How Kiteworks Is Preparing Enterprises For AI-Driven Risk In 2026
The Business of Cybersecurity, February 28, 2026
00:27:02, 24.76 MB


How prepared are enterprises and government agencies for the next wave of AI-driven risk?

I sit down with Tim Freestone, Chief Strategy Officer at Kiteworks, to unpack the findings from the Kiteworks 2026 Data Security & Compliance Risk Forecast and what it reveals about the true state of data resilience today. As AI accelerates business processes and agentic systems gain more autonomy, Tim argues that the real challenge is no longer about adding another security tool. It is about gaining repeatable control over how sensitive data moves across organizations, partners, and automated systems.

We explore why third-party involvement in breaches has surged to nearly one in three incidents and what that means for board-level accountability. Tim explains how traditional third-party risk assessments struggle to scale in an AI-enabled world, and why data-layer controls and modern digital rights management approaches are being revisited in a more practical form. We also examine the shift from ransomware headlines to the rising dominance of social engineering, and why micro-learning and human error prevention may offer a more realistic path forward than annual compliance training.

Our conversation also tackles the regulatory pressure building across regions, from evolving GDPR requirements to the EU AI Act. Tim makes the case for unified, data-centric compliance models that provide file-level visibility and auditability, rather than fragmented controls across siloed systems. We discuss the growing relevance of data security posture management, the shrinking timeline for quantum risk, and the “harvest now, decrypt later” threat that leaders can no longer afford to dismiss as a distant concern.

Finally, we turn to identity as the new perimeter in a world where AI agents act with increasing autonomy. Tim shares why identity alone is insufficient and why combining identity with data location defines the modern security boundary. For leaders facing limited budgets and skill constraints, his advice is pragmatic: start with visibility, align with established frameworks like NIST, and use AI-enabled copilots to accelerate cyber maturity rather than fall behind.

If you are responsible for security, compliance, or risk outcomes, this episode offers a clear-eyed look at what is changing, accelerating, and must be addressed now. Are you truly in control of every send, share, receive, and save of sensitive data across your ecosystem?


[00:00:06] What happens when AI speeds everything up, but the rules, training and controls around sensitive data are still moving at last decade's pace? Well, in today's episode, I'm joined by Tim Freestone from Kiteworks. We're going to talk about what their 2026 Data Security and Compliance Risk Forecast is signalling for enterprises and government leaders.

[00:00:32] We'll get into today why third-party exposure is becoming a board-level headache, understand why social engineering is slowly pulling ahead as the threat that keeps security teams up at night, and explore why compliance is getting harder as regulations pile up across many regions. And we'll also look at how identity is replacing the old perimeter model,

[00:00:57] what quantum readiness looks like when you have real data with a long shelf life, and why the skills gap keeps turning good security intentions into inconsistent execution. But enough scene setting for me. Let me introduce you to Tim right now. So thank you for joining me on the show today. Can you tell everyone listening a little about who you are and what you do? Yeah. No, thank you, Neil. I appreciate it.

[00:01:26] My name is Tim Freestone. I'm the chief strategy officer at a company named Kiteworks. We're headquartered in San Mateo, but global, with service offices in the Netherlands, Germany, Singapore, Australia. So pretty broad coverage. The company itself is a cybersecurity company. We focus on applying zero trust layers, that is, zero trust security at the data layer,

[00:01:56] specifically with data in motion and in use. Well, thank you for taking the time to sit down with me today. There's so much I want to talk with you about. And when we're talking about data security and compliance, I think we should probably just kick straight into this. I mean, when you look at the 2026 Data Security and Compliance Risk Forecast, what is the single shift that should most concern boards and C-suites?

[00:02:22] And why does it change how leaders need to think about cyber as a business risk rather than just a technical one? It feels like there's so many big changes in here and a few mindset changes are required to digest some of the findings. But tell me more about that. Yeah, I mean, it would probably be no shock to any listener or viewer that the big one is AI. You know, it broadens the scope of exposure for companies to be concerned with their data

[00:02:51] security posture, obviously. Some old gaps that companies, you know, haven't done the best at filling for a number of reasons, resources, technology, capabilities, things like that. Gaps like visibility into what data is doing at a data layer. You know, each individual sensitive piece of data across your organization has historically been incredibly difficult to govern and have visibility into.

[00:03:20] And when you layer AI on top of that, you know, your exposure is exponential, to use a phrase of our time or a word of our time. So those are, you know, those are the big ones when you wrap the challenges with AI and agentic use of data. And then you compound that with the historical challenges around the knowledge of what data you have and where it's at and which is sensitive and which isn't, you know,

[00:03:49] that's a recipe for not disaster, but certainly incredible challenges. Yeah. Yeah. And there are so many big mind-bending stats out there. I mean, one part of the data that really took me by surprise was it showed that third party involvement in breaches has now surged to nearly one in every three incidents. That's quite a big change there, but how should organizations be rethinking things like trust,

[00:04:15] visibility, and accountability across their partner ecosystems when sensitive content is constantly moving beyond their own perimeter? Yeah. So it's a great question. You know, historically the way that companies have dealt with this is through what's called third party risk management solutions. Where, you know, you look across your third party supply chain, whether it be information

[00:04:43] or actual physical products, and you go through an audit of their systems, generally with a vendor to support you. And the first audit is: does this vendor or contractor or partner have the required minimum security standards that you require to do business with them? Yes or no. And it goes on from there and gets deeper and deeper in terms of compliance regulations.

[00:05:11] And that tended to be sort of a point in time exercise with checkpoints along the way. Doesn't scale that well. It's not continuous. And as you can see from the data, doesn't really work that well from a risk management standpoint. So companies are looking at ways to better secure their data in these supply chains.

[00:05:37] About 20 years ago, there was an approach called DRM, digital rights management, where you apply encryption on every single piece of data. And then only the person with the rights to access that data can access that data. It gave a lot more control, but sometimes with a lot more control comes a lot more impediment to business. And that's what happened with DRM back in the day. And so companies just didn't deploy it because it, you know, it slowed business down.

[00:06:07] But there's been a lot of evolution now in data layer security and digital rights management to make it a lot more seamless, so that instead of doing things like third-party risk management, or in addition to doing things like third-party risk management, you can put data layer controls in place, so that as your data moves throughout your information supply chain to get your company's business done, you have very direct control over

[00:06:33] that data, turning it on, turning it off, bringing it back. Or in the case of incredibly sensitive data, there's next gen DRM solutions that don't even send the data to the third party. They rather stream an editable video of the data where it seems like you have access to this particular file, be it a Word doc or what have you, but the file never left your data center. It's just that the endpoint was a video stream.

[00:07:01] So we're getting really sophisticated in terms of risk management in these supply chains. And then as soon as we got all sophisticated on that, you know, AI came along and created that new challenge, and that new challenge that I just talked about in my last answer now applies to third parties. You've got to worry about what AI systems they're using, how they're consuming your data in their AI systems.

[00:07:26] So just as you think you get a handle on things, the world and God comes along and says not so fast. It really does. And I've been doing this for what, nearly 10 and a half years at the moment. And whenever talking about the biggest cybersecurity threat, the one thing that gets mentioned every single year is ransomware. That is the biggest threat. But of course, social engineering has now overtaken ransomware as the top threat. So a big change there too.

[00:07:54] But what does that tell us about the limits of traditional security controls, and how do you protect data when the attack path is more human behavior than the infrastructure itself? Yeah, it's a really tough one. So, you know, phishing and social engineering, I mean, at the end of the day, a lot of that leads to ransomware. So they're not necessarily independent. I do wish I had, you know, a better answer.

[00:08:24] There's a lot of technologies out there that provide incredible solutions for anti-phishing. But, you know, with the quote unquote bad guys having access to the same sophisticated systems, now AI enabled, that the good guys do, but the bad guys don't have to operate by any rules.

[00:08:48] They tend to be just a smidge ahead of everybody in terms of how to leverage that technology to get smarter than the average bear. And so it is difficult. I don't have the best answer, though. And I will say the part of the answer that it's sort of fallen back to historically, besides technology solutions, is training.

[00:09:12] The challenge historically with training has been, you know, you give your employees one and a half hours of an animated video that makes everybody cringe while they watch it, on being aware of what social engineering looks like and phishing. And then there's little surveys throughout and quizzes and tests and a big test at the end. That's fine. But the knowledge tends to last about as long as the training does, in

[00:09:41] reality. So what security practitioners are starting to do, or implement solutions that do, is these micro learnings. So, you know, for instance, email is a good vector for all of these types of phishing and social engineering. So there's a lot of email security products coming out that will do what's called human error prevention. And it will look at sort of what you're doing in your email and what you're receiving.

[00:10:11] And it will not only block things, but it will tell you why it blocked it and the lesson to learn from it, so that these little micro learnings, as you go through your business, will tend to stick in your brain a little bit more than this once a year, once a quarter, hour and a half animated video that no one likes to do. I think that's a big shift and a big advantage that's only happened in the last couple of years. And I would probably say that was a long way to answer your question.

[00:10:40] Micro learnings and human error prevention, I think, are probably the best step forward we've had in a long time. Yeah, I completely agree with you. When it comes to compliance, it's moved on a lot from those just hit next, next, next for 30 minutes and then you're done for another year. And I think a lot of that is because we're seeing this too: the EU AI Act and evolving GDPR requirements and new disclosure rules are all landing within a similar timeframe.

[00:11:08] So from a strategy perspective, why does this make a unified data centric compliance model so essential? And what happens to organizations that continue to treat compliance in silos? Because it's very much the old way of doing things versus the new way of doing things, isn't it? Yeah, it is. And at the end of the day, all regulations have one road that they lead to, or they end at, which is the data layer.

[00:11:35] And, again, you know, historically the data, it's everywhere, right? It's in your environments. It's in third party environments. It's massive, it's scale, it's not understood and it moves through a bunch of different channels. So you may have a piece of sensitive data in an S3 bucket that someone grabs and they

[00:12:01] email it, and, you know, someone else sends it over a file share system, and someone else has it in an automated MFT run. And having disparate systems is a real challenge from a compliance and regulatory standpoint, because you have to stitch together the audit trail of where that particular regulated data went from all of these different systems.

[00:12:26] So having a unified platform that looks at all of the workflow systems that data can move through, and provides a unified audit log at the file level, becomes really, really critical, because then you can prove, which is the whole point of regulations, to demonstrate and prove that you've met those regulations. And to be able to control all of that in one system is really, really critical.

[00:12:56] Of course, Kiteworks comes with that layer of value, especially when data is in transit or in use. There's another technology movement coming, called DSPM, data security posture management, that complements us really well because it goes across all of your data environments and understands, using AI usually, what data is sensitive, what isn't, and tags it as such.

[00:13:24] And then once you have that visibility across all of your data repositories and you have it tagged, in relationship to the regulations that you're required to comply with, you can then use something like Kiteworks and manage, control, monitor its movement across all of your data movement channels or data transit channels. And of course, every cyber security conversation will involve AI, ransomware, compliance, and many

[00:13:53] leaders still see another threat, mainly quantum, as a risk that is more of a future problem rather than a right now thing. They've got enough on their plate right now. They're going to think we'll worry about that when we get there, but I am hearing more and more stories of the bad guys harvesting encrypted data now, knowing that in a few years they will be able to decrypt it and then wreak havoc on the world. But I mean, based on the timelines around cryptographic deprecation and long lived

[00:14:21] sensitive data, what should enterprises and indeed government agencies, what should they be doing right now to avoid that inevitable last minute high cost scramble when things go wrong? Yeah. Yeah. So data discovery is a big part of that. That's why DSPM vendors come in really handy. It is looking across all of your tech stack and your repositories and understanding what data you have. You can't protect the stuff you don't know you have. That's number one.

[00:14:51] Yeah. The harvest now, decrypt later thing is an issue. And when I talked about the sort of legacy DRM, that plays right into that, because with legacy DRM you would still send the file to somebody and it would be encrypted and then, you know, password protected. But they would have the file. And even if you had no data within your own environment, you know,

[00:15:19] with ransomware, obviously they can take it and do something with it later. So it's really just about understanding what data you have and then layers of protection on top of that. And, you know, if you ask, well, what's the timeframe for this, two years ago everybody was saying 10 to 20 years. Now, and it does depend on who you ask, but that timeframe is shrinking significantly.

[00:15:47] There's been a lot of breakthroughs in quantum computing, but it's still not understood how challenging it will be for, let's call it quantum computing light, for lack of a better word, quantum at scale. So there might be companies like Google that have a quantum computer that can decrypt AES-256. Maybe, but there's one and Google has it.

[00:16:16] So, you know, the scale of this is sort of unknown and the timeframe's unknown, but you know, if you can at least layer in your security, ensure things are encrypted to, you know, at least AES-256, and then not give out your data when you don't have to. And that gets back to the next gen type of DRM where you're streaming data access and collaboration instead of sending the actual file.

[00:16:43] Those three things together are probably the best you can do right now. And another recurring theme in the research is that widening gap between cyber leaders and everyone else out there. So in practical terms, what are the operating model, governance and technology decisions that separate organizations that contain breaches quickly from those that absorb the full financial and reputational impact and that increasing blast radius that we're seeing a lot of?

[00:17:13] Yeah, it often comes down to visibility of your environments. Again, you can't protect and you can't rebound from what you don't know you have. So, you know, the NIST CSF, there's a cybersecurity framework out of, you know, the U.S., that gives companies a great sort of framework and roadmap for how to be resilient.

[00:17:39] And that's being adopted by the most forward thinking leaders in cybersecurity, because it does give you that sort of do this, now do that, now do this, make sure you have all of these security measures in place to be as resilient as you possibly can. That's probably the biggest recommendation I think most in cyber circles have for one another is follow the NIST cybersecurity framework.

[00:18:08] And in that framework, you know, you definitely have know your assets. So assets being everything: know your data assets, know your infrastructure assets, know your endpoint assets, know your cloud assets, know everything, and using all of the tools that are available to you to know everything is probably 80% of the battle.

[00:18:34] And also, I think we've got to talk about identity, which is increasingly being described as the new data perimeter, especially with AI agents and automated processes increasingly accessing sensitive information. So when you look at this change here, I mean, I downloaded an AI browser recently and straight away it wanted to connect with everything. I got nervous and didn't go there, but how does this reshape access control, least privilege

[00:19:00] strategy and the way we think about zero trust at the content level? Yeah. Well, you do have to think about agents as a digital human, digital employee, whatever you want to call it. It's a digital version of something that can operate with end games and goals and objectives and tasks and complete those. So that broadens the identity landscape. There are a lot of companies coming out now with solutions to how you identify

[00:19:29] agents versus humans. I, myself, kind of similar to you. It wasn't a browser, but, you know, recently, an open source project, what started as Clawdbot, went to Moltbot for a hot minute and then became OpenClaw. I think if your listeners or viewers aren't familiar with that, I encourage you to go look, but this is an open source project, sort of an experiment that went viral, because

[00:19:59] it allowed you to essentially create what is best described as an autonomous persona and an autonomous agent that, if you give an end game to, it will do anything in its power without the guardrails that you set to get that objective done. It will build applications. It'll create websites. It'll go into your repositories. It'll do literally anything in its power.

[00:20:28] So that, basically, the industry said, hold on a second, we need to figure out a way to identify all of these agents, if they're going to be able to, you know, spin up applications and do whatever they can. And so, yeah, like I said, there's a lot of technologies out there that are trying to identify these types of entities, if you will. But, you know, identity as the new perimeter, actually, I would argue that it

[00:20:56] isn't necessarily the identity alone. It's the identity plus the data location. You know, the perimeter for a long time was the network, then it was the cloud. And, you know, we started talking about perimeterless environments and how you control that. But if you think about it, all of those perimeters, historically infrastructure, network, cloud, work to protect the data. So now you look at, okay, well, this particular file, I'm going to send it to Steve.

[00:21:26] Steve's going to send it to Sally. Sally's going to send it, you know, all of a sudden this data goes five to 20 layers external. That's now your perimeter for that piece of data, but it's only a perimeter if you combine it with identity. So identity plus data is what I would define as the new perimeter. And now you've got identity of humans and the identity of agents accessing that data wherever it goes. Yeah.

[00:21:53] Such a great point about some of the agents and how they'll do anything to achieve their mission. I was reading about one a few days ago. I think he was using the helper agent on OpenAI. And just as a test, I think he was asking it to buy 12 eggs. It went above and beyond to get 12 eggs and paid $32 for those 12 eggs without asking for his permission. Yeah. So you do have to be so careful there. But I mean, if you were advising a CEO or a government department or anybody listening

[00:22:22] here, heading, or trying to work out what they're going to do for the rest of this year, and they have limited skills or budget, what are the first steps that you would ask them to consider before building true data resilience, or the road that they need to take to do that? What would you advise? So under the constraints of what you gave, I have to say you can learn so much by leveraging

[00:22:46] AI and having an AI copilot in your journey to understand how to be resilient, how to reduce your exposure. And, you know, there's a trust layer that I think people might have with, say, like, well, let's just open up Claude and start my journey to become a better, more cyber aware and a better cybersecurity professional. There's a trust component of that and OpenAI, but there are companies out there that

[00:23:14] are wrapping these incredible technologies. They're just incredible technologies at this point. There's no doubt about it. They're incredibly intelligent, incredibly stupid at the same time. There are vendors coming out with wrappers and guardrails, but using these models on the backend for training to help companies be faster and do more with their cyber resiliency.

[00:23:39] And so I would suggest to the CEOs, go to your IT team, your cyber team, and start building a plan for leveraging AI enabled tools within your organization, both at a learning level and an execution level. Because if you don't, there's no way to get caught up or maintain what needs to be maintained. Fantastic advice. I think it's a great moment to end on.

[00:24:08] And I will include a link in the show notes for everyone listening to that data security report, navigating threats and compliance, that we referenced several times today, but for anybody listening anywhere else, where would you like to point them if they want to dig a little bit deeper on anything we talked about today? Yeah. I mean, we have, you know, obviously our website, you can find out a lot about this stuff, kiteworks.com. The blog is a great resource. We also have a Substack.

[00:24:36] I think that's every other day you'll get insights in your inbox on what's happening in the industry. It's not promotional at all. And then we have a LinkedIn newsletter. If you just look up Kiteworks on LinkedIn, it'll come up. There's a number of things that we do as a company that are not promotional in nature. They're just educational in nature. And I would encourage people to find those and follow those. Awesome. Well, I'll add a link to the report, LinkedIn newsletter, Substack, the website and where

[00:25:06] they can follow you on LinkedIn as well. Probably put your LinkedIn profile on there, just in case anyone listening would like to connect with you. I urge everyone listening to check that out. As you rightly said, none of this stuff we're talking about is promotional. It's more educational. And I think that is the key to everything, as we've learned in our conversation, but thank you for sharing that with me today. You got it. Thanks for inviting me. Had fun. So if you're responsible for risk, compliance, or security outcomes, I think the message from Tim here is simple.

[00:25:35] The hard part is not buying just another tool. It's building repeatable control over how sensitive information moves in and out of your organization. And Tim laid out why third party relationships now feel almost like an extended attack surface, and why people remain the easiest route in for attackers, and why compliance demands are pushing teams towards a tighter integration between security,

[00:26:04] governance and audit readiness. So as you look at your own environment right now, do you have clear visibility and control over every send, share, receive, and save of sensitive data? Or are you pinning all your hopes on policy alone keeping up and protecting you? I'd love to hear your big takeaways from our conversation with Tim today. What would you like to add to everything we talked about? As always, techtalksnetwork.com.

[00:26:32] You can leave me a message over there or connect with me on socials or check out 4,000 other interviews. But that's it for today. So thank you for listening as always. And I'll be back again very soon with another guest. Speak to you then. Bye for now.