Transcript
And for today's executive exchange, I am joined by Amar Akshat, the SVP and chief architect at Paysafe. Welcome. Thank you. Amar, before we jump into our topic of securing AI, would you mind telling us a little bit more about you, your role, and what your team does behind the scenes at Paysafe? Sure. So, hi, guys. I'm Amar. I'm the chief architect and an SVP at Paysafe. I've been Paysafe with about a year. My role is to basically architect the organization's central scale flywheel. So, me and my team are a trusted group of autonomous people who have great and deep expertise into the systems at Paysafe, the frameworks, the microservices, et cetera. And it is at forefront of our job to make sure that these are scalable, they are trustworthy, and our customers are always put at the forefront of all of our decision-making. I love that. So, generative AI is something everyone's really excited about, but a lot of companies can be reluctant to open up the floodgates without the right governance and policy that you were just talking about. So, you mentioned a little bit, but could you double-click into how, at Paysafe, you're thinking about generative AI? How are you embracing AI, but also creating it in a safe way for employees to be creative, but also be really safe in your highly regulated industry? So, you're right. When the whole landscape of AI started evolving in the world, the first and initial reaction of all the regulated markets and financial institutions was to just block it, right? Because there was fear of shadow AI happening, there was fear of data leaking into the models. People did not understand what training meant, for example, right? You would hear this phrase, oh, I don't want you to be trained on our customers' data, right? And there was a lot of security concerns around how data leaves our trust boundaries, right? But then, one thing we realized quite early on at Paysafe is that if you block things, you are just blocking visibility. Because the landscape of AI is evolving so fast that people will use AI on a day-to-day basis, and with you just blocking it, you're just encouraging them not to be visible around using it. I love how you're taking AI, which is so exciting and new, and bringing it into a financial services industry, but putting this strategy into place, right, to make it less scary for the company and also empower employees. That's really powerful. Indeed, it is. We've also adopted and embraced all the generative code, generative technologies, and the amount of productivity boost which we see at Paysafe is incredible. That's so powerful because, again, you want to encourage your employees to embrace this new technology to make them faster, smarter, stronger, but also keeping security in that zero-trust culture. Okay, so as you know, the rise of AI agents fundamentally kind of changes who or what is interacting with your systems, but can you explain this concept of know your agent and, again, how you've embraced it and how it's so important with your security and fraud prevention? Identity at the heart of today's concept is about humans and system accounts, and the trust boundaries are around those entities. The agentic infrastructure and agentic AI challenges that fundamentally. There is no long trust boundary at all. If you trust an employee, you trust the employee through the span of their career at your company. If you trust the system account, you trust through the span of their existence in the company. You may be re-attesting them every three months or so, but for those three months, you're trusting them blindly. That is the trust boundary which identities hold today. Agents challenge that fundamentally. We at Paysafe are exploring this opportunity of creating a know your agent framework, which is where we expect that our merchants who do business with us, their agents will come and register, and then any other system which is trying to interact with those agents will be able to verify those agents via the models I talked to you about using our registry. That is where know your agent or KYA comes into the picture. I love it. I think what's really powerful, we talk about how Okta secures AI, and we've really gone through this transformation of non-human identities and agentic AI. This is the world that we live in today. When do you think a human needs to be in the loop as we get into these conversations and how agents are becoming more autonomous? The human in the loop question is basically about how much your trust and risk appetite is and how much does the compliance allow? These agents have a policy envelope, and they also have a ledger of human actions they can take. The whole point is that a particular short-lived agentic credential, which has been attested by a human, so the mandate has to come from the human. Whenever dollar movement happens, whenever data movement happens, the risk appetite of the company usually is quite low there. That is where we want confirmation mandates coming from user in the most flexible way possible. It is almost something as, hey agent, find tickets for me and my family to go to Melbourne in the week of 2nd of December and stay near this area. The agent will take your intent, creates the intent mandate, then goes and does its finding with other agents, gets the cart, gets your cart mandate, and when the whole thing is ready for approval, it comes to you for an approval mandate. And the approval can be as simple as clicking yes, and with a face ID, the attestation happens, you use the passkey, and it goes through. So we can make human in the loop operation as simple as possible, keep the user experience seamless, but still use the attested model of trust all the way from intent to cart to execution. So going back to your question, every time a dollar value is involved, data movement is involved, we put human in the loop. Now one huge concern we hear about with AI agents is the lack of accountability and transparency. So how are you thinking of AI agents in maintaining that security and accountability, and kind of that general maybe lack of trust that currently exists as we embrace this newer technology? So the compliance vocabulary today doesn't involve agents. It's all about humans. So remaining under the same compliance framework, you cannot do agentic executions without having a human root of trust, because the compliance vocabulary is still evolving around AI agents. So at that point, provenance is very important. Where did this agent even come from? Who spawned this? Whose action initiated this? The policy envelope. There is an envelope. These are the only things you're allowed to do by policy. You cannot exceed this policy. When things go wrong, you cannot go to the compliance people and say, I'm sorry, my model behaved wrong. Model is a mathematical entity. It cannot behave wrong if inputs are same. So you need to have that in your part of your CICD, where you run your tests against these golden data sets. You run regression testing on all the model changes, and then note those things as part of your agentic metadata. So when the agent executes these actions, we know what model it ran on, what was the training material, what was the confidence score of our golden data set, et cetera. So you can prove where the model came from. The accountability is established to the infrastructure teams. And then when the model executes, there has to be clear kill switches. There has to be clear reproducibility and revocability. So largely, compliance is not a tick box here. It is in the code path of agent. Compliance and compliance policies have to be defined using a policy framework such as open policy, and then allow your agent to use them in the code's execution path, and then log those things, observe those things. That follows your accountability trail and chain. I love it. Well, this is a perfect segue into our last question, which, again, financial services, you're in a highly regulated industry. But how does maintaining compliance factor into how you're thinking about using AI? And then with the speed that AI is advancing today, are you guys seeing this regulatory lag at all? Yes, definitely. There is regulatory lag. The regulators are still focused on yesterday's problems with fintechs around trust, regulations, PSD2, limits, et cetera. So regulators are yet to start defining granular AI regulations. But from experience, and from being in the industry, you will know that it will follow the same curve of regulatory patterns. It will be about limits. It will be about ephemeral credentials. It will be about being able to audit the AI actions after they have happened. So in that framework, we are defining and we are working towards that. We are designing our systems to follow that curve. I think it's just incredible what we're going to see just ongoing. Well, Amar, thank you so much. It was so great getting your insights today. We're really excited. And thank you guys so much for joining today's Executive Exchange. Thank you. Thank you.
