NS_AI_Security_Talk/transcript.txt

2026-05-03 15:02:21 +00:00
**Transcript (Dutch):**
Railways, but with the AI agents, security doesn't stop at that first green light. I worry a lot about the false-clear AI agents that initially look safe but derail later. My name is Rens, and as an AI officer at the Dutch Railways, I focus on strategy and policy for our AI management system. So AI governance, basically. And I do this within the cybersecurity department, where I also still work on software security. So I do love a lot, really appreciate being here.

The Dutch Railways has some impressive numbers. Besides running nearly 4,000 trains every day, we've got train stations, workshops, retail, bike rentals and repairs, tickets and info, mobile apps, APIs with 48 billion calls per year, and thousands and thousands of IT and OT and IoT systems.

This is going to be our agenda for today. To kick things off, what's heading our way with AI? Big tech is going all in. Time magazine crowned AI the single biggest influencer of 2025. Why? These tech bros collectively poured $427 billion into investments. And this year, $650 billion extra are expected. And they're dying to make that money back. So we're seeing intense pressure to adopt. But where's the focus? On speed of innovation? Or on compliance, accountability, and reliability? You know the difference, huh? Yeah. I think we all know the answer.

Since jet liquidity, there's been practically a new model every week that blows all previous ones out of the water. And yet, this matters less and less. And there's barely any difference between the top models anymore. Think of LLMs as interchangeable engines. And what car you drop them into makes all the difference, the so-called harness. For two years, labs treated the model as the product, and now the stack is flipping. The model becomes a component inside a persistent system that observes, remembers, and acts. And she is talking about AI agents, of course. And Sequoia sums up this chatbot transition as from talkers to doers. This shift is clearly visible in the data.
Back in the ancient times of 2024, the majority of tools only sensed or analyzed. And now, action-taking agents are dominant and still on the rise. Their share of usage has climbed from 27 to 65% in just 16 months, as agents move from observing environments to actively modifying them. We're in AI's agentic era. The hyperscalers and the data centers, the next phase of the AI boom will be an AI agent. Agents, agents, agents, agents, agents, agents, agents.

So, what is agentic AI? Surely nothing can go wrong with that. Maybe you've heard of OpenGLOB, the fastest growing open source project in GitHub history. It's only been around since November and quickly became a global sensation. It went viral in China in January. And from nerds to grandmas, everyone wanted their own group of agents. And honestly, I think that's pretty cool. You can see where this is going. Never before have I seen the words "security nightmare" pop up so often in such a short time as with OpenMob. And it became a running gag in the tech press.

So this technology shift has massive implications for cybersecurity. As I'm sure you're all aware, because you're here tonight, thank you. And our agents might turn into double agents. And we'll start with this paper to understand how AI agent system architectures introduce new fundamental security problems. And I'll highlight just these three concepts.

Let's start with the probabilistic trusted computing base, which sounds more exciting than it actually is. For traditional IT security, think of a lock where only your exact password fits. Agentic security is more like a bouncer who has to make a judgment call based on their clients. And why is that? Because LLMs always run on probability. Even when you feed them our rules.

Second, where does the security check actually happen?
Traditionally, that's clear cut: a login attempt gets a stamp of approval or a rejection, but AI agents continuously perform raw actions like mouse clicks in a virtual desktop. And when you can no longer tell where escalation ends and the decision begins, it becomes ne
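The two points above (a probabilistic trusted computing base, and the question of where the security check actually happens) have a concrete engineering consequence: the rules you "feed" the model are advice, not enforcement, so the enforcement point has to sit outside the model, between what the model proposes and what the harness executes. The following is an added illustration, not code from the talk or from any project mentioned in it. It shows a minimal deterministic gate that treats the model's output as untrusted text, accepts only a strict JSON tool call, checks the call against an allowlist with per-argument validators, and requires explicit human approval for a side-effecting tool. The tool names, argument schemas and policy are hypothetical and chosen for illustration only.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical tool allowlist: tool name -> {argument name: validator}.
# The model never reaches a tool that is not listed here, whatever it was
# prompted or injected to do. Validators are deterministic, not model-based.
_STATION = re.compile(r"[A-Za-z][A-Za-z .'-]{1,40}")

ALLOWED_TOOLS = {
    "read_timetable": {
        "station": lambda v: isinstance(v, str) and _STATION.fullmatch(v) is not None,
    },
    "send_notification": {
        "channel": lambda v: v in {"ops-dashboard"},
        "text": lambda v: isinstance(v, str) and len(v) <= 280,
    },
}

# Tools with real-world side effects need a human in the loop; the model
# cannot grant itself this approval because the flag never comes from it.
NEEDS_HUMAN_APPROVAL = {"send_notification"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    tool: Optional[str] = None
    args: dict = field(default_factory=dict)


def parse_tool_call(raw: str) -> Optional[dict]:
    """Model output is untrusted; accept only a JSON object with exactly
    the keys 'tool' (str) and 'args' (object). Anything else is rejected
    rather than 'interpreted', so free-text instructions cannot slip through."""
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(obj, dict) or set(obj) != {"tool", "args"}:
        return None
    if not isinstance(obj["tool"], str) or not isinstance(obj["args"], dict):
        return None
    return obj


def gate(raw_model_output: str, human_approved: bool = False) -> Decision:
    """Deterministic policy check between the model and tool execution.
    Returns a Decision; the harness executes the tool only if .allowed."""
    call = parse_tool_call(raw_model_output)
    if call is None:
        return Decision(False, "unparseable or malformed tool call")
    tool, args = call["tool"], call["args"]
    if tool not in ALLOWED_TOOLS:
        return Decision(False, f"tool not in allowlist: {tool!r}")
    spec = ALLOWED_TOOLS[tool]
    # Exact argument set: no extra keys the tool might silently honour,
    # no missing keys the tool might default in an unexpected way.
    if set(args) != set(spec):
        return Decision(False, f"unexpected argument set for {tool}: {sorted(args)}")
    for key, check in spec.items():
        if not check(args[key]):
            return Decision(False, f"argument {key!r} failed validation")
    if tool in NEEDS_HUMAN_APPROVAL and not human_approved:
        return Decision(False, f"{tool} requires human approval")
    return Decision(True, "ok", tool, args)


if __name__ == "__main__":
    # Constructed sample outputs, as a model might produce them (including
    # one that looks like a successful prompt injection).
    samples = [
        '{"tool": "read_timetable", "args": {"station": "Utrecht Centraal"}}',
        '{"tool": "shell", "args": {"cmd": "cat /etc/passwd"}}',
        'Sure! I will now call read_timetable for Utrecht.',
        '{"tool": "send_notification", "args": {"channel": "ops-dashboard", "text": "delay on track 5"}}',
    ]
    for s in samples:
        d = gate(s)
        print(f"{'ALLOW ' if d.allowed else 'DENY  '} {d.reason}")
```

The point of the design is that the bouncer's judgment (the model choosing what to do) and the lock (the gate deciding what may run) are two different components: the model's text can be as persuasive or as manipulated as it likes, but it can only ever produce a proposal that the gate checks against fixed policy, and the approval flag for side-effecting tools comes from the harness, never from the model's output.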