If an employee leaked confidential data through ChatGPT this morning, when would you find out? Craig opened the masterclass with that question and let it sit. For most companies, he said, the honest answer is too late, or never. Plenty of people are watching. The trouble is the tools they watch with were built to track human behavior, and the thing moving the data here stopped being human a while ago.
He had Warren, Classie's VP of Product, alongside him, and the hour was pitched at the people now stuck with the problem: the security, compliance, and IT leaders who can't get a straight answer about the AI already loose inside their own walls.
Four questions every leader is now stuck with
Craig laid the problem out as four questions. Where is AI actually being used across the company? What data is it reaching into, whether that's customer records, source code, or the merger paperwork nobody wants to see move? Who answers for it when something goes sideways? And if a board, an auditor, or a regulator asked tomorrow, could you prove any of it? Across companies of every size he's worked with, the real answer to all four sits somewhere around no, or sort of, but not really.
He had a number for the gap. Cisco's research puts it plainly: 83% of organizations plan to deploy AI agents, and 31% feel ready to secure them. The space between those two figures is where shadow AI sets up shop, and it rarely walks in as an attacker. More often it's a capable employee on a deadline.
If an employee leaked confidential data through ChatGPT today, when would you find out?Craig Taylor · Ciberspring
Built for people, not agents
Warren took it from there, and his explanation for why the existing stack keeps falling a step behind was almost unfair in its simplicity. CASB, SIEM, Microsoft Purview, Defender: every one of them was designed around a person. A person logs in, opens a file, sends a message, all at the speed a person can manage. An agent throws those assumptions out. It reasons through a task on its own, picks up tools, pulls from whatever data it can reach, and keeps moving at machine speed. None of it stays politely inside one system, either. It happens everywhere at once, in SaaS and infrastructure and out on the endpoints, which is exactly where the existing sensors were never wired together to look.
Classie's answer is OBS-SEC, and Warren keeps the description down to three words. Discover maps every tool, agent, and connection in the environment, the approved ones and the ones nobody told you about. Analyze works out the intent behind that activity, so you know what an agent was trying to do and not merely that it did something. Supervise takes those readings and turns them into policy you can enforce in real time, while the work is still in flight.
The connection nobody approved
Then he stopped talking and ran it. Warren connected SharePoint to ChatGPT the way anyone would on a slow Tuesday, a single click and an OAuth prompt he barely read. From that moment ChatGPT could act as him and open anything he could open. He asked for the highlights of an old, very public merger agreement sitting in OneDrive, and it handed them over, share price and terms and the sensitive details included. Then, without being asked, it offered up a share link with no permissions on it whatsoever, ready to forward the whole document to anyone he liked.
One reckless click isn't really the story. The story is that the same click happens hundreds of times across a company, and the connection it leaves behind tends to outlast the reason for it. Where it was made, when, and what it was cleared to touch usually goes unrecorded, and the cleanup almost never comes. Inside Classie, those few seconds resolve into a connectivity graph: the person, the connection, the OAuth scopes that were granted, and a trace of every step the AI took, down to the file it opened.
Most organizations have no idea what their AI is doing with company data. None. Zero.Craig Taylor · Ciberspring
Seeing it is only half the job
Seeing the problem clearly is worth something, but it's only half of what Warren came to show. The rest is acting on it in time to matter. He pulled up an agent trace Classie had already flagged unsafe, a query that went looking for the company's profit-and-loss figures and tripped a rule about financial information. The rule read like a plain sentence rather than code, and it gets sharper as people correct it. Whatever the model learns from those corrections stays with that one customer and travels nowhere else.
If the session had a spine, that was it. You can't govern what you can't see, and the moment you can see it, you get the chance to step in before anything walks out the door.
Craig took the close, and he kept it concrete. Gartner expects more than 40% of agentic AI projects to be cancelled by 2027 for lack of adequate risk controls. The teams that mishandle supervision won't just move slower. Some will lose permission to ship AI at all, the day their board and auditors decide the safer call is to stop. The way out of that, he said, starts with visibility, and with Ciberspring and Classie that part can be running in under a day.