AI Security: Barriers, Biases, and the Dual Nature of AI

David P · 80:17 · 2025 · Track 2

aigrccompliance

David P on ai security. A Track 2 session from Simply CyberCon 2025.

Open this segment on YouTube ↗ · jumps to 2:34:09 in the Track 2 livestream

AI Security from Louisville: Barriers, Biases, and the Dual Nature

David P, an AI Data Security Analyst out of Louisville, draws the last slot before lunch and uses it to walk through what AI security actually looks like inside a company that is just waking up to it. He frames the whole talk around Louisville landmarks (the Slugger Museum, Fort Knox, the Ali Center) to make a single point: AI is all about context, and most organizations are deploying it without any.

The Barriers Are Boring, and That Is the Point

David is not selling exotic threats. He is selling the unglamorous reality of being the AI security person at a company that does not yet know what it has bought. Lack of visibility. Limited expertise. Data governance gaps. Tool fragmentation. Tech debt from acquisition after acquisition. Cultural resistance from people who range from early adopters to laggards. Every one of these existed before AI and AI just makes them sharper. Role-based access controls were tolerable when nobody could query them at scale. Drop a chatbot in front of the same data and somebody types "who makes more money than me" and the answer comes back instantly.

Garbage In, Compliance Out

The dual nature theme is where the talk gets sharper. Predictive models scrape the open internet, which means they ingest fake news, disinformation, and bias by default. The fix is supposed to be human review, but the same companies laying off ten thousand people a quarter are the ones expected to keep humans in the loop. Compliance is moving faster than headcount. CMMC, PCI DSS, FedRAMP, StateRAMP, SOC 2, GLBA, GDPR, plus state-level prohibitions like Louisiana's executive order against purchasing AI products. David's point is that compliance is dynamic now, not static, and the organizations treating it like a checkbox are going to get caught.

Context Is the Whole Game

The Louisville photos are not filler. David uses them to argue that you cannot evaluate an AI output without understanding what it was trained on, what it was prompted with, and what scope you set. Bad prompt in, bad answer out. Wrong scope on a NIST 800-53 assessment, wrong control set. He pushes back on the idea that students who never learned cursive, long-form math, or how an abacus works will be able to sanity-check AI output. The calculator analogy lands: we trust calculators because we learned the math first. AI is the calculator without the math class.

Who Should Watch

Anyone who has been handed AI security as a side responsibility with no team and no budget. GRC people trying to keep up with regulation that lags the technology. Anyone whose company just acquired three more codebases and a new generative AI vendor in the last quarter.