
The CISO's New Nightmare Isn't Ransomware, It's a Prompt: The Rise of "Shadow AI" with Josh Cridlebaugh

  • Writer: Juan Allan

Josh Cridlebaugh on the AI security revolution: how "shadow AI" and the talent gap are redefining cyber threats and corporate defense strategies.



The most significant cybersecurity threat has shifted from unpatched servers in a data center to the unguarded conversations between employees and AI chatbots.


That is the new reality described by Josh Cridlebaugh, CEO and Co-Founder of Unseen Security. He observes a world where AI adoption has happened not through corporate mandate but through organic, individual use: a "shadow AI" phenomenon eclipsing the old concerns of "shadow IT."


Cridlebaugh argues that the attack surface is no longer just code and configurations but the very prompts and data we feed into language models. In this interview, Cridlebaugh explains how this fundamental shift is forcing a rapid evolution in cybersecurity, moving the frontline from the network layer to the natural language layer, where governance, visibility, and trust are the new currencies of defense.


Interview with Josh Cridlebaugh


What does market growth in cybersecurity look like in the AI era?


The U.S. cybersecurity market is changing faster than I’ve ever seen. Everyone keeps talking about AI like it’s something that’s coming, but it’s already here. It’s in our homes, our offices, our classrooms, and even in the way kids think about finding information.


I help lead a youth group, and a few weeks ago I asked fifteen teenagers how many had used ChatGPT in the last week. Every single hand went up. Then I asked how many had used Google search in the last three months. Not one. That stopped me for a second. It shows how quickly behavior is changing and how deeply AI has already integrated into daily life.


That change happened in less than two years. And it’s not just students. Every company, every team, every person with a laptop or a phone is using AI in some form, whether their security team knows it or not. We used to talk about “shadow IT.” Now we have “shadow AI.” People are pasting data and customer information into models they don’t own, sitting on infrastructure they can’t see, with no idea where that information actually ends up.


When I talk with CISOs, the fear feels familiar but bigger. Back in the early cloud days, we were nervous about giving our applications to AWS or Azure. We didn’t like losing control. Now it’s different. People aren’t just giving away apps; they’re uploading raw thoughts, internal strategies, and confidential data into black boxes that can’t be audited. That’s the new reality. It’s forcing the cybersecurity industry to evolve fast.


This isn’t about firewalls anymore. It’s about trust, governance, and visibility at the natural language layer, protecting the conversations between humans and machines in a way that has never been imagined before.


Where are you seeing the most significant investment and adoption in AI, and what is the key concern driving those budgets?


The industries leading this change are the same ones that have always had the most to lose. Healthcare, finance, and manufacturing all sit under heavy compliance pressure. They know AI can make them faster and more efficient, but they also know one wrong prompt can expose regulated or proprietary data. So they’re investing heavily in ways to use AI safely and responsibly.


What’s really interesting is how quickly this is spreading across organizations. It’s not just the technical teams anymore. Marketing, legal, HR, and operations are all finding ways to use AI in their daily work. That creates a brand-new governance problem because now every department is “talking” to machines and generating sensitive content through them.


Investors see the shift too. You can see the funding move toward solutions that balance enablement and control. No one wants to be the company that banned AI and slowed everyone down. They want to be the company that used it safely and pulled ahead. That balance between safety, visibility, and speed is where the next generation of cybersecurity investment is happening.


How is the cybersecurity talent gap changing?


The talent gap has been a headline in cybersecurity for over a decade, but the way companies are handling it is starting to change. You can’t just keep hiring your way out of it anymore. There aren’t enough qualified people, and the volume of alerts and incidents keeps growing.


The organizations that are adapting the fastest are the ones using automation to handle the noise. They’re letting AI handle triage, summarize alerts, and even write the first draft of reports so humans can focus on actual problem-solving.


When I talk with CISOs, they’re not trying to double their team sizes. They’re trying to multiply the impact of the people they already have. They want every analyst, responder, and compliance officer to be ten times more effective. The companies that figure that out will win, not because they’re the biggest, but because they’re the most efficient and the most focused.


How is the recent wave of regulatory pressure, from the SEC to the EU AI Act, fundamentally changing a CISO's day-to-day priorities?


Regulations are finally starting to catch up with technology. The SEC’s new four-day disclosure rule changed the game overnight. You can’t hide a breach behind a press release anymore. You have to be transparent and fast. CISA’s reporting requirements are getting stricter too, which is forcing organizations to build real-time awareness instead of relying on after-the-fact investigations.


And now there’s AI regulation entering the mix. California’s new laws on AI accountability and Europe’s AI Act are setting global standards. Companies are being asked a new kind of question. It’s not just “are we secure?” anymore. It’s “can you prove you understand what your AI systems are doing with your data?” That is a massive shift. Governance has become as important as prevention. You can’t just keep things safe; you have to be able to explain how and why they’re safe.


What is the single biggest challenge for Small and Midsized Enterprises today, and what's a practical first step to overcome it?


For small and mid-sized companies, the challenge is even tougher. They’re understaffed, budgets are tight, and the complexity of security tools can feel impossible to manage. But they’re also the ones moving fastest toward practical, simplified solutions.


The smartest companies are consolidating their tools, automating patching, using managed detection services, and creating simple AI use policies for employees. When I talk to these organizations, they don’t ask for perfection. They just want security that fits how they actually work.


They know employees are using ChatGPT, Copilot, or Claude whether they’re “allowed” to or not. The question isn’t how to stop it. The question is how to make it safe. That mindset shift is huge, and it’s going to shape how security gets democratized in the next few years.


What emerging technology do you believe is most misunderstood in terms of its immediate impact on cybersecurity?


Personally, when I think of “emerging tech,” it’s all about quantum and AI. AI and quantum are both reshaping the cybersecurity landscape, but on very different timelines. Quantum is the long game. Post-quantum cryptography standards are starting to take shape, and the smart teams are already preparing for that future. It matters, but it’s not an immediate concern.


AI, on the other hand, is today’s challenge. It’s changing how we defend, how we attack, and how we make decisions. The threat surface has moved from code to conversation. What people type into chat windows can be just as dangerous as a misconfigured firewall, and no one would have believed that a few years ago.


This is what keeps me and many CISOs up at night. It’s not ransomware or zero-day exploits anymore. It’s employees unknowingly exposing sensitive information in a prompt. We’ve entered a world where it’s not enough to protect your network. You have to protect your words. That’s the next frontier for cybersecurity.
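Cridlebaugh's point, made twice above (the "shadow AI" answer and the closing one), is that what an employee types into a chat window is now part of the attack surface. The concrete control a practitioner reaches for is a gate that inspects a prompt before it leaves for an external model. The block below is an added example from the editor, not code from the interviewee or from Unseen Security: it flags e-mail addresses, Luhn-valid card numbers, AWS-style access key IDs and inline secret assignments, redacts what it finds, and denies the request when a finding falls in a blocking class. The regex patterns, the blocking policy and the sample prompts are all constructed assumptions for illustration. It also shows one edge case the interview does not mention: a 16-digit order number that fails the Luhn check is left alone, so the gate does not block every long number it sees.

```python
"""Prompt-gate example: inspect a prompt for sensitive data before it is sent
to an external LLM.  Added illustration, not code from Unseen Security or the
interviewee; patterns, policy and sample prompts are constructed assumptions."""
import re
from dataclasses import dataclass, field

# Detector patterns (assumptions for this example; tune per organisation).
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# 13-19 digits with optional single space/dash separators; must end on a digit
# so the redaction does not swallow trailing whitespace.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# AWS access key ID shape: "AKIA" followed by 16 upper-case alphanumerics.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# "db_password=value", "api-key: value", "token = value" and similar.
SECRET_ASSIGN_RE = re.compile(
    r"(?i)\b\w*(?:password|passwd|api[_-]?key|secret|token)\s*[:=]\s*\S+"
)

# Finding kinds that deny the prompt outright; anything else is redacted and
# allowed through.  This split is a policy choice assumed for the example.
BLOCKING = frozenset({"card", "aws_key", "secret"})


def luhn_valid(number: str) -> bool:
    """True if the digits in `number` pass the Luhn checksum (separators ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class GateResult:
    allowed: bool
    findings: list = field(default_factory=list)   # (kind, matched text)
    redacted: str = ""


def inspect_prompt(text: str, block_on: frozenset = BLOCKING) -> GateResult:
    """Scan `text`, redact every finding, and decide whether it may be sent."""
    findings = []
    for m in AWS_KEY_RE.finditer(text):
        findings.append(("aws_key", m.group()))
    for m in SECRET_ASSIGN_RE.finditer(text):
        findings.append(("secret", m.group()))
    for m in CARD_RE.finditer(text):
        if luhn_valid(m.group()):       # drop order/ticket numbers that only look like cards
            findings.append(("card", m.group()))
    for m in EMAIL_RE.finditer(text):
        findings.append(("email", m.group()))

    redacted = text
    for kind, value in findings:
        redacted = redacted.replace(value, f"[REDACTED:{kind.upper()}]")
    allowed = not any(kind in block_on for kind, _ in findings)
    return GateResult(allowed=allowed, findings=findings, redacted=redacted)


# Constructed sample prompts; the card and key values are public test/doc values.
SAMPLE_PROMPTS = {
    "clean": "Summarise our Q3 roadmap themes in three bullet points.",
    "pii": "Draft a reply to jane.doe@example.com about her refund.",
    "card": "Customer's card 4111 1111 1111 1111 was declined, why?",
    "secret": "Fix this config: db_password=hunter2 and AKIAIOSFODNN7EXAMPLE",
    "order": "Order 1234 5678 9012 3456 shipped late, draft an apology.",
}


def run_samples() -> dict:
    """Gate every sample prompt; returns name -> allowed decision."""
    return {name: inspect_prompt(p).allowed for name, p in SAMPLE_PROMPTS.items()}


if __name__ == "__main__":
    for name, prompt in SAMPLE_PROMPTS.items():
        r = inspect_prompt(prompt)
        verdict = "ALLOW" if r.allowed else "DENY "
        kinds = ",".join(k for k, _ in r.findings) or "-"
        print(f"{verdict} {name:<7} findings={kinds:<16} {r.redacted}")
```

Running the block prints one line per sample prompt with its verdict, the finding kinds and the redacted text; the returned GateResult is what a proxy, browser extension or chat-platform hook would act on. Regex-only detection is the floor, not the ceiling: it catches structured identifiers, but not the "internal strategies" Cridlebaugh mentions, which need classification labels or context-aware review on top.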
