Blog
/
/
Risk Grustlers EP 25: AI is artificial, you are the intelligence

Risk Grustlers EP 25: AI is artificial, you are the intelligence

5
min read
Published on
Jul 15, 2026
Updated on
Jul 15, 2026
Authored by
Susmita Joseph
Content Writer
reviewed by
Barasha Medhi
Product Marketing Manager
Table of contents

Most teams have stopped arguing about whether to use AI. They’re stuck one step later: nobody wants to be the person who approves the tool, trusts the output, or owns what happens next.

In this episode of Risk Grustlers, Nicholas Muy, CISO and VP of Engineering for Platform and Security at Scrut Automation, sits down with Teri Green-Manson, VP of Technology at Elevate, to talk through what AI is actually forcing security and technology leaders to confront.

Teri has spent 18 years in technology, the last 13 as an executive. She started in broadcast engineering, including an internship at WGN in Chicago and an early role as Assistant Chief Engineer at La Ley, and later worked at IBM and TransUnion. That range shows up in the conversation as a mix of hands-on technical experience, operational leadership, and a low tolerance for hand-waving.

The episode opens on AI, but doesn’t camp out in the hype. Nick and Teri get into why fear isn’t a strategy, why governance can’t block innovation but can’t be skipped either, how to move AI from endless debate into implementation, and what a security review should actually ask before a tool gets approved.

Underneath all of it sits a harder leadership question: are teams really asking questions, owning decisions, and validating vendors, or are they hiding behind committees and process?

Listen to the full episode here.

Here are some key highlights from the episode.

Nick: You've been in technology a long time, but your path into security isn't a straight line. Tell me about your background.

Teri: Technology is the only field I’ve ever been in. Eighteen years in tech, executive for the last 13.

I started in broadcast. I interned at WGN in Chicago, and my first job was Assistant Chief Engineer at La Ley, the number one Spanish FM station in the city. From there, I kept moving. I worked at IBM and TransUnion and learned a lot from both. IBM gave me a strong cultural foundation. TransUnion stood out for how it treated its employees. So the background has always been technical, but across very different kinds of technology environments.

Nick: Thinking about cybersecurity right now, in 2026, what are you most excited about?

Teri: AI is the biggest wave right now.

I've been lucky to witness the major shifts, from cloud transformation to what we're seeing with AI adoption. These moments don't come around often. Every so often, technology gives you a shift that changes how people think, how they work, and how organizations operate. AI is the next one. That's what excites me about the field right now, and I'm glad to be part of it.

Nick: A lot of people are excited about AI. A lot of people are also worried. Do you have specific security concerns about this pace of adoption?

Teri: I don't have time to worry.

When cloud arrived, people were fearful too. They weren't sure about putting data in the cloud, so you had people with one foot in and one foot out. At some point, you have to decide how you're going to move forward. AI is progressive, but the question is where you fit in and how you move responsibly. You don't want innovation to outpace governance, and you don't want governance to slow the organization down so much that nothing moves. You still have to be tactical. For me, that starts with opening up your mindset.

Nick: What have you seen help people get there?

Teri: People being candid and truthful.

Right now, a lot of people talk about AI as if they're experts. Not everyone is, and people need to be more honest about that. It's okay to say we don't know everything yet, that we're all learning this together. The hard part is that people aren't always candid because they're afraid of what their peers will think. But if you want to be progressive in a way that actually works for your organization, you have to be clear about what you know, what you don't, and what you're trying to achieve.

That's why I built a framework called TEST. I kept seeing engineering teams spend too much time debating AI instead of figuring out how to implement it, often with no acceptance criteria and nothing measurable. TEST is how I move people from the idea of AI to actually putting it into production.

Nick: Walk me through the TEST framework.

Teri: It starts with better qualifying questions in the security review.

T is for what the AI touches. Where is it being used, intentionally or unintentionally? Is it touching sensitive or classified data? When someone tells me a system involves PII, I don't want them to stop there. PII is broad. Name it. Is it a name? A Social Security number? What exactly is it? Because if you can't model it, you can't secure it.

E is for evidence. You need something foundational. A lot of teams are still hypothetical about AI. They'll say they have a prompt, but the real question is whether you can trust the output. AI can sound clear and confident and still be wrong. Ask the same thing three ways, and you may get three different answers. That's why validation has to be part of the work.

S is for storage. People often don't fully understand where the data lives, or the ingress and egress points. Qualifying questions help you model that.

T is for trust. These principles come up every day in cybersecurity. They’re not abstract. They're practical questions teams are already dealing with.

Nick: How should teams actually implement something like that?

Teri: I wouldn't tell anyone to throw away their existing review process.

Every industry is different, and every organization has its own structure, but the questions are persistent. You can drop them into the process you already have. Maybe you start with inventory assessments, maybe somewhere else. Either way, you can add the right questions at the right points and then decide whether the AI component belongs in the infrastructure. The point isn't to make the process heavier. It's to make the review more useful.

Nick: You mentioned seeing AI review processes that didn't make sense. What was wrong with them?

Teri: I heard someone describe a process where the AI committee approved a tool first, and then it went to technology for validation. That's backward.

Why would the committee approve a tool before validation happens? Validate first. Confirm that the toolsets are actually beneficial and reliable for the organization. Then the committee chooses from options that have already passed the right checks. Otherwise, everyone is just waiting on someone else to make the call.

AI is artificial. The intelligence still has to come from people. These systems are built on the way we think, decide, validate, and govern.

Nick: That reminds me of cloud adoption. Years ago, people were afraid to move important workloads into AWS. Nobody wanted to be the one who made the decision.

Teri: Exactly. A lot of it comes down to ownership.

People are afraid. There's pressure around job security. They see organizations moving fast and wonder who's willing to own the next decision. But AI is one of those areas where you're going to have to choose. Move so fast that you risk trust, or move so slowly that you risk becoming obsolete. Which one are you going to risk?

Nick: Ownership is hard. When I hire, I'm not looking for perfection. I'm looking for people who will own the work, try things, and help fix the process when something breaks.

Teri: You still need a recovery strategy.

That's part of responsible ownership. You can move, but you should know how you'll recover if something goes wrong. The stakes matter too. Not every software decision is life or death, but you still need perspective and a plan.

Nick: You also talked about bringing security earlier into the development cycle. How have you approached that?

Teri: I've worked with teams on Agile, and it helped to bring the SecOps piece in, so security was considered from the start of the development cycle.

DevOps teams were often focused on productivity. I was thinking about efficiency, scale, and risk. People think about scalability, but they don't always think about the mechanisms or the risk implications of what they're building. Security needs to show up earlier, not only after something is already built.

Nick: A lot of teams spent years being told to follow instructions and not ask questions. Now they're being told to ask more, have opinions, and think critically. That shift can be jarring.

Teri: It should also be a reflective moment.

If leaders are imperfect, teams should understand it's okay for them to be imperfect too. But leaders have to model that. If a leader never admits they're wrong, the team learns the wrong behavior. Sometimes people wonder why their teams don't ask questions, and then you look at how those leaders operate, and they aren't asking questions either. They're just giving orders. You can't expect curiosity from a team if you don't model it.

Nick: That connects to something you said earlier: people need to ask better questions instead of pretending they understand.

Teri: You should never say you have something without clarity.

If you don't understand the ask, start asking qualifying questions. People are scared that asking will make them look unprepared, so they say they’ve got it even when they don't know what they were asked to do. That creates a bigger problem later. You come back with the wrong deliverable, and the issue isn't just that the output is wrong. It's that you didn't ask a single question when you had the chance.

That's happening with AI too. Boards may not even know exactly what they're asking for, but they still expect technical teams to lead through the uncertainty. If the questions are unclear and the security parameters aren't being discussed, teams end up in technical paralysis.

Nick: Vendor validation is another big issue. Everyone is selling something around AI right now.

Teri: They are. There are vendors everywhere telling people they need to buy something to protect themselves from AI risk. My question is: who's vetting the vendor?

I've had vendors tell me they can help with ISO compliance when they aren't ISO compliant themselves. That tells me people aren't always asking for the validation mechanism. If a vendor says they know how to help you do something, the obvious question is whether they've done it for themselves.

Nick: That's the strange thing about AI in cybersecurity right now. The buyer and the seller are often both figuring it out at the same time.

Teri: Exactly. There's a lot none of us know. That's why we have to keep moving, keep learning, and keep validating.

But there are still lines you don't cross. You don't compromise your integrity. You don't put your reputation on the line just to benefit an operation or an organization. If I'm the leader and I'm willing to put myself on the line in the wrong way, I'm doing the organization a disservice.

Nick: Looking ahead, what would you want to see more of from the industry?

Teri: More candid conversations and more validated research.

I also want people to sample products more. Open up the hood. Get curious about the product before you shut it down or adopt it blindly. A lot of what people call products are really prototypes. Prototypes are useful, but they shouldn't automatically become production systems. There's a difference between building something quickly and proving it belongs in an environment. You can't think of something new if you don't open your eyes to see what's actually there.

Nick: People talk a lot about AI replacing jobs. How do you think about that?

Teri: I don't believe the human gets removed from the process.

You still need validation. I wouldn't want systems writing directly into my environment without the right controls and review. But I do think AI will reveal things. It'll reveal who was actually doing the work, who was hiding behind activity, and where organizations didn't have a strong foundation. Hopefully, that makes us stronger.

Nick: Some of that lack of curiosity or ownership is learned behavior. A lot of people had bad managers or teachers who trained them not to ask questions.

Teri: I agree it can be learned. But we still have a choice. You can choose whether you stay a product of your environment or become something different.

That applies to work, too. Companies aren't just interviewing you. You're interviewing them. You have to do your own due diligence and due care, and you need to know who you are so you can walk into the right situation for yourself. It can’t be one-sided. If the relationship is only about taking a paycheck, burnout eventually follows.

Nick: A lot of technology is still built on the biases and decisions of people. AI doesn't remove that.

Teri: That's why this is an important moment. Either we change the tide, or we get swept by it. Security is built on trust and integrity. 

Nick: Toward the end, we got into the difference between prototypes and production, especially with AI-generated code.

Teri: Vibe coding can be useful for prototypes, but that doesn't make it ready for production. Building something quickly might give you the key pieces, but you still have to run it through a process before it becomes production-levelck:

There are ways to use agentic coding to build production-level code, but it's not as simple as writing one prompt and calling it done. The process still matters. But the process isn't the thing we worship. It's a means to an end. The point is to build products that solve problems.

The bigger takeaway

This episode isn’t really about AI adoption. It’s about what AI exposes inside technology and security teams.

Teri’s central point is that AI doesn’t remove the need for human judgment. It raises the stakes on it. Teams still have to ask what a system touches, what data it uses, where that data goes, what evidence backs the output, who validates the vendor, and who owns the decision.

That’s the gap a lot of organizations are falling into. They’re talking about AI, forming committees, buying tools, and debating risk. But if nobody is asking better questions, validating outputs, or making a clear ownership call, the process turns into noise.

There’s a leadership point underneath it, too. Curiosity isn’t optional anymore. Teams need to ask questions before they claim they understand. Leaders need to model that behavior. Buyers need to look under the hood before trusting a vendor. Builders need to know the difference between a prototype and something ready for production.

AI may be the next major wave in cybersecurity, but the work is still human. Ask better questions, validate what matters, protect trust, and own the decision.

Liked the post? Share on:
Choose risk-first compliance that’s always on, built for you.
Book a Demo
Book a Demo
Enjoyed this post? Let us know!

About Scrut Automation

Scrut Automation is a modern GRC platform designed to help fast-growing organizations simplify security, compliance, and risk management.

By combining continuous automation with expert guidance, Scrut reduces manual workloads, accelerates audit readiness, and empowers teams to scale their security posture confidently.

From HIPAA and SOC 2 to ISO 27001, GDPR, PCI, and beyond; Scrut helps teams achieve multi-framework compliance with ease.

Join our community and be the first to know about updates!

Subscribe
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Choose risk-first compliance that’s always on, built for you, and never in your way.

The Scrut Platform helps you move fast, stay compliant, and build securely from the start.

Book a Demo
Book a Demo