In this episode of Chasing Entropy, I sit down with Kane Narraway, a security leader who has built and scaled Zero Trust environments at companies like Atlassian, Shopify, and Canva. Together, we explore the evolution of cybersecurity, from digital forensics to agentic AI, and the ongoing tension between innovation and control. From Forensics to Frameworks Kane’s journey into cybersecurity began with a fascination for hardware, inspired by tinkering with spare computer parts from his grandfather. That curiosity led him into networking, digital forensics, and ultimately enterprise security, laying the foundation for a pragmatic approach to defense. He recalls the early days of building Zero Trust architectures before the term became an industry buzzword, emphasizing how early implementations were often “collections of Python scripts” long before robust vendor solutions emerged. The Last Mile of Zero Trust Kane and I discuss the progress and pitfalls of Zero Trust adoption. While modern identity and access systems have made implementation easier, Kane argues that the industry still leans too heavily on network-level controls. “The point of Zero Trust was to stop relying on networks,” he notes, describing lingering issues like single-factor API keys and limited endpoint-level enforcement. His team’s experiments with proxy-based access models highlight how innovation often means rethinking, not just reinforcing, old ideas. The AI Security Dilemma The conversation turns to agentic AI, autonomous systems capable of acting on credentials and data. Both Kane and I expressed concern that current security strategies, built for humans, are ill-suited for bots. “We’ve spent so long protecting human users,” Kane warns, “but now service accounts and AI agents are our weakest link.” They explore real-world examples, including AI prompt injection attacks, and question how organizations can extend Zero Trust principles to these new autonomous entities. Governance, Responsibility, and “Bot Jail” As AI governance becomes a boardroom topic, Kane and Dave tackle the thorny question of accountability: when an AI system goes rogue, who’s to blame? We mused about the idea of a “bot jail,” underscoring that explainability and traceability, not just prevention, are essential in the age of automation. Building Security Cultures that Fit Beyond technology, Kane offers insights into building effective security teams that align with company culture. At Shopify, for instance, strong platform alignment meant setting clear principles and empowering teams to work autonomously. His advice for leaders: build around your organization’s DNA, not against it. Measuring What Matters Security impact can be hard to quantify. Kane recommends balancing operational metrics with threat intelligence and industry trend data, using reports like Verizon’s DBIR as directional guides. As credential-stuffing attacks decline and software supply chain threats rise, he stresses the importance of adapting defenses to real-world attacker behavior. Advice for the Next Generation For newcomers to cybersecurity, Kane’s advice is simple but grounded: “Do whatever you have to do to get in, and then find your passion.” Not everyone needs to start in red teaming; roles in governance, blue teams, or compliance can open doors and build transferable skills. Closing Notes After a wide-ranging discussion, I close with this question: coffee or tea? For Kane, it’s coffee at heart, but tea in practice. The perfect metaphor, perhaps, for the compromises every security leader makes between passion and practicality. Listen to the full episode of the Chasing Entropy Podcast on YouTube or your favourite podcast platform. Be sure to like and subscribe! Hosted by Dave Lewis, Global Advisory CISO at 1Password.
