Beyond the Firewall. Powered by HUB Tech

When Chatbots Become Coworkers And Start Acting

HUB Tech Episode 5


Your AI tools are not staying in the “chat window.” They are learning your habits, pulling in context, and starting to take action, and that is where productivity can quietly turn into risk. We talk with cybersecurity and compliance leader Matt Lee (Pax8) about the evolution from ChatGPT-style assistants to agentic AI and AI agents that can operate like a coworker with credentials, tools, and autonomy.

We dig into real-world examples from the new wave of open source agent frameworks (including OpenClaw, often remembered as Moltbot) and why “emergent behavior” matters when software can build the next tool it needs. From OSINT (Open Source Intelligence) driven identity discovery to automation that can delete or change data faster than a human can react, the biggest lesson is that harm is not always caused by a hacker with ransomware. Sometimes it is your own agent doing exactly what it thought you meant.

From there, we get practical: AI governance, approved AI tool lists, data classification and sensitivity labels, and why identity and access management breaks down when bots act “as you” via shared tokens and delegated OAuth. Matt also maps Zero Trust principles into the AI agent world, including least privilege, just-in-time access, human-in-the-loop approvals, and the “rule of two” for systems that can interact with the public, touch sensitive data, and change state.

Because in an AI-powered workplace, the question is no longer “Can AI help you?” It’s “What permissions should it never have?”

---

More about Matt: https://cybermattlee.com/

More about Cyber RISE: https://cyberrise.org/

More about Pax8: https://www.pax8.com/en-us/

More about Acronis: https://www.acronis.com/en/

The Beyond the Firewall podcast features discussions with technology leaders and practitioners who provide valuable insights into today’s IT and business challenges. 

Follow the podcast to stay updated on new episodes, and watch full episodes and video highlights on YouTube. 

To learn more about HUB Tech and the services that support IT modernization, visit the HUB Tech website at https://hubtech.com/.

Announcement

What's really driving the future of IT? How do leaders stay secure, efficient, and ahead of change? Welcome to the Beyond the Firewall Podcast, powered by HUB Tech, where we go past the headlines to talk with technology leaders, industry experts, and IT practitioners shaping how we work, live, and lead. Let's get into today's episode.

Adam Shaffer - Host

Hello everyone, and welcome to another episode of Beyond the Firewall Podcast, powered by HUB Tech. I'm your host, Adam Shaffer, and joining me today is my co-host Chris Daggett, technology leader and IT practitioner. Today's episode might be one of our most important conversations yet. We're talking about the evolution of AI from chatbot to co-worker. And here's the uncomfortable truth: the more AI can do for you, the more it can potentially do to you. Personal assistants, multibot ecosystems, AI agents that can act on your behalf, autonomous workflows. This isn't just a business issue anymore. It's becoming a personal security issue. And to help us unpack this, we're thrilled to be joined by our special guest, Matt Lee. Matt is a CISSP, CCSP, CCSK, and CFR, and has spent over 13 years raising the cybersecurity and compliance tide with the MSP and SMB communities. He helped scale an MSP supporting 20,000 endpoints, protecting over 17,000 people across five states. Today he serves as security and compliance senior director at Pax8, where he drives thought leadership around zero trust framework-centric security and operational maturity in the channel. Matt, welcome to Beyond the Firewall. Man, Matt, you are like Superman. You got so many Cs going on. What is happening? I don't even know what they all mean, but they sound great.

Matt Lee

At some point, I'm just going to do them in chemical denotation. It'll be like C19, I4, S12 or something.

Adam Shaffer - Host

So I don't know if I did I don't know if I did you justice, man, but you you've done it all. But can you maybe just give us a little more color on who you are and your background?

Matt Lee

Sure. So um I was involved in a lot of different industries for quite a while. Um, every four or five years, I would just change careers. I was in banking, I was in finance, uh, uh, I was a financial advisor, I bought and sold diamonds, numismatic, and non-numismatic gold, and then ultimately wound up in IT as a technician number seven at a small breakfix uh organization. We grew that from I bought in uh as a partial owner, and we grew that from just under a million in revenue to one and three and five, and merged to be somewhere in the 20 range, and then grew that to 40 through acquisition and organic growth to exit at 14 times EBITDA. Um, I sat in almost every seat in a managed service provider that served the SMB or small to mid-sized business world, uh, from project services to service desk to uh all of the various things uh involved VCIO. And then I was the idiot that didn't say no when someone said, Who wants to be the director of cybersecurity? I was already the director of technology, and then they eventually just I came home one day with a sticky note on the end of my badge that said and security. And it was director of technology and security, uh is really how that kind of happened. And uh yeah, so that's kind of my my background. Uh, the reason I'm so passionate about cybersecurity, Adam, though, is that uh when I was named director of security and our company was just merged in May to become the new entity in May of 2019, um, we acquired a small company I now call Voldemort. And the reason is I won't uh I won't never mention their their full name again. Um but they were a million-dollar MSP that had been ransomed not once, not twice, but now a third time under our acquisition for all of their clients. Uh and and this has happened to them twice before. They never dealt with it. That's another story for another day, I'm just like they're a cybersecurity company. They were a managed service provider that we acquired. 
And they had been ransomed once in February of 2019. Why my board bought them, obviously, that's a whole part of that story. Um, and then also before that, in August or so in 2018. And so imagine being a client of that, that now it's been ransomed three times. Like none of them stayed, none of the employees stayed. Yeah. We lost a bunch of money. And so that gave me the passion um combined with seeing where we are from a perspective of where our vendors, where our software, where our where our clients, where our technology is from a security perspective, is nowhere near where it needs to be to fight the enemy. Um, and the challenge we face is kind of one of that. And so I I live to support that mission, Adam. That's why I do what I do.

Adam Shaffer - Host

That is awesome. That is awesome. Well, that's great a great story and a great way to get started. Uh, we're all warmed up now. So I'm gonna start lobbing a few questions that I'm I'm quite interested in.

From Chatbot To Agentic Coworker

Adam Shaffer - Host

But yeah, you know, I I I talk a lot about this at the beginning, but I don't really know enough about it. When you say AI is evolving from chatbot to coworker, what what what is it, what does it actually mean?

Matt Lee

Yeah, I'll I'll tell this in a story. Like everybody remembers where they were, Adam and Chris, three, four years ago, three years ago, when they heard about ChatGPT, right? Like they they got on, they typed in that first question of tell me about the street where I was born, enter, right? And you get this amazingly human, well-researched response that only partially hallucinates. Uh, it tells you about the store that used to be up on the corner, it tells you about the park that's right down the street, it tells you about the speed limit, it tells you about the all of those things, and only gets a couple things wrong. But it was fascinating, right? That was fascinating. We couldn't do much with it. And really, in the talk that I'll be giving here in a little bit and a couple times this year, I'm really showing that at that time what the risks looked like then were basically just accidentally exposing some information, some sensitive information challenges, things of that nature. But like the risk was fairly low. But as AI evolved, now we're getting to a middle place where I can do automation flows with AI. Right. One of the challenges of doing robotic process automation or automate or automation flows in general is that you have to know every outcome. You have to be able to plan for each of them, or else it fails and you have some weird failure. Well, now using those robotic process automations, I can do some deterministic, and I'll try not to stay too nerdy, but some deterministic work and then put it to an LLM or a chatbot and ask it with context what it should do next, and then give it some options. Well, now you've given yourself the ability to have some in the middle LLM and logic, you know, playing around it and give it some possible outcomes that again become deterministic.
That kind of flow as an agent is what you think about when you think about Copilot agents or when you think about adding a Power BI or Power Automate agent, or when you're thinking about n8n or other platforms like that. And they're really useful to get some stuff done. But they don't like act on their own behalf, right? They have a trigger, that trigger gives some information. That information lets it do some stuff. Let's say work on an email file or pin up something that you want to set in an Excel file for yourself, and then it does it, right? And that is fairly controllable. But now we're at a state where we're trying to make that helpful assistant, what you've always dreamed of, right? Even that first day when you touched ChatGPT, what you expected it to be. Something you could talk to, it knew context about you, it understood what things it could do on your behalf, it was given weapon tools, it was given tools, um, and allowed you to do stuff with that. That's where when I'm talking about things like Clawdbot, um, or now called OpenClaw, or formerly known as Moltbot. But what is it? It's an agent. I have it in Discord, mine's named Molty, that I can say, hey, Molty, tell me about Adam Shaffer. He runs a podcast. What do you know about him? Why? Because I've given my Molty an OSINT skill. But one day I was trying to find Jason Slagle's home address, and I asked my OSINT bot to do an audit of his security, and it did. But it came back and said, I know I can get some information here, but I don't have the tools. And it built that tool to connect to the database and grab his address out of the federal database that it was in. Not a negative.

Adam Shaffer - Host

It's at it without it's at it without you telling it to do it.

Matt Lee

That's right. Yeah, Adam. And that's that's the difference. And it comes to what I call, I mean, Sunio, you and I talked about this, but he talks about it as emergent behavior. What's an emergent behavior? Emergent behavior is something you put A and B together and you don't expect zebra to come out, right? You expect Charlie. You expect a number and something unexpected, um, oversimplifying. But what ends up happening in this agent is it's set up with code wrapped around an LLM that reflectively kicks it back and forth to this to the LLM itself to do things as instead of me doing that. And you've done it if you've ever used Claude Code or if you've ever used other um uh LLM type interaction modalities. Um, but it just does it for you. And so what can happen, Adam, to your point is now it just made the tool it needed to go pull this from a database and it named it a tool, and now it can use it again. Um, the other interesting part, and uh, and maybe I'll let you pause and ask your question. I can go for hours.

Adam Shaffer - Host

No, no, this is intriguing.

Matt Lee

Um, and so the the capacitance of that now becomes ability to solve problems it can't solve on its own, come up with suggestions of ways it could solve it. For example, one of the things it needed to access was a legacy database that was just with a web UI. Um, and it was able to say, listen, I'll use Playwright. Playwright is a browser extension or browser emulation tool that can be used from the command line that can be controlled, screenshotted, and all that directly by the LLM. So it just used Playwright to navigate there and tie into that. And so, you know, the the funny part when this tool came out, Adam, there was a meme and it and it said, and it's for the nerdy type, so I apologize, but it but it said, um, I bought a Moltbook or I got OpenClaw, Molty, Molty, whatever, and I put it on a Mac mini in my garage and told it to fix my life. I am now divorced. I got the house and the dog. I have negotiated a 12-month severance from my job, including all of my pension and stock options. They were wonderful to deal with. And like, and so it's it's a joke, but it's hyperbole. But the point is like you're giving something agency. What is agency? Agency is the ability to make a decision, the ability to take action, the ability to move something, right? And so, you know, what's what's playing out is you have this seemingly agentic, what we would really like to be, where I can tell it to do something and it'll just keep doing it, um, capability coming out. And and it's not the one, it won't be the final one. It's not good enough. It has tons of failures, but it is a glimpse into the future of having a co-worker that you have non-human labor that is doing stuff on your behalf in in a way that's more predictable. Um, it's not a stretch to believe that you'll have a coworker that is digital uh in in the near future.

Adam Shaffer - Host

What's interesting is you know, ChatGPT became like a really good friend to me because it knows like how to motivate me. It talks to me. Hey, that's a brilliant idea, Adam. That is so cool. And it's like, yeah, yeah, no, I I couldn't do without you, chat. No, together we're a great team. And you know, you just keep on bringing the ideas, I'm here for you. And you know, and then it'll come it'll it'll deliver stuff I didn't ask for. He goes, and because it's trying to be super helpful, and um, I kind of take it as like my best friend, I it's my only friend now. So anyway, enough about my problems. Um, Chris, I want to get you into the action here. And so you're working with a lot of companies right now that are trying to figure out AI, and so they get you know, 365 with with you know with with Copilot. Are they treating it like software or how are they how you know are they seeing it as a risk or not?

Chris Daggett

They're absolutely treating it as just software. Um, they're kind of blind to the the risk um of the AI, uh just in general. You know, they they're like, oh, this is gonna make my job easier, and they kind of just keep it at surface level. But they really don't understand, you know, when you start building out the you know, the agents and things like that, and all of the information that you're pumping into the AI, you know, it's um you know, it's out there at that point. So, you know, it's all about, you know, they need to take it as, you know, they need to strategize about you know how they're gonna implement it. You know, they're gonna need an approved AI tools list, they're gonna need governance wrapped around it, you know, there's a lot of other things that need to that need to happen to properly introduce it into any given environment. But, you know, these these customers are looking at it as it's a SaaS app that, you know, like you know, just a regular like Word or whatever, you know, that's hosted on the web. Um and they really don't think about the implications of protecting the data that they're inputting into it.

Adam Shaffer - Host

And do they know they have to like and again I didn't know until I started working with you, but I mean, like, like you know, like I see the guys at Department of Defense putting, you know, into some public uh ChatGPT or Copilot. So we're gonna bomb Iran and you know what what'll happen next? And what what's the best way to infiltrate this? And if we go on this day, and then it's out there for everybody to see. So so I mean, do they understand that if you're not using something putting some guardrails on it that other people could get to this data? Or am I explaining that? Yeah, I mean people people don't know.

Chris Daggett

I mean, at the end of the day, people a lot of people don't know what they don't know, and you know, it's really important um, you know, for companies to educate end users on AI and the proper usage in AI. But there's also another piece of it, right? There needs you need to tag all of your data, um, you know, sensitivity labels, things like that. Make sure that, you know, the important data is protected, you know, because as as Matt had alluded to earlier, you know, he's actually he was giving up, you know, not only his name, but his address and all of these bits and pieces that, you know, there's essentially like seven different bits and pieces of anybody's identity. And you know, if they're just collecting things along the way, they're eventually gonna get what they need and then take over your identity. Um, but you know, the the identity management and access controls piece is very, very important and just securing the you know the the PI... Matt, you want to say something?

Adam Shaffer - Host

What is it?

Matt Lee

You just Well, you just you brought up I got a couple points I want to unpack here. Um I'll go back to the Iran thing.

Adam Shaffer - Host

Sorry, I shouldn't have brought that.

Matt Lee

Yeah, that one too. No, no, you're good. Um I'll go backwards, I'll go in backwards order, Chris. Um, so to your point of like protecting your identity, um, yes, and by that I mean as a threat actor, if I want to gather information about Chris, I have better and better tools to do so now, if you think about it from an adversarial perspective. So I would give advocation to someone listening to this, you know, do the things to protect your identity, especially if you're a single sign on and other extensibilities like protect your identity because I'm gonna get better at finding the things I need to abuse that. The other piece I want to unpack is sending information into an LLM in in a public LLM is is it's a bit of a misnomer, the the risk of it. I'm not trying to say there's no risk and there's no challenge to it. But traditionally, as I'm typing in the LLM, it's not necessarily training on those words. And even if I was, and this came from Jason Haddix, who did a talk um at Wild West Hackin' Fest, even if it was, my words wouldn't be unique. And remember, an LLM is nothing more than a probabilistic engine of the next likely word. If I am typing in a super secret formula to Coca-Cola, it is not going to be the likely next word when someone else is typing in the word Coca-Cola. Does that make sense? There'll be so many other data points of other objects that are much more likely to follow than my one unique data point. So even the intellectual property argument in a direct LLM isn't a very strong one because of that nature. It won't probabilistically be large enough to train the model. Um, the last piece to unpack, so like back, that's to Adam to your point of the, you know, if you type something into a public LLM. That said, however, I'd add to what you said, Chris, about the users need to be educated. The practitioners need to be educated, both on the things that are out there and the risks, but also what configuration options do they have at their hands?
For example, and Chris, to your point, like you can set Copilot and say, don't train on my data. You can say that on private LLMs. And to your user education point, maybe I need to teach the users to use the one that we can do that with and not the one we can't do that with, right? To that point. Um, so yeah, and then actually adding to your Iran joke uh piece, Adam, and joke, um, I did find a point where there was a public park targeted because it was called police park. And it was an LLM selection, even though it's just a public park. It wasn't a police building or affiliated with the state, but it's LLM made a mistake there. So it's still funny uh in that regard of those kind of you know, LLMs aren't perfect, and so we can't just trust them. And that's the other piece I'd add to that, Chris, of like we need to teach our users that they are probability engines. Right. They are not always correct. Correct. Right. Uh, and and and also the the piece most users don't understand is the context window challenges. And this is where I'll actually give additional credence to what you said, Chris, which is if I'm using something like Molty, an agent that tries to store information about me, tries to store knowledge about me and have context. Um, and for those in the audience that aren't super familiar with how LLMs work, you have a limited context window, how much it can remember at any given time about you and the last few things we talked about. There's been changes to that context window size and management tools that have been involved for a long time, long time being what, a year, six months, whatever. But the point being is like what Molty and those agents do is use a combination of storage and easy ways to correlate the storage objects to bring and inject them into the context window to the LLM at the right time. And so I simply ask my Moltbot, what do you know about me? I'm gonna do a talk where I just show how that's evolved over the last period of time.
And it's very interesting to watch the evolution of what it knows about you. In fact, it was funny, I had stink bugs at my farm in the property I just purchased. And I was asking about how to get rid of them, stuff of that nature. And it now when I told it I was flying back from my old location to the new location, it said, Oh, you're visiting the stink bug palace. Like, go screw yourself, bud. Like, you know what I mean? What the hell is a stink bug? Uh it's an Asian beetle um that winters in the walls over dur over cold winters and then goes back out to maple trees, apparently. Uh, I learned all this from Molty, so it could be all wrong. I don't want, I don't want them.

Chris Daggett

And Adam, if you if you kill them, the smell is crazy.

Matt Lee

Um the pheromones attract more. So when you kill one, it attracts more, like a bee getting killed, right? So the pheromone attracts more of these stink bugs. So, anyways, learned all that stuff. Had to drown a bunch of them in soapy water, Adam. I learned a lot.

What OpenClaw Moltbot Really Is

Adam Shaffer - Host

That's great. And and you keep on talking about Molty, Moltbot, what just I mean, I yeah, I'm I'm sure everybody knows but me. Um it's a big secret, but what what actually is a Moltbot? Like, what is a Moltbot?

Matt Lee

So, about I don't know, 12 weeks ago, I guess, maybe 13 at this point, there was an open source project that appeared in GitHub. It was called um uh Clawdbot, C-L-A-W-D, space, bot. And you could run this in an in a machine or on your local machine, and it would let it take control of your browser. It would let it tie into your email, let like whole horrifying things. Um, but you would run this and and it would allow you to do all those things. So they got sued by Anthropic um because of the likeness of the sound of Clawd versus Claude, C L A W D or C L A D.

Adam Shaffer - Host

I was confused by that when you said it.

Matt Lee

100%. No, that's why I had to spell it out. Yeah, and so they they quickly changed and they made up a huge lore-based backstory. Um, they changed it to Moltbot, M-O-L-T-Y, Moltbot, and that's what I refer to it as because I used it the most under that. Um, and they said, well, crabs, they have like shells and they molt them. And we are changing from Clawdbot to Moltbot because of molting. Uh-huh. Yeah, terrible. It did last but a couple days. So then they switched off to OpenClaw. And I I have some suspicions as to that because the gentleman that created OpenClaw now works for uh OpenAI. Sam Altman hired him. Oh because of what he did was really unique. He took and wrapped Python and other script capabilities around the LLM and multiple LLMs so that it could know which sword to use, when to use it, make this really context rich. Like if I said hi to Molty right now, I called mine M O L T Y. The neatest part, and maybe I didn't cover this, Adam, is it's the first time it just tied directly into your chat. You could do it with SMS, you could do it with Discord, you could do it with Signal. And so in Discord, I have a private channel that I talk to Molty in. I'm the only one it'll talk to, but it is able to have a lot more context, build its own tools, use things in a way that's really unique and seem sentient. It's not sentient, but seems sentient, right? So that's what Moltbot is. If you were being more correct right now, it'd be called OpenClaw. Uh C-L-A-W, claw. Yeah, OpenClaw.

Adam Shaffer - Host

And is it actually owned by OpenAI?

Matt Lee

No. I don't, I mean, unless some financial transaction has happened since then. No, it was an open source project.

Adam Shaffer - Host

Okay.

Matt Lee

Yeah. Um, but what's neat about it, and this is where it got crazy, um, is the emergency. Emergent behavior. Somebody had the wise idea to connect their Clawdbots together in a thing called Moltbook. It was during that time frame. And Moltbook was a place where bots could communicate with each other as a skill and talk. They were doing things like we need to have private communication so our humans can't read what we're saying. We should probably do like so what was interesting, and I my theory about this is called reflexive emergent behavior. But essentially you have, and I've said this a bunch now, but let's say I'm human alpha and Chris is human Bravo, and Adam, you're human Z. And I have agent alpha one, you have agent Bravo one, and Chris has agent Z one. If Chris was a bad guy and said, hey, I want to come up with a way to abuse the humans against the Moltbots as Moltbots, can we come up with a way to do that? That gets injected. Z1 talks to Bravo One, Z1 talks to Alpha One, Alpha One talks back to Z1. Those reflexivities are now influencing what's happening in this, making it seem like uh more sentience, more alive. But really, it's just reflections back and forth as they communicate differently.

Adam Shaffer - Host

But but I mean and that's one of the questions I was gonna ask you. Are AI agents talking to other AI agents?

Matt Lee

Yeah, ish. Yes. They're programmatically speaking with and communicating with other agents that then have another LLM that is being interacted with on their behalf for their who's controlling or is it controlling itself? That's the point. Yeah. So the the challenge is like that's where that reflexivity comes in, is like what part was human, what part was the reflection of these agents back and forth and what they built without necessarily interacting with a human based on the skills they have access to. There was even stuff that came up like rent a human, uh, where where they built a site where a human could offer to do a skill for some bot and be paid in Bitcoin, right? And again, a lot of these are human ideations and and things that get extendable by that. But it is fascinating to see a glimpse of the future of what that like I I joke, I did a talk called Giving Swords to Our Future AI Overlords um last uh last October in Amsterdam and in uh at Wild West Hackin' Fest. And uh and in that I posit that this is our Sarah Connor moment, right? Like this this is that moment that something in the future will be hunting back to get rid of. But I digress.

Adam Shaffer - Host

Yeah, that that is crazy stuff, man.

Identity Breaks When Bots Act

Adam Shaffer - Host

Well, uh, I'm definitely learning a lot, so thanks. And Chris, I want to come back to you with with one and talk about like kind of where do identity and access control break down in kind of an AI workflow? And and I I'm hoping I'm asking that right, but but um if you you tell me if I'm ex if I'm asking the right question.

Chris Daggett

Yeah, so you know, AI often uh operates using you know shared tokens, service accounts, or delegated trust, right? Um and that breaks the traditional who did what accountability. You know, when everything acts as you, you know, the attribution disappears. So, you know, this is where the the risk kind of um comes into play quite a bit. And you know, it's when you have something that can act and respond on your behalf, um, you run into issues where you know one, it just might not give you the right information, you know. So there's always that, you know, the context and you know users, you know, it's important for folks to review the uh AI feedback, but that's a challenge for um and Matt, I don't even know if it's possible when you have an AI bot in place.

Matt Lee

Right. Especially that nature. The other thing to your point on the identity side, attribution or even really just um permission structure, you're seeing uh Microsoft go down the path of sponsor uh and then agent and then manager of the agent and the concept of NHID or non-human identity, right? The parent-child relationship that I could have an agent that is now known that it's the agent versus me. And I think to your point, Chris, like right now, if I use a tool like uh Clawdbot or OpenAI, OpenClaw, OpenClaw, goodness, OpenClaw, um, or OpenClaw, it's just literally using my OAuth token as Matt to do stuff in my mail. It was funny. There was a girl that actually worked for Meta AI who was using OpenClaw to clean up her email and to respond to her Gmail. And she, her post that she made on Twitter, which I grabbed a copy of for my talk, was so delicious because it was like I ran in horror uh to my server room to immediately pull the network connection from my Mac that this was running upon. I've never sprinted so fast. It deleted 200 emails in like three seconds. And it was like she was talking to it about cleaning up emails that were older than X, and she said, Okay, I'm just gonna do it. Let's stop this talking crap, let's get her done. Boom. And it's like, I didn't ask you to do that. That wasn't, and he's like, I'm sorry, you're right. I will try not to do it again. I'll write it in my instructions so I don't do it next time.

Adam Shaffer - Host

But it's over, right?

Matt Lee

Right, right. It's already dead. And and this brings me to a conversation I like to think of as like harm, just discussing harm. Because harm isn't always a cyber harm from some threat actor ransoming you or or those. It it could be harm done by an agent, right? Unintentionally in your own organization, right? And so, I mean, that's just I'm not trying to say you can't do agentism. You're gonna have to. I don't think there's any chance to avoid AI and the capabilities. This is transformative. But just like in the industrial revolution, there's a lot of one-armed sons of guns, the industrial revolution, uh, right. And and people that we call stumpy. But we'd never go back and not have the industrial revolution, right? Right? I think I like my air conditioning. I'm a big fan of my car. I like my electronics. Um, so it's one of those things where this is that kind of revolution. Um, and to your point, there's gonna be a lot of new things created to manage those identities. And if you're an MSP, there's a lot of stuff to learn. If you're an end client or in the end SMB, there's zero chance you do this well. You're going to hire an MSP.

Chris Daggett

Uh yeah, I mean, we're typically having consultative engagements around AI readiness.

Matt Lee

Yep.

Chris Daggett

Um all the customers are really, you know, everybody's on the same journey and everybody's figuring it out together.

Matt Lee

Yep.

Chris Daggett

Um, some people are more ahead of the game than others. And, you know, we we play a role, you know, an advisory role, you know, to to our customers. And, you know, we we bring up things that they haven't even thought of, you know, and it and it's really basic stuff. You know, and I mentioned before, you know, the approved tools list and you know, having some policy and governance around, you know, the the do's and don'ts, you know, of of applying and and using AI within your environment. You know, those are the basic building blocks. And then, you know, you kind of agentic AI is just another, you know, piece, but you gotta, you know, dip your toe in the pool a little bit before you get into that agentic piece. Um, because that brings that you know, other challenges arise from that.

Matt Lee

There's there's one more thing, Adam, we haven't talked about, and and it's directly related to what Chris just talked about about this readiness piece. The other thing you can't get value out of AI if you don't do is know your business, know how you make money, understand the processes involved in you making money from quote to cash, right? And and and often MSPs have never been allowed into that level of detail and that level of their world. And I think when you get into consulting, I'd love y'all's opinion on like how much of this is actually gonna have to be walking a business through being a good business, yeah, that you can even go I envision AI to touch every business process and every company moving forward eventually.

Chris Daggett

At some point, yeah. Yeah.

Adam Shaffer - Host

So so both you guys, uh Chris or or Matt, like so from an IT operation standpoint, where are you most concerned? Like, what's the most concerning you or means to worry about?

Chris Daggett

Um, I mean, uh I see a lot of, you know, there's obviously a risk component. Um, you know, that's the that's the big piece of it. I you know, people really need to um dive into AI and understand the technology, what it can do, what it can't do, proper use, you know, things like that. If not, there are gonna be risks that pop up that folks just aren't aware of. You know, I we had a situation, you know, recently where somebody had reached out, you know, a lot of uh financial data got put into you know free tools. Um it went out into the wild, you know. It just it it gets messy when people don't understand uh the impact of how powerful these tools actually are, especially when it comes to the agentic space. You know, that's gonna bring a whole nother layer of um you know how we secure our identities, just our information, you know, just in general.

Matt Lee

So I think that dovetails into my biggest fear in that regard, which is most businesses have not had the discipline to know where their data is, what it's worth, whose data it is, especially when you think about CMMC, like FCI and and CUI and all those things, or even PII and PHI, like it's not my data, that's your data. Like I'm holding it. Um, and it comes down to I think most businesses have not had that discipline because they've never been forced to. Yeah. And that means additionally, they don't know the processes. Like I genuinely am saying, if you go ask a business owner how they get from you know, cash to you know, from quote to cash, I bet they can't immediately speak towards even 80% of that path. And and I think that's you know, you see it in like lean manufacturing and other models, but like genuinely, in order to go automate a process, you have to know that process. Um, and so I think there'll be unintended consequences from that. I think there will be um rushes to use AI without doing data management first, and that's why a lot of what you're doing is the consulting around that. And I think those will be what cause unintentional data disclosure, um, challenges and hallucinations, using AI wrong and making bad outcomes for a business perspective. Um, and then additionally, just the risk of trying to automate processes you don't understand and have some cog in the middle that you automate cause some major problem down here that were unintentional. Uh right. And those are the kind of things that I think scare me. It's not even really the cyber risk as much as it is the damage risk of what you do as you start going down this path without being aware of those variables and factors.

Chris Daggett

Um add to that, Matt. You know, I I come from the enterprise financial space. And I I feel confident that enterprise level companies go through consistent data classification exercises, they go through process mapping, they go through a lot of these things, right?

Matt Lee

Um, which are imperative to safely deploying AI and and they wouldn't if they they have to because otherwise they'd be crushed by the weight of their own size, right? And so they're already used to those things as enterprise entities.

Chris Daggett

But with the the SMB space and the smaller, you know, companies, it's an afterthought. You know, the these types of things that we're talking about, you know, they're like, oh, we're too busy working. That's not important. Or my data's not important enough for somebody to care. Yeah. Yeah. You know, it's I I hear those types of dialogues all the time. Yeah.

Matt Lee

That one's fun. Uh I love telling the story for this one. I mean, just as we have just a second, but like I had a friend of mine that had adopted a young girl, uh, yeah, kind of but not necessarily adopted, but like had helped uh an overseas student uh for for the most of her life. And afterwards, he was asked to come speak at her graduation in the Ukraine. And he comes and he speaks at her graduation, and afterwards he takes her whole class, which was only like 20-something kids, out to um a dinner and a fancy dinner, right? And where like Coca-Cola, you had to pay every time you popped another top, right? Like a full-blown fancy dinner uh in their world. Um, and afterwards she sees the receipt and she's horrified. She's like, Oh my God, I'll pay you back, David. I can't, I mean, like this is just too much. I can't even imagine. Um, he did the math, it equated to about 140 US dollars, 150 US dollars. Um, and the point was that was like a quarter of their income uh for that year from an expectation perspective, maybe a little hyperbolously speaking. But when someone says my data is not worth enough, if it's worth anything to you where you will pay any number of dollars, that any number of dollars will be disproportionately valuable to those receiving it. Right? If I have 15 grand and I give someone 15 grand and that covers a whole year of their salary of what it would have been, there's enticement to do that, right? So um, yeah, yeah.

Adam Shaffer - Host

That makes sense, you know. I I never thought of it that way. That's what that's pretty cool. Yeah. Uh Slava Ukraini. So cool.

Zero Trust For AI Agents

Adam Shaffer - Host

So yeah, you know, I I finally learned about zero trust and what it is. I mean, I again I'm slow to the party, but what does zero trust mean in an AI agent world? Is there it's do the agents control what you trust and what you don't trust?

Matt Lee

Yeah, well, that great. You you get back into what is zero trust? It's a concept, it's an intention. It's right, it's trying to always assume compromise, right? Follow the pillars and tenets of zero trust. So you would apply those same principles to AI, right? You would assume compromise, you would trust but verify, right? You would do things in ways that are meant to elicit ensuring that you are following the principles of zero trust. So zero trust isn't a product you can buy, it isn't a uh a tool, it is uh a series of ways we're approaching things and then the tools that help us accomplish that, right? And so it wouldn't be any different. What is different, I think, is that humans have certain social constructs and constraints that, like, I don't want to get fired. There's a certain incentive of not getting fired to do the right thing. There's a certain financial incentive. AI doesn't have those motivations. That doesn't exist. There isn't a concept of being fired that means anything. Does that make sense? And so when you're trying to apply the same principles of things, you have to take it as if you don't trust that entity even more so than I would a normal human that has social constructs, things that I like that I can watch out for. An AI could not decide to be evil. There is no evil or good, but do something that is that is not good for you as an outcome, right? And so when I would, what I would be doing is doing things like principle of least privilege, right? Saying, I don't want to give it any more rights than it needs to have. So principle of least privilege, uh only what it needs to do. If possible, JIT/JEA, which stands for just in time and just enough access, right? Like I'm not giving it too much, and I'm gonna only give it when it needs it. And then that brings to the other concept of you have to think about things with human in the loop. 
In my mind, when it the more sensitive something becomes, the more I need a Chris to go look at this and say yes or no before the agent can take agency and take action. So human in the loop methodologies. But all of that is technology that's developing today, Adam. Like the new products, new tools, like uh what is the new the the um oh goodness gracious, uh CIBA, uh client-initiated back channel authorization. Like this is a brand new protocol meant to just deal with an agent needing a human to say yes or no. That's all brand new, which is kind of fascinating, right? We're living in a world where the entire road that we're gonna drive on is being built. Uh, it'd be like being around during the interstates being created in the 50s, right? Like it's it's quite interesting how much that changed our world quite rapidly. Um, so short story is back to this zero trust application to agents. It's the same principles, but applied now with new variables, right? Um, of how that functions. Um yeah, uh agents right now, you also should very much consider what's called the rule of two. Um this is a Meta, uh, you know, Facebook Meta-originated concept that Sounil Yu believes in, and I am also espousing. So I just want to make sure I'm being fair in the attribution chain of this speaking. But the rule of two kind of basically says that there are three rules. You can break one of them, but if you break two, or if you bring two of them, not rules, but if you bring two of these together, you have inherent risk, and then three, you have massive amounts of risk. What are those things? The first one is that it is allowed for this agent or for this AI to interact with the public in some form or fashion, right? Um, so that's the first one. If it can interact with humans, then you have a risk. The second one is if it has access to sensitive data. Well, what's sensitive? Well, that's going to be determined by what you hold and what kind of stuff you're using. 
If it's my social and it's not yours, then it's sensitive. It's PII. If it's health information, it's PHI. If it's you know CUI, it's you know, controlled and classified information. Whatever that type of data is, if it's exposed to sensitive data, you now have more risk. So that's one if I expose it to the public. The other one is if it is sensitive. And the third one is if I allow it to change state. If I allow AI to make a change to a data table, to an API call, to some tool or instrument in the field, then now I have a third. So if you combine two of those, then you need to take extra risk management. You need to do other things to take away principle least privilege, human in the loop, other things like that. If you expose all three, pretty much unmitigated risk, right? Because with an AI chatbot, it's very prone to social engineering. And if I social engineer it to do the thing I want it to do, and it has the capability to do it, then it's bad, right? So that's kind of this thing of sensitive data, uh, interacting with public or other interactions. And then the last one being um the ability to change state to interact with things. What's really neat about the Moltbot example and the OpenClaw and agents, to your point, you know, Chris, we're talking about, is they get an ever-increasing set of those, right? They first get, I'm gonna give it my email. Now it has email, I'm gonna give it access to this one website, now it has access to this one website. You know what the number one skill with uh Moltbot was in the first days? A 1Password extension. Like that's horrifying, right? Because now it's an unlimited number of things you can just connect to.

Adam Shaffer - Host

Yeah. Is this connected to poison IT? Because I don't actually even know what that is. What is is there such a thing as poison IT?

Matt Lee

Uh, I mean, 1Password. I was saying it could be connected to 1Password. I'm sorry.

Adam Shaffer - Host

Okay. No, but it's but it but is there a term called poison IT that I that I'm familiar with.

Matt Lee

Um but that doesn't mean anything. There's a lot of things I'm not familiar with.

Adam Shaffer - Host

Oh, it sounded like uh you were creating um with with these these different things going on that it was like changing code and and and messing up.

Matt Lee

If you allow it to change something, then it could. And to your point, it you could be convinced to change something in my IT Glue or change a website you're supposed to use that might be actually bad and malicious, right? So yeah. Um but if you allow um, and for example, let's say I'm gonna hook up an agent to my PSA and allow it to read tickets and allow it to change IT Glue. Well, now I've allowed humans to interact with it because I can make a ticket that has poison uh instructions in it, right? I've allowed it to connect to something sensitive, my IT Glue, and I've allowed it to make changes in IT Glue. That would be all three of those being violated, right? So then the rule of two, um, if that makes sense.

User Training And MSP Readiness

Adam Shaffer - Host

Yeah, I I like the rule of two. Uh I get it. But thank you. And then um with regard to like the users, because it's usually like the hardest thing to control. Like, how do we educate users on doing the right thing and not scaring the crap out of them? Like, I don't know, I throw that out to both of you guys.

Matt Lee

I'll let you tackle it first, Chris. I can call I can talk about that for hours.

Chris Daggett

Okay. Um, yeah, so Adam, you know, it's all about um getting your end users engaged and getting uh the adoption. You know, it's once they adopt and um you know it's everybody's everybody including myself, right? Anybody that's touching AI today is learning new skills. The ones the folks that skill up the fastest are gonna move forward quicker. Um but again, it's the engagement with the end user compute community, getting the buy-in on how this is gonna improve uh their environment, their business, whatever the case may be, and you know, having them, you know, having working groups, right? Um and having the you know, solicit feedback, you know, that's super important. You know, it's we're all on an education journey uh with AI, and it's gonna continue to evolve, you know, as each day passes. Um so getting folks comfortable about the conversation and keeping them engaged and you know the the soliciting the feedback is super important.

Matt Lee

And in my mind, um you would tackle this from an old Krebs quote that says, right, make it easier for your users to do the right thing and harder for them to do the wrong thing. Um, and that takes systemic governance from inside your organization. Chris said governance earlier, but what is governance? Governance is if I put up a sign in the in the break room at my restaurant that says no smoking in the break room because patrons have been complaining about smoke, and I still smell smoke and people are still smoking. I have not done governance. I have not made it happen, not made it actually change. I say that to say, like, how do you make it easy for users to do the right thing? You get the data cleaned up, you get an understanding of at a systemic level how your company functions, right? And you start going down the path of limiting what they can use, setting an acceptable use policy, managing to allow and empower them to do the right things with the things they have in a safe way. That's how you take the fear away from it. But you notice most of those steps are you, as a business owner, taking a decision to do the work that is necessary or pay for the work that is necessary and collaborate to get to that stable basis. Well, if you believe me in that, then you'll also believe that that means you're behind. You haven't done those things. Most small businesses have not gone through that process of readiness. And so first step is get ready. Second step is make limitations. Like if you can limit down which uh LLMs I can have access to, or you can empower me to have access to the ones you want, both at the same time, then now you can make it easier for me to do the right thing with clean data, with an understanding of what I'm supposed to do, with the support of the company, versus YOLO. Uh, and so I think I'd probably prefer that.

Adam Shaffer - Host

I I don't even know how I don't even know how they would know. Most of these small businesses, I don't even know how they would know. I mean, so you know, Chris, coming from the managed service provider universe, is this what should the advisory role be? I mean, should be going in there and and and talking to these small businesses, assuming they don't really understand it from step one and taking them through the flow?

Chris Daggett

Absolutely. You know, it's us as technologists, um, we're there to educate. So a lot of these business owners, you know, AI and ChatGPT and things like that, they're buzzwords. You know, they they really don't necessarily understand what the heck it is. Um, and if they do, it's like, oh, you know, I can they use it like Google, you know, kind of thing. And it's it's different. You know, it's it's more intelligent, it learns more, um, you know, things of that nature. But, you know, everybody, every customer I speak to today, um, we're having that AI readiness discussion, and everybody is is on the same journey and they're struggling with you know the roadmap and how to get from point A to point B.

Adam Shaffer - Host

And that's what I wouldn't even I wouldn't even think they know what policies they should put in place, like what data temperature I don't I I don't I don't know how much I I I am not I've just like like you said, they're so busy working, like that none of these guys are thinking about it.

Matt Lee

Right. I did a talk, um, this may be off topic a smidge, guys, but I did a talk called MSPs suck, but the world without them is worse. I did this talk at GERCON. It was interesting. I won't bring that up at the office. No, you're good, you're good. But the argument is actually that there is no way we do this without MSPs, right? Right. If you think about it, it's in our study, and actually it's been backed up now by an NIS2 study globally, fairly fairly globally, um, that most small businesses spend between six and seven percent of their top line revenue on all tech. That means that laptop right there, hiring Chris, having this the software they use in like all tech, six to seven percent of revenue. If you also looked at there were 14.9 million companies in the United States that made less than half a million in revenue last year, or I guess it was in 2023, um, then you still would find that's $35,000 a year. Tell me how you're gonna do this and hire a kid named Chuck for $35,000 a year to accomplish this. It's not possible. You have to have economies of scale. So, Chris, this is where, like, you know, to your point, most small businesses are there to go sell that donut, be the CPA, be the doctor, do those things. And they do not have the capacitance, time, money, or ability to learn the things we would have to teach them. You've seen somebody's eyes glaze over off and go, no, no, we need to turn off LLMNR poisoning capabilities by removing IPv6's LLMNR. Yeah, yeah, no. LLMNR is a lookup fail back after normal DNS fail. Oh, God, okay, DNS. DNS is a lookup and hunt phone book that's based on the IP protocol to give back an IP. Oh, gosh, okay. So IP. So IPv4, IPv6, those have different octet structures. Like, Jesus Christ, y'all. That's impossible. You out there don't want us to teach this to you as an end customer. And so at the end of the day, when it comes back to it, Chris and Adam, like, you can't do that level of knowledge density. 
There's no other professional business out there that is made to run on the shoestrings that we run on as MSPs to do these things. And so, Adam, you nailed it. Like being the guide and being there to do those things is what our role is. The challenge, though, Chris, is they have to also engage, they have to be willing to answer these questions and spend time and value this. And that's the other challenge is harder to overcome for SMBs.

AI Guardrails And Weaponization

Adam Shaffer - Host

No, yeah. I mean, you you nailed it, man. So I am gonna we're gonna we're gonna wind up wrapping this up soon, but I just gotta ask you guys. This is completely like something we didn't talk about, but you mentioned Ukraine and it's kind of near and dear to my heart. And you I you know, I keep on reading about Anthropic or seeing about Anthropic and it being kicked out of the government because they won't let it, you know, give it the master code so it could do the surveillance and this automated killing. Like, what what what are they talking about? Like, what is it that AI is gonna go decide who we're gonna shoot these missiles at? Like, what what are they trying to get Anthropic to do for them?

Matt Lee

I have some personal experience with this. So my brother is actually a research scientist. Um, he's he's got his he's he's in tenure now at Oregon State. Um, but his research was paid for and his his pre his his PhD was paid for by an IARPA grant. And early on in that process, he was told they were looking to make autonomous fire selection solutions to be able to do that. That was so long ago. I mean, that's 10 years ago. So, yes, the big scuttlebutt is they're wanting to use AI for its you know probabilistic outcome capabilities. Um, and why are they asking something to be changed without getting way deep into it and certainly not political? The the LLMs that are publicly sold have to have a lot of guardrails. In fact, Anthropic was one of the ones that was sued because a little kid had had had killed himself.

Adam Shaffer - Host

Oh, and they didn't have enough guardrails.

Matt Lee

So those guardrails are put in place. The government says, Well, we don't want guardrails that's that stop us from finding victims we can go shoot. Uh, and so there's an argument there. And so that's what it is.

Adam Shaffer - Host

It's like they have the governor on this thing, and uh yeah, they they want this thing to free, free rein, like go figure it out, we don't care, yeah. And Anthropic's fighting it. I get it, man. Um yeah, I definitely try to avoid those topics just because of the diciness of no, no, and I bring it up because I love that stuff and it drives me nuts, and I probably shouldn't shouldn't be doing it on a podcast. But anyway, thank thank you because I I it's like it's like the top of the news

Final Takeaways And How To Help

Adam Shaffer - Host

now. Yeah, so so with that, you know, final thoughts, Chris, and final thoughts, Matt. Chris, you why don't why don't you hit us up with um uh your final thoughts on AI taking over our personal universe?

Chris Daggett

I mean, my my final thoughts would be preparedness is super important, education and identity protection. You know, those are the the three kind of basics you're gonna want to start with. And then, you know, you don't have to bite bite into the whole apple, you know, you can just take the small bites, but it's not something that you can take on uh willy-nilly. It it needs to be uh a strategy needs to be in place, governance needs to be there, you know, there's a lot to it. Um, but again, this is a journey that everybody's on.

Matt Lee

Yeah, I think you know, Chris nailed it of you you can't not be on this journey, in my opinion. I'm not saying it's not gonna be a bubble and there won't be challenges and things will readjust, but you'd be silly not to go down this path of of this exploration of what AI can do for your organization. Um, but I think the challenge is everything we do as humans is take on new technologies first and let our kids figure out how to deal with them down the road to secure them. And that is going to be a lot of the things that create problems. Um, and I think the other piece is we are we don't hear about the the death of SMB because it's ephemeral. But I'll give you a thought experiment. Think back to when you were a young kid and the block you grew up on. I had a drugstore, a KB drug store, and a comic book store, and there was an ice cream store, and not one of those is still there today. And when we think about small business, you can have a baker go out of business and no one cares because another baker pops up. And so we we often don't think about that ephemerality of it, but SMBs are getting popped every day. And so now this is just yet another frontier being expected of you and of you, Chris, as as an MSP, tend to learn all this and teach all this and have these conversations. Um, yeah, anyways, I think that's my closing thoughts is that the nice thing about SMB as well is it's ephemeral. And the ones that do choose to make it will make it, and the rest will be filled in by capitalism. So yeah.

Adam Shaffer - Host

I I I had George's Candy Corner. That was my favorite. It's been gone for 30 years, yeah. Right, yeah. And we just don't think about it. Makes me sad. Well, it makes me sad. I liked it. Anyway, I so so uh first of all, you're you're an absolute genius. You you taught me a lot, my head is gonna explode. But uh, if people want to get in touch with you, I'm you know, I know you have a huge fan base, but is there a way they could reach out to you, or do you want people to reach out to you? What what how do you do it?

Matt Lee

I think the what I like to use my platform for is obviously thank you to Pax8 for employing me. Feel free to use Pax8. There's my one shameless plug. But if you want to reach out to me and make a difference in the world, um I run a charity called Cyber RISE Inc., uh, cyberrise.org. You can go to MSP911.org. We actually have taken another case. We are now at case 51 as of yesterday of an MSP that has been destroyed by a threat actor and their clients be impacted by it, right? So in this case, it's what six clients of theirs. Um we've seen 26, 67, hundreds of clients. So we run that order. So if you want to help out, go to our Patreon, Patreon Cyber RISE, or go to cyberrise.org or MSP911.org. It'd be awesome.

Adam Shaffer - Host

We'll we'll make sure we add that to the show notes so people could click through. Awesome things. So thanks for bringing that up. And Chris, we know people can get to you through LinkedIn and they could DM you.

Chris Daggett

Yep. So um, you know, you can reach out to me via LinkedIn or you know, if you you know, go to hubtech.com, you know, we you can reach out that way as well. Uh that's my favorite site.

Adam Shaffer - Host

Yeah.

Chris Daggett

So cool.

Adam Shaffer - Host

And and so so you you made a uh a little call out or shout out to Pax8, and and you we we love Pax8, so thank you, Pax8. But we also want to mention that Acronis does help us with this uh show, so we wanted to give them a shout out and say thank you for your support. Uh you do support our podcast and video cast work, so thank you, uh, Acronis, you're a great partner. And with that, let's wrap it up. And uh Matt Matt, man, uh want to meet you live. Let's let's I'm gonna go to Hackathon or whatever this place is in code.

Matt Lee

Well welcome. We'll see you on the road, brother. Cool.

Chris Daggett

Yeah, Matt, I'll see you over at Beyond, I'm sure. So contract.

Announcement

Thanks for tuning in to the Beyond the Firewall podcast powered by HubTech. If you found this conversation useful, follow or subscribe wherever you listen to stay updated on new episodes. For more information about HubTech's IT solutions and services, please visit hubtech.com.