"Threat actors have a goal in mind and they'll use whatever path they see to get that goal" - AWS CISO tells us how your company can stay safe, by being more like Amazon


With AI now a common presence in businesses everywhere, the need for smarter and more intuitive cybersecurity is paramount, with defenders and attackers alike harnessing the power of the technology.

But how should your business prepare? At the recent AWS re:Invent 2025 event, I sat down with Amy Herzog, Chief Information Security Officer, to get her views and advice on staying safe in the AI age.

Gen AI for good

Like many of the top announcements at AWS re:Invent 2025, a new security agent hit the headlines for its ability to work alongside human workers to relieve some of the strain in everyday work.

Herzog notes that her team has been experimenting over the past year with generative AI tools to help solve security problems at Amazon at scale. She outlines how using agentic AI to mimic humans wasn't the most successful way to think about agents. Instead, they found these agents should focus on doing one specific job really well, then be pulled together into a larger framework which can help with human effort.

“If our product teams aren't grounding themselves in their customer experience, and I'm not grounding myself in the builder experience inside AWS, I can't do a good job,” she notes, highlighting the need for security teams to ground themselves in actual, on-the-level information.


Perhaps surprisingly, Herzog also notes that her role recently has included an attempt to deflate the hype around AI “a little bit” for customers, looking instead at how they can pragmatically use the technology for something grander - in effect, not just adding AI to everything, but getting value too.

“You need to know what the agents want to do,” she says, explaining the need to de-mystify AI agents for customers. She notes that while the same basic security needs have always existed, expanding them in an agentic context is the challenge, and as security is so fast-paced, “sometimes it's good to reset and realize this isn't too different to what we had yesterday.”

“I would encourage customers to think about going beyond the processes they have in place, towards focusing on the risk you're trying to eliminate, measure that as well as you can, then you're going to notice when stuff is changing and you need to adapt to,” she adds, “sometimes security teams can get caught up in, ‘what is my scanner producing’, and ‘what am I resolving’ rather than here's how quickly I'm fixing each of the individual things that my scanner is finding, which is a more coherent view to adapt from.”

Reflecting on the new AWS security agent, Herzog outlines how, “things are going to change - the goal is, do we now have a new tool to catch when they do.” She adds that possibly the most exciting thing about the security agent is the ability to catch and prevent things before they're ever in front of a customer's eye, noting how, “it's important to respond to the moment, but also you have a lot less to respond to if you get it right the first time.”

Boosting defenses

With levels of AI hype continuing to rise, there is at least a high level of realism in the security industry, where new threats develop every day - so I ask Herzog, will there ever be such a thing as “100% security”?

“It sets up a bit of a false choice,” she says with a smile, “I can make you a perfectly secure computer system - but you won't like the way it functions!”

“It’s not a binary - but that shouldn’t be our goal…we should be thinking about what’s the best balance of functionality and control to achieve the thing that we want to achieve - we want to be more pragmatic as security professionals in shipping securely in the way that delivers the best value to customers in the long term.”

“Gen AI is not always the point, this is a pretty darn exciting new way to accomplish more of the same kinds of things that we've always wanted to accomplish…the advice I'm trying to give right now is that we know that security in six months, a year, will not look quite the same as today - so what you need to do is be alert and be curious, and be aware of what the changes are so that you can adapt at speed to them.”

“In some cases this is going to mean protecting against things that we don't know exist yet, but in others, it might actually be that we've got a new opportunity to improve our defenses that we couldn't do before.”

Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.
