#408 - AI vs AI with Joseph Carson

Jeff and Jim welcome Joseph Carson, cybersecurity expert and host of the Security by Default podcast, for a conversation on AI in offensive and defensive security. Joseph shares the real-world incident that inspired his EIC keynote - watching two AI agents negotiate a ransomware payment live. He breaks down how attackers use unconstrained models to lower the skill barrier and accelerate data exfiltration. The conversation covers NATO Lock Shields, the world's largest live cyber defense exercise, identity as national critical infrastructure, and the EU AI Act's risk-based approach. Also: Estonia's AI tax agents, the energy cost of being polite to AI, and the Tamagotchi theory of human-AI relationships.

Connect with Joseph: https://www.linkedin.com/in/josephcarson

NATO Locked Shields: https://ccdcoe.org/exercises/locked-shields/

Security by Default podcast (Spotify): https://open.spotify.com/show/0mzN5M5CkFVLn8fq5TnH0O

Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com

TIMESTAMPS

00:00 Welcome and intro

03:02 Conference season and IDAC discount codes

04:19 Introducing Joseph Carson and Security by Default

10:18 Optimist or pessimist on identity security

12:30 AI vs. AI - origin of the concept

15:02 Watching two AI agents negotiate a ransomware payment

17:26 The Tamagotchi metaphor for human-AI relationships

19:07 Who is winning the AI cyber arms race

21:00 How AI accelerates attacker capabilities

23:09 Dark web LLMs and bypassing guardrails

26:36 The energy cost of being polite to AI

28:15 Agentic AI skills, campaigns, and the Matrix analogy

31:34 Estonia AI agents filing tax returns

35:14 Introducing NATO Lock Shields

37:00 Protecting a simulated nation from 8,500 cyber attacks

38:08 Why identity is national critical infrastructure

41:18 AI in Lock Shields before and after

43:05 Lock Shields 2025 scoring explained

47:04 The EU AI Act - is it the next GDPR

50:18 Risk-based approach to AI regulation

53:35 Closing thoughts and cautious optimism

54:21 Scuba diving vs. snowboarding

58:05 Wrap-up

KEYWORDS

AI vs AI, agentic AI, identity security, NATO Lock Shields, EU AI Act, Joseph Carson, Security by Default, ransomware, dark web LLMs, guardrails, data exfiltration, phishing, critical infrastructure, Estonia, cyber defense, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald