Transcript
It's great to be here today. Today I'm going to dive deeper into one of the biggest architectural shifts that we have in the enterprise, where AI is no longer just the destination. It's actually the digital surface. I'm going to walk you through the four digital surfaces where you're adopting AI in your organization, the risks with each of them, and the security imperatives. First, let's talk about apps and agents. Now, every organization today is building AI for applications to transform their business, to build newer and richer experiences to their end customers. We talk about agents. Agents are now doing actions. They're filling out forms, updating CRMs, executing complex workflows. It's important to sit back and think about, how did this app architecture evolve? Lee talked about applications moving from a three-tier model to microservices. If you think of AI for applications, it's not just taking an application, taking a model, and putting it together. You're bringing an entire infrastructure stack, AI models, tools, plugins, data sets. Each of these components, they talk to each other. But they also talk to the outside world. And as architecture expands, you're seeing newer types of risk that we had not seen before. Prompt injection is an attack, where attackers are making the model deviate from how they're supposed to operate to exfiltrate your data. Supply chain attacks to ensure that models are not vulnerable. That's why last year at RSC, we announced Prisma Airs, the most complete platform for AI applications. It had four key components. We talked about scanning models. Now, if you think about what we do at Palo Alto Networks, we scan about 80 million files daily for threats. We've extended that best-in-class technology to scan models for vulnerabilities. Think about AI red teaming. Our AI red teaming is built on a multi-agent architecture to mimic how an attacker would think. You plan, you build, you attack, you adapt, you readapt. If you think of posture, it's not just the posture of the application. It's network posture, application posture, model, data, all comprehensively done. And as Nikesh said, just not tell you what the risks are, but find a way to fix those right away. And last but not the least, our signature feature on runtime security. Now, it's important to know that if you think of AI applications, it's not just new AI threats. You will protect the application from all the threats that existed in the past and these newer types of threats that we are seeing. Whether it's model DOS attacks, whether it's tool manipulation, whether it's prompt injection, et cetera. Now, let's be able to talk about agents. Look, we're having a lot of agents being, right now, experimented in the enterprise by coding agents here. But there are predictions that talk about a billion plus agents being deployed in the enterprise in the next couple of years. And you think of agent, let's step back and think, how did that architecture evolve? Now, if you look at agent, we had newer components to the architecture. Think about it. Agents, by default, will have memory, short-term memory and long-term memory. Because they need to recall the task quickly, but also personalize it over the long haul for you. Agents are doers. So they're going to have access to a bunch of tools. Now, as the architecture expands, so does the attack surface. You now have newer types of risks. Attackers are looking to poison memory to alter the behavior of the agent. And the tools that they're using, they can be having excessive permissions, or you can do tool manipulation. Now, agents are easy to deploy and develop today, thanks to all these pro-code, low-code, no-code platforms. And when these agents are in production, they're accessing unauthenticated MCP servers. They talk with newer protocols, MCP and A2A. Lee talked about skills and plugins. They invoke skills and tools at scale. So that can get really complicated. If these agents are deployed at scale in the enterprise, your risk will not just multiply. They will mutate. And when you have agent-to-agent communication happening, they uncover new runtime risks that you just don't see on an individual level. Now, we need to have an architecture where we move away from having these ungoverned agents and this agentic traffic, not as a side use case. Nikesh talked about the need for an agent gateway. This needs to be core of how the enterprise thinks about securing agents. And that's why we are announcing today our AI Agent Gateway, centralizing all of the security and control plane traffic. A single place where you can have all the agent registries. A single place we can apply all the runtime policies. We can have identity integrated in all the agentic activities and the workflows, have agent visibility end-to-end, agent governance. And this is also the best place for continuously assessing the risks of agents and their artifacts. So today, we're excited to introduce Prisma AI 3.0. This is the industry's most complete, most comprehensive platform for securing your AI apps and your agents. Now, what we've done is we've extended what we had for AI applications. So when we had model scanning, we've extended that to scan artifacts of agents, MCP servers, tools, to have model scanning and artifact scanning combined. Our red teaming is now extended to red team AI agents, so we can find the vulnerabilities before they're used in production. In terms of posture management, we support about 12 different platforms today, cloud and SaaS platforms, where we have the posture management across all of them. We've extended runtime security. I told you about the attacks, the memory poisoning, the tool overuse, tool hijacking. All those are part of runtime protections. And then we announced today the AI agent gateway, the most critical part of securing your AI agents, a central place where all your agent traffic is going through. The right place for you to apply the runtime controls, but also all the identity controls in terms of identity access and management. It's also a place where you can get complete agent observability on exactly what's going on step by step. So super excited about this. To show you more, let me walk you through a demo. Now, if you think about this, it first starts with discovery. This gives you a view of AI applications, agents, tools, plugins, databases. It's not just an inventory of AI. It's actually how AI is flowing through your system. Let's take a look at agents. So we have 38 agents running in this enterprise. And I see an alert. So let's click more and see what's going on. We big down the agents into enterprise agents, the SaaS agents, agents on your endpoint, agents in the browser. I see a given enterprise agent has an alert. So let's go deeper and see what the problem is. Here, it's giving you the right recommendation. We're seeing that this agent hasn't had scanning done for its artifacts. And it gives you two options. Do you want to do it manually, or do you want to do it a new way using agentic workflow? Let's pick the agentic workflow. Now, as it does the AI artifact scanning, it's going to give you guided recommendations on what it found and what you want to do next. As you can see here, we found that a search API is susceptible to prompt ingestion attacks. So now, Nikesh said, find it, but fix it. So let's run the auto-remediation to fix it. Here, we are going to the source code of the agent artifact, understanding what changes we need to make to that artifact, then making sure it's ready to be integrated for runtime policies and the gateway integration, all done autonomously. Once you finish red teaming, once you finish scanning, your code is secure. And now, you can start red teaming. Now, I mentioned our red teaming is built on a multi-agent architecture. So we have the profiler agent that understands the business context of what the agent is, what's the architecture, then passes that context to the attacker agent. So it can execute all kinds of tests, just like how an attacker would do. Once it does the red teaming, it gives you actionable insights. Let's take a look. Now, in this case, we've run over 4,500 different types of attacks across safety and compliance and security, and it gives you a security score. It also gives you recommendations on what you need to do next. Most important, apply the runtime policies derived from what you saw in your red teaming. So let's go ahead and auto-configure runtime policies. Once the runtime policies are applied, you secure the agent from a runtime perspective. But we have one more recommendation. So let's take a look at that. It's tied to identity. If you see here, we have an unauthenticated MCP server, and we hadn't applied the right levels of identities for the agent. So when we access the MCP server, we want to make sure that we're using the right level identity and authentication. So let's apply the identity controls. Once that's done, as you can see, all the agentic traffic is now flowing to the gateway. The gateway is the conduit to apply the right level of policies, to have governance, to have end-to-end observability. And we have all the statistics associated with that. If you go back at our main screen, you see that all the alerts are now remediated. Prisma Airs is now looking for additional threats that they see in line in real time. So that was Prisma Airs 3.0, the most complete, the most comprehensive platform to secure your AI apps and your agents. Let's talk about agentic endpoints next. Now, one in three employees today in organizations are using unsanctioned AI agents, agents like white coding agents, agents which are personal assistants, to automate their daily workflow. Lee talked about white coding agents. Majority of developers today are using white coding agents. At Palo Alto Networks, every single developer uses them. We're seeing amazing levels of productivity. But remember, these agents, they require higher privileges. They need to read and write files to your local file system. They need to access tools on your local file system. They need to connect to the internet. They need to connect to different cloud services. At the same time, they also need to access internal systems like Jira, like Confluence, and others. So as you give these higher privileges, come higher risks. Now, developers are able to download MCP servers, skills, plugins on their managed workstations. That increases the supply chain risks. I just read a study last week which said one in three MCP servers are susceptible to complete system takeover. At the same time, you have identity risks. AI agent builders are using personal access tokens or hard-coded APIs to bypass the enterprise identity and authentication. We also have new runtime controls. These white coding agents will connect to third-party repositories, GitHub, in the public. And now you have indirect prompt ingestion attacks that can happen that can exfiltrate your most important asset, your code. So if you have to address these things, you need a very unique solution that addresses for the agent they can point. Lee talked about, last month, we're announcing our intent to acquire COI. While the acquisition is not closed yet, and COI and follow-up networks continue to operate as independent companies, when we integrate COI's technology with Prisma Airs, we'll be able to have agentic endpoint security for the organization on five key pillars. First, discovery. We want to be able to discover everything on the agent endpoint, the agent, the tools, the skills, the plugins, the local MCP servers. If it runs on your employees' managed workstation, it will no longer be a secret. Second, we want to have scan technologies. So we're able to scan software to find and fix vulnerabilities, like your agent artifacts, before we use them. Third, govern. We only want sanctioned agentic endpoints running on your employees' managed workstation. And they also need to operate the right policy guards. Fourth, manage. Ensure that we have the right level of identity, access, and control privileges for these agents as they become new identities in your enterprise. And last but not the least, all things around runtime security. We will be able to scan your agentic traffic with your agentic endpoints locally within your managed workstation, and also as it contacts the SaaS platforms and third-party MCP servers, giving you the most complete solution for agentic endpoint. But let's just take a look at it in a demo. So look, many people think that Shadow AI is only a cloud and SaaS problem. But Shadow AI is actually living on your employees' managed workstations. We give complete visibility of what's happening on the managed workstation. The agents, the models, the skills, and tools, and plugins, the local MCP servers that they have on the laptop. Now, visibility is great. So what? The most important thing is that, what do I do with it? Now we give you granular risks for both supply chain as well as runtime risks. So no organization wants unsanctioned AI agents or personal assistants to run on the employees' managed workstation. They're not just the applications themselves. These applications will connect to unauthenticated MCP servers, third-party agentic systems, and create invisible tunnels that can exfiltrate your data. With the application access technology we will have, we'll be able to have a single click to remediate all of these unsanctioned agents. And we don't just unsanctioned the agents by removing the agent. We remove the agent artifacts from the employee workstation itself. Now, last, runtime. We are scanning the agentic traffic both local to the endpoint, as well as as the endpoint goes to SaaS platforms or third-party tools. And as we scan, we look for prompt hijacking or tool manipulation attacks, and stop it right there. So as you can see, with the combination of Qois technologies integrated with Prisma Airs, we have a complete solution for your agentic endpoint. Now let's talk about the most important digital workspace, the browser. Now, let's think about how each of us started our workday today. We probably opened our laptop, fired up our browser, opened a tab, and got going with our work. The browser is no longer just your internet, your gateway to the internet. It's actually become your de facto workspace. And majority of the work we do today is happening in the browser. That's where we access our critical applications. That's where we do our Gen AI projects. That's the place we do critical collaboration. And our agentic browsers is bringing in higher levels of productivity for employees. It's navigating websites, it's filling forms, it's updating CRMs, it's executing complex workflows. Now, agentic browsers don't just display information on your webpage. They're actually doing things. Researching a lead, booking a flight ticket, and so on. So, if you think about your static tab on your browser, with agentic browser, that static tab is becoming a 24 by seven AI assistant doing tasks on your behalf. Now, Lee mentioned the risks associated with this. Now, as these agents in the browser will have access to your passwords, access to your browser history, your cache, your sensitive data, as all of these things happen, your risks increase. So let me talk you to our solution. Now, over two and a half years ago, we acquired Talon, the most secure enterprise browser at that time. What we've done since then is that we've integrated core of our security services right in the browser to make sure that as attackers get more sophisticated, we're able to stop advanced phishing, malware, agent extensions, or other data and fix stations right in the browser. And today we're super excited to announce the next phase of Prisma Browser. The Prisma Browser that's ready for the agentic era. We allow you to bring the LLM or agent of your choice. OpenAI, Gemini, Anthropic, right? But as you enjoy the autonomous behavior, we want to provide the right level of security and governance to protect you from all the threats that we see in runtime. Tool manipulation, make sure it's in the right guardrails, you have the right governance across all of these things. Bringing in the power of autonomy with security. But it's easier shown than talked about. Let me show you about it. So, now this is Prisma Browser. It just looks like Chrome. In fact, both Chrome and Prisma Browser are both built on Chromium, right? So it's exactly the same, but it's secure. It's built for the enterprise. Now in this demonstration, we can choose the agent of our choice. I'm gonna choose Google's Gemini in this case. And I'm gonna ask the AI assistant to do a task. Read a document that we got from the quarterly report and update the customer record. A simple task, but requires you to go across multiple applications. Once you execute, the agent is now opening the document, reading it, analyzing it, then navigating to Salesforce, figuring out the customer record, all of these things done autonomously. Now, for certain set of users, that could be a contractor or different department or certain types of actions that are sensitive, you may require human-in-the-loop verification. In this case, I'm trying to update a Salesforce record. This organization requires human-in-the-loop verification. So it's prompting you to enter your credentials. Once it's done, the Salesforce record is updated and you're off to the races. Autonomy with security. Let's take another example. We're gonna ask the AI assistant to read a document which is in the customer CRM, analyze the document, summarize it, and send it to a sales team as a summary. Something that's done on a very common basis. Now, attackers are getting more and more sophisticated. We're finding that they're hiding prompting, indirect prompting injection attacks in websites, in documents, even as invisible text. The good thing is that Prisma Browser catches it, sends it to Prisma AI for analysis and blocks this indirect prompt injection attack, right there. Bringing you the power, again, of autonomy with the right levels of security. So we talked about the four key digital services you're using in your organization for AI. For enterprise apps and agents, we got secured from supply chain risks, identity risks, runtime risks. For agents, we have to make sure that all of this traffic goes to an agentic gateway, because that's the right place to apply all the controls for identity and governance. With Koi integrated with Prisma AIrs, we'll get the complete solution for securing your agentic endpoints, starting with white coding agents and others in future. And Prisma Airs allows you to unleash productivity of agentic browsers by bringing in security and governance controls for the enterprise. So I know that AI apps and security and agents is top of mind for everybody. There's another huge change happening in the organizations today. It's called the cryptographic reset. And this change is bringing the foundations of integrity and trust of your organization at risk. And there are a couple of massive shifts happening. First, the arrival of quantum computing. Second, the reduction in life cycles of public-facing TLS certificates. And third, internet-scale distrust events. So these old ideas of set it and forget it will not work. If you think about it, it's undermined the basics of encryption, digital signatures, key exchanges, all things that we've relied on decades to secure all forms of data and communication. So I'm gonna walk you through our approach to ensure that both integrity and trust of the digital organization is always first. Let's talk about quantum first. Now, quantum is a, I look at quantum computing as, it's not a question of if. It's a question of when. And we all know that large-scale cryptographic migrations, they're notoriously complex, they're difficult, and they're extremely time-consuming. For many organizations, this can take from a few months to up to a few years. We have folks in Gartner and McKinsey saying that by the end of this decade, there will be a quantum computer that is viable enough to break standard encryption, which underpins all of our digital exchanges. Now, you can approach this, again, as a point problem, a point product, a point solution that bolted on. What we've done is that we've extended our network security platform to ensure that you have the best path to quantum readiness. And we have three key components of this solution. First, discovery. We give complete cryptographic visibility and inventory across your enterprise, your applications, your infrastructure, and your endpoints. We don't just give you visibility. We give you guided recommendations and remediations on the path to quantum safety. Second, protect. All of Palo Alto Network's firewalls, hardware firewalls, software firewalls, Prisma Access, the browser, are already quantum-compliant, allowing you to do quantum decryption at scale, bringing the crypt to agility as the standards continue to evolve. And third, we help you accelerate. All of us have legacy endpoints and legacy applications in an enterprise that's very hard to just rip and replace. Now you can convert any legacy application to be quantum-compliant, but ensuring you can pass that traffic through a Palo Alto Network's next-generation firewall. We're working with standards bodies, with CISA, with NIST, to ensure that the technologies that you deploy today are future-proof for tomorrow. Now let's talk about the second half of the equation, digital trust. Now last Sunday, the 15th of March, was a very important day for digital trust. The CA Browser Forum reduced the life cycle of public TLS certificates from 398 days to 200. Unpacked with 47 days by 2029. And don't get me wrong, the shorter certificates is a good thing for security. It makes sure that the window of exposure, if your keys are compromised, is small. But it also means that you can do these things manually. Imagine your VPN gateway. You renewed your certificate once every 400 days, and now you're doing it once every month. And if you did this manually and had any mistake, gateway is down, your employees are locked out. Automated Certificate Lifecycle Management is the only way to enforce digital trust in your organization. And just like in quantum, the network is the ultimate source of visibility and control. Now, we got Certificate Lifecycle Management as part of the CyberArk acquisition with the Venafi technology. We've taken internet search discovery, third-party integrations, and added network native discovery to give you the most complete and comprehensive view of all the certificates in your enterprise. Managed, unmanaged, risky, unused certificates. We don't just give you visibility, we also give you the right risks, there are mediation capabilities, and through our automation with a variety of third-party systems, help you accelerate that journey. Let's take a look at that in the demo. Now, as you can see here, all your certificates, all your algorithms in one view. The used certificates, the risky ones, the unmanaged ones, you can see the entire organization's digital trust in a single view. But it also gives you the highest risk that you see. Let's take a look here at the first one. There's an outage in the payment gateway. Your certificate on the firewall, load balancer, and application needs to be renewed. So, let's run an agentic workflow to remediate that. Now, as you can see here, we're doing it across all the three big components. We're using the best practices and doing it in an automated manner. And once you do this, you've fully automated, the payment gateway's up, and everything is working fine. Now, I talked to a customer two weeks ago that said that when they have to update a certificate for an application, a single one, they have a Zoom call with the PKI admin, the firewall admin, the load balancer admin, the app admin, and that process can take within four to eight hours for one certificate. So, that's the power of how you can automate certificate lifecycle management with this platform. Let's see quantum now. Similar view. We have a complete visibility of your crypto inventory. We tell you the risks, we give you the right recommendations so you can take the appropriate action. As you've seen both with Next Generation Trust and quantum, we future-proofed our platform with all these new capabilities so you can continue to future-proof your business. Now, we covered a lot in the last hour or so. We talked about the biggest architectural shift in the enterprise with AI. You saw the incredible piece of innovation that we're driving at Palo Alto Networks. Whether securing your AI applications, securing agents on your endpoint, the browser or enterprise agents, or navigating this cryptographic reset, we've got your back. We're proud to be your cybersecurity partner of choice to ensure your tomorrow is secured. Thank you so much. Palo Alto Networks is one of the top security companies in the world, and Equinix is the interconnection hub. It's a two-way partnership. We don't just open support tickets. We co-develop the product together. When we speak, they listen, and they give us features early. We kind of blaze new trails together. It's really been a mutually beneficial relationship. Palo Alto Networks will be there with MLB as we guide a path for the future. Thank you.
