Duncan Greatwood, CEO at Xage Security, busts a few myths around zero trust protection and security in this CIO Influence interview:
____________
Hi Duncan, tell us about Xage Security’s latest zero trust AI platform?
Thank you for having me. Xage Security prides itself on securing some of the world’s most critical systems across large enterprises and government agencies like Kinder Morgan and the US Air Force. We recently launched Zero Trust for AI, the newest addition to our unified Zero Trust platform, so organizations can securely unleash AI with confidence.
The platform gives organizations jailbreak-proof, fine-grained control over AI data access, tool use, and complex multi-agent interactions.
We block data leakage and rogue-agentic-AI risks by leveraging the Model Context Protocol (MCP), and provide secure MCP and Agent2Agent (A2A) protections with hardened, identity- and entitlement-aware Zero Trust for AI. Rather than relying solely on nondeterministic and jailbreak-vulnerable prompt and output filters, Xage’s Zero Trust for AI directly manages the actual data requests and AI interactions, ensuring deterministic and jailbreak-proof control. Additionally, entitlements are managed on a least-privileged basis, so, for instance, if a user delegates entitlements to an AI agent to carry out a task, only the minimal entitlements are delegated, to further contain the risk of an AI agent going rogue.
Xage delivers unified Zero Trust protection across converged AI environments, from edge to core to cloud. Its resilience-by-design ensures always-on, tamperproof, quantum-safe protection, even in air-gapped deployments. This allows organizations to confidently design and deploy AI workflows, such as connecting chatbots like Copilot or Claude to sensitive data, knowing that Xage handles the security risks.
For businesses looking to shift from traditional defense models: what top tips would you share?
For businesses looking to shift from traditional defense models, the key is to recognize that AI doesn’t eliminate classic security challenges — it magnifies them. Every interaction with an LLM or AI agent introduces new risk pathways, and because these systems operate at machine speed, a single unmanaged access can scale into massive data exposure within seconds.
To counter this, organizations should move away from static defenses and instead embrace dynamic, identity-driven security. This means implementing real-time, granular controls that authenticate and authorize every user, agent, model, and resource interaction. Least privilege access, which is the principle of giving users, applications, or systems the minimum level of access rights or permissions necessary to perform their required tasks, should be strictly enforced so that AI agents and workflows only receive the permissions they absolutely need, minimizing the chance of overreach or exploitation.
Finally, adaptive, contextual security must be prioritized to ensure that protections evolve in step with the speed, scale, and chaining capabilities of AI systems — allowing businesses to innovate confidently without opening the door to new attack vectors.
What about today’s state of security and threats would you like to highlight more about?
Organizations need to both protect their own use of AI, and to protect themselves from AIs used by hackers – including in AI-on-AI attacks. We’re at a point where AI-enabled threats are evolving faster than ever, which makes the case for Zero Trust even stronger. By assuming that every action, user, and system could pose a risk, organizations close gaps before they can be exploited. Attackers attempting AI-on-AI attacks will try to exploit AI complexity and nuance, but Zero Trust controls eliminate these gray areas, enforcing black-and-white rules of authentication and authorization with each interaction. That means that hacking attempts are blocked and any potential damage is quickly contained.
Instead of fearing AI, organizations should lean into its ability to deliver efficiency and innovation, while anchoring their defenses in Zero Trust. With this framework in place, businesses and governments can safely unlock the transformative power of AI, knowing they have a proven model to keep pace with adaptive, shape-shifting threats.
Seeing how modern threats / online threats are becoming so sophisticated, what skills and tactics do modern data, security, CISO staff need more of?
Modern threats are evolving quickly, and security leaders need to pair technical expertise with thoughtful design. It’s not just about creating guardrails (which can be vulnerable to being jailbroken), but about adopting and embracing a unified Zero Trust framework.
Done well, adopting a Zero Trust approach not only significantly improves risk posture and reduces blast radius, but it also results in more productivity for these teams by reducing management of complex firewall and point solutions, while also improving the accuracy of detection solutions.
A few myths around zero trust protection and security you’d like to bust?
Myth: “Zero Trust” is just a buzzword.
Reality: While it’s true that the term Zero Trust is sometimes overused, that’s actually a sign of its success. The concept has become so foundational to modern cybersecurity that vendors want to align themselves with it — even when their products don’t fully meet its principles. But at its core, Zero Trust isn’t marketing jargon; it’s a well-established security framework built on the idea of “never trust, always verify.” It represents a paradigm shift from perimeter-based defenses to a continuous, identity-driven model of verification, least privilege, and granular enforcement. Organizations that take Zero Trust seriously are fundamentally redesigning how they protect data, identities, and systems in a world where threats can come from anywhere — including inside their own networks.
Myth: “Zero Trust” just means replacing my VPN with Zero Trust via the cloud for remote access.
Reality: Zero Trust is far broader and deeper than just securing remote access. Replacing a VPN with a cloud-based Zero Trust Network Access (ZTNA) solution might be a first step, but it’s not the full picture. True Zero Trust extends across the entire digital ecosystem — from users and devices to applications, workloads, and data. It requires continuous authentication, fine-grained authorization, and segmentation that limits lateral movement across environments. This holistic approach ensures that every connection and every transaction is verified, regardless of where it originates or who requests it. In other words, Zero Trust isn’t a tool — it’s an operating model for secure, resilient enterprise infrastructure.
Myth: “Zero Trust” is not practical for critical infrastructure.
Reality: Not only is Zero Trust practical for critical infrastructure, it’s becoming essential. As operational technology (OT) and information technology (IT) increasingly converge, traditional perimeter-based defenses can no longer protect complex, interconnected systems. Industrial environments, utilities, and energy systems now face sophisticated cyber threats that exploit both IT and OT weaknesses. Zero Trust helps mitigate those risks by isolating assets, enforcing least privilege access for operators and devices, and verifying every command or data flow. The result is a more resilient infrastructure — one that can sustain operations even in the face of compromise. With technologies like Xage’s fabric-based Zero Trust architecture, organizations can apply these principles without disrupting uptime or safety.
Myth: “Zero Trust” can’t work in the age of AI.
Reality: In fact, the rise of AI makes Zero Trust more critical than ever. AI introduces both powerful new defensive tools and unpredictable new risks — from AI-driven phishing and deepfake impersonations to autonomous malware and insider manipulation. Zero Trust provides the stable foundation needed to contain and control these emerging threats. Its continuous verification and micro-segmentation ensure that even if an AI-enabled attack succeeds in breaching one area, it can’t easily spread or escalate privileges. At the same time, Zero Trust architectures are now incorporating AI and machine learning themselves — using intelligent analytics to detect anomalies, adapt policies in real time, and strengthen overall defense. In the AI era, Zero Trust isn’t obsolete; it’s evolving in lockstep with the threat landscape.
Xage is a global leader in zero trust access and protection on a mission to pioneer a secure tomorrow.
Duncan Greatwood is CEO at Xage Security.

