AI security isn't just complex — it's fragile in a specific, definable way. In this episode, I sit down with Ron Bennatan, VP of Strategy, AI and Database Security at Varonis and founder of Guardium, JSonar, and AllTrue.ai, to unpack why.
We cover the exponential pace of change breaking existing security models, why AI agents are becoming the dominant enterprise access pattern, why least privilege doesn't cleanly translate to autonomous systems, and why detective controls built for humans lose their teeth when the principal has no accountability. Ron brings 30 years of data security experience to one of the most important conversations in the industry right now.
Interested in sponsoring an issue of Resilient Cyber?
This includes reaching over 31,000 subscribers, ranging from Developers, Engineers, Architects, CISO’s/Security Leaders and Business Executives
Reach out below!
Ron’s background: 30 years in data security, founder of Guardium (IBM), JSonar (Imperva), and AllTrue.ai (Varonis), with a consistent focus on data as the core security problem across every chapter of his career
Why Varonis: Guardium and Varonis historically split the data world into structured vs. unstructured, a divide Ron always believed was artificial — joining Varonis finally unified the thesis he’d held for decades
Why “fragile” fits: AI security is fragile because the models are black boxes most practitioners don’t truly understand, and the pace of change is exponential — what happened in the last three months exceeds the prior 30 years combined
The AllTrue.ai thesis: Most enterprises don’t fail at AI security due to lack of tooling — they fail because of complexity and friction across heterogeneous AI vendors, fragmented lifecycles, and disconnected governance and security functions
Data as the persistent attack surface: Regardless of how the stack above it changes, the data layer is the most durable signal in enterprise security — and the one layer that never goes away as AI reshapes everything above it
Agents as the dominant access pattern: Ron estimates agent-driven data access could reach a 1:100 ratio vs. human-driven access in the near term, making agentic access patterns the only ones that materially matter from a security prioritization standpoint
Intent and chain-of-thought analysis: The real security value comes from combining data-layer visibility with understanding what an agent is actually trying to do — correlating intent with access is something the industry never had to do with human users
Least privilege doesn’t cleanly translate: You can’t apply a deterministic permissioning model to a non-deterministic decision process — guardrails need to be dynamic and context-driven, and “least autonomy” is a more honest frame than “least privilege” for agentic systems
Detective controls are losing effectiveness: Agents have no accountability — no salary, no fear of consequences — so the behavioral deterrence that underpins monitoring-based controls doesn’t apply; combined with machine-speed access, the detect-and-alert model can’t keep up
The shift to prevention and assurance: The industry must move beyond monitoring toward intercepting agent actions before they complete, using intent analysis to hold misaligned actions in a queue — Ron’s destination isn’t just prevention, it’s assurance
