How 1Password CIO Jacob DePriest thinks about approving internal AI tools

You gotta be quicker than that—especially when it comes to evaluating and approving new internal AI tools.

The times are a-changing for cybersecurity professionals, according to 1Password CIO and CISO Jacob DePriest. Cybersecurity professionals have always been tasked with balancing speed and risk, he said. But now AI is increasing the risk of not being fast enough.

“Threat actors are using AI to do automated attacks,” DePriest said during an interview at RSAC. “If we as security professionals don’t adopt and integrate that into our capabilities to defend, then we’re starting to get out of balance with the threat actors.”

It’s a valid assessment of the industry’s current state, according to Akshay Bhargava, VP of product management for AI software and platform at Cisco. For the first time, he said, the risk of not adopting a piece of technology is higher than the risks associated with the technology itself.

“If you don’t adopt AI, you run the risk of falling behind, competitively, in terms of your potential, in terms of your learning curve, and on so many dimensions,” Bhargava said.

Fast lane. DePriest is one of the many security professionals currently figuring out the best approach to AI governance that will also enable his employees. While 1Password has a large variety of AI tools available due to the partnerships it builds with vendors, DePriest is in the process of setting up a new, expedited review process for tools the company would like to add to its collection.

“What we’re putting in place is the ability for a team to come in and say, ‘Hey, I think this might work for us. Can we try it?’ and then us being able to approve on a limited-basis some experiments, so they can go try it really quickly before we kick off a full security, legal, privacy review,” DePriest said.

A new generation of builders. AI is also enabling all employees to become citizen developers, or builders without a coding background, within their companies, said Bhargava.

“If you use things like OpenClaw or some of these other capabilities, even in your personal life, it’s very easy to be a builder,” Bhargava said. “I have an 11-year-old, and he’s a builder, too. It’s not just employees.”

Because of this, training and “enablement” has become another large focus for DePriest. 1Password employees who want to be AI builders are required to go through an onboarding process to better understand the tools and appropriate security protocols. New builders, he said, likewise go through a period when they can experiment with internally built agents before they actually build their own.

“We talk about the risks. We talk about how to do it, we talk about access,” DePriest said, adding that technical controls around internally built agents is another critical area for the company. For example, an employee who wants an agent to read their Google Calendar every day and summarizes action items might only need to grant it “read-only” permission settings.

“Let’s scope down the access to something reasonable,” DePriest said. “And if somebody needs to elevate that access, it’s clear what’s happening, why it’s happening, and we walk them through that.”

The fast life. IT pros entering the fast lane of AI reviews and approvals should know that having an AI policy is not enough, according to Matias Madou, CTO and co-founder of Secure Code Warrior. He said IT pros also need to make sure they have guardrails in place to keep shadow AI at bay.

“If you’re going to approve things fast, make sure that there’s a mechanism in place that monitors what [builders are] really using,” Madou said.

IT pros and builders should stay on top of AI trends and news to better inform company decisions, DePriest added.

“I spend a few hours a weekend, every weekend, messing around with this stuff, learning, keeping up with it, trying to understand where it’s going,” DePriest said. “Not because I feel like I have to for my job. I want to. It’s important to my career.”