- 1 day ago
Digital identity has evolved from simple passwords and fingerprints into a complex web of data that proves who you are across the entire internet. Today, a single stolen credential or a sophisticated deepfake can compromise your bank accounts, medical records, and professional reputation in seconds. As AI makes it easier to synthesize human behavior and bypass traditional security, we are forced to rethink how we verify "personhood" without compromising our right to privacy. How can we build systems that are secure enough to stop a machine but simple enough for a human to use? And who should truly own the data that defines us?
Category
🤖
TechTranscript
01:00And to all of you, and perhaps to all of you here, is it really you?
01:03Is it really you?
01:05Clearly, I had one simple job of following instructions of where to sit, and I did not follow them.
01:10It's a philosophical of a question.
01:12Yes, indeed.
01:13So we are going to make it more digitally appealing to the crowd of VivaTech.
01:18And indeed, we are going to talk about something which also is going to be threatened by AI, which is
01:25securing digital identity.
01:27So with me this afternoon, I have a great pleasure to have Emmanuel Celiba.
01:33You're the chief investigative officer at GetReal, where you lead efforts to detect and expose digital deception, mainly focused on
01:43AI-powered attacks and threats.
01:45And actually, you're a pioneer in visual verification.
01:49You've spent nearly a decade as a U.S. broadcast journalist, most recently at ABC News and NBC News, leading
01:57teams across breaking news and investigation.
02:00So a pioneer in that field.
02:03Thanks to be with us, Emmanuel.
02:04Also with us, Sylvie, Sylvie Ouziel, you are the co-founder and CEO of BlueBridge Group AI, an AI native
02:15system integrator designed to maximize the ROI of AI agents and assistants in enterprise.
02:22Sylvie, you're also a former publicist executive who led AI strategy and partnership with OpenAI, Google, Microsoft, NVIDIA,
02:33after different leadership roles at Accenture, Allianz, and Envision Energy.
02:37It's great to have you with us, Sylvie.
02:40And also with us, Michele, Michele Santemero.
02:45You're the executive vice president at MasterCard in charge for MasterCard service business in Europe.
02:52You've been with MasterCard since 2008.
02:55And you've led business development, products, and customer success across regions.
03:00And you were previously country manager for Italy and head of business development for continental Europe.
03:05Great to have you with us, Michele.
03:09So what are we talking about this afternoon, frankly?
03:14Again, a topic that could have seen somehow sci-fi like five or ten years ago.
03:20I remember four years ago, I was at the Universal Expo 2022 at Dubai, and I presented a few futuristic
03:30cyber scenarios,
03:31including one where fake humans, digital avatars, would descend in a swarm to influence a target from every different angle.
03:41And I thought it was sci-fi, but then just two years later, in 2024, we learned that a finance
03:48worker at a very well-known engineering firm
03:50had been tricked into wiring 25 million Hong Kong dollars, roughly by what he believed were his own senior managers
04:00at a video conference.
04:01And actually, all the guys on the conference were all fakes, deep fakes.
04:07And at the same time, we've had a countless of new frauds begin to spread up, powered by AI from
04:13easily forged documents,
04:15we'll talk about that, to voice cloning that can mimic almost anyone on a call.
04:20We even had like small community cases in France around that.
04:24And this shows just how vast that field of digital identity has become.
04:31So, let me start with a round question for all the panelists.
04:35Let's start wide.
04:37From where do you sit, what do you think is the single most critical threat to digital identity right now?
04:46Let's start with you, Michael, and then we'll turn around.
04:49So, if I need to select one, I will start with synthetic identity fraud, meaning that with the existing environment,
05:00the regular KYC that you all know is no more enough.
05:03So, this is what I would like to deep dive later.
05:07So, we'll talk about that.
05:08So, no more regular KYC.
05:11Sylvie?
05:11I think it's easier than ever to impersonificate people with voice cloning, with agents simulating a conversation over Teams, WhatsApp,
05:20or whatever it means, you know, obviously.
05:22But I think AI agents themselves become to behave as colleagues, workers, and so on.
05:28And they can voluntarily or non-voluntarily trigger new vulnerabilities in systems, I would say.
05:37So, AI agents as new colleagues coming with their own vulnerabilities.
05:42And when you say AI agents as new colleagues, are you talking about just like a digital entity or perhaps
05:48an even full-fledged avatar who could talk to you on corporate networks?
05:55So, it's a bit of both.
05:56So, when I was at Publicis, which you mentioned, we had a fake Maurice Levy calling the CEO of Canada
06:02and asking to wire money for an M&A.
06:05And obviously, the guy, you know, didn't fall for the trap and he was coming from production.
06:09So, he found out that the visual he was looking at was not actually Maurice Levy.
06:13It was three years ago.
06:14So, the quality was not that perfect.
06:16But you can go as far as talking to fake individuals.
06:19And now, with the cost of AI going down and Google providing very good solutions to actually generate videos, you
06:27can go down.
06:28We were discussing about that.
06:29You can go down the hierarchy and actually emulate, simulate colleagues which are lower in the food chain and would
06:35attract less scrutiny if they call you to ask you to change an IBAN or wire money.
06:40And the second thing is, agents themselves can inherit your authorizations, your abilities to do stuff in the systems and
06:48they can be jailbreak, they can be misused.
06:50Or, with no bad intention, they can start to push doors in a rug, for instance, looking for information which
06:56you would not have pushed as a human being because you didn't know you could even push them.
07:01But a system being systematic would actually do it and access confidential information you should not have access to but
07:07you happen to have access to.
07:08And in implementing a lot of agents, we often see that, that rag, you know, retrieval augmented generation, is inheriting
07:15the habilitation of the person who is triggering it and then accessing data the person didn't even know they had
07:21access to.
07:22Okay.
07:23So, indeed, a full new realm of threats with agents.
07:28Emmanuelle, from your standpoint, what do you see as really a critical risk today with digital identity?
07:33I'd say the major risk to digital identity today is the fact that for years we've relied on certain signals
07:42that gave us the ability to trust digital identity.
07:47That was a face on the other side of a screen, a voice on the other side of a phone,
07:53maybe a document, a photo ID, and now all of those signals can be generated using a tool and can
08:01do it easily.
08:03Now, deception has always existed, right?
08:05It's nothing new.
08:06But the economics of deception, the speed, the scale, and the availability of deception, now, you know, as businesses, we
08:15no longer can rely on those signals that we've been trusting for years.
08:19So, all those elements of implicit trust, I see you, I believe you, this is gone, right?
08:25It's completely gone, and it should be.
08:28Key point, and we'll go back to that.
08:31Indeed, and let's stay with you, Emmanuelle, just so that the audience, indeed, can feel what's at stake, we mentioned
08:43a couple of threats that shifted from, you know, one-off video conferences to something more complex.
08:49You know, as the investigator that you are, you know, walk us through what you're actually seeing on the ground
08:56and also what surprises you and what scares you.
09:02So, when we think, when we talk about generative AI and some of what Silvian and Michele mentioned, is often
09:12you think of, you know, a simple impersonation, we were talking about this backstage, of a CEO or an executive.
09:18But now, I'm seeing, we're seeing impersonation as a strategy, and we're seeing the sector that is the most impacted
09:27is remote hiring, specifically any companies that has an IT workforce that is operating remotely.
09:35We know that North Korean operatives have trained thousands of IT workers to infiltrate your companies through that open door.
09:46Why? Because when you interview people, you're doing it mostly remotely.
09:51Few companies are flying in candidates, especially at certain levels.
09:55And you're probably interviewing with four to five different people across several weeks.
10:01You don't have a mechanism to verify that the person you're talking on day one is the same on day
10:05two, is the same on day three, is the same on day five.
10:08And these aren't small numbers.
10:10The UN estimates that DPRK workers generate about between $260 to $600 million a year.
10:21And the U.S. says $800 million annually is what they're able to make by infiltrating global tech companies.
10:27And these are Fortune 500s.
10:28These aren't, you know, there's small startups that I know it's happening to because I talked to them.
10:33But these are the Fortune 500s.
10:35Yeah, that's stunning.
10:36And do you have a sense of how do they do that?
10:39You know, the technology, the procedure, and how is it so easy for them to do that?
10:44They learn so fast.
10:45I mean, with every single interview.
10:47So they're using, one of the techniques we recently discovered is they're changing their accents, right?
10:53So they notice that they're getting caught because they have an accent that's detectable in interviews.
10:57So now they're using generative AI to change their voices live to sound more British or more American or more
11:05European.
11:06With every single interview, they bring back information back to their teammates, essentially, to pass the next.
11:13They change their faces, their appearances.
11:17They're always blurring the backgrounds.
11:18We know they use a certain type of VPN.
11:20So we're using environmental indicators as well as, you know, the synthetic tools that they're using.
11:26But, yeah, so they're progressing quite quickly because they can afford to.
11:31And it's a good business.
11:32It's a great business, apparently.
11:34Yeah.
11:34Fascinating.
11:36Sylvie, going back to the issue of corporate impersonation and AI agents as a new attack surface,
11:43you started to tell us a little bit about cases that you've come across.
11:50Can you tell us about that and also about the issue around, you know, forged documents, you know, fake teams
11:55and, you know, all of that, that seems to indeed, you know, be getting ground and is indeed using AI
12:04agents to leverage that.
12:06Yeah, yeah, yeah, and obviously the Fable 5, you know, topical discussions everybody is currently having is illustrating that.
12:14You've got more and more power at your hands to forge documents, you know, moving from the good old Photoshop
12:20tools to now being able to forge super realistic written documents, super realistic official documents.
12:26You can also forge voices, faces, as we discussed, and basically learn a full process.
12:33Obviously, again, when I was running large organizations, we have been facing, of course, fake candidates infiltrating the organization.
12:39We have been facing impersonification.
12:41We have been facing, also, repeated attempts to change I-bands to actually get money wired to the wrong destination,
12:48which is a very classic one.
12:49And all that becomes very, very easy because today you can actually fake all the authentication measures which used to
12:56be the ones enforced.
12:57And as we were saying, on top of that, you've got also now systems which are creating new vulnerabilities.
13:04We always say the weak point is human beings, you know, social engineering and the user in your own organization
13:12who is not, who is well intended, who is not malicious, is your weak point and can be manipulated and
13:18got into unveiling passwords or taking actions which they shouldn't take.
13:22And now you've got some new users who are actually the AI agents themselves, who have their own habilitations, which
13:28should not be exorbitant, but very often they are.
13:31They can do a lot of things.
13:32They can be gel broken.
13:34They can be lured into doing things they should not be doing by a prompt injection.
13:38Or they can, indeed, be totally entitled to doing things they should not have been entitled to do in the
13:44first place, like accessing, as I was saying, confidential information, which we see very, very often.
13:49So that's why in all the agents we are putting in place, we are actually being extremely vigilant regarding the
13:54rights they can actually be given and testing them for jailbreaking, obviously.
14:00And just going back to that, and then we'll have some questions to Mikaeli.
14:05So you mentioned human at fault.
14:08Okay, this is a big one, the one who actually handles the agents.
14:11And then you mentioned also your too wide habilitation for the agents.
14:18How do you go about that?
14:19You know, what's the thinking to try to perhaps mitigate those issues?
14:23So if we get into the solution, there are also, of course, a bright side to that.
14:28So first, we systematically test our agents and we developed ourselves three agents, which are white hackers, basically.
14:36So we've got the defense agent, which is the blue team.
14:39We've got the attack agent, which is doing penetration tests, which is the red team.
14:44And we've got the purple agent, who is learning from attacks to strengthen defense.
14:48So you can actually recreate in the AI agent world the type of cyber defense you would have in the
14:54first place.
14:55And second, good news is you can also use agents to conduct more systematic penetration testing and also to detect
15:03some signals that would not have been detected by human beings.
15:06So, for instance, at Publicis, to take one example, we are processing, they are processing tens of billions of dollars
15:13on behalf of the brands to pay the publishers.
15:16So they are moving money from the pockets of Danone, L'Oreal, AXA into the pockets of Google, Facebook, TikTok,
15:22and other publishers.
15:24And in that process, we were facing constant attacks to change high bands of publishers.
15:30And you've got tens of thousands of publishers, some of them being small influencers.
15:34So it's very hard to make sure the high band change is not legit.
15:38And if you don't change those high bands, you are under big pressure from the brands, from the marketing teams
15:43and so on, to actually pay those guys because they are threatening to stop advertising for you.
15:47So you need to make quick decisions.
15:49And the fraudsters were just using brute force.
15:52They were trying like 25 times to change and I've been learning from one attempt to the other, as you
15:57were saying.
15:57You know, this didn't work because I didn't provide that information or that was not valid or this was suspicious.
16:03And after the tens time, they might go through.
16:05And now what do you do?
16:06You can actually sense that they tried 25 times and you can actually track and trace this behavior because in
16:14the good old time,
16:14they would be talking to different people in India or Costa Rica who would not be able to connect this
16:19attempt with the tens previous attempts,
16:21which failed.
16:22Today, thanks to AI, you can better detect and raise the defense level when you see you've got this type
16:28of repeat attempts.
16:30So you can detect patterns and reply to them.
16:32Okay.
16:32So we're talking now about patterns to detection.
16:34And so this gets to a huge issue that I believe MasterCard may be, of course, very much, pretty much
16:41confronted with in terms of, you know, knowing customers and trying to identify, you know, how you can be careful
16:49about those elements of forged documents and so forth.
16:51So the underlying question I would have to you, Mikael, and take the time to think for that is in
16:57terms of developing deterministic checks or probabilistic checks, you know,
17:03what's the balance today and how do you see that evolving for your business and, you know, lessons that can
17:09be drawn for the rest of the audience?
17:13Before moving into deterministic and probabilistic, I want to create a bridge between what you just said.
17:22Think about agentic into the payment industry.
17:25Agentic pay that is coming is already live, right?
17:28So how important will be for the merchants to know the agent?
17:35So we are talking about know your customer, but think about know your agent.
17:39And even more, think about know the intent, because is really my agent that received my command to buy a
17:50pair of shoes in three weeks?
17:52So this will be a big transformation for the entire industry, and we are obviously replicating everything we are doing
18:00on the physical area.
18:01But about deterministic, deterministic is everything that you are well known.
18:06So when you have to open an account, when you have to subscribe something, you need to present a selfie
18:13video, you need to present an ID card, and everything that is well known by you, but also by the
18:19throster.
18:19And so the throster can immediately copy or create a virtual session of you, and so it's impossible to compete
18:31in this scenario.
18:33The only way is to move into a probabilistic approach in which we go deeper, we go behind what is
18:42happening in the, let's say, onboarding environment.
18:47Meaning that we are checking four major areas.
18:52The first is the person, the second device, payment, and behavior.
18:57For person, meaning we know that the person usually have a specific email, has a specific IDV asterisk, a specific
19:07laptop.
19:08And why not, we also know that usually make an order on e-commerce after dinner, during the week, and
19:19never in the weekend.
19:20And we know also that the same attitude happens in a specific area of the house.
19:28So we can really map everything out of all the transaction.
19:33And in particular, what we can also do is to combine all the information, even on how fast you type
19:41on your mobile phone or your laptop.
19:45How fast you are moving the mouse across the...
19:49So all of these behavior make the difference towards a bot or an automatic tool that can be found around.
20:00So I understand, going back to what you said, it's not only the habilitation of agents, but I believe what
20:06you mentioned about the intent of agents, right?
20:08What do we want to do?
20:09The intent of agents will be really the next barrier.
20:13Because it's so easy, again, to find out all the solution to recognize the agent, but even in terms of,
20:22you know, managing eventual issue between a consumer and a merchant, even in a real transaction, not in a fraud.
20:33So think about, I order something in three weeks, but I forget the order, so I go outside, I find
20:40the pair of shoes, so I buy the pair of shoes, and after three weeks, I receive something back in
20:45my home.
20:46And so, oh, what do I have to do?
20:48So it's important for the merchant to recognize that my agent got the proper intent, and so, unfortunately, I need
20:55to pay a second pair of shoes.
20:56So we need to set all the rules that are, for you, so easy and well-established into the payment
21:05network that can be replicated into these new rules, this new era.
21:10Indeed.
21:11And then all you mentioned about the different dimensions to understand the person, the device, the payment, and so forth.
21:18Emmanuel, in your world, slightly different from what we see in the banking world, what are also the criteria in
21:26terms of deterministic or probabilistic to identify, you know, that indeed we're facing with, you know, attempted fraud?
21:33How, again, do you define those elements, or how do you find them out?
21:41We primarily work in live detection.
21:44So we work inside of web conferencing, mostly web conferencing services, where we scan all of the participants in a
21:54conversation for different factors, whether they're wearing, whether there are any signs of use of synthetic tools, right?
22:02That can be, like I mentioned, changing your voice, or maybe you're changing your face, but we're looking at the
22:10environment as well.
22:11So, like Michele said, is it, we work with enterprises.
22:15So we're going to gather all of the information of your enterprise on a single identity, whether that's your email
22:22address, your IP address, your known environments.
22:27We're signaling whether or not you're using a VPN, and then we are working also on continuous identity verification.
22:37So not a single one check, you know, check, okay, you're not wearing a synthetic voice, you're not, you've not
22:44changed your face, but are you the person I'm supposed to be talking to that's attached to these credentials?
22:49And that's a different question than, is this the person I'm supposed to be talking to, and is it the
22:58same person continuously throughout our interaction and throughout a week, for example?
23:03Right now, a lot of organizations lack visibility on the pixels and audio inside of your organization.
23:09So you can see identities, credentials, names, et cetera, but you don't know which faces and voices are attached to
23:16those, and they can change.
23:18And that's the real threat at the moment that we're working on.
23:23So you do raise a very interesting concept about continuous identity verification that you start to talk to a little
23:29bit, but can you tell us a little bit more about that?
23:32You know, how far does that extend, and then I'll be happy to have Michele tell us if it's indeed
23:37something that you're thinking through at MasterCard.
23:44I think we're going to move towards a world where no conversation goes unverified, and I feel like I've mentioned
23:49this before.
23:50Whether it's your personal conversations, and it's as simple as establishing a safe word with your family, right, when discussing
23:56finances or anything like that, or within your organizations, having unverified conversation.
24:03As in, you have participants on a call that maybe you're not used to seeing.
24:09Perhaps you make a policy decision that before you move forward talking about a strategic decision, data, or a certain
24:15amount of money, every single participant has to be verified.
24:18Both, are you, are you, is there any synthetic person?
24:22Because it's not even just that they're threat actors.
24:26People are sending in their AI avatars and they're clones.
24:30And you should have the right, and you need to know from a business standpoint, who is on that call.
24:35So, continuous and then verified conversations throughout all of the conversations you're having inside of your organizations moving forward.
24:44Yeah, who is on the call, and for example, how do we call also, you know?
24:48Yes, how do they call, who is on the call, and are they, do they remain that same person throughout,
24:53you know, the lifetime of your enterprise?
24:54So, we're building, we have that technology in place.
24:57We're working with enterprises to provide that security.
24:59And, yeah, I think we're going to move towards a world where you need to be reassured and have that
25:06verification in place.
25:08That's interesting.
25:09That builds, you know, a philosophical question.
25:11How do you think about the continuity of a person, and when does that become your anomalous, for example?
25:19Michele, is it also something that you think hard at MasterCard, this idea of continuous verification?
25:25Yeah, continuous verification is absolutely mandatory.
25:30Think about your example of the interview, right?
25:33So, if you stop doing your check, you never discover the reputation after three, four times.
25:40But, in particular, the reason why it's so important is because Froster, in the moment in which they are able
25:47to enter somewhere,
25:49they immediately amplify the action.
25:52So, they don't stop simply because they are able to submit or to open an account.
25:57So, in the moment in which they are immediately inside, after a few minutes or after one day or a
26:05few hours,
26:05they can replicate a second action.
26:08And they replicate the action not only in the same area, but also they are replicating the same activity
26:16across different other banks, across different other merchants.
26:20So, it's so important that we keep the control always on because it's even more difficult for – sorry,
26:32it's even more dangerous the second step of the fraud.
26:37So, this is why it's so tactical and it's so important.
26:41But, even a stupid example, so years ago, in the U.K., we had several students opening bank account.
26:48After the school session of the onboarding, they left the island selling the account to the bad guys.
26:56And nobody discovered that it was a completely different owner of the bank account, right?
27:02But, in between, an automatic behavior started to jump in, discovering that the usage of the bank account was completely
27:13different.
27:14So, for the banks was, no, okay, I know my customer probably is becoming rich.
27:19Probably not.
27:20He started using Bitcoin.
27:22What's happened?
27:23So, this is why it's so important, to be vigilant all days.
27:27To be vigilant and, indeed, have this long track record, you know, as much as we can legally, to fully
27:33understand what's going on.
27:35Sylvie, in some of our proper article, you mentioned that, you know, beyond what we just discussed,
27:41there were also some very important elements around, you know, for example, all the elements of biometric stuff
27:49that we can get from, say, a client, and that can help, actually, to better secure systems.
27:57That was one thing.
27:58And then, also, to help, perhaps, also, secure AI agents' deployment.
28:03So, maybe tell us a little more about that.
28:05And so, exactly building on what you said, we work a lot for neobanks, digital banks.
28:11And as they designed, you know, from scratch for the AI era, they put a specific emphasis on making the
28:18upfront enrollment as easy as possible,
28:23as fluid as possible, and leveraging the latest technology.
28:26So, they do a lot, as you know, of biometrics.
28:28They avoid, you know, the tedious back and forth checking your passport picture and checking your proof of domiciliation and
28:36checking your proof of tax residence and so on,
28:39which is often, by the way, discouraging the client and which is, in fact, mobilizing a lot of the energy
28:46and the resources of the bank in the first place.
28:49So, they tend to have this process lighter and more relying on biometrics to allow you to open your account
28:57in the first place very quickly,
28:58to check your address only by simple means, like your card is not returned, you know, and to make it
29:03easier in terms of entry barrier into the bank.
29:06Some of them got into regulatory trouble, as you might remember, I will not mention specific names, by their local
29:14regulator,
29:15for lack of checks down the path in terms of anti-money laundry and detecting suspicious activities.
29:22And so, they tend to put more focus on continuous verification, so continuous know your customer,
29:28checking again and again that you are that person and that, you know, you keep being who you said you
29:33were,
29:34but also checking transactions and networks of individuals, which is something which is very old also,
29:39which I was doing when I was in charge of operations at Alliance,
29:43which is detecting the connections between the network of individuals,
29:47which is very telling in addition to your own activities,
29:50and also detecting pattern changes or suspicious patterns.
29:53And notably, they focus on not only big transactions, like suddenly you buy tons of bitcoins,
29:59or you wire, you know, a large amount of money to a suspicious country,
30:03but smaller transactions, which are notably performed by mules.
30:08So, you find someone who accepts to open a bank account with the person they said they are,
30:12but in fact, they are just, you know, money laundering for somebody behind them.
30:15And what's interesting to exactly your point is to detect mules,
30:19you detect specific behaviors, like, you know, and they've got all their checks in terms of
30:24the time between two transactions and the size of the transactions and the patterns and this and that,
30:30and the checks are different from one bank to the other.
30:32And the fraudsters learn to know the organizations behind the individuals who are mules,
30:38get to learn the pattern of verification,
30:41and they behave differently when they deal with Fortuneo as opposed to Bourse Bank,
30:46as opposed to Revolut, because they know those guys have different triggers.
30:49So, they know which alarms not to trigger.
30:51That's why, back to your point, you need defense and attack to actually stay in sync.
30:57So, even if you are, you know, putting the effort less on opening more in suspicious activity reporting,
31:03less on systematic suspicious activity reporting,
31:07which then triggers a lot of closing false positives,
31:09because you have been too systematic.
31:11So, your energy is about finding the sound from the noise,
31:15because you check too many things.
31:16But being very surgical, you need to change the way surgically you are performing,
31:21because those guys learn to actually avoid your detection.
31:25Very interesting.
31:26If I may, Ria, quick.
31:28So, even the scoring of people is completely new now.
31:33So, meaning, move away from the classic credit scoring.
31:38Now, the combination is to add all the behavioral aspects,
31:42all the behavioral attitudes that we can share in order to simplify all of this check.
31:49Okay.
31:49So, indeed, a new world, even in terms of, you know, trying to understand the people.
31:54Segue into elements of this new world.
31:56Well, again, you mentioned agents.
31:59A question to you, again, Sylvie, in terms of, you know, how, and this is a big one,
32:04how do we defend against AI agents jailbreaking?
32:08Can we do that?
32:09Actually, I say that because there's been a NIST paper that said that it could be difficult.
32:12But, you know, what can be the ways, the element of guardrails, or the ideas,
32:18to try to, indeed, protect those AI agents whose habilitation or intent sometimes can be risky?
32:27Yeah.
32:27And so, honestly, I will be short because I think I covered that already, to be honest.
32:32But, first, you know, it's really what you allow them to do.
32:36So, give them the access they need and just the access they need.
32:39Typically, do not believe that an agent should inherit the authorization,
32:45the habilitations of the owner of the agent in case it's a rag working for someone.
32:49Don't do that.
32:50It's a new application which is going to behave differently from a human being
32:53to typically perform different activities.
32:56So, you need to take habilitation from ground zero.
32:59And, third, test them the way hackers are going to test them.
33:04So, that's why we've got those red teams, you know, trying to do penetration tests
33:08in an agentic way, in a much more systematic way than you would have been doing in the good old
33:12time.
33:13Okay.
33:13So, again, test them, then test them, you know, which is a great segue to actually a previous conversation.
33:20We have confirmation that, you know, this is an environment where you need to test and experiment all the time.
33:26So, we talked a lot about technologies and understanding the issues around behavioral.
33:31I'd like to talk about, you know, one of the key elements beyond technology,
33:35which is, you know, governance, organization, culture, incorporation,
33:40which evidently play a huge role, you know, in assuring that you did put in place elements of security and
33:47safety which are needed.
33:48And, I'd like to hear the three of you on that, but starting with you, perhaps, Emmanuel, you know,
33:56how do organization needs to change?
33:59And, I'd like to also make a segue on your previous comment of last year, which I found was fantastic,
34:05that stated that, you know, in the corporate world, you know, one of the main entry points,
34:10and you kind of already mentioned about that, was HR department.
34:14Okay, so, how do we change governments, and how do we change HR, if we can?
34:22Really giving me the easy ones today.
34:24Of course.
34:26I mean, it goes back to my point of, one, there needs to be general awareness in every single enterprise.
34:34You know, humans have always been the vulnerable point in cyber attacks, right?
34:39And they continue to be, but the problem is now, the type of attacks are impacting our perception.
34:49What we see and what we hear, which is much more profound than it was in the past,
34:55because if I can't trust that I'm talking to a colleague, or if I can't trust that the person on
35:01the other side
35:01is actually, you know, a legitimate human being that I'm interviewing, and maybe not a North Korean operative,
35:07or an AI clone, like, we recently heard a CEO tell us that they went through a whole interview,
35:14and then the candidate at the end emailed them and said, by the way, that was my AI clone.
35:18And he had no idea that's how good this technology is getting.
35:23So there needs to be, one, awareness of what the technology is capable of doing,
35:28and it's moving extremely rapidly, right?
35:31Like, it's not like these terrible deep fakes that you're used to seeing.
35:37We're also being surrounded on social media.
35:40If you think of all of your employees, what are they consuming every day?
35:42Social media.
35:43What are they seeing?
35:44AI influencers.
35:46AI images.
35:47So our ability to perceive what is synthetic media is completely changing,
35:55because we are getting used to consuming it all the time,
35:58so we're becoming much more vulnerable if it shows up on the enterprise side.
36:03So I'd say a lot more awareness, and then you need the technology.
36:07You need to build in the technology inside of your communications internally,
36:12the policies in place, right?
36:14Like, maybe a simple thing is everyone has to have their camera turned on.
36:18That's a very simple policy change.
36:21No blurred backgrounds.
36:22Another simply, then you need to be deep fake resistant.
36:27What does that mean?
36:27You need to scan participants to figure out whether or not they're using any form of synthetic
36:33to change their voice or their faces.
36:35And that is a very complex, our research, our head of research is sitting right there.
36:39That is not an easy thing to do.
36:42You know, a lot of people think deep fake detection is simple.
36:45It's not.
36:46It's complex.
36:47We have some of the world's best PhD forensic scientists breaking apart web conferences
36:52to figure out how it changes when a certain tool is being used.
36:57So all of those things need to play together inside of enterprises moving forward
37:02if you want to avoid, you know, your front door being open to threat actors.
37:08Okay, so, you know, to sum it very briefly, at least, the element of awareness, you know,
37:14as you mentioned at first, at a moment where we have speed, we could even say there's huge
37:19acceleration.
37:20And so we should somehow revisit some of our bias and thoughts that indeed the world is
37:25changing beyond what we thought it was.
37:30Sylvie, in terms, again, on governance, organization and culture, you know, what are your thoughts?
37:37What needs to be put in place in corporations?
37:39So I will not resist.
37:40I spent a few years in advertising, so I will not resist.
37:43I will advertise.
37:43So on the 25th of June, we are going to unveil a barometer we did with AI.
37:51So we took all the annual reports, the financial communication of companies in FTSE, in DAX,
37:58in S&P, in CAC 40, so US, UK, Germany, France.
38:02And we looked between 2020 and 2025 about how they talk about AI and what they say about
38:09what's happening to the environment and what they do in terms of strategy, organization,
38:13operations, and technology.
38:15And we correlated that, what they say and how they say, to the share price evolution
38:20the year after, the following year.
38:22So stay tuned for the results.
38:24It's under embargo, so I'm not going to unveil too much, but I will spoil a little finding.
38:29The number one feedback on the environment of every company is huge cyber risk and regulatory
38:36compliance risk.
38:37That's the biggest warning, the biggest signal they sent about AI pervasively throughout the
38:44reports across countries and even more in the US than in Europe, interestingly enough.
38:49So the level of awareness about the cyber risk and the regulatory risk coming with AI is
38:54extremely high.
38:55What's more interesting is, is it just a blanket disclaimer to then be forgiven for any problem
39:01because we told you something was risky?
39:02Or are they actually acting and doing things to protect the organization and to strengthen
39:08the organization?
39:09Read the report.
39:11Okay.
39:12So we'll have to get to the report, I guess.
39:14But there may be a source of the linkage with corporate stock price, right?
39:20That is something interesting.
39:23Michele, in terms, again, on governance, organization, and culture, what's your take on this non-technology
39:29part, which is as important as the technology?
39:30Yeah, leveraging your evidence, right, that for all the corporate and the government now,
39:38cyber, it's the real threat.
39:40I think the important point is that all the tools available now allow everybody to move from
39:49a verification into a decision.
39:51So we are moving from a reactive to predictive of what can be done to avoid fraud, what can
39:59be done to avoid fraudster.
40:01Because it's so easy for the fraudster going on the deep, on the dark web to collect, let's
40:11say, tools as a service, like ready for and available for really less than 1,000 bags.
40:19So, the big difference is that they can even find all the tools, they can spot a small entry
40:29point, but they can't talk each other.
40:32So the big difference is that we, as a corporation, as people involved in the value chain, we can
40:39talk each other, we can share advancement, we can share progress, we can share difficulty.
40:45And so talking each other, we can create an ecosystem that can leverage from the AI.
40:50AI is leveraged also from the fraudster.
40:53But if we combine the forces, we can literally accelerate the benefit.
40:58And it's not only a matter of talking between us, but even within the same organization, most
41:07often the CFO is not talking with the technical guys, is not talking with the marketing team.
41:14And if something happens in one of the three verticals, the three of them are not talking,
41:19and probably the fraudster can enter in the second level or third level.
41:23So this is why and how we want to progress.
41:28So we are developing, we are investing on security since ages, meaning when we grew up,
41:36we need to defend money, data, and information that we are managing.
41:42And in this direction, we are also working with the government, with all the consortium,
41:47thinking about AUD wallet just to be back on the identity.
41:52So we need to help them incorporating everything we just said.
41:57We need to help them to talk to each other and to have the system and the wallet develop
42:03in each single country, talking to each other.
42:05Otherwise, we are not moving in the right direction.
42:09Okay.
42:09So sharing is everything.
42:11And we need to do that in cyber, in cyber for security.
42:15So in the last two minutes that we have, I'll just make a final kind of round rubin.
42:21You tell me what is the one trend to watch, and also I'll add, what is the one reason to
42:28be hopeful?
42:29And I'll start with you, Michele.
42:34So scam still evolving and is impacting all of us at every single level in each single
42:44organization, but within the family, within the friends.
42:48So stay vigilant, educate your network, even within the corporation.
42:55Let's run an education campaign, scam test, and let's be all together vigilant.
43:04Very clear.
43:05Yeah.
43:05I think there are more and more biometrics tools which are coming.
43:09We talk about brain prints and so on.
43:12And the wallet is coming.
43:13So I think digital identity is going to be strengthened, really.
43:17I believe that.
43:18And then it's less about the initial picture.
43:21It's more about the movie of all the transactions and what's happening later on.
43:24And so I think this move from, we know who you are and then the door is open and you
43:28do whatever you want, is going to be really changing.
43:31It will be faster and easier to know who you are now.
43:34And then the point will be about, are you staying the same person?
43:37And are you behaving in the correct way?
43:39Or are you just being used by somebody else to misbehave?
43:42So I think that trend of biometrics getting better and the movie rather than the picture
43:47is going to last.
43:48So biometrics getting better, that's a way to think positively about the future.
43:54And Emanuele.
43:55So in 2025, the reported amount of financial losses linked to deepfake fraud financially
44:06was over $1 billion.
44:09And I think that's underreported and that we're going to start seeing an increase at a
44:15velocity that most enterprises are not prepared for.
44:18I'm hopeful because there are some really brilliant people working on solutions, technologies,
44:25again, working across groups inside of enterprises to be more resilient against this, the coming
44:33wave.
44:35Okay, well, thanks a lot.
44:37We are ready for the coming wave.
44:39We know that we are going to use new identity.
44:41We are going to share a lot.
44:43And we are going to solidify this HR department, which has always been a problem.
44:48Thanks a lot.
44:49Thank you for your participation.
Comments