@prefix : <https://tomtunguz.com/jonathan-jaffe-office-hours-post-event#> .
@prefix schema: <http://schema.org/> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
@prefix skos: <http://www.w3.org/2004/02/skos/core#> .
@prefix owl: <http://www.w3.org/2002/07/owl#> .
@prefix prov: <http://www.w3.org/ns/prov#> .

############################################################
# Lightweight Ontology
############################################################

: a owl:Ontology ;
    rdfs:label "AI Security Office Hours Ontology"@en ;
    rdfs:comment "A lightweight ontology for modeling AI security concepts, agent identity governance, and the shift from human-managed to automated security policy."@en ;
    schema:name "AI Security Office Hours Ontology"@en ;
    schema:description "A lightweight ontology for modeling AI security concepts, agent identity governance, and the shift from human-managed to automated security policy."@en ;
    schema:identifier "https://tomtunguz.com/jonathan-jaffe-office-hours-post-event/" .

:SecurityConcept a rdfs:Class ;
    rdfs:label "Security Concept"@en ;
    rdfs:comment "A key concept or thesis in AI security strategy — the intersection of automated offense, automated defense, and agent identity governance."@en ;
    rdfs:isDefinedBy : .

:SecurityEngineeringConcept a rdfs:Class ;
    rdfs:label "Security Engineering Concept"@en ;
    rdfs:comment "Concepts about the transformation of security teams into engineering teams and the architectural implications for agent identity and policy."@en ;
    rdfs:subClassOf :SecurityConcept ;
    rdfs:isDefinedBy : .

# Property that attaches a free-text implication statement to a :SecurityConcept.
# NOTE(review): the declared range is xsd:string, but every value given for this
# property in this file carries an @en language tag, which makes it an
# rdf:langString rather than an xsd:string. Consider rdfs:range rdf:langString
# (or untagged values) so the data satisfies its own schema.
:hasSecurityImplication a rdf:Property ;
    rdfs:label "has security implication"@en ;
    rdfs:comment "The security or architectural implication of this concept for enterprises deploying AI agents."@en ;
    rdfs:domain :SecurityConcept ;
    rdfs:range xsd:string ;
    rdfs:isDefinedBy : .

:AISecurityVertical a rdfs:Class ;
    rdfs:label "AI Security Vertical"@en ;
    rdfs:comment "A market segment impacted by or enabling AI-driven security automation and agent identity governance."@en ;
    rdfs:isDefinedBy : .

############################################################
# Main Analysis CreativeWork
############################################################

# The article node, typed schema:AnalysisNewsArticle. It carries the abstract and
# body summary, the author and publisher links, the concepts the article is about,
# its sections (schema:hasPart), the quotations it cites, and its provenance.
:analysis a schema:AnalysisNewsArticle ;
    schema:name "Security in the Age of AI Agents: Office Hours with Jonathan Jaffe"@en ;
    schema:headline "Security in the Age of AI Agents: Office Hours with Jonathan Jaffe"@en ;
    schema:abstract "Tomasz Tunguz's Office Hours conversation with Lemonade CISO Jonathan Jaffe explores how AI transforms security from a human-managed discipline into an automated engineering practice. Four theses emerge: AI is equally powerful for defenders and attackers, exploit windows are narrowing as AI accelerates code review and patching, security teams are becoming engineering teams, and every agent requires identity and policy governance at a scale that exceeds traditional IAM."@en ;
    schema:articleBody "The piece recounts an Office Hours discussion with Jonathan Jaffe, Lemonade's CISO. Jaffe argues that AI's defensive power matches its offensive power — while AI may generate vulnerable code, it also accelerates review, pen-testing, and patching, making software more resilient over time. The exploit window is narrowing because bugs in any software are finite and AI-driven resolution velocity increases. At Lemonade, every security person is an engineer — the team built their own AI platform with specialized agents, including one that reads threat intelligence and another that verifies whether a vulnerable method is actually invoked in production. Jaffe warns that a single endpoint could host 200 to 10,000 agents, each requiring identity and policy governance beyond current IAM capabilities."@en ;
    schema:url "https://tomtunguz.com/jonathan-jaffe-office-hours-post-event/" ;
    schema:datePublished "2026-05-28"^^xsd:date ;
    schema:dateModified "2026-05-28"^^xsd:date ;
    schema:inLanguage "en" ;
    schema:author <https://linkedin.com/in/tomasztunguz#this> ;
    schema:publisher :theoryVentures ;
    # :identityGovernanceMarket is defined later in this file but is not listed here.
    schema:about :aiDefenderParity, :exploitWindowNarrowing, :securityAsEngineering,
        :agentIdentityGovernance, :agentPolicyAutomation, :lemonadeAgenticPlatform,
        :aiSecurityAutomationMarket ;
    # NOTE(review): the trailing `:` below is the bare-prefix IRI that this file
    # declares as the owl:Ontology, so the article is asserted to have the ontology
    # as a part. Confirm this is intended and not a leftover list element.
    schema:hasPart :faqSection, :glossarySection, :howtoSection, :conceptsSection,
        :quotesSection, :industryVerticalsSection, : ;
    schema:citation :quoteAttackSurface, :quoteVendorDefense, :quoteAutomationNecessity,
        :quoteAgentIdentity ;
    # Provenance: the graph names an AI agent skill (kg-generator) as its generator.
    # NOTE(review): descriptions, FAQ answers and how-to text are presumably derived
    # summaries rather than verbatim article text. Check the schema:Quotation strings
    # and the numeric figures against the source article before reuse.
    prov:wasGeneratedBy <https://github.com/OpenLinkSoftware/ai-agent-skills/tree/main/kg-generator#this> .

############################################################
# People
############################################################

<https://linkedin.com/in/tomasztunguz#this> a schema:Person ;
    schema:name "Tomasz Tunguz"@en ;
    schema:givenName "Tomasz"@en ;
    schema:familyName "Tunguz"@en ;
    schema:url "https://linkedin.com/in/tomasztunguz" ;
    schema:identifier "https://linkedin.com/in/tomasztunguz" ;
    schema:jobTitle "Venture Capitalist"@en ;
    schema:affiliation :theoryVentures ;
    schema:alumniOf :google ;
    schema:description "Venture capitalist at Theory Ventures and former Google PM. Hosts Office Hours series with industry leaders. Publishes data-driven insights on AI, web3, and venture capital to 150k+ founders and operators."@en ;
    owl:sameAs <https://twitter.com/ttunguz#this> .

:jonathanJaffe a schema:Person ;
    schema:name "Jonathan Jaffe"@en ;
    schema:givenName "Jonathan"@en ;
    schema:familyName "Jaffe"@en ;
    schema:jobTitle "Chief Information Security Officer"@en ;
    schema:affiliation :lemonade ;
    schema:description "CISO at Lemonade. Leads an engineering-driven security team that built a custom AI platform with specialized agents for threat intelligence triage and production vulnerability verification. Advocates for agent identity governance and automated security policy at scale."@en .

############################################################
# Organizations
############################################################

:theoryVentures a schema:Organization ;
    schema:name "Theory Ventures"@en ;
    schema:url "https://theoryvc.com" ;
    schema:identifier "https://theoryvc.com" ;
    schema:description "Venture capital firm founded by Tomasz Tunguz, investing in early-stage technology companies with a data-driven thesis."@en .

:lemonade a schema:Organization ;
    schema:name "Lemonade"@en ;
    schema:url "https://www.lemonade.com" ;
    schema:identifier "https://www.lemonade.com" ;
    schema:description "Insurance company that built its own AI platform with custom agents for security operations, including threat intelligence agents and production vulnerability verification agents."@en ;
    owl:sameAs <http://dbpedia.org/resource/Lemonade_(insurance)>, <http://www.wikidata.org/entity/Q28970839> .

:google a schema:Organization ;
    schema:name "Google"@en ;
    schema:url "https://www.google.com" ;
    schema:identifier "https://www.google.com" ;
    owl:sameAs <http://dbpedia.org/resource/Google>, <http://www.wikidata.org/entity/Q95> .

############################################################
# Security Concepts
############################################################

:aiDefenderParity a :SecurityConcept ;
    schema:name "AI Defender-Attacker Parity"@en ;
    schema:description "AI is just as powerful for defenders as it is for attackers. While the fear narrative focuses on AI-generated exploits, defenders can harden everywhere simultaneously — every vendor in the stack races to ship improvements. The net effect may be more resilient software, not less."@en ;
    :hasSecurityImplication "Enterprise security strategy should invest equally in AI-powered defense as in AI threat detection — the asymmetry narrative is overstated"@en ;
    schema:isPartOf :conceptsSection .

:exploitWindowNarrowing a :SecurityConcept ;
    schema:name "Exploit Window Narrowing"@en ;
    schema:description "AI-generated code may initially contain more vulnerabilities, but AI-driven review, pen-testing, and patching accelerate the resolution cycle. Since bugs in any software are finite, increasing resolution velocity shrinks the window of exploitability over time, making software more resilient."@en ;
    :hasSecurityImplication "Invest in AI-driven code review and automated patching pipelines — velocity of resolution matters more than initial vulnerability count"@en ;
    schema:isPartOf :conceptsSection .

:securityAsEngineering a :SecurityEngineeringConcept ;
    schema:name "Security Teams as Engineering Teams"@en ;
    schema:description "The transformation of security from a human-managed oversight function into an engineering discipline. At Lemonade, every security person is an engineer. The focus shifts from managing people to architecting automated policies that govern an agentic world — building platforms, not running playbooks."@en ;
    :hasSecurityImplication "Hire engineers for security roles; the CISO's job is becoming platform architecture, not compliance management"@en ;
    schema:isPartOf :conceptsSection .

# Concept: every AI agent is a principal that needs its own identity and policy.
# NOTE(review): the scale multiplier in :hasSecurityImplication below reads
# "100-10,000x", while the FAQ answer :a9 and the HowTo step :step3 in this file
# say "100-1,000x". Reconcile the figures against the source article.
:agentIdentityGovernance a :SecurityEngineeringConcept ;
    schema:name "Agent Identity Governance"@en ;
    schema:description "Every AI agent needs an identity. With 200 to 10,000 agents potentially running on a single endpoint, traditional IAM systems are insufficient. A new layer of identity and policy control must be architected for the agentic world — one that governs what each agent can access, invoke, and modify."@en ;
    :hasSecurityImplication "IAM systems must evolve to handle agent identity at 100-10,000x scale — every agent is a principal, not just every human"@en ;
    schema:isPartOf :conceptsSection .

:agentPolicyAutomation a :SecurityEngineeringConcept ;
    schema:name "Automated Security Policy at Scale"@en ;
    schema:description "Automation is the only way to handle the scale of threats in an AI-driven world. Security policy must be codified, versioned, and enforced programmatically — not transmitted through human training and manual review. The security team becomes the architect of automated governance."@en ;
    :hasSecurityImplication "Security policy must be infrastructure-as-code: version-controlled, tested, and deployed automatically across all agent endpoints"@en ;
    schema:isPartOf :conceptsSection .

:lemonadeAgenticPlatform a schema:SoftwareApplication ;
    schema:name "Lemonade Agentic Security Platform"@en ;
    schema:description "A custom-built AI platform developed by Lemonade's security engineering team. Includes specialized agents: one reads threat intelligence and triages, and a second verifies whether a vulnerable method is actually invoked in production code before flagging it — reducing false positives by validating exploitability against the live codebase."@en ;
    schema:isPartOf :conceptsSection .

############################################################
# Quotes
############################################################

:quoteAttackSurface a schema:Quotation ;
    schema:text "There are tens of thousands of attack targets out there. The chances that you're going to be one of those is small."@en ;
    schema:author :jonathanJaffe ;
    schema:isPartOf :quotesSection .

:quoteVendorDefense a schema:Quotation ;
    schema:text "At the same time, all of the vendors that you use will also have access to this to improve their services."@en ;
    schema:author :jonathanJaffe ;
    schema:isPartOf :quotesSection .

:quoteAutomationNecessity a schema:Quotation ;
    schema:text "Automation is the only way you can deal with the scale of what's coming at us now."@en ;
    schema:author :jonathanJaffe ;
    schema:isPartOf :quotesSection .

:quoteAgentIdentity a schema:Quotation ;
    schema:text "Every agent needs to have an identity, and more than that, you need a way to control policy for all of these agents."@en ;
    schema:author :jonathanJaffe ;
    schema:isPartOf :quotesSection .

############################################################
# Industry Verticals with NAICS
############################################################

:aiSecurityAutomationMarket a :AISecurityVertical ;
    schema:name "AI Security Automation Market"@en ;
    schema:description "The emerging market for AI-powered security platforms that automate threat detection, vulnerability verification, and policy enforcement — encompassing agentic SOC tools, automated pen-testing, and agent identity governance infrastructure."@en ;
    schema:naics "541511" ;
    schema:identifier "https://www.census.gov/naics/?input=541511&year=2022&details=541511" ;
    schema:isPartOf :industryVerticalsSection .

:identityGovernanceMarket a :AISecurityVertical ;
    schema:name "Agent Identity and Policy Governance Market"@en ;
    schema:description "The market for identity and access management systems that scale to handle thousands of AI agents per endpoint — extending IAM principles to non-human principals with policy control at agentic scale."@en ;
    schema:naics "541512" ;
    schema:identifier "https://www.census.gov/naics/?input=541512&year=2022&details=541512" ;
    schema:isPartOf :industryVerticalsSection .

############################################################
# Entity Group Sections
############################################################

:conceptsSection a schema:ArticleSection ;
    schema:name "Key Security Concepts"@en ;
    schema:description "The four core theses from Jonathan Jaffe's Office Hours: AI defender-attacker parity, exploit window narrowing, security as engineering, and agent identity and policy governance (including automated security policy at scale) — plus the Lemonade agentic platform case study."@en ;
    schema:hasPart :aiDefenderParity, :exploitWindowNarrowing, :securityAsEngineering,
        :agentIdentityGovernance, :agentPolicyAutomation, :lemonadeAgenticPlatform ;
    schema:isPartOf :analysis .

:quotesSection a schema:ArticleSection ;
    schema:name "Featured Quotes"@en ;
    schema:description "Key quotes from Jonathan Jaffe during the Office Hours discussion on AI security, automation, and agent identity."@en ;
    schema:hasPart :quoteAttackSurface, :quoteVendorDefense, :quoteAutomationNecessity,
        :quoteAgentIdentity ;
    schema:isPartOf :analysis .

:industryVerticalsSection a schema:ArticleSection ;
    schema:name "Industry Verticals"@en ;
    schema:description "Market segments impacted by AI-driven security automation and agent identity governance."@en ;
    schema:hasPart :aiSecurityAutomationMarket, :identityGovernanceMarket ;
    schema:isPartOf :analysis .

############################################################
# Glossary — 10 Defined Terms
############################################################

:glossarySection a schema:DefinedTermSet, skos:ConceptScheme ;
    schema:name "AI Security Glossary"@en ;
    schema:description "Key terminology from the Office Hours discussion on AI security, agent identity, and automated defense."@en ;
    schema:hasDefinedTerm :termAISecurity, :termAgentIdentity, :termExploitWindow,
        :termSecurityEngineering, :termPolicyAsCode, :termThreatIntelligence,
        :termAgenticSOC, :termVulnerabilityVerification, :termIAMA, :termDefenderParity ;
    schema:isPartOf :analysis .

:termAISecurity a schema:DefinedTerm, skos:Concept ;
    schema:name "AI Security"@en ;
    schema:description "The application of AI to both offensive and defensive security operations — encompassing automated threat detection, vulnerability discovery, code review, penetration testing, and policy enforcement."@en ;
    schema:termCode "ai-security"@en ;
    schema:isPartOf :glossarySection .

:termAgentIdentity a schema:DefinedTerm, skos:Concept ;
    schema:name "Agent Identity"@en ;
    schema:description "A unique identity assigned to each AI agent, enabling policy-based access control. With hundreds to thousands of agents per endpoint, agent identity extends IAM principles to non-human principals at unprecedented scale."@en ;
    schema:termCode "agent-identity"@en ;
    schema:isPartOf :glossarySection .

:termExploitWindow a schema:DefinedTerm, skos:Concept ;
    schema:name "Exploit Window"@en ;
    schema:description "The time between vulnerability introduction and patch deployment during which an exploit is viable. AI-driven code review and automated patching narrow this window by accelerating the resolution cycle."@en ;
    schema:termCode "exploit-window"@en ;
    schema:isPartOf :glossarySection .

:termSecurityEngineering a schema:DefinedTerm, skos:Concept ;
    schema:name "Security Engineering"@en ;
    schema:description "The transformation of security from a human-managed oversight function into a software engineering discipline — where security teams build platforms, write code, and architect automated policies rather than running manual playbooks."@en ;
    schema:termCode "security-engineering"@en ;
    schema:isPartOf :glossarySection .

:termPolicyAsCode a schema:DefinedTerm, skos:Concept ;
    schema:name "Policy as Code"@en ;
    schema:description "The practice of codifying security policies as version-controlled, testable, and automatically deployable artifacts — treating policy like infrastructure rather than documentation."@en ;
    schema:termCode "policy-as-code"@en ;
    schema:isPartOf :glossarySection .

:termThreatIntelligence a schema:DefinedTerm, skos:Concept ;
    schema:name "Threat Intelligence"@en ;
    schema:description "Structured information about current and emerging threats. AI agents can read, triage, and correlate threat intelligence feeds automatically, reducing the manual burden on security analysts."@en ;
    schema:termCode "threat-intelligence"@en ;
    schema:isPartOf :glossarySection .

:termAgenticSOC a schema:DefinedTerm, skos:Concept ;
    schema:name "Agentic SOC"@en ;
    schema:description "A Security Operations Center where AI agents perform detection, triage, verification, and response tasks — shifting human analysts from operators to platform architects who design and govern automated workflows."@en ;
    schema:termCode "agentic-soc"@en ;
    schema:isPartOf :glossarySection .

# Glossary entry for "Vulnerability Verification".
# NOTE(review): the description treats "the vulnerable method is invoked" as the
# test for "exploitable in production". Invocation/reachability is a triage
# signal for prioritising fixes. A finding that is not invoked today can become
# reachable after a later code or dependency change, so it presumably still
# needs tracking. Confirm how the source article frames this.
:termVulnerabilityVerification a schema:DefinedTerm, skos:Concept ;
    schema:name "Vulnerability Verification"@en ;
    schema:description "The process of confirming whether a reported vulnerability is actually exploitable in production code. Lemonade's security platform uses an AI agent to check if a vulnerable method is invoked before flagging — reducing false positives."@en ;
    schema:termCode "vulnerability-verification"@en ;
    schema:isPartOf :glossarySection .

:termIAMA a schema:DefinedTerm, skos:Concept ;
    schema:name "Identity and Access Management for Agents (IAMA)"@en ;
    schema:description "The extension of IAM principles to non-human AI agents — governing what each agent can access, invoke, and modify based on its identity and policy. Requires orders of magnitude more scale than traditional human-centric IAM."@en ;
    schema:termCode "iama"@en ;
    schema:isPartOf :glossarySection .

:termDefenderParity a schema:DefinedTerm, skos:Concept ;
    schema:name "Defender-Attacker Parity"@en ;
    schema:description "The thesis that AI benefits defenders at least as much as attackers. While attackers use AI to find vulnerabilities, defenders use the same technology to harden everywhere simultaneously — every vendor in the stack races to ship security improvements."@en ;
    schema:termCode "defender-parity"@en ;
    schema:isPartOf :glossarySection .

############################################################
# FAQ — 12 Questions and Answers
############################################################

:faqSection a schema:FAQPage ;
    schema:name "Frequently Asked Questions"@en ;
    schema:description "Common questions about AI security, agent identity, and the transformation of security teams."@en ;
    schema:mainEntity :q1, :q2, :q3, :q4, :q5, :q6, :q7, :q8, :q9, :q10, :q11, :q12 ;
    schema:isPartOf :analysis .

:q1 a schema:Question ;
    schema:name "Is AI more dangerous for security or more beneficial?"@en ;
    schema:text "Is AI more dangerous for security or more beneficial?"@en ;
    schema:acceptedAnswer :a1 ;
    schema:isPartOf :faqSection .
:a1 a schema:Answer ;
    schema:text "AI is equally powerful for both. While AI can generate vulnerable code and enable new attack vectors, it simultaneously accelerates code review, penetration testing, and patching. Every vendor in your stack uses AI to improve their security services. The exploit window narrows because AI-driven resolution velocity increases — and since bugs in software are finite, faster resolution makes software more resilient over time."@en ;
    schema:isPartOf :faqSection .

:q2 a schema:Question ;
    schema:name "What is the exploit window and why is it narrowing?"@en ;
    schema:text "What is the exploit window and why is it narrowing?"@en ;
    schema:acceptedAnswer :a2 ;
    schema:isPartOf :faqSection .
:a2 a schema:Answer ;
    schema:text "The exploit window is the time between a vulnerability's introduction and its patch deployment. It is narrowing because AI accelerates every phase of the resolution cycle — code review, pen-testing, and patching happen faster than in human-only pipelines. Since the total number of bugs in any software is finite, increasing resolution velocity makes software more resilient over time, even if AI initially produces code with more vulnerabilities."@en ;
    schema:isPartOf :faqSection .

:q3 a schema:Question ;
    schema:name "Why are security teams becoming engineering teams?"@en ;
    schema:text "Why are security teams becoming engineering teams?"@en ;
    schema:acceptedAnswer :a3 ;
    schema:isPartOf :faqSection .
:a3 a schema:Answer ;
    schema:text "Because automation is the only way to handle the scale of AI-era threats. At Lemonade, every security person is an engineer. The role shifts from managing people and running manual playbooks to architecting automated policies that govern an agentic world. Security becomes a platform-building discipline — the CISO becomes a platform architect rather than a compliance manager."@en ;
    schema:isPartOf :faqSection .

:q4 a schema:Question ;
    schema:name "Why does every AI agent need an identity?"@en ;
    schema:text "Why does every AI agent need an identity?"@en ;
    schema:acceptedAnswer :a4 ;
    schema:isPartOf :faqSection .
:a4 a schema:Answer ;
    schema:text "A single endpoint could host 200 to 10,000 agents, each performing different tasks with different access requirements. Without identity, you cannot enforce policy — you cannot control what each agent accesses, invokes, or modifies. Traditional IAM systems designed for human principals cannot scale to this level. Agent identity extends the principle of least privilege to non-human actors at orders of magnitude more scale."@en ;
    schema:isPartOf :faqSection .

:q5 a schema:Question ;
    schema:name "How did Lemonade build its agentic security platform?"@en ;
    schema:text "How did Lemonade build its agentic security platform?"@en ;
    schema:acceptedAnswer :a5 ;
    schema:isPartOf :faqSection .
:a5 a schema:Answer ;
    schema:text "Lemonade's security engineering team built a custom AI platform with specialized agents. One agent reads threat intelligence and triages incoming alerts. A second agent checks whether a vulnerable method is actually invoked in production code before flagging it — a vulnerability verification step that dramatically reduces false positives by validating exploitability against the live codebase. This two-agent architecture separates signal detection from signal verification."@en ;
    schema:isPartOf :faqSection .

:q6 a schema:Question ;
    schema:name "What is policy as code in security?"@en ;
    schema:text "What is policy as code in security?"@en ;
    schema:acceptedAnswer :a6 ;
    schema:isPartOf :faqSection .
:a6 a schema:Answer ;
    schema:text "Policy as code is the practice of codifying security policies as version-controlled, testable, and automatically deployable artifacts. Instead of documenting policies in PDFs and training humans to follow them, policies are written as executable rules that are enforced programmatically across all systems. This is essential in an agentic world where policy must scale to thousands of non-human actors — manual enforcement is impossible."@en ;
    schema:isPartOf :faqSection .

:q7 a schema:Question ;
    schema:name "How does AI-driven vulnerability verification work?"@en ;
    schema:text "How does AI-driven vulnerability verification work?"@en ;
    schema:acceptedAnswer :a7 ;
    schema:isPartOf :faqSection .
:a7 a schema:Answer ;
    schema:text "AI-driven vulnerability verification checks whether a reported vulnerability is actually exploitable in production. Rather than flagging every instance of a vulnerable method, an AI agent analyzes the live codebase to determine if the vulnerable code path is reachable and invoked. This reduces false positives and allows security teams to focus on vulnerabilities that matter — the ones attackers can actually exploit."@en ;
    schema:isPartOf :faqSection .

:q8 a schema:Question ;
    schema:name "What is an agentic SOC?"@en ;
    schema:text "What is an agentic SOC?"@en ;
    schema:acceptedAnswer :a8 ;
    schema:isPartOf :faqSection .
:a8 a schema:Answer ;
    schema:text "An agentic Security Operations Center is one where AI agents perform detection, triage, verification, and response tasks. Human analysts shift from being operators — manually reviewing alerts and running playbooks — to being platform architects who design, deploy, and govern the automated workflows that agents execute. The human role becomes higher-leverage: curating policy, handling edge cases, and improving the platform."@en ;
    schema:isPartOf :faqSection .

:q9 a schema:Question ;
    schema:name "How does the scale of AI agents change IAM requirements?"@en ;
    schema:text "How does the scale of AI agents change IAM requirements?"@en ;
    schema:acceptedAnswer :a9 ;
    schema:isPartOf :faqSection .
:a9 a schema:Answer ;
    schema:text "Traditional IAM is built for human principals — employees, contractors, partners — numbering in the hundreds or thousands per organization. AI agents add 200 to 10,000 non-human principals per endpoint, each needing unique identity, access policies, and audit trails. This requires IAM systems that can handle 100-1,000x more principals, support automated identity lifecycle management, and enforce fine-grained policy at sub-second latency."@en ;
    schema:isPartOf :faqSection .

:q10 a schema:Question ;
    schema:name "What is the defender-attacker parity thesis?"@en ;
    schema:text "What is the defender-attacker parity thesis?"@en ;
    schema:acceptedAnswer :a10 ;
    schema:isPartOf :faqSection .
:a10 a schema:Answer ;
    schema:text "The defender-attacker parity thesis holds that AI's benefits to security defenders are at least equal to its benefits to attackers. While the fear narrative focuses on AI-generated exploits, the reality is that every software vendor uses AI to harden their products, find vulnerabilities faster, and ship patches sooner. Defenders can 'harden everywhere simultaneously' across their entire stack — a capability attackers cannot match, since they must find and exploit individual weaknesses."@en ;
    schema:isPartOf :faqSection .

:q11 a schema:Question ;
    schema:name "Why does Jaffe argue the number of attack targets reduces risk?"@en ;
    schema:text "Why does Jaffe argue the number of attack targets reduces risk?"@en ;
    schema:acceptedAnswer :a11 ;
    schema:isPartOf :faqSection .
:a11 a schema:Answer ;
    schema:text "Jaffe's argument is probabilistic: there are tens of thousands of potential attack targets, and the probability that any single organization will be specifically targeted is low. Attackers face a search problem — they must find a vulnerable target, develop an exploit, and execute before the window closes. As AI-driven defenses harden targets faster and the exploit window narrows, the attacker's search problem becomes harder, not easier."@en ;
    schema:isPartOf :faqSection .

:q12 a schema:Question ;
    schema:name "How should enterprises prepare for the agentic security era?"@en ;
    schema:text "How should enterprises prepare for the agentic security era?"@en ;
    schema:acceptedAnswer :a12 ;
    schema:isPartOf :faqSection .
:a12 a schema:Answer ;
    schema:text "Enterprises should take four steps. First, hire engineers for security roles — the discipline is becoming software engineering, not compliance. Second, invest in AI-driven code review and automated patching pipelines to narrow the exploit window. Third, architect an agent identity and policy governance layer now — don't wait until you have thousands of agents to build the infrastructure. Fourth, treat security policy as code: version-controlled, tested, and deployed automatically. The CISO's role is shifting from risk manager to platform architect."@en ;
    schema:isPartOf :faqSection .

############################################################
# HowTo — 7 Steps to Prepare for Agentic Security
############################################################

:howtoSection a schema:HowTo ;
    schema:name "How to Prepare Your Security Program for the AI Agent Era"@en ;
    schema:description "A seven-step guide to transforming security operations for the age of AI agents, based on Jonathan Jaffe's Office Hours."@en ;
    schema:step :step1, :step2, :step3, :step4, :step5, :step6, :step7 ;
    schema:isPartOf :analysis .

:step1 a schema:HowToStep ;
    schema:name "Shift Security Hiring to Engineers"@en ;
    schema:text "Hire security practitioners who can write code and build platforms. The security team of the future is an engineering team — every member should be capable of building automation, not just running tools. At Lemonade, every security person is an engineer. This isn't about replacing people; it's about raising the baseline. Look for candidates who can architect policy-as-code systems and build agentic workflows."@en ;
    schema:position "1"^^xsd:integer ;
    schema:isPartOf :howtoSection .

# HowTo step 2: AI code review in the CI/CD pipeline plus automated patching.
# NOTE(review): the step text names no gate between an AI-suggested fix and its
# deployment. Readers applying it would normally keep tests, human review for
# risky changes, and a rollback path in the pipeline. Confirm whether the
# source article addresses this.
:step2 a schema:HowToStep ;
    schema:name "Deploy AI-Driven Code Review and Automated Patching"@en ;
    schema:text "Integrate AI-powered code review into your CI/CD pipeline. Use AI to scan for vulnerabilities at commit time and generate fix suggestions. Pair this with automated patching that can deploy fixes faster than human-only workflows. The exploit window narrows when your resolution velocity exceeds the attacker's discovery velocity. AI reviewing AI-generated code creates a positive feedback loop of hardening."@en ;
    schema:position "2"^^xsd:integer ;
    schema:isPartOf :howtoSection .

:step3 a schema:HowToStep ;
    schema:name "Build an Agent Identity and Policy Governance Layer"@en ;
    schema:text "Start architecting an identity system for non-human principals now. Each AI agent — whether 200 or 10,000 per endpoint — needs a unique identity with scoped access policies. Extend your IAM to handle agent principals at 100-1,000x current scale. This means automated identity lifecycle management, fine-grained policy enforcement at sub-second latency, and audit trails that track what every agent accessed and modified."@en ;
    schema:position "3"^^xsd:integer ;
    schema:isPartOf :howtoSection .

:step4 a schema:HowToStep ;
    schema:name "Implement Vulnerability Verification Agents"@en ;
    schema:text "Build or deploy an AI agent that verifies whether reported vulnerabilities are actually exploitable in your production codebase. Following Lemonade's model, pair a threat intelligence agent that ingests and triages alerts with a verification agent that checks if the vulnerable code path is reachable. This two-stage pipeline dramatically reduces false positives and ensures your team focuses on vulnerabilities that matter."@en ;
    schema:position "4"^^xsd:integer ;
    schema:isPartOf :howtoSection .

:step5 a schema:HowToStep ;
    schema:name "Codify Security Policy as Executable Rules"@en ;
    schema:text "Treat security policy like infrastructure — version-controlled, tested, and automatically deployed. Write policies as executable rules that are enforced programmatically, not as documents that require human interpretation. This is essential for governing thousands of agents: manual policy enforcement cannot scale. Use policy-as-code frameworks to define, test, and roll out rules across your agent fleet."@en ;
    schema:position "5"^^xsd:integer ;
    schema:isPartOf :howtoSection .

:step6 a schema:HowToStep ;
    schema:name "Leverage Vendor AI Security Improvements"@en ;
    schema:text "Every vendor in your stack is using AI to improve their security services. Audit your vendors for AI-powered security features — automated threat detection, intelligent patching, anomaly detection — and ensure you're using them. Don't build what your vendors already provide. The defender advantage compounds when you combine internal AI security engineering with vendor AI capabilities across the full stack."@en ;
    schema:position "6"^^xsd:integer ;
    schema:isPartOf :howtoSection .

:step7 a schema:HowToStep ;
    schema:name "Redesign the CISO Role as Platform Architect"@en ;
    schema:text "The CISO's job is shifting from risk manager and compliance officer to platform architect. The most effective security leaders in the AI era will be those who can design automated governance systems, build engineering-driven security teams, and architect the policy layer that governs an agentic enterprise. Invest in platform thinking — the security team's output should be automated systems, not manual processes."@en ;
    schema:position "7"^^xsd:integer ;
    schema:isPartOf :howtoSection .

############################################################
# Country
############################################################

# Country node for the United States, linked to DBpedia and Wikidata via owl:sameAs.
# NOTE(review): no other statement in this file refers to :unitedStates, so the
# node is disconnected from :analysis and from the organizations. Link it or
# drop it; confirm intent.
:unitedStates a schema:Country ;
    schema:name "United States"@en ;
    schema:identifier "US" ;
    owl:sameAs <http://dbpedia.org/resource/United_States>, <http://www.wikidata.org/entity/Q30> .

############################################################
# Skill Provenance
############################################################

<https://github.com/OpenLinkSoftware/ai-agent-skills/tree/main/kg-generator#this>
    a schema:SoftwareApplication ;
    schema:name "kg-generator skill"@en ;
    schema:url "https://github.com/OpenLinkSoftware/ai-agent-skills/tree/main/kg-generator" ;
    schema:description "AI agent skill that generates comprehensive RDF-Turtle Knowledge Graphs from web content using curated prompt templates, schema.org vocabulary, and lightweight ontology design."@en .
