Latest news with #JeremyEpling


Forbes
18 hours ago
Rethinking Compliance In The Age Of Intelligent Agents
Compliance has long been one of the least glamorous aspects of cybersecurity. Necessary, yes—but often repetitive, reactive and resource-draining. That's changing fast. AI is starting to reason over frameworks, detect inconsistencies and make recommendations about what your business should do next. Vanta AI Agent is a clear example of this evolution – aiming to turn governance into a dynamic, data-driven process. But it also raises new questions about transparency, accountability and whether trust itself can—or should—be automated.

I recently spoke with Jeremy Epling, chief product officer at Vanta, about the motivation behind the agent. 'From day one, this whole notion of automated compliance and continuous GRC, continuous control monitoring has been at the heart of our founding mission,' he told me. Epling described the current landscape of compliance as burdened by unstructured files—policy documents, screenshots and spreadsheets—and emphasized that the AI Agent is designed to automate and unify those fragmented processes.

For many companies, compliance has historically been a blocker—something that slows down audits, sales and vendor onboarding. Tony English, CISO at WorkJam, described that pain firsthand for me. 'Before Vanta, our compliance efforts were manual and largely time-consuming,' he said. 'It became a bottleneck for our small security team, slowing down sales cycles and diverting valuable time toward documentation and evidence gathering.'

With the shift to continuous monitoring, platforms like Vanta—and increasingly, their AI agents—promise not only faster audits but smarter ones. English said WorkJam now spends about an hour a week on compliance tasks instead of seven or eight. 'Compliance has moved from a resource-draining task into a function that strengthens our overall security posture.'

The significance here isn't about one vendor. It's about a broader industry trend: compliance moving from episodic to real-time, from reactive to proactive. And AI is the connective tissue making that shift possible.

Of course, the more autonomy we grant AI, the more critical it becomes to know how it works. Is it explaining its reasoning? Is it using up-to-date evidence? Can it cite its sources?

'A major focus for us has been on AI quality,' Epling said. 'We have an internal team of former auditors and GRC experts that go through and run our human eval loop on golden data sets... and we lean into references and explanations. If we give a recommendation, we tell you where it came from.'

That traceability matters. With security reviews and audits becoming more dynamic, AI has to be more than helpful—it has to be right. And when it's not, there must be clear signals and paths for correction. Platforms that support feedback loops, accuracy metrics and user control (such as setting concise vs. verbose answer preferences) are more likely to foster real trust.

Despite impressive gains, AI agents aren't eliminating human expertise—they're redefining it. 'We've seen a huge shift,' English told me. 'Responsibilities are now more transparent, ownership is better distributed and our security and engineering teams operate from a shared view of strong compliance.'

The AI Agent, in this case, isn't replacing the team—it's amplifying it. By detecting policy conflicts, pre-validating evidence and flagging overlooked risks, it frees up human bandwidth to focus on higher-order tasks. And that kind of augmented intelligence might be the most responsible application of AI in compliance today.

But the temptation to over-trust is real. Over time, users will grow comfortable with the AI's outputs—especially if those outputs pass audits and reduce friction. At what point does convenience erode scrutiny? And who's watching the watcher?

Epling acknowledged the concern and said his team is working toward more customer-facing transparency. Ideally, the customer should have visibility of how a solution or AI agent is performing against their success criteria. That kind of transparency keeps vendors accountable too.

WorkJam sees Vanta's AI Agent as the next logical step—automating routine tasks, identifying inconsistencies early and creating space for security to be a proactive business function. That aligns with what many GRC leaders now want: not just to check the box, but to build a culture of trust that's as responsive as the threats it faces.

As AI begins to write, monitor and enforce compliance, it's reshaping more than workflows. It's redefining the relationship between security teams and the systems they manage. The challenge ahead isn't simply deploying more advanced agents—it's making sure those agents remain transparent, accurate and accountable to human judgment. Because trust can be accelerated by automation—but it can't be outsourced entirely.


TechCrunch
02-06-2025
Vanta bug exposed customers' data to other customers
Compliance company Vanta has confirmed that a bug exposed the private data of some of its customers to other Vanta customers. The company told TechCrunch that the data exposure was a result of a product code change and not caused by an intrusion.

Vanta, which helps corporate customers automate their security and compliance processes, said it identified an issue on May 26 and that remediation will complete June 4.

The incident resulted in 'a subset of data from fewer than 20% of our third-party integrations being exposed to other Vanta customers,' according to the statement attributed to Vanta's chief product officer Jeremy Epling. Epling said fewer than 4% of Vanta customers were affected, and have all been notified. Vanta has more than 10,000 customers, according to its website, suggesting the data exposure likely affects hundreds of Vanta customers.

One customer affected by the incident told TechCrunch that Vanta had notified them of the data exposure. The customer said Vanta told them that 'employee account data was erroneously pulled into your Vanta instance, as well as out of your Vanta instance into other customers' instances.' The customer told TechCrunch that Vanta's notice said this type of data 'generally includes' information like employee names, roles, and information about configurations of some tools, such as the use of multi-factor authentication.

When asked by TechCrunch, Vanta spokesperson Erin Cheng would not say what types of customers' data were involved during the incident or comment on whether Vanta employee data was exposed.

Founded in 2018, Vanta has raised more than $350 million to date, including $150 million in its most recent Series C funding round in July 2024.


Times
14-05-2025
AI is rewriting the rules of risk management
With cyber risks and compliance demands increasing, automation is quickly becoming the smartest way for businesses to stay secure, agile and ahead of the curve

Organisations today face unprecedented challenges when it comes to managing risk. More applications, increased cloud migration and the proliferation of software-as-a-service solutions have dramatically expanded the threat landscape. Meanwhile, security teams are struggling with strict regulations, shrinking budgets and talent shortages.

At the same time, chief information and security officers are keen to demonstrate the business value that the security function provides, rather than just being viewed as a cost centre. They want to convey cybersecurity's role in mitigating risk, achieving compliance standards and helping to win new business.

It is against this backdrop that artificial intelligence (AI) presents a double-edged sword, often representing both a significant threat and a powerful solution. Cybercriminals are using AI to create more convincing phishing attempts and generate more complex attack codes. But AI-powered tools are also providing unprecedented capabilities in risk management and compliance.

'We're seeing more vulnerabilities and attack vectors than ever before,' explains Jeremy Epling, chief product officer at Vanta. 'AI is being used by attackers to create new threats, whether through sophisticated phishing attempts or AI-generated attacks.

'But AI also gives us a capability we never had before: dealing with unstructured data. So much of compliance and security revolves around documents and screenshots, and now we have an entirely new way to understand and provide value.'

Vanta's most recent The State of Trust Report reveals a striking insight: 77 per cent of IT decision-makers believe automation can relieve the manual burden of compliance, saving them time and money. Yet only 60 per cent of business leaders agree. This gap likely stems from a fundamental misunderstanding of the manual burden faced by security teams, says Epling.

'It boils down to who feels the pain every day. Business leaders are looking at the numbers and the ROI and driving the business, but they're not living in these tools every day and building a deep appreciation for how many hours get sucked into these reviews,' he explains. 'Governance, risk and compliance has been underserved for a long time in terms of providing a high level of innovation and helping to drive efficiencies.'

Businesses are spending more time than ever before on compliance. In the UK, companies already dedicate 12 working weeks per year to keeping operations compliant. Security teams in particular often dedicate far more time to compliance than to other value-adding activities, such as cyber strategy and threat mitigation.

Here, intelligent automation offers multiple operational benefits. 'AI can help generate secure code, automate remediation processes and provide a single pane of glass for your entire security programme,' Epling says.

For example, AI can automatically respond to complex security questionnaires and analyse vendor documents, identifying risks and providing actionable insights. It can also ensure consistency around security policies, as AI can detect irregularities across multiple policy documents. Automated systems can also immediately identify documentation issues, which can help prevent last-minute audit complications.

'Instead of spending hours manually reviewing documents and copy-pasting responses, AI can take a first pass on these tasks,' says Epling.

Perhaps most importantly, intelligent automation enables security teams to be seen as strategic business enablers rather than cost centres. 'When you achieve compliance standards, you can unlock new markets and win additional business,' Epling says.

He continues: 'Automation helps us clearly show time savings and improvements in efficiency. For example, when teams use Vanta's automated workflows, we can quantify how much faster they're completing tasks compared to before. That makes it easy for security leaders to go back to their management and explain the tool's value.'

But it's not just security teams that benefit from automation tools, he explains; these systems can also help engineering and IT teams to work more efficiently. 'Since they're not in the security trenches every day, giving them focused, actionable remediation guidance, along with context about why it matters, helps them prioritise effectively,' Epling says.

And with Vanta's tools, such as automated questionnaires, customers are constantly providing feedback to help the firm improve its programmes.

'It's a way to turn security from a cost centre into a growth enabler,' says Epling. 'When you can show how your trust posture helps close deals faster or opens new opportunities, it becomes a clear business-value driver. And it bridges the gap between security teams and leadership, so they're finally speaking the same language.'

For organisations considering intelligent automation, Epling offers some practical guidance. The first step is to start small – focus on specific areas such as supplier risk or questionnaire management. Then trial AI tools with existing documents and policies, and make sure the AI solutions provide clear citations and explanations.

Epling also advises organisations to consider comprehensive platforms that offer a holistic view of governance, risk and compliance. 'For startups and small businesses, there are tools designed to help you get your first certification,' says Epling. 'You don't need prior knowledge – the right platform will guide you step by step.'

As cyber threats become more sophisticated and the compliance burdens increase, intelligent automation isn't just a 'nice-to-have' – it's becoming a necessity. Such automation marks a transformative approach to risk management. By embracing AI-powered tools, organisations can not only mitigate risks more effectively but also turn compliance into a strategic business advantage.

'The goal is to spend less time on paperwork and more time on deep, impactful security work that truly protects your organisation,' says Epling.

As cyber threats continue to evolve, the message is clear: intelligent automation isn't just a technological upgrade, it's a critical component of your security strategy.