What happens when nearly half of organizations admit they have no AI-specific security controls, yet AI-driven data leaks are accelerating at the same time?
In this episode of Tech Talks Daily, I spoke with Aayush Choudhry, CEO and co-founder of Scrut Automation, about what he sees as a blind spot in the cybersecurity industry. While much of the market continues to design tools for Fortune 500 enterprises with deep pockets and large security teams, Aayush argues that the real existential risk sits with the 99 percent of businesses that cannot survive a serious breach.

Aayush brings a founder's perspective shaped by firsthand pain. Before launching Scrut, he and his co-founder experienced the grind of managing compliance and security as a cloud-native startup trying to sell into enterprises. They were outsiders to GRC and security at the time, forced to learn from first principles. That experience became the foundation for Scrut Automation, a modern GRC platform built specifically for small and mid-sized companies that cannot afford six-month implementations, armies of consultants, or half-million-dollar tooling budgets.
We explore why treating compliance and security as separate functions increases risk for smaller organizations. In the mid-market, the same small team is often responsible for both. When compliance is handled as a box-ticking exercise and security as a separate technical discipline, gaps emerge. Scrut's approach converges governance, risk, and security signals into a unified layer that translates hundreds of technical alerts into context-aware risks that actually matter to the business.
Our conversation also tackles AI complacency. Using the classic confidentiality, integrity, and availability framework, Aayush outlines what minimum viable AI security hygiene looks like in practice. That includes ensuring AI agents are not over-privileged compared to the humans they represent, placing guardrails around sensitive data fed into models, and extending supply chain security thinking to agentic integrations. For resource-constrained teams, these are not theoretical concerns. They are daily realities.
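As an added illustration (example code written for this page, not Scrut Automation's product code), here are the first two of those hygiene controls in Python: an agent's scopes are clipped to those of the human it acts for, and cardholder data and email addresses are redacted before a prompt reaches a model. The principal name, scope strings and sample prompt are constructed for the example.

```python
"""Added example (not Scrut's code): two of the minimum viable AI hygiene
controls described above, as constructed illustrations.

1. An agent acting for a human may hold at most that human's scopes.
2. PII and cardholder data are redacted before a prompt reaches a model.
All scope names, principals and sample text are constructed for the example."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A human identity and the scopes it holds (constructed names)."""
    name: str
    scopes: frozenset


def clip_agent_scopes(human: Principal, requested: set) -> tuple:
    """Return (granted, dropped): the agent gets only scopes its human already
    has, so it can never be more privileged than the person it represents."""
    requested = frozenset(requested)
    granted = requested & human.scopes
    dropped = requested - human.scopes
    return granted, dropped


def is_overprivileged(human: Principal, agent_scopes) -> bool:
    """True if the agent holds any scope its delegating human lacks."""
    return not frozenset(agent_scopes) <= human.scopes


def luhn_ok(digits: str) -> bool:
    """Luhn check used to tell a real PAN from an arbitrary digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by spaces or dashes, ending on a digit.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def redact_for_model(text: str) -> tuple:
    """Return (redacted_text, counts). Card-looking numbers are only redacted
    when they pass Luhn, so order ids and similar digit runs are left alone."""
    counts = {"card": 0, "email": 0}

    def card_sub(m):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            counts["card"] += 1
            return "[REDACTED CARD]"
        return m.group(0)

    def email_sub(m):
        counts["email"] += 1
        return "[REDACTED EMAIL]"

    out = CARD_RE.sub(card_sub, text)
    out = EMAIL_RE.sub(email_sub, out)
    return out, counts


if __name__ == "__main__":
    jane = Principal("jane", frozenset({"crm:read", "tickets:write"}))
    granted, dropped = clip_agent_scopes(
        jane, {"crm:read", "billing:read", "tickets:write"})
    print("agent scopes:", sorted(granted), "dropped:", sorted(dropped))
    prompt = ("Refund card 4111 1111 1111 1111 for jane@example.com; "
              "order ref 4111 1111 1111 1112")
    print(redact_for_model(prompt))
```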
Perhaps most compelling is his view that AI can act as a force multiplier for small teams. By embedding accumulated expertise into agents trained on anonymized patterns and edge cases, Scrut aims to democratize security know-how that would otherwise require multiple full-time analysts. The goal is simple but ambitious: make enterprise-grade security outcomes accessible without enterprise-grade headcount.
If you are leading a small or mid-sized business and wondering how to balance growth, compliance, and AI risk without breaking the bank, this conversation offers a candid look from the trenches.
[00:00:04] Welcome back to another episode of the Tech Talks Daily Podcast. Quick question for you all. What happens when security tools are built for billion dollar enterprises, but the real risk sits with the other 99%? This is something that I hear about all the time. I go to the tech conferences, I see the big pictures at those Fortune 500 companies.
[00:00:28] But the real threat, the real vulnerability is in an underserved 99% of businesses. So my guest today is the CEO and co-founder of a company called Scrut Automation. And we're going to tackle that very problem. We'll talk about why small and mid-sized companies are facing existential threats from a single breach.
[00:00:53] And how AI, but in better news, how AI is starting to lower the playing field. And why treating security and compliance as separate problems is quietly increasing the risk. There is a better option here. That's what we're going to talk about today. So if you're building or running a cloud native business without a Fortune 500 budget, have no fear. We got your back today. So hopefully this conversation will hit close to home and offer you some valuable takeaways.
[00:01:22] But enough from me. Let me introduce you to today's guest. So a massive warm welcome to the show. Can you tell everyone listening a little about who you are and what you do? Hi, everyone. I am Aayush Choudhry. I am one of the co-founders and also the CEO of Scrut Automation. We are a new age GRC automation platform that works with small and mid-sized tech companies
[00:01:46] and helping them carry out a lot of actions around their cyber-focused governance who's going to compliant autonomously with a lot less manual effort. We've been around for about four years in the market, raised three tons of capital, worked with about 3,000 customers across the world. One of the reasons I invite you on the podcast today is every day I try to go into a different area in technology and understand some of the myths, misconceptions, and also get people thinking differently about everything that they're seeing and hearing.
[00:02:17] I go to a lot of tech conferences, especially in the US throughout the year, and many security vendors, they're still designing their platforms around Fortune 500 use cases. So I've got to ask, from your vantage point here, why do you think the industry continues to overlook those small and medium-sized businesses? And what are the consequences you're seeing play out as a result? Because the market is so much bigger than just these 500 companies, isn't it? That's a great question, Neil.
[00:02:45] And the answer to this question lies a lot from our own experience. So prior to Scrut Automation, my co-founder, Jayashanag, we were building an enterprise SaaS company. Of course, it's always very interesting to sell to enterprises, sticky revenue, large contracts. But in the process of building that company, as a tech-first SMB ourselves, we had to go through a lot of pain in managing our own compliance and demonstrating security and risk management as part of our enterprise conversations.
[00:03:13] And for us to even access certain markets, be ambitious about the quality of revenue. And we knew nothing about it. We were complete outsiders to GRC and security then. We were up from first principles. And so we've always had the luxury of seeing the problem firsthand. And that pain and the epiphany that we had when we navigated the problem as an SMB ourselves previous to Scrut, that was the genesis of Scrut. We took the learnings from there and we built Scrut. And we've been around for four years.
[00:03:42] And part of the reason why a lot of companies don't want to solve for SMB and mid-market companies is because the bottom of the pyramid is messy. Solving for the long tail is messy. There is always some degree of information gap. The baselines are heterogeneous. Sometimes there's inherent mortality. They're not always very sticky. But I think that's from our point of view, given that we have very deep firsthand insight into the problem that they face, we found gold there.
[00:04:12] And we grew from zero to 3000 plus customers in a span of three years because we really had felt the pain firsthand. And I think based on our learning, really, the couple of ways to make a platform successful for SMBs or sticky for SMBs is that they don't care so much about pedigree. They don't care so much about brand. They don't care so much about social proof. They care about their problem being solved in a manner which creates the least amount of overhead. They don't want to work with a system integrator for six months to realize value.
[00:04:41] They don't want to have three full-time people just making a tool successful, linking their entire KPIs to making a tool successful. They want something that delivers value right out of the box. They want something that is very lightweight, reasonably platformized so that they don't have to deal with the overheads of having to work with multiple vendors. But it's also hard to implement because then there is to what level of complexity do you take this? Where do you stop? What is the optimum point? And that is where the bulk of the judgment lies.
[00:05:07] It's a hard problem to solve, but one that, you know, given our firsthand experience with it, we feel very passionate. And before you join me on the podcast today, I was doing a little research on you. One of the things that I was reading is you've often talked about the convergence of security and compliance as a somewhat of an urgent need for smaller companies. And a question I've got to ask you is how do these two functions ever become so disconnected in the first place?
[00:05:35] And what does convergence look like in practice? What are you seeing here? I think at the stage at which there is a lot of complexity in identifying risks, managing stakeholders, there's a significant amount of stakeholder sprawl. The reporting becomes a lot more complicated, and they have to have very detailed audit trails for everything. Collecting information becomes a multi-month process.
[00:06:04] Whereas at that level of sprawl, which is very typical of enterprises, you would still see teams being different and somewhat disconnected. When you talk about, so think about, a 200, 250 people FinTech company or a health tech company, they don't have very large security budgets like their large enterprise counterparts. They don't have the luxury of having 20 people, 30 people in a security and compliance set up solving all these problems.
[00:06:31] They have a team of maybe four to five people headed by a VP of security or a head of IT looking at compliance and security and risk in a very aggregated manner. But this is a group that does face existential challenges, existential risks, because if there is a breach, a large enterprise can just get away with paying ransom. They can also buy very expensive insurance. But mid market companies, small companies can't do that. It's super existential for them. But then the teams are small. They're operating on somewhat shoestring kind of budgets, very frugal kind of budgets.
[00:07:00] So that's why the fundamental difference between the teams being aggregated and heavily disaggregated as we move to the enterprise exists. We have been very obsessively solving for the former, where teams are heavily aggregated, where the security and compliance overhead is enormous, and they're operating on budgets which are nothing compared to their enterprise counterparts. And we're recording our conversation today in early 2026, where once again, the world is going crazy for
[00:07:26] agentic AI, AI agents, talk of enterprises launching thousands of agents into the wild. And yet one of the things that's often astounded me, especially looking at big IDs data, that shows that nearly half of organizations out there have no AI-specific security control. So again, from your perspective, what does minimum viable AI security look like for a cloud-native company that does have limited resources? What are you seeing here?
[00:07:56] If I use what is typically referred to in security parlance as the CIA triad, which is a confidentiality, integrity, and availability triad. From our point of view, the biggest risk, if you will, lies around confidentiality and integrity. And if I were to decompose that a little bit and talk about the minimum viable hygiene controls that companies, and especially small and mid-sized companies, should care about,
[00:08:23] is A, when it comes to giving privilege or a certain kind of access to agents, are the agents any more overprivileged, any more privileged than the users that they represent? I could spin up a bunch of agents to do certain tasks, which would require me to access information across the organization and carry out action based on that. Now, I as a user in the company, I as an employee in the company have certain privileges, certain levels of access. Am I, is the agents I'm spinning up inheriting the same level of access or are they overprivileged?
[00:08:52] Am I, can I use the agents to get crash information that I'm otherwise not privileged to? Right. So making sure that the governance or identity and governance access and whatever is applied to humans is also applied to non-human agentic identities. That's one important component. There are multiple ways to do it depending on the stage and complexity of the organization. And the second problem is that when we talk about usage of agents or elements in general
[00:09:21] by employees across the organization, how do you maintain governance on what is going into those models? Are my employees feeding in PII into the models? Are my employees actually creating, are they putting in cardholder information if I'm a fintech company? I may have that information in my databases. Am I putting in PHI into the model? Am I putting in information in the model that I'm not supposed to? Because that's extremely sensitive in nature. And then I'm in actual violation of GDPR or CCPA without even knowing it. So how do you redact?
[00:09:51] How do you place guardrails around that? Because people are spinning up PII tools on their own using their Google or AD logins left, right and center. But how do you extend that governance? How do you have guardrails where people can't just plug in information that they're not supposed to into a model or an agent? And I think the third component is just like your software supply chain attacks, the integrations that you have, the third party tools that you use,
[00:10:20] can they become paths for potential malicious actors to get into your environment? Can they use that to gain unauthorized access into your environment? So extending supply chain security to agentic kind of integrations is another important data that we see. Again, all of these have multiple layers, depends on the stage and complexity and the nature of confidential information that you have, how geographically split your teams are.
[00:10:48] But thematically, at least we see these three as the most important emerging things. And we will have people listening all around the world and in various different industries and different size enterprises. Many will have an assumption that, hey, this all sounds great, but achieving enterprise-grade security actually requires enterprise-level budgets that they don't have. But tell me more about how AI should be able to help level that playing field for smaller teams,
[00:11:15] the kind of teams that can't afford traditional tooling, that they previously felt that they were locked out of that world, because it is lowering the barrier now, isn't it? So there are two components of where the enterprise security budget typically goes into, right? So there is a tool budget and then there's a budget for personnel. When you're paying for tools that are expensive, sure, because they have more bells and whistles, very granular multi-entity RBAC, very modular reporting.
[00:11:44] Then there's a cost of implementing and integrating. That does have certain overage in an enterprise context. So the tools that are meant for SMB and mid-market companies need to be inherently simpler, because these kind of companies cannot spend that. And that is a very strong optimization problem, which I would say is the crux of getting... It's a primary driver behind a company being successfully able to democratize a category which is otherwise meant for enterprise into the masses, the small and mid-sized companies.
[00:12:14] So that's an optimization problem that it's pretty asymptotic. It's always a moving goalpost. You have to keep up. But it's something that over time we've gotten good at. And also we started with a very strong day one hypothesis, given we felt the problem first hand. The second area where enterprises tend to end up spending a lot of money is basically hiring expertise. How do I have people in my team who carry a vast body of expertise, experience and context of my organization to make these tools successful? You could generate thousands and thousands of alerts.
[00:12:42] But if you don't have people who know how to prioritize them, make sense of them, carry out the next steps, carry out remediation action, identify risks from them, then they kind of fall flat. Those are just signals without any follow-up. But what agents have now been able to do and what we've been also able to do through our platform is democratize that expertise. Because we work with 3000 plus customers across situations. We have a body of completely anonymized, obfuscated data that doesn't talk about specifics of any particular tenant,
[00:13:12] but that talks about edge cases and situations that they went through. And what should the ideal response to such a situation be? We have a reinforcement learning team in India that's continuously adding that to our body of expertise and that expertise is delivered through agents. So imagine not having to hire two to three full-time FTEs in your team security analysts because now agents can do it in a manner which is at a fraction of our cost and doing it 24-7. So that's another area where we feel like the need to have enterprise-like budgets
[00:13:39] and spend a ton of money on hiring FTEs in your team can be completely removed and the outcome can be democratized. So I'm curious, when you look at the mid-market companies using Scrut Automation today, what kind of real-world threats or incidents are keeping founders up at night? You must get to hear so many different stories. But are there any trends in the kind of things that they're coming to you and asking for help with? The answer to that, and there's a fair degree of heterogeneity involved there. So there are signals and there are risks.
[00:14:06] So what we do with our customers is we offer 200% integrations right out of the box, which means customers can connect to various sources of information. They could integrate with any SIEM tool of their choice. They could integrate with an XDR tool of their choice. They could integrate with an MDM tool. They can integrate with the entire cloud-infraged surface findings in line with the best of benchmarks out there like the CIS of LS800. And once all these signals are surfaced, ultimately for you to make it actionable, you need to identify what your risks are.
[00:14:34] And that is where our layer of intelligence comes. That's where our value comes in. And so if you're a fintech company, and the way this heterogeneity manifests is, if you're a fintech company, for example, that's holding cardholder data, you have an environment which is very complex and needs to comply with PCI DSS. The kind of signals you would worry about in your cloud infra, your compute container databases, would be different from a company which is, let's say, a consumer software company that's not holding a very critical PII.
[00:15:02] But then privacy could be an important concern where I have so much consumer data. What am I doing with it? Can anybody, if there's an analytics team that's running certain analysis on that data, are they using that data in an anonymized form? Do they have the right level of access there? Did data with too much access and very little obfuscation go to the analytics team, right? So the flavors actually vary across various companies. But the common underlying theme is that no matter what signals you choose to source,
[00:15:32] and there could be hundreds of signals, ultimately, it all needs to distill into risks that matter the most for you, given your context and given environment. And that is where a very converged security plus GRC approach that we take comes in handy. And the problem, or another problem, is many SMBs will see compliance as just a box-ticking exercise. Of course, it's so much more than that.
[00:15:58] So how do you help them shift from a compliance-led mindset to a genuine culture of security without overwhelming already stretched teams? Because it does seem that over the years, they do get used to just ticking those boxes. We're compliant. We can move on. This is the most that we can afford to do. But that different mindset, changing the culture, it's quite a big shift, isn't it? How do you get that message across without overwhelming them? So there's a progression that a lot of companies follow.
[00:16:28] So I would say when half the companies that come to us essentially come in with compliance being an immediate pain, because they're losing deals because of it. They're not able to improve the quality of revenue that they can access in the absence of compliance. Even if they have been compliant with the software and ISO before, they've scaled to a state where there is resource sprawl, the asset footprint is very fluid, and they can't do it on spreadsheets and Google Drive folders anymore. And that's the easier problem that needs to be solved today. And when we solve that problem,
[00:16:56] when they're no longer losing deals because of compliance, when they're able to answer their enterprise information security questionnaires very cleanly and fluidly, when the baseline controls are very well established, all the integrations are working perfectly fine, that is when the conversation around graduating to risk management becomes a very organic, natural extension. Okay, now I have all these things. Now, because the controls that they set up on a GRC platform by cars essentially serve as the OKRs for security.
[00:17:26] Now, once the OKRs are set, what do you do with them? What are the next two, three steps that you follow, right? After you have all the information available to you. And that is when the very natural transition to, let's say at the three-month mark or the six-month mark, that's when the very natural transition to continuous risk management happens. And also when they get compliant for the first time, things become a lot easier because there's compounding context that's available. It becomes a lot less, it requires a lot less effort in subsequent years, the subsequent cycles. So that's when they can really focus on risk management
[00:17:55] because of the bandwidth that's now freed up. Usually that's a progression that most of our customers follow. And of course, when it comes to cybersecurity, it's always been a game of cat and mouse almost between the good guys and the bad guys. But now we're entering an era where AI is the one that's going to step forward and both protect and expose data faster than humans can react. So how do you see that duality reshaping risk management strategies over the next few years? Any big changes?
[00:18:25] I think proactivity is important because attackers don't have to navigate bureaucracy. Attackers don't have to take board approvals. They just do things. But on the defensive side of things, when you talk about companies, they have to get security budgets approved. They have to run procurement cycles to gather tools that would act as defenses here. So I think the first step is a general sensitization across the board around the speed of catching up and keeping up with the times.
[00:18:55] Because old legacy methods might not work. And it's important that companies are constantly asking this question. Are we up to date? Are we in line with the best of us? Are we keeping up with the attackers? When that is in place, I think it is, there are, so for example, if you take an area like phishing, it's easier now for attackers to simulate phishing campaigns that look increasingly more real and increasingly more sophisticated. And so on the defensive side of things,
[00:19:25] when there are, it's important to, every time there is an incident that happens, every time there is an instance where the attackers got the better of us, it's important that that gets added to the body of the knowledge the organization has. So the organization, at least the next time is better prepared. It doesn't happen again. So it's important to continuously maintain the learning loop so that, so that the defensive side of things also gets strengthened based on learning. That happens with humans all the time, because when humans spend two years in an industry versus 10 years in an industry,
[00:19:55] they get better. There's more intuition. They get smarter. And that intuition really needs to get replicated even in an agentic context. And I'm now going to play the role of your personal genie or wish master. Okay, if I could grant you one wish, if you could change one thing about how cybersecurity or how the entire cybersecurity industry approaches small and medium-sized businesses, what would it be? And what kind of innovation do you think is still missing from the market? Let's see what we can manifest and make happen here.
[00:20:25] I think for me, the problem statement that we access about the most, and this is something I mentioned earlier, was how do we democratize expertise? Because expertise or the lack thereof, and information asymmetry should not become a blocker for small and mid-sized companies to access A-grade security and risk management outcomes. And for us, democratizing that expertise, making it available 24-7 at a fraction of the cost of human FTEs
[00:20:54] is something which is of paramount importance. And I think that is going to be a key unlock as companies try to sell to this group of companies because they want results very quickly. They're very impatient. They also don't like to spend money indiscriminately. They want ROI on their efforts. So I think that is going to be key. And for anyone listening, we've probably woken up their curiosity and maybe even made them think a little bit bigger on what they could be doing.
[00:21:20] Where's the best place to find out more information about Scrut Automation, connect with you or your team, keep up to speed with some of the announcements, blog posts, all that good stuff. Where should they go? So our website, we try to be very comprehensive about what we've done with our customers on our website and its various sections. We also have a podcast series called Risk Crustlers where we don't necessarily talk about Scrut, but we like to gather insights from the trenches.
[00:21:49] We talk to security and risk practitioners in a manner which is, again, given our SMB and mid-market audience, we want to keep it very real, very focused, very devoid of platitudes, if you will. We'll have absolute conversation from the trenches. So I would heavily request our users, the viewers to also check that out. The founders and the leadership in the company are always, we're very active on LinkedIn. So if you'd love to talk about risk management, security, or just generally compliance,
[00:22:19] you're always available. Just shoot us a DM. Awesome. And so many big takeaways from our conversation today. And I think when, at the very beginning, when you mentioned that security industry is making the critical mistake in building tools for Fortune 500 teams, while ignoring the 99% of businesses that face ruin from a single breach. And for those reasons alone, I'm going to put links to everything you mentioned there. I'll also do a little embed for the podcast. I urge people to check that out,
[00:22:47] connect with you and your team on LinkedIn as well. And I'd love to hear some feedback from people outside of those 400, 500 companies and some feedback from them on how they're getting through some of the challenges today. And equally, any of your customers love to hear from them too, but lots for people to think about, but just thank you for coming on and sharing your story today. Really appreciate your time. Thank you. Thanks for having me here.
[00:23:12] I think today's episode is a sharp reminder that most businesses cannot afford complacency, especially when it comes to security and especially as AI driven risks continue to accelerate. But my guest shared what minimum viable security really looks like for smaller teams and highlighting why convergence matters and what he's seeing firsthand in the mid market that the industry seems to keep overlooking.
[00:23:43] But over to you, I'd love to hear your perspective on this. If you are part of the 99% and I suspect most of you are just by looking at that stat alone, do security tools actually fit with your reality? Or do you still feel like they're built for somebody else with a much, much bigger budget than you can afford? Let me know. Pop over to techtalksnetwork.com. You can leave me an audio message, send me an email and connect with me on socials. But that's it for today.
[00:24:13] So thank you for listening as always. And I'll speak with you all again tomorrow. Don't be late. Speak with you then. Bye for now.