VP & Chief Technology Evangelist · Zscaler
Brian Deitch
Where AI meets Zero Trust.
Every enterprise just got a new kind of user. It doesn’t badge in, it doesn’t take lunch, and it talks to a thousand systems a second. Securing it isn’t a new problem. It’s the oldest problem in the book, moving at a new speed.
The Moment We’re In
AI didn’t sneak into the enterprise. It kicked the door in.
Prompts are flowing from browsers, desktop apps, IDEs, and APIs. Agents are spinning up in AWS, Azure, and GCP faster than any spreadsheet can track them. MCP, the protocol agents use to talk to tools, is becoming a first-class traffic type on your network whether you’ve heard of it or not.
Here’s the part most vendors won’t say out loud: you cannot govern a prompt after the fact. A DLP alert that fires an hour after your source code left in a chat window isn’t protection. It’s documentation. AI security has to happen inline, in the moment, in the traffic path. And that’s where this story gets interesting.
The Zero Trust Dividend
Why the traffic path wins.
For most of the industry, “AI security” means standing up new infrastructure and praying users route through it. But if you’re already inline, already terminating and inspecting encrypted traffic for the world’s largest enterprises, AI security isn’t a new deployment. It’s a policy update. The hard part was built years ago: being in the path, at cloud scale, with decryption. Now every new AI channel just… lands on it.
The browser
Where most prompts are born. Extension, enterprise browser, or cloud browser: one policy across all three.
The endpoint
Where local AI tools and rogue extensions live.
SaaS and APIs
Including native compliance hooks into ChatGPT and Claude.
Private apps and workloads
Because internal AI is still AI.
The agents themselves
Discovered and assessed across every cloud. Shadow AI doesn’t hide from you when every road runs through the same exchange.
The Lightboard Moment
Agents are just identities.
An AI agent is a new kind of identity that needs least-privilege, brokered access to specific resources. Read that sentence again. It’s the zero trust model, word for word.
Brokering agent-to-agent and agent-to-tool traffic isn’t a new architecture. It’s the same pattern that’s connected users to apps for a decade, extended to a new species of user. Register the agent. Scope its permissions. Broker every connection. Log every transaction. If it misbehaves, cut it off mid-conversation. Vendors coming from firewalls or endpoints have to invent that model. Zero trust just extends it.
On the Field
Visibility shows the activity. Intent explains the purpose. Enforcement protects the outcome.
Anyone can inventory 2,900 AI apps. Counting is easy. The hard part is catching a risky intent across a multi-turn conversation and stopping it beforethe data lands, without breaking the workflow of someone doing legitimate work. That’s the line that separates AI security products from AI security dashboards. One watches the game. The other is on the field.
Feature
Want this drawn out in marker?
No slides. No hand-waving. Just glass, a marker, and someone who actually knows what he’s talking about.
Index
What Brian talks about.
Agentic AI Governance
MCP, API, and toolchain security for the agent era.
AI Data Security
DSPM, asset discovery, and secure access to AI apps.
MCP & Agent Traffic
A first-class traffic type on your network, whether you’ve heard of it or not.
Zero Trust Architecture
Not a product. The architecture AI happened to land on.
SSE / SASE
Where the network ends and the platform begins.
SSL/TLS Inspection
You can’t secure what you can’t see.
Identity & Access
The new perimeter is a person. Or an agent.
Threat Intelligence
Honest assessments. Not vendor decks.
On Repeat
Things Brian says a lot.
“AI security has to be inline, not adjacent.”
If the control point is off to the side, it’s a dashboard. If it sits in the path of users, apps, data, APIs, agents, and models, it’s enforcement.
“Agentic AI turns Zero Trust into a business requirement.”
Agents aren’t chatbots. They act at machine speed, so every agent needs identity, least privilege, policy, inspection, and blast-radius reduction.
“You cannot secure AI you cannot inventory.”
Shadow AI is embedded SaaS AI, MCP servers, agents, models, and RAG pipelines. Maturity starts with discovery: what exists, who uses it, what data it touches.
“Prompt injection is not a bug. It is a design reality.”
It’s not SQL injection in a hoodie. LLMs blur instructions and data. Assume manipulation and layer the defense: isolation, inspection, tool restrictions, output validation, least privilege.
“The real risk is excessive agency.”
The nightmare isn’t a weird chatbot answer. It’s an agent with access to email, Salesforce, GitHub, and production data making bad decisions very quickly.
“Data security is AI security.”
Every AI conversation is a data movement event. Prompts, uploads, embeddings, and outputs all need DLP, classification, masking, and monitoring.
“Red teaming AI cannot be a one-time launch checklist.”
Models, prompts, tools, and permissions change constantly. Red teaming has to be continuous, automated, and mapped to real attack paths.
“AI governance needs runtime enforcement, not just policy PDFs.”
Boards love policy. Attackers love it too. Policy doesn’t block anything. Define allowed models, apps, and permissions, then enforce at runtime.
“The AI supply chain matters.”
Models, datasets, vector databases, plugins, MCP servers, frameworks: any one can become the attack path. Treat the pipeline like supply chain + data + identity + runtime security.
“The winning architecture is Zero Trust for humans and non-humans.”
The enterprise is about to have two workforces: humans and agents. Both need identity. Both need least privilege. Both need data controls, monitoring, and segmentation. And neither should be trusted just because it’s inside the environment.
0+
Years in security
0s
Talks delivered
0+
Podcast episodes hosted
∞
Takes on the industry

Profile
AI didn’t change the mission.
“AI raised the stakes and shortened the clock. The winners won’t be the ones who bought another dashboard. They’ll be the ones whose architecture was already standing where AI happened to land.”
At Zscaler, Brian helps organizations secure AI the way they should have secured everything else: Zero Trust as the architecture, not the buzzword. The conversation starts with honest assessments, not vendor decks.
CAREER ARC AAL → APOL → WFC → BAC → FFIV → ZS
Book
Need a speaker who actually knows?
AI security, Zero Trust, and agentic architecture, explained without putting the room into a medically induced coma.