At DTEX NEXT, one message came through clearly: the threats security teams face have outpaced the tools they’re using. Legacy DLP was built for file-based environments and known threats — not for the behavioral complexity, unstructured data, and AI-driven activity now redefining insider risk.
The consensus was clear: only a proactive, risk-adaptive model can prevent incidents from both human and non-human insiders in the AI era.
DTEX NEXT crystallized what must change now in how we define insiders, secure AI, classify sensitive data, and act at machine speed and scale.
Here are the most critical and actionable takeaways from DTEX NEXT for security leaders navigating this new reality.
1. Legacy DLP cannot survive the AI era
Traditional DLP tools were built to inspect file content, match strings, and block transfers. They create endless noise while missing context and intent — the very signals that matter most in detecting insider misuse or AI-assisted exfiltration.
As DTEX CTO Rajan Koo noted, “The file era is ending. Generative AI is redefining how data is created, shared and consumed. But the human behaviors driving those interactions haven’t changed — and that’s where DTEX’s approach has become mission-critical.”
Takeaway: If your DLP program is still rule-heavy and content-only, you’re already behind. Prioritize solutions that combine behavior, lineage, and adaptive enforcement. Static controls will not keep up with unstructured formats like source code, images, model weights, and prompts.
2. Risk-adaptive DLP is the new standard
The practical alternative discussed at DTEX NEXT was a risk-adaptive model that uses behavior as the starting point, not an afterthought. Baseline normal activity for humans and machines, then escalate enforcement as deviations stack up — deter, disrupt, or block depending on risk.
This approach uses behavior-based classification and data lineage to infer sensitivity when keywords or regex fall short. That’s the only way to govern non-file assets such as images, video, or AI-generated artifacts.
Kevin Mandia, Founder of Mandiant (part of Google Cloud), reinforced the point: “It takes way more than just looking for strings going across your network or files going across your network. I’ve always felt that network-based DLP was a long shot to be effective, and that you needed a host-based solution that could really see end-user behavior to find the data loss prevention that you needed.”
Takeaway: Start mapping your risk signals — aggregation, off-hours activity, shadow AI use — to adaptive policy ladders. Move away from brittle “allow/block” rules and toward context-driven enforcement that changes with the risk profile.
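A policy ladder of the kind described in this section can be sketched as follows. This is an added example, not DTEX's product logic or code from the event: the signal weights, score thresholds, actor names and host names are all assumptions chosen for illustration, and the sample events are constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Weights, thresholds and host names are assumptions chosen for illustration.
WEIGHTS = {"aggregation": 40, "off_hours": 15, "shadow_ai": 30}
LADDER = [(70, "block"), (40, "disrupt"), (15, "deter"), (0, "allow")]
SHADOW_AI = {"unvetted-llm.example"}   # AI hosts absent from the sanctioned list

@dataclass
class Event:
    actor: str          # human user, service account or AI agent
    hour: int           # hour of day, 0-23
    files_touched: int
    dest: str           # destination host of the data movement

def signals(ev, base):
    """Return the risk signals this event raises against the actor's own baseline."""
    found = set()
    mu, sigma = mean(base["counts"]), pstdev(base["counts"])
    if ev.files_touched > mu + 3 * max(sigma, 1.0):   # volume far above normal
        found.add("aggregation")
    if ev.hour not in base["hours"]:                  # outside this actor's usual hours
        found.add("off_hours")
    if ev.dest in SHADOW_AI:                          # AI tool that is not sanctioned
        found.add("shadow_ai")
    return found

def enforce(events, baselines):
    """Process events in order; each actor's score grows as deviations stack up."""
    scores, decisions = {}, []
    for ev in events:
        hit = signals(ev, baselines[ev.actor])
        scores[ev.actor] = scores.get(ev.actor, 0) + sum(WEIGHTS[s] for s in hit)
        action = next(a for floor, a in LADDER if scores[ev.actor] >= floor)
        decisions.append((ev.actor, sorted(hit), scores[ev.actor], action))
    return decisions

# Constructed sample data: one human and one non-human actor.
BASELINES = {
    "alice": {"counts": [10, 12, 9, 11, 10], "hours": set(range(8, 19))},
    "etl-agent": {"counts": [200, 210, 190, 205, 195], "hours": {2, 3, 4}},
}
EVENTS = [
    Event("alice", 10, 11, "sharepoint.example"),
    Event("alice", 23, 12, "sharepoint.example"),
    Event("alice", 23, 90, "unvetted-llm.example"),
    Event("etl-agent", 3, 204, "warehouse.example"),
]
print(*enforce(EVENTS, BASELINES), sep="\n")
```

Because each actor is compared with its own baseline, the agent's 3 a.m. run of about 200 files stays at "allow", while the human's late-night activity moves from "deter" to "block" as signals stack.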
3. Automate investigations to avoid analyst paralysis
Most security teams are already stretched thin. Adding AI-driven activity and insider misuse into the mix without automation is unsustainable. DTEX NEXT highlighted agentic workflows that assemble timelines — prompts, reconnaissance, exfil attempts — and produce an executive summary for escalation.
Takeaway: Don’t let investigations depend on manual pivoting across logs and dashboards. Automate playbooks for the most common insider scenarios and ensure the output is consumable by HR, legal, and compliance, not just SOC analysts.
4. Nation-state tactics demand enterprise vigilance
Rear Admiral (Ret.) Mike Studeman’s warning was stark: adversaries are no longer hammering the perimeter — they’re disguising themselves as insiders, sometimes even embedding as contractors or remote hires. Others are leveraging AI to scale deepfakes and infiltration attempts.
“Increasingly today, the greatest threat are those people who look like citizens of the kingdom, walking right across the moat into the castle keep. They don’t pull off a mask; they pretend to be legitimate insiders. You need capability that can detect anomalies and smoke out bad actors. That’s what DTEX is able to do,” Studeman said.
Takeaway: Assume adversaries are already inside. Critical infrastructure and regulated industries must scale anomaly detection and adopt privacy-preserving telemetry to detect subtle insider behaviors. If your program doesn’t address supply chain hires or shadow AI infiltration, it’s incomplete.
5. AI governance must enable, not stall
CISOs face a dual challenge: prevent AI misuse without choking innovation. As David Hahn, Resident CISO of Ballistic VC, emphasized, “You have to have visibility. You have to know what’s actually happening inside of your company.”
“In a security program, you want to make sure that you’re enabling the right behaviors that are occurring, and at the same time, if there are mistakes or bad behaviors, you have a way to see it, to analyze it, and to quickly determine what is going on.”
Takeaway: Adopt AI governance as part of your security program. Document sanctioned tools, associated data classes, and usage policies by role. Combine this with adaptive monitoring so that approved usage flows without friction, while shadow AI and high-risk prompts trigger deterrence or disruption.
6. Scale is the difference between theory and practice
AI-driven threats don’t happen at human speed. Carl Meadows of AWS underscored that DTEX’s use of OpenSearch to analyze millions of endpoints in near real time is what makes risk-adaptive security viable.
Takeaway: Evaluate whether your analytics pipeline can handle the telemetry volumes required to detect shadow AI patterns or aggregation spikes within seconds. If not, scale should be your next investment priority.
7. Expand your definition of “insider”
The insider threat category has permanently broadened. In addition to employees, contractors, and supply chain partners, organizations must account for AI agents that read, write, and move sensitive data at scale. These non-human insiders have the same access and influence as people but operate faster and with fewer guardrails.
“You’ll always need technology looking for known bads in cybersecurity. But you also want a technology that’s easy to deploy and effective that comes at the exact same problem from we can find unauthorized behavior, meaning unknown bads,” Mandia said.
“And with the AI shift change, you’re just going to see a lot of difference at speed, and you’re going to want to do both.”
“DTEX has already solved the hard problem of analyzing human behavior, and they are a great solution to solve watching and understanding unacceptable and unwanted non-human behavior.”
Takeaway: Update your insider risk taxonomy today. Include AI agents, service accounts, and automations in your identity and access reviews. Treat them as first-class actors whose behavior must be baselined, monitored, and governed.
Final word
The AI era has redefined the insider threat. Non-human insiders, shadow AI, and nation-state tactics are reshaping the battlefield. Legacy defenses aren’t just outdated — they’re counterproductive.
The way forward is proactive, risk-adaptive, and behavior-driven. For CISOs and boards, the mandate is clear: expand your insider definition, implement adaptive controls, automate investigations, and secure AI without slowing business. The organizations that take concrete steps will be better positioned to manage insider risk as AI-driven threats accelerate.
See how proactive, risk-adaptive security works in practice. Request a DTEX demo today and take the first step toward protecting human and non-human insiders.