation to the researchers who already probe AWS for a living: let's point that lens at the neoclouds.
Matthew has worked in and around cloud security engineering since 2017, building security enablement tooling at Capital One, HashiCorp, DivvyCloud, Stacklet, and Rapid7. He is the primary author of two patents in cloud data and analysis systems, and has consulted on projects to make it easier for people to keep their environments well managed. He mostly spends his free time changing diapers and thinking through the opportunities for agentic workflows to scale security research.