At KB4-CON 2026, Greg Kras, chief product officer of KnowBe4, presents the company's approach to managing human and agent risk through artificial intelligence (AI), including AI Defense Agents (AIDA) and shadow AI discovery. Scott Hebner, principal analyst in AI at theCUBE Research, moderates the session and explores how long-term behavioral data informs automated personalized security programs.
Kras reports that AIDA orchestration yields measurable improvements, producing about a five-point reduction in risk score, approximately a 15 percent decrease, achieved with less effort. They emphasize three pillars of visibility, accountability and control for managing agents and shadow AI. Hebner notes that trust and governance shape enterprise AI adoption and that organizations must balance empowerment with oversight as agentic workforces scale.
The discussion addresses human risk management, agent risk management, agentic AI, behavioral analytics and strategies for automated personalized security programs to support enterprise cybersecurity and security awareness initiatives.
Watch the session for practical guidance on implementing AIDA orchestration and managing human and agent risk.
Greg Kras, KnowBe4
>> Hello everyone. Welcome back to KB4-CON here in Orlando, Florida. And the conference is off and running here and thousands of people. It's been great so far and we have our next guest here, Greg Kras, who is the chief product officer for KnowBe4. Welcome.
Greg Kras
>> Well, I thank you very much for having me. I'm glad to be here.
Scott Hebner
>> Yeah, no, we were just having a great conversation about we go back to dial-up internet, OS/2 Warp, and WebSphere, huh?
Greg Kras
>> Yeah. Honestly, we spent more time talking about the, I don't know, good old days, but the old days. It was a lot of fun actually to remember some of these technologies and see where those have gone and just look at the corollaries with today and all of the changes that are happening. They're just happening a lot faster than they used to.
Scott Hebner
>> Yeah. It's like we've seen the same movie before, just different characters.
Greg Kras
>> Yeah. And faster. And faster. I mean, I was there for the adoption of the internet, the adoption of the cloud and now AI, but it's faster and getting faster.
Scott Hebner
>> Yeah, you're right. And the more it empowers people to do more, coding's become a whole new thing and software as a service is being dismantled into agents and it's just going to speed up, isn't it?
Greg Kras
>> Oh, it's ridiculous. I've got people on my team now that are coding that didn't know what a terminal was three weeks ago and I'm not exaggerating. They literally had never done terminal and now they're making their own interfaces.
Scott Hebner
>> It's crazy, isn't it?
Greg Kras
>> It's great. I mean, it's exciting. It's terrifying. I'm glad I'm not in the IT department.
Scott Hebner
>> Yeah. Well, good. I mean, I think the experience is key to keeping everything on track and all that. With the word experience, so you've been at KnowBe4 a decade or so?
Greg Kras
>> Let's go with or so. A little over a decade now.
Scott Hebner
>> A little over a decade.
Greg Kras
>> A little over a decade.
Scott Hebner
>> So why don't you tell us a little bit about, particularly the part of the audience that maybe new to KnowBe4, a little bit about the history of your portfolio sort of up to where we are now and then we'll talk a little bit about some of the newer offerings.
Greg Kras
>> Okay. Yeah, certainly. So when I started, the world was just SAT. It was simulated phishing and training. That's what we started with. And frankly, I had to educate the market as to why that was okay and show the value. And now it's a given. It's table stakes that you go, what's your phish-prone percentage? What's your risk score? This is very normalized out there in the space, but we started off with just this idea of what percentage of your users are going to fall for a phishing test. And I can tell you, honestly, 10 years ago people would guess 5%, no one. And then we'd say, "Okay, let's try with a hundred users." And the average was 35%. And then they're like, "No." And we're like, "Yeah, that's a problem." And that's how we started. We started with that. I think we had three pieces of training content compared to 1,800 now in 34 languages. So just perspective wise, we've sent billions of phishing tests. So it's evolved. I mean, that's still a core tenet of what we do is we're I think of myself as the human is the endpoint for me. Talking about existing for a long time in the space in a prior lifetime, I've had several. I did endpoint security, right?
Scott Hebner
>> Yeah.
Greg Kras
>> So when I started working at KnowBe4, it took me a little bit when I realized, oh, I still have endpoints. They just happen to be... These are endpoints walking around behind us. They're endpoints. I mean, they're humans, they have names, they're super fine, but I'm still securing them. And what's really cool is I can teach them. So before AI and everything, I actually could just work with traditional intelligence. I just had to elevate people up and that's how I started and that's what we're doing.
Scott Hebner
>> Yeah. So you've gone from security awareness training into human risk management, right? And now you guys are into the hybrid human AI agent workforce, digital workforce, if you will, and how to reduce the risk there, right?
Greg Kras
>> Yeah.
Scott Hebner
>> And that's been sort of the uber evolution.
Greg Kras
>> Yeah. We started just on the one side. Then we got into the broader scope of like, all right, what are the intersections with the human and the technology? And now with agentic and agents coming out, you run into these people that have agency who's running these agents, what are they doing? And then as we continue on more and more, the agents are running without as much human in the loop, which you've got to know when that's happening. And ultimately it's all going to roll up to a human somewhere, but someone's got to keep track of that and that falls well into our wheelhouse of what we know and how we operate. So that's why we're doing things with agent risks.
Scott Hebner
>> Yeah. Everyone's going to become sort of a manager and they're going to be managing a team of agents, but they're ultimately accountable. But you also have to know what the individual agents are doing and make sure they're secure.
Greg Kras
>> The fact that agents can beget agents, it becomes very interesting. If you think of traditional human staffing, you usually know when you have a new person on your team, but with agents, an agent could spin up another agent or ingest an MCP that may or may not be what they should be doing. So it's interesting. It's interesting times for sure.
Scott Hebner
>> Well, I love the theme here. I mean, sort of your words, but also my words, which AI powered, grounded in trust. And I would add built on, what, 10, 15 years of behavioral data from 70,000 organizations, 100 billion, whatever the numbers are, like a huge history of how to do this that just gets smarter and smarter as you apply AI, right?
Greg Kras
>> Oh yeah. Honestly, yeah, we've had training for over a hundred million users at this point, billions of data points. We understand what those intersections are like and we're able to use that knowledge to understand what's going to happen in the market and how are people going to interact with these agents. And so we're ready for that.
Scott Hebner
>> Yeah. We had a whole deep conversation with Matt. So anyone who's interested in that. So we talked earlier, but let's talk products. So one of the newer parts of the portfolio is AIDA, right?
Greg Kras
>> Yeah.
Scott Hebner
>> AI Defense Agents. So tell us a little bit about that offering. It's pretty new, right? Within the last year, a little longer than.
Greg Kras
>> All right. We're really going to go back, we launched AIDA as a beta back in 2016. We've had this idea of doing AI in the product way before the LLMs became capable of doing these things. So really AIDA started to launch late '23, early '24, we started doing individual agents and they were kind of like point solutions like build a template and could do a wonderful job of building a template, build a landing page, give me content suggestions. Really though, the most recent one that's been the most exciting and it's relatively new, is what we call AIDA orchestration and that is running all of these things together. So the confluence of these individual point solutions now under an agent that can actually administer your program and it is wild what this thing has been doing. We're already seeing and the numbers are still rolling in. It's continuing. We haven't seen a plateau as far as how much of a delta, but I believe we're sitting at 5% now or five points better, which is actually closer to 15% reduction in risk score for customers that are using Orchestrator. And the crazy part is it's less effort. So better results with less effort starts to become a bit of like a, okay, what's the catch? It's not really a catch. Nowadays, everybody has had to come to a realization that traditional running of a security program is a compromise. It's a compromise of every human, every person that's walked past, they're different and you want to interact with them differently. And I don't care how good you are with your coworkers or your employees, you don't know them all, you don't know what they're going to be up to, but you want to make a program that's accustomed to them and that's what AIDA orchestration's capable of doing. So AIDA has been on a tear getting out there.
Scott Hebner
>> That's great. Yeah. So it's sort of the extension of your risk and security team. They now have agents working on their behalf to help defend the company by helping the employees, both the agents get trained and the humans get trained and do the scores and the scores aren't about rating people per se. They're about giving you advice and recommendations on how to protect yourself and all that. So it basically extends your team.
Greg Kras
>> Absolutely. Yeah. AIDA is the extension of the team and you're absolutely right. In fact, AIDA's key tenet is risk score. It's looking at risk score and some of the risk score has got nothing to do with what your behavior is or anything. It's literally... It could be based off your blast radius. If you get compromised, what's going to happen? And you don't get to change that. That's just the way that that works. So it's an interesting thing when you start looking at how AIDA is working to help your organization be more secure.
Scott Hebner
>> So let's now pivot to the newest of the family, which is the agent risk manager.
Greg Kras
>> Yes.
Scott Hebner
>> Tell us a little bit about that, because that's sort of the other side of the coin maybe.
Greg Kras
>> So that's the evolution, right? So everything, this has been talk about interacting with humans. Now we've got agents, right? And probably the number one thing you see out there is like, how many agents do you have as a company? What are those agents? What have those agents been given in the way of data? Are they authorized? Are you putting PII in those agents? Where are you adding in MCP? The amount of questions now that people have probably outweighs the answers and that's where agent risk management comes in, your agent risk manager, which is what's out there so that you can identify these things. You want to be able to, like this week we announced that you could start to see shadow AI, right? Or do you have someone that found a cool tool that may not be sanctioned for your organization because that's what's happening, right? You've been in this space for a long time. People find a way. They'll probably use different browsers. Do you remember the browser wars?
Scott Hebner
>> Oh, I do.
Greg Kras
>> Everybody had a browser, right? All the different browsers. So people would go find like, "Oh, no, I'm a big fan of..." I don't even remember all of them now.
Scott Hebner
>> And all the open source ones.
Greg Kras
>> Yeah. And they would just install their own because this one was cool. Well, same things. It's just happening now with agents. People are like, "Oh, yeah, I'm super into..." I don't know. I can't even keep up with all the different names of them because-
Scott Hebner
>> And all the specialized ones that...
Greg Kras
>> The specialized ones. Yeah.
Scott Hebner
>> Yeah. No, I think if we look back at that time period, the browsers were essentially the gateways into the world, the internet and eventually is how you built around it.
I think the LLMs today are the gateway into AI, the value is going to be how you build an architecture around it. And to your point, just like we had browsers all over the place and permutations all over the place, you got the same thing going on here with the LLMs and I think what's really different with the AI era compared to cloud and client server and IoT is that part of the value problem is empowering everyday workers to build their own agents. So this announcement you made around the shadow AI I think is in much need.
Greg Kras
>> Yeah. Because right now as a company, you're going to not do well if you shun AI because your competition is going to just eat your lunch because they've got this superpower. But same thing applies if you just open the doors without having any governance or control, you don't know what's happening in there. So you've got to be able to identify these things and take action on that.
Scott Hebner
>> So over the last couple years as you've been building these two digital workforce offerings, what jumped out at you? What surprised you that you didn't think was going to happen when you started it?
Greg Kras
>> I think it's fast. It's fast. I think the speed at which this changes and the perspective that people go through of like, oh, I don't really... I use AI, it gave me a good recipe to... I've got a person on my team that built a whole new front end for Jira that didn't know how to code at all. The speed at which people are able to move and then just the way that the market's moving towards that and the empowerment that organizations are giving to be able to do this and just the evolution. So I think the thing that surprised me... I've been watching the same movie multiple times over and over it feels like, but I think that this one is the speed of evolution and the fact that we're not done. We're still on an acceleration curve-
Scott Hebner
>> Yeah, we just started, huh?...
Greg Kras
>> for this AI.
Scott Hebner
>> Yeah. Yeah. We're in the browser era of e-business and that rolled out for well over a decade.
Greg Kras
>> I remember.
Scott Hebner
>> There's still innovations today around it.
Greg Kras
>> Exactly. I mean, you had to have things that came out. I mean, I remember payment processing was like a big deal to be able to do that and the way that that worked. I mean, I used to write back ends in Perl to manage payments back in the day if we want to go old school. So I'd say yeah, that's probably one of the biggest ones is the speed of this particular one and the adoption and just I guess people getting to discover things that they didn't realize were out there like in the threat landscape. I mean, actually again, same book, just a different set of characters. We were launching SAT as a concept and really bringing out like, "Hey, what's your phish-prone percentage?" And people are like, "I know probably three, 4%." You start running something like agent risk manager like, "Okay, how many different AI applications does your organization use?" One or two. Okay, you forgot the word dozen because at the end that's what you start when you start discovering that you go, "Oh, I had no idea that we were doing that." It's like, okay, well this is what's happening. It may be okay with you, but you can't measure it and you certainly can't control it and protect it if you didn't know it even existed.
Scott Hebner
>> Yeah. And that environment, trust... If there's one word to define the state of enterprise AI today, I think it is that word trust. And I think in the world of AI, trust is a compounding... So you don't want to fall too far behind because it may be really difficult to catch up as these things just become widespread across your organization and ever-changing, which brings me to something that you've been out talking a lot about, which I think of as the facets of visibility, accountability and control.
Greg Kras
>> Yes.
Scott Hebner
>> So let's talk just quickly, we'll go through each one of these a little bit about the visibility part of it. And I think the shadow AI is an example.
Greg Kras
>> That's probably the best example, honestly, like the whole nature of shadow AI, shadow IT, shadow, if you can't see it doesn't exist. You can do none of the other items. So by being able to actually see items that you had no idea existed, that's a big part. That's something that this week we literally announced, added that in because it was obvious as we started to use this and we started getting people playing with it, we realized they didn't know what they needed to look at. We're like, "Well, we could probably help with that." And so as we started to pull back that, we went, "Here's all of the interesting items that we are discovering that's being used in your organization." And that's a bit of an eye-opener. Yeah.
Scott Hebner
>> You have to know the problem before you can fix it. So get the visibility and continue to track it.
Greg Kras
>> Exactly.
Scott Hebner
>> For all the points you just made, which is it's so rapidly changed and so many people are empowered to get their own stuff that like a shadow AI becomes critical. So the second part is the accountability, just like humans are accountable.
Greg Kras
>> Oh yeah, that's going to be an interesting... We're going to hear about that a lot where it's like, okay, the agent just bought a pizza so who's responsible for that? Ultimately, it's the human somewhere, but it becomes interesting when you start doing, particularly when you get into the shadow AI or you get into the agents begetting agents, somewhere upstream, there's a human that was responsible for doing that. I can tell you it's not going to be, just like the ISPs aren't held accountable for the traffic that goes through them and the hosting services, they'll do best effort. Same thing's going to happen with the large language models and those providers. Look, this is a tool just like a hammer, a chainsaw, like these are tools.
Scott Hebner
>> Browser.
Greg Kras
>> Yeah. So a browser, exactly. So just because you got some sort of a weird drive by download with your browser, yeah, some browsers are better at it than others, but it's not the browser's accountability at that point. It's the person that was using the browser.
Scott Hebner
>> Customers have to start to think about digital HR. People have to have permissions, they have to have a badge, you're accountable, performance, all those attributes and especially like you said, when you start having agent to agent, you mentioned MCP and all that, you got to be able to track all that, right?
Greg Kras
>> You got to be able to... Yeah, it's a fascinating thing to get. And again, we, I believe are both human. So we think about things on human terms, but you have to look at what the agents are doing and they're goal and task driven, right? They're outcome driven. People are too, but we have certain limitations, right? We can only read so many documents so quickly. We can only execute so much code, right? We also can't spawn a thousand sub-agents very quickly. Yeah, that was a joke about how long it takes to-
Scott Hebner
>> Yeah, you can't go hire a whole team overnight.
Greg Kras
>> Yeah, I was going to say, I mean, the mythical man month is truly a thing. So ultimately at the end of the day, you do have to change around that, but it still is an agentic workforce that we're talking about.
Scott Hebner
>> How about control? Third facet.
Greg Kras
>> Yeah, that's the one that we're getting into. And that's something also we have where you could say, look, this is the type of data that you can use with this particular... This is an approved vendor, right? When you start talking about sensitive information, customer information and of course that's regional at a global level, GDPR for some places and then other HIPAA here in the states, all of these things you have to look at what are you going to allow to go in there? Agent risk manager is around that, right? Identify it, identify who's running it and then be able to put in policies, put in policies that actually lock down what you can use and what you can't do, but at the same time still allow you to have it and perform in this new workforce.
Scott Hebner
>> One last question before we wrap.
Greg Kras
>> Okay.
Scott Hebner
>> I told you it'd be the quickest 15, 20 minutes of your day.
Greg Kras
>> Okay.
Scott Hebner
>> Where's this all heading? We're sitting here next year, maybe 2028. What do you envision? Where's this portfolio heading? And I think we talked a lot about the rapid change. A lot of it is we're going to have to wait and see kind of thing, but just continuing to build out agents that are going to do more and more of the work and complementing the humans. Is that...
Greg Kras
>> How long do we get to answer this question, right? Because I mean...
Scott Hebner
>> A minute.
Greg Kras
>> One minute. Where do I see this? Unrecognizable. It would be my short term. I think that that's where we'll be saying it. You're going to look at it and you're going to say, "Wow, that was silly. Remember a year ago we were talking about this and we're doing this?" Everything's going exponential. So if I'm adding one or two things to the portfolio this year, I'll probably add four or five next year. I'll start looking at the other areas that we have the data and that we can continue to add into our platform. I'm accelerating as well, right? The using of AI, my team is significantly more productive being able to use these tools so I'm able to put out more. Engineering's the same way. So I think that I'll probably do in the next 12 to 16 months the same amount of output that I did in the last six years.
Scott Hebner
>> And you'll still be expanding on that massive database of behavioral...
Greg Kras
>> And using that information, right? That's why I do what I do. I actually like... I'm helping every single person that's walked behind me as we did this interview, my job is to help them, help their people and it's all transferable skills. These are all things that people get to use in their lives, whether they're at home or not and protecting them and protecting the organizations that use them.
Scott Hebner
>> It's been a great conversation, Greg.
Greg Kras
>> Yeah. It's been a lot of fun.
Scott Hebner
>> I appreciate you being here talking about the good old days of dial-up internet and browsers.
Greg Kras
>> Yeah. I could do it unfortunately more and more as I get older, but I got to go things. Yeah.
Scott Hebner
>> I know. All right. Well, thank you all for taking your time to be here. We are at the KnowBe4 Conference, ninth annual KB4-CON and we're going to be wrapping it up here for the coverage by theCube. Thank you again for tuning in. And Scott Hebner, we'll talk to you soon.
>> Hello everyone. Welcome back to KB4-CON here in Orlando, Florida. And the conference is off and running here and thousands of people. It's been great so far and we have our next guest here, Greg Kras, who is the chief product officer for KnowBe4. Welcome.
Greg Kras
>> Well, I thank you very much for having me. I'm glad to be here.
Scott Hebner
>> Yeah, no, we were just having a great conversation about we go back to dial-up internet, OS/2 Warp, and WebSphere, huh?
Greg Kras
>> Yeah. Honestly, we spent more time talking about the, I don't know, good old days, but the old days. It was a lot of fun actually to remember some of these technologies and see where those have gone and just look at the corollaries with today and all of the changes that are happening. They're just happening a lot faster than they used to.
Scott Hebner
>> Yeah. It's like we've seen the same movie before, just different characters.
Greg Kras
>> Yeah. And faster. And faster. I mean, I was there for the adoption of the internet, the adoption of the cloud and now AI, but it's faster and getting faster.
Scott Hebner
>> Yeah, you're right. And the more it empowers people to do more, coding's become a whole new thing and software as a service is being dismantled into agents and it's just going to speed up, isn't it?
Greg Kras
>> Oh, it's ridiculous. I've got people on my team now that are coding that didn't know what a terminal was three weeks ago and I'm not exaggerating. They literally had never done terminal and now they're making their own interfaces.
Scott Hebner
>> It's crazy, isn't it?
Greg Kras
>> It's great. I mean, it's exciting. It's terrifying. I'm glad I'm not in the IT department.
Scott Hebner
>> Yeah. Well, good. I mean, I think the experience is key to keeping everything on track and all that. With the word experience, so you've been at KnowBe4 a decade or so?
Greg Kras
>> Let's go with or so. A little over a decade now.
Scott Hebner
>> A little over a decade.
Greg Kras
>> A little over a decade.
Scott Hebner
>> So why don't you tell us a little bit about, particularly the part of the audience that maybe knew to KnowBe4, a little bit about the history of your portfolio sort of up to where we are now and then we'll talk a little bit about some of the newer offerings.
Greg Kras
>> Okay. Yeah, certainly. So when I started, the world was just SAT. It was simulated phishing and training. That's what we started with. And frankly, I had to educate the market as to why that was okay and show the value. And now it's a given. It's table stakes that you go, what's your fish prone percentage? What's your risk score? This is very normalized out there in the space, but we started off with just this idea of what percentage of your users are going to fall for a phishing test. And I can tell you, honestly, 10 years ago people would guess 5%, no one. And then we'd say, "Okay, let's try with a hundred users." And the average was 35%. And then they're like, "No." And we're like, "Yeah, that's a problem." And that's how we started. We started with that. I think we had three pieces of training content compared to 1,800 now in 34 languages. So just perspective wise, we've sent billions of phishing tests. So it's evolved. I mean, that's still a core tenant of what we do is we're I think of myself as the human is the endpoint for me. Talking about existing for a long time in the space in a prior lifetime, I've had several. I did endpoint security, right?
Scott Hebner
>> Yeah.
Greg Kras
>> So when I started working at KnowBe4, it took me a little bit when I realized, oh, I still have endpoints. They just happen to be... These are endpoints walking around behind us. They're endpoints. I mean, they're humans, they have names, they're super fine, but I'm still securing them. And what's really cool is I can teach them. So before AI and everything, I actually could just work with traditional intelligence. I just had to elevate people up and that's how I started and that's what we're doing.
Scott Hebner
>> Yeah. So you've gone from security awareness training into human risk management, right? And now you guys are into the hybrid human AI agent workforce, digital workforce, if you will, and how to reduce the risk there, right?
Greg Kras
>> Yeah.
Scott Hebner
>> And that's been sort of the uber evolution.
Greg Kras
>> Yeah. We started just on the one side. Then we got into the broader scope of like, all right, what are the intersections with the human and the technology? And now with agentic and agents coming out, you run into these people that have agency who's running these agents, what are they doing? And then as we continue on more and more, the agents are running without as much human in the loop, which you've got to know when that's happening. And ultimately it's all going to roll up to a human somewhere, but someone's got to keep track of that and that falls well into our wheelhouse of what we know and how we operate. So that's why we're doing things with agent risks.
Scott Hebner
>> Yeah. Everyone's going to become sort of a manager and they're going to be managing a team of agents, but they're ultimately accountable. But you also have to know what the individual agents are doing and make sure they're secure.
Greg Kras
>> The fact that agents can beget agents, it becomes very interesting. If you think of traditional human staffing, you usually know when you have a new person on your team, but with agents, an agent could spin up another agent or ingest an MCP that may or may not be what they should be doing. So it's interesting. It's interesting times for sure.
Scott Hebner
>> Well, I love the theme here. I mean, sort of your words, but also my words, which AI powered, grounded in trust. And I would add built on, what, 10, 15 years of behavioral data from 70,000 organizations, 100 billion, whatever the numbers are, like a huge history of how to do this that just gets smarter and smarter as you apply AI, right?
Greg Kras
>> Oh yeah. Honestly, yeah, we've had training for over a hundred million users at this point, billions of data points. We understand what those intersections are like and we're able to use that knowledge to understand what's going to happen in the market and how are people going to interact with these agents. And so we're ready for that.
Scott Hebner
>> Yeah. We had a whole deep conversation with Matt. So anyone who is interested in that. So we talked earlier, but let's talk products. So one of the newer parts of the portfolio is AIDA, right?
Greg Kras
>> Yeah.
Scott Hebner
>> AI Defense Agents. So tell us a little bit about that offering. It's pretty new, right? Within the last year, a little longer than.
Greg Kras
>> All right. We're really going to go back, we launched AIDA as a beta back in 2016. We've had this idea of doing AI in the product way before the LLMs became capable of doing these things. So really AIDA started to launch late '23, early '24, we started doing individual agents and they were kind of like point solutions like build a template and could do a wonderful job of building a template, build a landing page, give me content suggestions. Really though, the most recent one that's been the most exciting and it's relatively new, is what we call AIDA orchestration and that is running all of these things together. So the confluence of these individual point solutions now under an agent that can actually administer your program and it is wild what this thing has been doing. We're already seeing and the numbers are still rolling in. It's continuing. We haven't seen a plateau as far as how much of a delta, but I believe we're sitting at 5% now or five points better, which is actually closer to 15% reduction in risk score for customers that are using Orchestrator. And the crazy part is it's less effort. So better results with less effort starts to become a bit of like a, okay, what's the catch? It's not really a catch. Nowadays, everybody has had to come to a realization that traditional running of a security program is a compromise. It's a compromise of every human, every person that's walked past, they're different and you want to interact with them differently. And I don't care how good you are with your coworkers or your employees, you don't know them all, you don't know what they're going to be up to, but you want to make a program that's accustomed to them and that's what AIDA orchestration's capable of doing. So AIDA has been on a tear getting out there.
Scott Hebner
>> That's great. Yeah. So it's sort of the extension of your risk and security team. They now have agents working on their behalf to help defend the company by helping the employees, both the agents get trained and the humans get trained and do the scores and the scores aren't about rating people per se. They're about giving you advice and recommendations on how to protect yourself and all that. So it basically extends your team.
Greg Kras
>> Absolutely. Yeah. AIDA is the extension of the team and you're absolutely right. In fact, AIDA's key tenet is risk score. It's looking at risk score and some of the risk score has got nothing to do with what your behavior is or anything. It's literally... It could be based off your blast radius. If you get compromised, what's going to happen? And you don't get to change that. That's just the way that that works. So it's an interesting thing when you start looking at how AIDA is working to help your organization be more secure.
Scott Hebner
>> So let's now pivot to the newest of the family, which is the agent risk manager.
Greg Kras
>> Yes.
Scott Hebner
>> Tell us a little bit about that, because that's sort of the other side of the coin maybe.
Greg Kras
>> So that's the evolution, right? So everything, this has been talk about interacting with humans. Now we've got agents, right? And probably the number one thing you see out there is like, how many agents do you have as a company? What are those agents? What have those agents been given in the way of data? Are they authorized? Are you putting PII in those agents? Where are you adding in MCP? The amount of questions now that people have probably outweighs the answers and that's where agent risk management comes in, your agent risk manager, which is what's out there so that you can identify these things. You want to be able to, like this week we announced that you could start to see shadow AI, right? Or do you have someone that found a cool tool that may not be sanctioned for your organization because that's what's happening, right? You've been in this space for a long time. People find a way. They'll probably use different browsers. Do you remember the browser wars?
Scott Hebner
>> Oh, I do.
Greg Kras
>> Everybody had a browser, right? All the different browsers. So people would go find like, "Oh, no, I'm a big fan of..." I don't even remember all of them now.
Scott Hebner
>> And all the open source ones.
Greg Kras
>> Yeah. And they would just install their own because this one was cool. Well, same things. It's just happening now with agents. People are like, "Oh, yeah, I'm super into..." I don't know. I can't even keep up with all the different names of them because-
Scott Hebner
>> And all the specialized ones that...
Greg Kras
>> The specialized ones. Yeah.
Scott Hebner
>> Yeah. No, I think if we look back at that time period, the browsers were essentially the gateways into the world, the internet and eventually is how you built around it.
I think the LLMs today are the gateway into AI, the value is going to be how you build an architecture around it. And to your point, just like we had browsers all over the place and permutations all over the place, you got the same thing going on here with the LLMs and I think what's really different with the AI era compared to cloud and client server and IoT is that part of the value problem is empowering everyday workers to build their own agents. So this announcement you made around the shadow AI I think is in much need.
Greg Kras
>> Yeah. Because right now as a company, you're going to not do well if you shun AI because your competition is going to just eat your lunch because they've got this superpower. But same thing applies if you just open the doors without having any governance or control, you don't know what's happening in there. So you've got to be able to identify these things and take action on that.
Scott Hebner
>> So over the last couple years as you've been building these two digital workforce offerings, what jumped out at you? What surprised you that you didn't think was going to happen when you started it?
Greg Kras
>> I think it's fast. It's fast. I think the speed at which this changes and the perspective that people go through of like, oh, I don't really... I use AI, it gave me a good recipe to... I've got a person on my team that built a whole new front end for Jira that didn't know how to code at all. The speed at which people are able to move and then just the way that the market's moving towards that and the empowerment that organizations are giving to be able to do this and just the evolution. So I think the thing that surprised me... I've been watching the same movie multiple times over and over it feels like, but I think that this one is the speed of evolution and the fact that we're not done. We're still on an acceleration curve-
Scott Hebner
>> Yeah, we just started, huh?...
Greg Kras
>> for this AI.
Scott Hebner
>> Yeah. Yeah. We're in the browser era of e-business and that rolled out for well over a decade.
Greg Kras
>> I remember.
Scott Hebner
>> There's still innovations today around it.
Greg Kras
>> Exactly. I mean, you had to have things that came out. I mean, I remember payment processing was like a big deal to be able to do that and the way that that worked. I mean, I used to write back ends in Perl to manage payments back in the day if we want to go old school. So I'd say yeah, that's probably one of the biggest ones is the speed of this particular one and the adoption and just I guess people getting to discover things that they didn't realize were out there like in the threat landscape. I mean, actually again, same book, just a different set of characters. We were launching SAT as a concept and really bringing out like, "Hey, what's your phish-prone percentage?" And people are like, "I know probably three, 4%." You start running something like agent risk manager like, "Okay, how many different AI applications does your organization use?" One or two. Okay, you forgot the word dozen because at the end that's what you start when you start discovering that you go, "Oh, I had no idea that we were doing that." It's like, okay, well this is what's happening. It may be okay with you, but you can't measure it and you certainly can't control it and protect it if you didn't know it even existed.
Scott Hebner
>> Yeah. And that environment, trust... If there's one word to define the state of enterprise AI today, I think it is that word trust. And I think in the world of AI, trust is a compounding... So you don't want to fall too far behind because it may be really difficult to catch up as these things just become widespread across your organization and ever-changing, which brings me to something that you've been out talking a lot about, which I think of as the facets of visibility, accountability and control.
Greg Kras
>> Yes.
Scott Hebner
>> So let's talk just quickly, we'll go through each one of these a little bit about the visibility part of it. And I think the shadow AI is an example.
Greg Kras
>> That's probably the best example, honestly, like the whole nature of shadow AI, shadow IT, shadow, if you can't see it doesn't exist. You can do none of the other items. So by being able to actually see items that you had no idea existed, that's a big part. That's something that this week we literally announced, added that in because it was obvious as we started to use this and we started getting people playing with it, we realized they didn't know what they needed to look at. We're like, "Well, we could probably help with that." And so as we started to pull back that, we went, "Here's all of the interesting items that we are discovering that's being used in your organization." And that's a bit of an eye-opener. Yeah.
Scott Hebner
>> You have to know the problem before you can fix it. So get the visibility and continue to track it.
Greg Kras
>> Exactly.
Scott Hebner
>> For all the points you just made, which is it's so rapidly changed and so many people are empowered to get their own stuff that like a shadow AI becomes critical. So the second part is the accountability, just like humans are accountable.
Greg Kras
>> Oh yeah, that's going to be an interesting... We're going to hear about that a lot where it's like, okay, the agent just bought a pizza so who's responsible for that? Ultimately, it's the human somewhere, but it becomes interesting when you start doing, particularly when you get into the shadow AI or you get into the agents begetting agents somewhere upstream, there's a human that was responsible for doing that. I can tell you it's not going to be, just like the ISPs aren't held accountable for the traffic that goes through them and the hosting services, they'll do best effort. Same thing's going to happen with the large language models and those providers. Look, this is a tool just like a hammer, a chainsaw, like these are tools.
Scott Hebner
>> Browser.
Greg Kras
>> Yeah. So a browser, exactly. So just because you got some sort of a weird drive by download with your browser, yeah, some browsers are better at it than others, but it's not the browser's accountability at that point. It's the person that was using the browser.
Scott Hebner
>> Customers have to start to think about digital HR. People have to have permissions, they have to have a badge, you're accountable, performance, all those attributes and especially like you said, when you start having agent to agent, you mentioned MCP and all that, you got to be able to track all that, right?
Greg Kras
>> You got to be able to... Yeah, it's a fascinating thing to get. And again, we, I believe are both human. So we think about things on human terms, but you have to look at what the agents are doing and they're goal and task driven, right? They're outcome driven. People are too, but we have certain limitations, right? We can only read so many documents so quickly. We can only execute so much code, right? We also can't spawn a thousand sub-agents very quickly. Yeah, that was a joke about how long it takes to-
Scott Hebner
>> Yeah, you can't go hire a whole team overnight.
Greg Kras
>> Yeah, I was going to say, I mean, the mythical man month is truly a thing. So ultimately at the end of the day, you do have to change around that, but it still is an agentic workforce that we're talking about.
Scott Hebner
>> How about control? Third facet.
Greg Kras
>> Yeah, that's the one that we're getting into. And that's something also we have where you could say, look, this is the type of data that you can use with this particular... This is an approved vendor, right? When you start talking about sensitive information, customer information and of course that's regional at a global level, GDPR for some places and then other HIPAA here in the states, all of these things you have to look at what are you going to allow to go in there? Agent risk manager is around that, right? Identify it, identify who's running it and then be able to put in policies, put in policies that actually lock down what you can use and what you can't do, but at the same time still allow you to have it and perform in this new workforce.
Scott Hebner
>> One last question before we wrap.
Greg Kras
>> Okay.
Scott Hebner
>> I told you it'd be the quickest 15, 20 minutes of your day.
Greg Kras
>> Okay.
Scott Hebner
>> Where's this all heading? We're sitting here next year, maybe 2028. What do you envision? Where's this portfolio heading? And I think we talked a lot about the rapid change. A lot of it is we're going to have to wait and see kind of thing, but just continuing to build out agents that are going to do more and more of the work and complementing the humans. Is that...
Greg Kras
>> How long do we get to answer this question, right? Because I mean...
Scott Hebner
>> A minute.
Greg Kras
>> One minute. Where do I see this? Unrecognizable. It would be my short term. I think that that's where we'll be saying it. You're going to look at it and you're going to say, "Wow, that was silly. Remember a year ago we were talking about this and we're doing this?" Everything's going exponential. So if I'm adding one or two things to the portfolio this year, I'll probably add four or five next year. I'll start looking at the other areas that we have the data and that we can continue to add into our platform. I'm accelerating as well, right? The using of AI, my team is significantly more productive being able to use these tools so I'm able to put out more. Engineering's the same way. So I think that I'll probably do in the next 12 to 16 months the same amount of output that I did in the last six years.
Scott Hebner
>> And you'll still be expanding on that massive database of behavioral...
Greg Kras
>> And using that information, right? That's why I do what I do. I actually like... I'm helping every single person that's walked behind me as we did this interview, my job is to help them, help their people and it's all transferable skills. These are all things that people get to use in their lives, whether they're at home or not and protecting them and protecting the organizations that use them.
Scott Hebner
>> It's been a great conversation, Greg.
Greg Kras
>> Yeah. It's been a lot of fun.
Scott Hebner
>> I appreciate you being here talking about the good old days of dial-up internet and browsers.
Greg Kras
>> Yeah. I could do it unfortunately more and more as I get older, but I got to go things. Yeah.
Scott Hebner
>> I know. All right. Well, thank you all for taking your time to be here. We are at the KnowBe4 Conference, ninth annual KB4-CON and we're going to be wrapping it up here for the coverage by theCUBE. Thank you again for tuning in. And Scott Hebner, we'll talk to you soon.