VP & Chief Technology Evangelist · Zscaler

Brian Deitch

Where AI meets Zero Trust.

Every enterprise just got a new kind of user. It doesn’t badge in, it doesn’t take lunch, and it talks to a thousand systems a second. Securing it isn’t a new problem. It’s the oldest problem in the book, moving at a new speed.

ZTEUSERSBRANCHDATA CENTER3RD PARTYINTERNETSAASENTERPRISE AICLOUD
The Zero Trust Exchange secures Entity A to Entity B based on Identity + Policy + Intent + Data · click for the next board

The Moment We’re In

AI didn’t sneak into the enterprise. It kicked the door in.

Prompts are flowing from browsers, desktop apps, IDEs, and APIs. Agents are spinning up in AWS, Azure, and GCP faster than any spreadsheet can track them. MCP, the protocol agents use to talk to tools, is becoming a first-class traffic type on your network whether you’ve heard of it or not.

Here’s the part most vendors won’t say out loud: you cannot govern a prompt after the fact. A DLP alert that fires an hour after your source code left in a chat window isn’t protection. It’s documentation. AI security has to happen inline, in the moment, in the traffic path. And that’s where this story gets interesting.

The Zero Trust Dividend

Why the traffic path wins.

For most of the industry, “AI security” means standing up new infrastructure and praying users route through it. But if you’re already inline, already terminating and inspecting encrypted traffic for the world’s largest enterprises, AI security isn’t a new deployment. It’s a policy update. The hard part was built years ago: being in the path, at cloud scale, with decryption. Now every new AI channel just… lands on it.

Lightboard diagram: every AI channel (browser, endpoint, SaaS, APIs, private apps, and agents) landing on the same zero trust exchange

The browser

Where most prompts are born. Extension, enterprise browser, or cloud browser: one policy across all three.

The endpoint

Where local AI tools and rogue extensions live.

SaaS and APIs

Including native compliance hooks into ChatGPT and Claude.

Private apps and workloads

Because internal AI is still AI.

The agents themselves

Discovered and assessed across every cloud. Shadow AI doesn’t hide from you when every road runs through the same exchange.

The Lightboard Moment

Agents are just identities.

An AI agent is a new kind of identity that needs least-privilege, brokered access to specific resources. Read that sentence again. It’s the zero trust model, word for word.

Brokering agent-to-agent and agent-to-tool traffic isn’t a new architecture. It’s the same pattern that’s connected users to apps for a decade, extended to a new species of user. Register the agent. Scope its permissions. Broker every connection. Log every transaction. If it misbehaves, cut it off mid-conversation. Vendors coming from firewalls or endpoints have to invent that model. Zero trust just extends it.

On the Field

Visibility shows the activity. Intent explains the purpose. Enforcement protects the outcome.

Anyone can inventory 2,900 AI apps. Counting is easy. The hard part is catching a risky intent across a multi-turn conversation and stopping it beforethe data lands, without breaking the workflow of someone doing legitimate work. That’s the line that separates AI security products from AI security dashboards. One watches the game. The other is on the field.

Lightboard diagram contrasting visibility (a dashboard watching traffic) with enforcement (inline policy stopping risky data before it lands)

Feature

Want this drawn out in marker?

No slides. No hand-waving. Just glass, a marker, and someone who actually knows what he’s talking about.

Index

What Brian talks about.

Agentic AI Governance

MCP, API, and toolchain security for the agent era.

AI Data Security

DSPM, asset discovery, and secure access to AI apps.

MCP & Agent Traffic

A first-class traffic type on your network, whether you’ve heard of it or not.

Zero Trust Architecture

Not a product. The architecture AI happened to land on.

SSE / SASE

Where the network ends and the platform begins.

SSL/TLS Inspection

You can’t secure what you can’t see.

Identity & Access

The new perimeter is a person. Or an agent.

Threat Intelligence

Honest assessments. Not vendor decks.

On Repeat

Things Brian says a lot.

01

AI security has to be inline, not adjacent.

If the control point is off to the side, it’s a dashboard. If it sits in the path of users, apps, data, APIs, agents, and models, it’s enforcement.

02

Agentic AI turns Zero Trust into a business requirement.

Agents aren’t chatbots. They act at machine speed, so every agent needs identity, least privilege, policy, inspection, and blast-radius reduction.

03

You cannot secure AI you cannot inventory.

Shadow AI is embedded SaaS AI, MCP servers, agents, models, and RAG pipelines. Maturity starts with discovery: what exists, who uses it, what data it touches.

04

Prompt injection is not a bug. It is a design reality.

It’s not SQL injection in a hoodie. LLMs blur instructions and data. Assume manipulation and layer the defense: isolation, inspection, tool restrictions, output validation, least privilege.

05

The real risk is excessive agency.

The nightmare isn’t a weird chatbot answer. It’s an agent with access to email, Salesforce, GitHub, and production data making bad decisions very quickly.

06

Data security is AI security.

Every AI conversation is a data movement event. Prompts, uploads, embeddings, and outputs all need DLP, classification, masking, and monitoring.

07

Red teaming AI cannot be a one-time launch checklist.

Models, prompts, tools, and permissions change constantly. Red teaming has to be continuous, automated, and mapped to real attack paths.

08

AI governance needs runtime enforcement, not just policy PDFs.

Boards love policy. Attackers love it too. Policy doesn’t block anything. Define allowed models, apps, and permissions, then enforce at runtime.

09

The AI supply chain matters.

Models, datasets, vector databases, plugins, MCP servers, frameworks: any one can become the attack path. Treat the pipeline like supply chain + data + identity + runtime security.

10

The winning architecture is Zero Trust for humans and non-humans.

The enterprise is about to have two workforces: humans and agents. Both need identity. Both need least privilege. Both need data controls, monitoring, and segmentation. And neither should be trusted just because it’s inside the environment.

0+

Years in security

0s

Talks delivered

0+

Podcast episodes hosted

Takes on the industry

Brian Deitch portrait

Profile

AI didn’t change the mission.

“AI raised the stakes and shortened the clock. The winners won’t be the ones who bought another dashboard. They’ll be the ones whose architecture was already standing where AI happened to land.”

At Zscaler, Brian helps organizations secure AI the way they should have secured everything else: Zero Trust as the architecture, not the buzzword. The conversation starts with honest assessments, not vendor decks.

CAREER ARC  AAL → APOL → WFC → BAC → FFIV → ZS

Field Dispatches

Latest writing.

Social Engineering

Social Engineering Does Not Need to Be Sophisticated. It Needs to Be Interesting.

Zero Trust

Zscaler Expands Zero Trust SASE with AI Agent Tools

Zero Trust

Zscaler Expands Zero-Trust SASE Platform with AI-Driven Management

Book

Need a speaker who actually knows?

AI security, Zero Trust, and agentic architecture, explained without putting the room into a medically induced coma.