Aakash Gupta

AI Is the Biggest Cyber Threat — Only Okta’s AI Security Playbook can safe you

Jack Hirsch, Head of AI Products at Okta ($15B market cap), reveals the wildest AI cybersecurity threats. He shares why AI agents are the biggest security blindspot, and explains his controversial take on why traditional PM experience is bad founder preparation. Transcript: https://www.news.aakashg.com/p/jack-hirsch-podcast Timestamps: 00:00 Intro 02:02: Wildest AI Cybersecurity Threats 04:27 Moment AI Changed Security 06:32 How AI Agents Change Security Equation 11:14 Most Dangerous AI Threats 14:16 Okta's AI Threat Detection System 18:10 Ads 19:50 Okta's AI Security Playbook Revealed 22:15 T-Shaped Identity Strategy Breakdown 26:42 One Thing Every Company Must Do This Year 31:37 Ads 33:16: How to Handle AI Security Threats 40:09 Building AI-Secure Products at Okta 46:47 Fundamental AI Product Development Principles 01:06:29 Butter.ai Startup Story (2015) 01:19:18 Why Evernote Failed Despite Early Success 01:20:48 Hustling Into PM at Evernote 01:26:51 Personal Identity Protection Guide 1:30:36 Outro Thanks to our sponsors: 1. Amplitude: The market-leader in product analytics: https://amplitude.com/session-replay?utm_campaign=session-replay-launch-2025&utm_source=linkedin&utm_medium=organic-social&utm_content=productgrowthpodcast 2. The AI Evals Course for PMs: Get $1155 off with code ‘ag-evals’: https://maven.com/parlance-labs/evals?promoCode=ag-evlas 3. The AI PM Certificate: The #1 AI PM certificate: https://maven.com/product-faculty/ai-product-management-certification?promoCode=AAKASH550C7 4. Kameleoon: Leading AI experimentation platform: http://www.kameleoon.com/ ---- Key takeaways: 1. Identity is Everything: Over 80% of breaches stem from identity attacks, not device or network vulnerabilities. You cannot get security right without getting identity right - this is the new reality. 2. DPRK Infiltration Operations: North Korean agents are passing full interview processes, getting hired, having laptops shipped to device farms, and operating as inside threats within major organizations. 3. AI Agents = Security Blindspot: Companies deploy AI agents en masse without treating them as identities requiring access management. JP Morgan's CISO called this out as the biggest current threat vector. 4. Help Desk Social Engineering: Attackers use AI voice cloning and deepfakes to impersonate employees calling help desk for password resets, MFA bypasses, and account access - often successfully. 5. Session Security Over Time: Authentication degrades after login. Okta focuses on continuous session monitoring and risk signal sharing between security vendors rather than constant MFA prompts. 6. T-Shaped Identity Strategy: Deep identity security (phishing-resistant auth, lifecycle management, risk sharing) plus broad integration across all enterprise systems - not just SSO and MFA. 7. Cross-App Access Standard: New OAuth standard allows AI agents to inherit user permissions across enterprise apps without individual OAuth dances for thousands of employees. 8. Essential vs Discretionary AI: Essential AI (bot detection, fraud prevention) stays always-on. Discretionary AI (log summaries, access reviews) gives customers opt-out control for compliance. 9. AI Product Principles: Accelerate don't abdicate, solve real problems before prototyping, ignore AI hype cycle. Use AI as thought partner, not replacement for product judgment and domain expertise. 10. Personal Security Stack: Lock credit reports immediately, use password manager with unique passwords, enable passkeys everywhere, lock phone number with carrier PIN to prevent SIM swapping attacks. ---- Where to find Jack: LinkedIn: https://www.linkedin.com/in/jackhirsch/ Okta: https://www.okta.com Where to find Aakash: Twitter: twitter.com/aakashg0 LinkedIn: linkedin.com/in/aagupta/ Newsletter: news.aakashg.com #cybersecurity #ai #productmanagement About Product Growth: The world's largest podcast focused solely on product + growth, with over 187K listeners. Hosted by Aakash Gupta, who spent 16 years in PM, rising to VP of product, this 2x/week show covers product and growth topics in depth. Subscribe and turn on notifications to get more videos like this.

AGAakash GuptahostJHJack Hirschguest

Sep 22, 2025·1h 31m·Watch on YouTube ↗

📖 CHAPTERS

1. 1

   Why AI is escalating cyberattacks and making identity the #1 target

   Aakash sets the stage with Okta’s vantage point on modern threats and Jack’s core thesis: AI is accelerating attacks faster than most teams realize. The discussion quickly reframes security around identity as the dominant breach vector, surpassing devices and networks.

2. 2

   Wild AI-enabled intrusions: DPRK fake workers and helpdesk social engineering

   Jack shares some of the most alarming real-world attack patterns: North Korean (DPRK) operatives infiltrating companies by passing interviews and receiving corporate devices, plus sophisticated helpdesk/MFA reset scams. AI-driven voice/video impersonation makes these schemes far more convincing and scalable.

3. 3

   The moment AI changed security: “vibe-coded” phishing that looks real

   Jack describes a turning point when he used a vibe-coding tool and Okta SDKs to quickly build a convincing phishing kit. The ease of replicating legitimate UX and flows reveals how AI reduces attacker sophistication requirements while increasing attack quality.

4. 4

   Why traditional defense-in-depth is failing without identity-first security

   They explain why legacy security approaches struggle against AI-accelerated threats. Identity can’t be treated as a secondary IT concern; it must be the “first and last frontier” for preventing modern breaches and limiting blast radius.

5. 5

   AI agents as unmanaged identities: the new risk inside the enterprise

   Jack argues the most immediate danger isn’t only external attackers—it’s the uncontrolled deployment of AI agents within companies. Businesses roll out agents quickly, often granting broad access with little visibility, governance, or lifecycle management.

6. 6

   Underrated AI threats: LLMs can “slurp” APIs and find cross-silo vulnerabilities

   The conversation shifts to lesser-discussed threats: as context windows grow, LLMs can ingest large API surfaces and discover exploit paths across siloed teams. This makes vulnerability discovery and chaining dramatically easier even for less-skilled attackers.

7. 7

   Deepfakes and synthetic identity fraud: social engineering gets supercharged

   Jack highlights deepfakes as particularly dangerous because they exploit human trust directly. He shares a story of voice-cloning used to impersonate a family member and generalizes it to executive/helpdesk compromise inside enterprises.

8. 8

   Okta’s evolving threat detection: from bots/MFA bombing to “assume compromise”

   Jack outlines Okta’s two-layer approach: continuous bot/fraud defenses in auth flows and a newer mindset that credentials/tokens are already leaked. The goal shifts to maintaining session security over time without exhausting users with repeated MFA prompts.

9. 9

   Continuous session security via shared risk signals across the security ecosystem

   Okta’s approach relies on ecosystem signals and standards so vendors can share risk data (device/network/identity). This enables continuous re-verification and automated remediation (step-up auth, access restriction, session revocation) while keeping UX smooth.

10. 10

    Okta’s AI Security Playbook: governing agent access with Cross-App Access (OAuth/OpenID)

    Jack reveals Okta’s direction for enterprise AI enablement: a standard-based way for AI agents to request access via the identity provider. This replaces “OAuth dances” per app/user with centralized visibility, granular policy, and lifecycle management for agents.

11. 11

    T-shaped identity strategy: secure before auth, during auth, and throughout sessions

    Jack explains the “T-shaped” framework: breadth across the full identity lifecycle plus depth in integrations and controls. This spans pre-auth access governance, phishing-resistant authentication, and post-auth session maintenance with risk-driven response.

12. 12

    The one thing every company must do: get identity right (and stop chasing a single silver bullet)

    Jack’s universal advice: companies can’t “AI-proof” security without first fixing identity fundamentals. He warns against believing one platform will solve everything, advocating defense-in-depth with identity as the anchor.

13. 13

    A practical playbook for teams without security specialists (startups included)

    For smaller teams, Jack recommends starting with identity controls because startups lack VPN boundaries and device management. As contractors, partners, and tools proliferate, identity becomes the only scalable way to ensure least-privilege access and visibility.

14. 14

    Building AI-secure products: enterprise-ready standards and safer agent integration

    They pivot from securing companies to building secure B2B SaaS products. Jack emphasizes “enterprise-ready” basics (SSO, provisioning) and argues that agent access should be mediated by standards like Cross-App Access rather than ad-hoc OAuth sprawl.

15. 15

    Okta’s AI product development principles: accelerate, don’t abdicate; stay problem-first; resist hype

    Jack shares how Okta builds with AI while maintaining product rigor. He warns that AI-generated specs can hallucinate and cause costly strategic errors, and he argues for writing/context, disciplined problem definition, and careful selection of deterministic vs non-deterministic systems.

16. 16

    Founder lessons and career arc: Butter.ai, Evernote’s decline, and the hustle into PM

    The closing sections broaden into Jack’s background—building Butter.ai pre-LLM, lessons about timing and enterprise search difficulty, and reflections on Evernote’s challenges. He also tells the story of creatively breaking into product management and shares advice on when (and why) to found a company.

17. 17

    Personal identity protection checklist: freeze credit, use passkeys, lock your SIM

    Jack ends with concrete steps individuals can take to protect themselves when identity is compromised. He distinguishes physical identity fraud from digital account takeover and gives a short, high-leverage checklist.