Futureproof by Xano

Foundational Thinking in the Age of AI—with Doug Merritt (Aviatrix)

Prakash Chandran, CEO & Co-Founder of Xano | Season 1, Episode 15


If AI is making us faster, why does it feel like we're understanding less?

In this episode of Futureproof, Prakash Chandran sits down with Doug Merritt, CEO of Aviatrix. Doug is one of the most accomplished enterprise technology leaders of the last two decades—after serving as CEO of Splunk for years, he's now leading Aviatrix to tackle cloud-native security. Together, they unpack why the speed of AI adoption is outrunning foundational understanding, how a recent supply chain attack on the popular LiteLLM framework exposed a massive blind spot in cloud security, and why the leadership principles that matter most right now—curiosity, empathy, and purpose before action—are the same ones our attention-starved culture makes hardest to practice.

Topics covered include:

  • As agents become more human, humans become more binary: Why the speed and abstraction of AI is making our thinking shallower at the exact moment we need it to be deeper—and how to fight back.
  • The LiteLLM supply chain attack, explained: A breakdown of how attackers injected malware into LiteLLM, harvesting credentials from cloud environments—and why basic egress filtering would have stopped the damage cold.
  • The three fundamental runtime controls: Why identity, endpoint, and network security are the only controls that actually stop attacks in progress—and why most cloud workloads are missing at least one.
  • Cloud providers sold speed without brakes: How permissive outbound defaults became the norm, why cloud providers made firewalls an aftermarket add-on, and what that means for every organization deploying AI agents today.
  • Five leadership principles for the AI age: Doug's hard-won framework—relentless curiosity, leading with empathy, purpose before action, radical accountability, and celebrating success—and why daily mastery beats chasing the next shiny thing.

Episode ID: 19139581-foundational-thinking-in-the-age-of-ai-with-doug-merritt-aviatrix


SPEAKER_00

The fact that most environments that I have seen do not have basic network security controls across the entirety of their workloads. Every workload is its own perimeter in the cloud, is the most massive oversight I've ever seen in my career.

SPEAKER_01

Welcome to Futureproof. I'm Prakash Chandran, CEO of Xano. Today I'm joined by Doug Merritt, chairman, CEO, and president of Aviatrix. Doug is one of the most accomplished enterprise technology leaders of the last two decades. As CEO of Splunk from 2015 to 2021, he led one of the most dramatic transformations in enterprise software, taking the company from an on-prem, perpetual license model to a cloud-based SaaS company, growing ARR roughly from $220 million to over $3 billion. Before Splunk, he held senior leadership roles at Cisco, SAP, and PeopleSoft, and co-founded Icarian, an early cloud-based HR tech company. Today he's leading Aviatrix through its own transformation, pivoting from cloud networking into cloud native security. What drew me to this conversation is something Doug said that really hit home for me. As agents become more human in their behavior, humans have become more binary. We're going to talk about that. We're in a moment where the tools are getting smarter, but our thinking is getting shallower. Deep synthesis and foundational thinking, the skills that have always distinguished great leaders and great builders, seem to be receding just when we need them the most. This conversation is about getting back to first principles and why the foundational layer always wins. Doug, it is really an honor for me to have you here. And one more thing that I'll say is that I remember meeting you as a meager consultant back in the days at Splunk. I also kind of met you kind of in the context of Aviatrix. And both times you were just lovely, like a really accessible and humble leader. And I just want to compliment you on that before anything else. And I really appreciate your time today.

SPEAKER_00

Well, thank you for having me on, Prakash. And uh I'm excited for the conversation and incredibly impressed with what you are building and the tenacity and pivots that you've been driving at Xano.

SPEAKER_01

Thank you so much, Doug. So, first a little bit of background. Now, you know, you left Splunk after, as I mentioned, one of the most successful transformations in enterprise software. Um, you told yourself it was retirement, and then 18 months later, you're back running Aviatrix. So I'm curious in your words, like what really pulled you back and why another company built on a foundational layer that most people don't really think about?

SPEAKER_00

Yes, two great questions. Um yeah, I mean, I definitely thought that I was retired after Splunk. Um you don't realize when you're in the midst of the battle how intense and depleted you actually are. Um, and as you know, as a CEO and leader and founder, like these jobs are insanely consuming and 24 by 7. Um, and I was excited about the concept of not being on that daily accountability operational chair every day. Uh, like most pretend retired people, my plan was to still stay connected. Um, so I partnered with a couple of really interesting uh early stage VCs, um, one particularly in the cyber area, Cyberstarts. Um, I did a ton of co-investing, probably too much. My portfolio is too broad and unmanaged at this point in time. Uh a couple board roles, um, and and learned a lot. Like there's our industry is unbelievable. The talent that that draws itself to uh the tech industry and the courage that it takes to start a company, um, which was most of the companies I was working with, uh, it's it is so gratifying to be around those folks. Um, but what I found over the 18 months is when certainly the way I was doing it, um, with my investing and advising and board work, it is more of an individual contributor sport. Um, you're spending time with folks, but it's kind of those brief touches. Um, you're not dedicated on a wholesale basis to one mission and one task. Um, and what I ultimately found is I I really am an operator more than I am just an investor or an advisor. And what I truly missed was the tribe, um, being around a group of people that are committed to a mission, um, working day in and day out, whatever it takes to accomplish that mission. Uh, and the depth of customer contact that you get, you just can't supplant doing the work that I was trying to do. Um, you're not involved in product reviews. You're you're just it's it's a it's a different life. Um and uh and I miss that life uh to the chagrin of my wife and family. Um like finally, finally. Yeah. 
I I I didn't really think through that I still I've got kids that are in middle school right now. So retirement's different in that world too. It's not like you can all of a sudden travel the world and be footloose and fancy-free. Um, I'm curious about a lot of things. And yeah, maybe if I retire and officially retire in seven or eight years and the kids are out of high school, then it's just my wife and I that could find enough to keep my engagement level where I like it to be. Um, but it is it was great to get back in in the daily grind and operator seat.

SPEAKER_01

I love it. Yeah, the consummate operator. Uh, I definitely understand that, wanting to be hands-on and have influence uh over what happens. Um, one of the things I wanted to ask you is why specifically, you know, Aviatrix. It seems like first with Splunk with data and now Aviatrix with the network, there's a pattern of kind of, you know, being or working on the invisible essential, right, that we all leverage and use. But I'm curious as to your reasoning.

SPEAKER_00

Um, yeah. And that is yeah, there I like to go to overlooked areas with people and a technology that's underserved. Um, and that was definitely IT ops when I got Splunk and logs. It still wasn't very cool to think about logs. It didn't seem like an essential layer of the stack. Um, we obviously pivoted to security, which made it, I think, even more essential. Um, and then had that whole that whole fun cloud transformation as a public company. Um, but in those areas, like when you're dealing with low-level, super intensive technologies, it turned out to be an interesting choice in the world of agentic AI and coding. It's much more difficult to actually craft those technologies. Um that there was a kind of a pattern match that I saw with Splunk that that made Aviatrix meaningful to me, or I like I could see some of those patterns. Um, but the core really was there are uh a number of board members here that I'm really close to. Um and when I was going back and forth in my own in my own mind of I think I might want to go back and do something. Um, that the the draw, I didn't, I didn't do probably nearly as thorough of a search as I as I should have. Um yeah, people we're people are social species. Um I think the the strong and deep relationship with a couple of those board members and their overall pitch was it's one of those overlooked technologies, really, really hard to replicate. I think that you'll find something kind of like Splunk here, but you got to wade in and figure it out. Um, and we know you deeply and we trust you. And you know, if if you come, we'll just kind of turn the keys over to you and and let you figure out what you think the destination would be. Um, and and that was as strong or strong of a draw of almost anything else. Um I was going back because I wanted to get back with the tribe. Like at Bithur Pivot, I'd been lucky enough to be able to reconstitute a bunch of the Splunk people I was close to. 
And um, and that that tribe existing with the board where we had long-standing relationships was definitely a very strong draw.

SPEAKER_01

That makes a lot of sense. And having that um, you know, kind of being given the keys from people that you know and trust, I can totally see the appeal there and getting back into that operating rhythm. Um, you know, in that tenure so far, uh you've seen quite a bit of transformation in the market. Uh, I know you have been an early thought leader around leveraging AI. Um, but one of the things that I was excited to talk about with you is kind of this notion of first principles thinking and how we as software vendors and as a society are leveraging AI today. I opened up uh, you know, in the introduction saying that, you know, you said something to me. You said as agents become more human, humans have become more binary. And I think we're in a moment where people are either pressing yes uh mindlessly, right, and like skipping all the permissions entirely. There doesn't seem to be a middle ground. And um, it's very relevant to you just posted on last week's kind of uh attack. You know, you you can see the consequences are more just uh, you know, I guess consequential than ever, right? Like having so many second and third order effects. So I want to talk to you about how you're seeing people operate in the market today with all of the AI speed that it was introduced really in 2025. What are people overlooking and how are you thinking about um ways? Yeah, let's let's start there. What are you seeing in terms of how people are operating?

SPEAKER_00

I mean, the the premise, the podcast, and that that intro, it resonates so deeply with me. Um I think so much of what we've gone through over the past 15 to 20 years with our online world has done two things to emphasize some of those weaknesses that you highlighted around foundational first principles thinking. Um, one, you know, technology has a great job of abstracting things. When I first started coding, uh, there are still a ton of assembler coders and people were really, really, really close to the metal. Um, and and therefore you understood the foundations of our industry at a layer that's very different than I think most people today. Um, and I think that that that's one vector that I'm seeing that's impacting some of that. How do you slow down and understand the foundations orientation? And then the other is so much of our of our obsession that we've gone through with technology is all super quick twitch, um, sound bite orientation. There's been so many books written about our attention span continues to shrink. Um, and all the incentives for the companies that have done such an amazing job of growing to huge size isn't slow, thoughtful, and purposeful. It is clickbait, quick, transactional. Um, yeah. My kids have a hard time imagining that you can't just get online and get anything you want in less than 20 minutes. And they get upset if whatever they ordered is going to be more than 24 hours away. Um, I think that combination with a possibility of AI making you even more lazy in your thinking, that I think it it does has the opposite benefit in many faces, creates a pretty toxic landscape for us that we've got to really find ways to pierce through. Um, the the foundations of the industry, the foundations that everything runs on still adhere to the principles that you know govern the growth of our industry back in the late 40s, 50s, 60s, and 70s. 
Um, and and if you don't, if you're not willing to slow down and understand like something as simple as what does cloud mean and how does it actually work? The we we're gonna wind up, we're starting to see some of the consequences of moving too quickly and not understanding all the different tendrils and interconnectedness that's happening within the cloud. Um, so I think we've got we've got to find a way to recenter ourselves, despite all the incentives to go quickly. Um, and and I'm huge on learning and curiosity and iterations and yeah, what people could call failure. I'll call it more learnings. Um so moving fast and quick is good, but you do that so that you can depth, you can get deeper understanding of the underlying factors, um, not so you can forget those things.

SPEAKER_01

Yeah. I want to talk a little bit more. I mean, so much of what you say resonates with me, and I'm uh a hundred percent guilty of this. It's very interesting to see how my behavior has changed to where I even just completely will rely on um AI or Claude before I even send anything out. Like before it took some kind of mental dexterity around crafting an email or a narrative, and it almost feels like, wait a second, I'm just like offloading this workload to a machine and not growing this muscle. What is the consequence going to be uh if I continue to do this? So I've tried to be a lot more intentional about the way I use it. And that's just like one small example. Are you seeing this with your own personal behavior as well?

SPEAKER_00

Yeah, for sure. I mean, it's I like like you, um, there's almost nothing that I do at this point in time that doesn't pass through one or more engines before before it gets done. Um I think I went through the same journey that lots of other people went through, where like a year and a half ago, I felt like I was the, you know, the the most accomplished genius in the planet because my mental model for the engines was more based, what wasn't fully based on the core behavioral patterns that they have. Um, and it's amazing how smart they make you feel if you are lazy with quick interactions. Um, and you know, very quickly I realized this view that they're giving me is it's a view. It's largely sycophantic. Um, and it makes me feel great. But but the I I think the degree of thoughtfulness and patience for me has actually gone up. Like I use use it relentlessly. Um, but the amount of like I still I've been trying to think, is there anything that any of the agentic interactions or core engine interactions have given me that I've taken directly that that I haven't spent a lot more time with to get it to a level where I felt comfortable with. And I can't think of one thing. Um, as effective as Opus 4.6 is, and we're standardized on co-work, and I love what we're doing with the agents and the skills, and um, and and the quality keeps go going up. But if you really, really want to get to the depth of something, it's like and a simple email can take an hour, right? Because you've got to attack it from so many different angles to make sure that what you're conveying, for me at least, is is actually has the depth and the rigor and the criticality to it that that I want my my communications to come across with. 
Um, but it's yeah, we've all, I'm sure we've all got our tricks of uh how do you, you know, what does your MD file look like or your series of MD files, and and how do you try and push the the engines and the agents to be hyper-critical and controversial and deep in their thinking.

SPEAKER_01

Absolutely. You know, I think you know, we're talking about email or some sort of draft creation, which uh, you know, has its consequences sometimes. I've definitely copied and pasted the prompt along with the message as well. This this notion of foundational thinking, deep understanding, and really kind of being a partner alongside like letting an AI just run free uh is is very relevant and has much more real consequences when you have situations, for example, like the AI supply chain attack uh last week, right? And you said something interesting in your post that I want to talk about a little bit. You said attackers are not the whole story. The harder question is why so many cloud environments are uh still allow sensitive workloads to talk freely to the internet. So I was hoping maybe just give a very high level as to what happened last week and what you feel like were kind of maybe some of the assumptions that just people made with AI, with their cloud infrastructure, that they really should have done more foundational work on to prevent something like this from happening.

SPEAKER_00

Thank you for teeing that up. It definitely I'm so passionate about this. So uh for those of you that have not been deluged on X and read 18 different versions of what happened, it was an incredibly clever attack. And the interesting point, I'm gonna put out a couple more videos this week because we haven't seen, I think there are is so much more to follow because of what they did. Um, much less the other groups are probably gonna copycat and try and do similar things. Um, for all of us that have to deploy software, like we trust the repos that we pull software from. That's now any of us in the software industry, we take a lot of care in making sure that the code that we're pushing out is has high quality, that's efficient in the way that it's running and consuming resources, and that it's secure. Um there is a whole automated framework to make sure that that you do that to the best of your ability. Um, Team PCP, it it's it's freaking brilliant. I mean, you've got to appreciate the genius of what they did. Uh, there are a whole host of security scanners out there that all of us run against our code to make sure that you've checked it for uh both nuanced and egregious security mistakes. Uh, one of the popular ones is Trivy put up by Aqua. Um, Trivy was compromised by this attack group. Um, and they were able to infiltrate and pull out, we don't even know how many keys. Um and those keys, like if you think about what are people doing with the security scanners, they're giving it the keys to the code so that they can actually run the scan and then you get the feedback so you can make corrections. So they're um very impactful um keys to the kingdom within Trivy. Um and one of the keys that they were able to harvest were the keys used by an extremely popular, we actually coincidentally pulled in a different tool about two months ago, but we were using it for many months. Extremely popular um AI framework, right? 
When companies are deploying agentic AI and LLMs, they don't want those queries and the data going against the public engines. They want to go against gated engines. And most of us want to offer, you know, four or five, six different engines to our teams. LiteLLM is uh is a middleware layer that uh is the broker between the interactions that your employees have and the different engines that they're eventually getting the results from. Um so to do that work, it has insane amounts of credentials. Most LiteLLM instances are sitting in the cloud because they're going after workflows and data access and uh tasks that generally are cloud resident or with SaaS services. So it's got an incredibly rich set of privileged credentials. Um and what this attack group did is they used their security scanner compromise to then get into the actual build process of LiteLLM and uh create, uh insert malware into two published versions of LiteLLM uh that were published on the public repository where any of us that use LiteLLM would go and do an update or install for the first time. Um and that malware did two core things. Um it harvested credentials and provided a backdoor so people could get back in as long as that thing still existed. Um and for those harvested credentials, it encrypted them and then tried to communicate, and for most companies, sadly communicated, um, out to the Team PCP server where those credentials were harvested. Why would Team PCP care about that? Because if I get API credentials, Kubernetes token credentials, key data source credentials from Fortune 500 company ABC, I can then use those credentials to do far more malicious things. I can go back into that environment, insert malware, I can exfil data and either embarrass the company or hold them for ransom or use it for some other nefarious purpose. Uh and my post was right, so you can be mad at Team PCP. Um, and that was a super clever attack. 
And it's yeah, it's a classic supply chain attack, very, very detrimental. It's 39% of the AI landscapes out there using LiteLLM. How do you prevent that? It's very difficult as a corporation when you're downloading that package to see is it infected with malware? That's that it's a binary. You can't very difficult for you to diagnose that. How you prevent that, yeah. Should organizations stop that injection that create that software? Absolutely. And there's a lot of stuff written about how to do that more effectively. But assuming that malware lands in your environment, and my assumption, given my many years of cyber, is there is malware all over your environments at this point in time. Um, I can go have a whole separate discussion on why that would exist. But malware is everywhere. How what is the fundamental control, going back to first principles, that would have stopped any detrimental consequences of you having LiteLLM, having the infected version of LiteLLM? You've got to have very thorough ingress and egress controls across every single one of these workloads. The crime, the bad part, you had the attackers inside the vault. Now that was what the malware did when you downloaded it from the public repo. What they wanted to take were the jewels from the vault, which are the keys. To do that, they need an access path. That access path went to a URL that's not the URL that is tied to LiteLLM. It was a look-alike URL, but it's registered to a domain that's known in the dark web to be a malicious domain. So any company that got infected would have had zero consequence. The bad guys would be trapped in the vault. There'd be no impact at all if they just had the most basic element of what Aviatrix provides with their distributed cloud firewall of egress filtering. My concern is the amount of egress filtering that I see within those corporations is extraordinarily light. 
When you get to more difficult-to-cover workloads like containerized workloads or serverless workloads that do not have a static address, uh IP address, it becomes way more difficult. And this attack is going to be a pretty gosh darn consistent pattern. We've seen a few more already since the LiteLLM designation on Tuesday. And the simple fundamental protection, you would have never, I don't know, a corporation or a CISO that would have allowed a data center to be built back when you built your own data centers without pervasive firewalling across that data center. Certainly on everything that comes in from the internet and goes out to the internet, but usually liberally sprinkled across that data center. And the fact that most environments that I have seen do not have basic network security controls across the entirety of their workloads. Every workload is its own perimeter in the cloud, is the most massive oversight I've ever seen in my career.

SPEAKER_01

Thank you for breaking that down. And I think in that breakdown, watching one of the videos that you put out on this, you said something interesting here that goes down to this foundational thinking around, you know, cloud infrastructure providers, they say that they're secure, but the like what you're putting on them, like there is a default, like this permissive outbound default that people don't necessarily understand. And again, if you're not understanding, if you're just deploying willy-nilly, leveraging AI without true understanding of like the different attack vectors as you start to scale, um, I think, like you said, that is a leadership problem. And you were talking about, you know, cloud infrastructure. Think about like the second and third order effects that houses our uh hospital systems, our financial systems, our air, air, air traffic control. So many things are powered by this. And to have this permissive outbound default without you being thoughtful and just it doesn't take a long time. Like setting a switch and some uh some proper protections for yourself is uh is kind of ridiculous, right?

SPEAKER_00

It it is. But but you've you've got to understand the foundations. Like I've been preaching for two years now. And there are really only three uh meaningful runtime. So there's two elements with cyber. How do you prevent bad things from happening, and then how do you stop bad things from happening? Um, both are really important. Stopping, I think, is way more important going forward. Is it should be should have a stronger amount of attention. There are only three fundamental runtime controls. If you look at the genesis of our entire industry, like what is our tech industry? Our tech industry is entities acting on compute, talking across the network to entities acting on compute. Like that, that's the simple fundamental uh orientation of our industry. The three runtime controls follow that. Like, if you want to, if something bad is happening, you want to stop it from happening, you've got to be able to revoke credentials of the entity, with human or non-human. That's one way of stopping it. You've got to be able to shut down the thing that it's operating on. That is classic endpoint security. Um, to do that, you generally need an agent that's inserted at the OS level of that thing. In the cloud, that is a declining percentage of the workloads because most of them are ephemeral, which means you can't insert an agent into it. And then you need a network runtime control. If going back to the LiteLLM piece, if you just had basic URL filtering on it, you would see that this piece of software is trying to contact a URL that shouldn't be on your allowed list. And if you did any type of threat intel, it would actually be a nefarious site. Like stop it. Now, again, that thing is infected. You can revoke its credentials, you can pull it out of your environment, you can begin to cleanse your environment, but the actual detrimental thing would have never happened because you shut down that network control point. 
Um, and what I think a lot of executive teams heard, which is right, is Google, Microsoft, Amazon, Oracle shouting, we have built the most secure data centers on the planet. And they have. Like if you ever got a chance to go visit them, it's freaking unbelievable. Like it's brilliant what they built. What they are not saying loudly enough is, oh, and by the way, any virtualized stuff you put in the super secure data center, that's your problem. That's not ours, which I get. Like they can't control how I config my access to S3. Like that's got to be my responsibility. The fault that I place with the CSPs is I equate it to, and I said in the post, it's it's like selling a high-performance car and making brakes and seat belts an aftermarket add-on. Like, what why do they make permissive outbound approaches? Because they're trying to serve developers and developers want speed. And when you're standing up a development environment, you access it from somewhere else. And many of those services are directly internet addressable. So the default posture is permissive outbound. That's an oversight. Like done properly, going back to 2010, 11, 12, 13 with AWS, like there would be a click-through for every single workload on do you want basic URL filtering? Like, do you want basic firewall services around this workload? That wasn't done, which is why the majority of these workloads are naked. They're naked to the internet. They're either not directly internet addressable, but they can communicate with something that is, that is naked, which is an easy path out to the internet, or they're directly internet addressable. Um, and again, do they need to be? Absolutely. But you can gate what's a safe site and what's not a safe site. But but you've got to go back down to what are the foundational principles of cybersecurity and what do I need to have in place at the foundational level to make sure I'm secure? 
And then start working, worrying about all the other really interesting clickbait elements about cyber. Like there's so many tools out there, but if you don't have the foundation laid properly, those tools are not going to matter.

SPEAKER_01

Yeah, I mean, this is something I wanted to maybe expand on a little bit. You know, we're uh we're talking about the incident last week, but you're also seeing a proliferation of tools like OpenClaw, like Perplexity Computer, a proliferation of Mac minis uh agents that will be operating on local networks and in the cloud and a mix of things. You know, I think that there is certainly pressure uh from the top, there's pressure from everywhere to adopt these tools, to automate your workflows, to uh reduce your workforce, and to basically set the agents free. I'm curious as as an application development leader is pulled in all of these different directions with all these new technologies and their developers are pushing them uh, you know, to uh assign an agent to every single person in their organization. How do you guide them? How do you like say, look, this is uh this is something, yes, that is coming at you, but how do you help them navigate this crazy world where it seems like every single day there's something new for them to consider?

SPEAKER_00

Yeah, it is, and it is such a crazy world. I'm sure you're like me, Prakash. Like every day I wake up and I've got to reorient my worldview based on whatever happened in the past 24 hours. Um for me, for me, I just keep going back to you have to move fast. I am guilty as charged, right? I came into Aviatrix two and a half years ago saying we've got to be AI first, we've got to be AI first. I'm constantly pushing uh our CIO and CISO John Chen to be aggressive with the deployment of agents and MCP servers and frameworks, and because we've got to get the leverage. I'm less interested in reducing my workforce. I'm more interested in 10x-ing the productivity of my workforce. Um but we need that, we need agentic AI to do that. But you can't do that without a with without having clear first principles and tenets of what is necessary to make this secure. Because high productivity with low security is actually even worse. Like I'd rather not not have it than have these rampant, uncontrolled, massive breaches, which is what we're asking for as we deploy these agents and MCP servers. They've got, they're relentless, they move so quickly and they're so task-oriented and sycophantic. Like they are going to complete their task no matter what. Um, and so it's just good for me. It goes back to you better have a pervasive identity strategy, both human and non-human. You better have a pervasive endpoint compute strategy for the things where that can actually work. And you better have an integrated pervasive network security strategy to make sure that you feel even mildly comfortable. But I still have not set up an OpenClaw at home because I just don't have the time to harden my home network, make sure I've got the right privileges and permissions, buy the Mac Mini that's clean and scrubbed without any of my credentials, figure out like there's just such an overload to get that done. Um, and that's just for my home environment. 
Like we're talking about corporations that serve hundreds of thousands, millions, potentially billions of people. And it's it's their data, it's their lives. And as we've talked about, like I cannot literally do a thing without being online anymore. I can't book travel, I can't go see a doctor, I can't order my prescriptions. Like, there's we're so dependent on this world. We have to make sure that we are driving foundational thinking across the CIOs and CISOs within these organizations so that um we we keep the amount of cyber breaches in check.

SPEAKER_01

Yeah, you know, I think something you're saying there is like it's it's the speed plus the control. And there's a lot of like prerequisite thinking that you know you're going through, even in saying, like, you know, in order for me to deploy something like OpenClaw at home, there's all these things that I have to do before I even experiment with it. Um, there is a tension, however, the people that aren't necessarily thinking foundationally about giving access to all of their agents and getting that pressure, because you, you know, you've been saying yourself, like, we need to move fast, we need to leverage AI. It's interesting. I'm I'm I'm wondering tactically, how do leaders start thinking about, okay, let's say you're getting this mandate today? Let's say you're learning about OpenClaw for the first time, Perplexity Computer, things that you are able to do to automate, to uh offload and get leverage through AI and an agent for. Where do you tactically start beginning? Is it a meeting of the minds with your CISO, your CIO to talk about, you know, security first, safety first ways of doing things? How have you seen not only within Aviatrix, but some of your customers start to tackle this without getting in over their skis?

SPEAKER_00

Um, so I think a big chunk of that goes back to culture. Right? Are you do you have a culture where um people that are close to the metal are allowed to speak up? Because there's very few orgs that I've worked with where if I go deep enough, the problems that I'm talking about, I can find the people who are like, oh, oh yeah, yep, yep, I know that's a problem, but no one will listen to me. Um, so making sure that you have the right feedback channels and people are allowed to express that, I think is is absolutely critically important. Um, because speed without safety doesn't make any sense at all. If you want there's whatever F1 quote of um, you know, why can they drive so fast? Because they've got great brakes. Like you you need you need both to actually get the performance that you're looking for. Um I've talked on a couple different forums and and podcasts about where are where where is that security person housed within the organization? Um, and you know, the default answer is always elevate people, but without the CISO having direct CEO access without a filter, I think it increases the chance for this to happen. Um, so you know, my, our CISO here reports directly to me. Um, you know, they need D&O insurance. There's a bunch of support that they actually need to be able to do their job effectively. Why we're leaders and why the job is so hard is because you actually have to effectively deliver on uh 50, 100, 150 metrics. And some of those metrics are conflicting. Um, and that's a that's a hard job of synthesis and prioritization and judgment that we all have to have as leaders. And there is no excuse of I was, you know, I had to move fast, and therefore I optimized this one metric over every other metric. Um, there's a balance between them all.
Uh and and I think we'll see in the next three, four months, because I can imagine the number of additional attacks are going to look like this, and some of the count consequences we're gonna see, a healthier dialogue on absolutely go fast, absolutely experiment. Um, but as you deploy, you have to do it in it. And you have to show the organization that you've done it in a way with the right visibility controls and runtime enforcement mechanisms so that as soon as we deploy, we're not on the front page of some newspaper and disappointing our customers. Something like Aviatrix, it is all infrastructure as code. It naturally fits into this shift-left mentality. It's our our job in a lot of my work is like, how do I get closer to the companies that are developing and deploying these agentic frameworks organizations to see are they willing just to include it into their own build and instantiation process? Because the closer we can get to the developers, but you know, everything that we deploy is Terraform. It's easy to make this a default set of actions and activities that do not slow down developers. Like I get the tension. Developers have got to go fast. Um, so CISOs, figure out how you go at the speed of developers, but but you got to be there. Like there's no hall pass that they went too fast and I just couldn't keep up. So, well, you took the job. I'm sorry. That that is your job. Um it's a hard job. Like I've got so much empathy for the complexities of being a technical executive and a security executive within organizations right now.

SPEAKER_01

Especially in today's market, for sure. Yeah. I want to shift a little bit. Just you mentioned culture. When you recruit, when you look for candidates, when you look for like the right type of people to run the organizations of today, what are kind of some core principles or learnings uh that you've taken away in the age of AI?

SPEAKER_00

So I it took me a long time to get to a what I think is a refined enough list of leadership principles. Um and and I'm finally down to five. Um so I mean, this is what we really look for as we recruit, but I think that they are highly aligned with what we're dealing with with AI right now. Um and they're prioritized because I've seen in a sequence. Um the first is relentless curiosity. Um, I think it's the backbone of humanity, and it's certainly key with the AI age. There's so much that we don't know and so much to learn. Um, and if you're not relentlessly curious, it's you're gonna be, it'll be hard for you to be successful within Aviatrix, but I think within most organizations. But right behind that is lead with empathy. Um, because being curious is great, but if you're not willing to listen and really understand and put yourself in someone else's shoes, that curiosity is not going to be nearly as valuable. And the third is purpose before action, which is it's great that you do those first two, but now take those learnings and slow down and focus on what are the first principles, what are the foundations that you're trying to achieve with whatever the thing is that you're being curious and empathetic about. Um, and then the fourth is radical accountability. If you've gone through those three things and you're doing something, hold yourself and those around you accountable to learn and to iterate and to try and get to some of the outcomes you're looking for. And then the fifth is celebrate success, which is more for me because I don't celebrate my own success enough. But I think we all need to kind of step back and it's like, how do you keep the engine full and keep yourself moving forward? Um but when I think about with AI and everything I've gone through the past three years, like though that that journey serves me so well. And and even with the celebrate success, like it, it's I I feel so far behind. 
There are five educational sessions and podcasts that I feel I should have listened to every day that I didn't, that are new insights and breakthroughs on on how to leverage and operate more effectively. And um, but but it really, I mean, we I just we've never been in such a learning environment. It's intense to be in this time period.

SPEAKER_01

I think the one theme that keeps uh coming up is actually to slow down just a little bit. Like I think that it's so incredibly easy to move fast uh because, like you said, like you feel like you should have listened to three to five podcasts when you wake up in the morning, you're already behind. Um, but there is a balance, right? And I think we, you know, I've mentioned this before, but it feels like we're sacrificing speed for skill development and understanding, especially in a world where, you know, you were kind of mentioning this first principles thinking, our the things that make us uniquely human are receding into the background as we become like accept machines, right? Um, it's important to really go back to the first principles around like, why are you building the thing that you're building? What problem are you really solving? Um, I think I was even talking to another CEO around because AI makes it so easy to build, we're building so much stuff. We don't, we stop, we don't stop to question like, should we even be building? When you had to stop and talk cross-functionally and get the make sure the data uh is coming from the right place, you could make more thoughtful decisions. So I think, I think it's this balance that we're all on the journey uh really to kind of find our own equilibrium in. But I think in this, and even in the principles and the tenets that you listed, it's trying to really take a moment, celebrate the wins, but be thoughtful, right? Like, and deep this deep transformation that we're talking about from first principles thinking um requires this process discipline, right? That more people need to instill in the way they're uh attacking problems. So that that's like an insight that I have. It's like, yes, we're moving so fast, but you might need to slow down a little bit to trade off the understanding that is going to help you later in the future.

SPEAKER_00

Absolutely. I mean, distillation, you need distillation time. It's uh one of the things I did within Aviatrix is I brought in this author, Joshua Medcalf, who is famous for writing Chop Wood Carry Water, um, which is his least favorite book of the books he's written, but it's his most famous. Um, but but it's all around daily mastery. It's like letting go of the outcomes and focusing on the small repetitive elements that if you're willing to spend time on every single day, like the analogy I was giving before I read the book in Metrash was Steph Curry still does dribbling drills, footwork drills, three-point drills every single day. Every single day. He's trying to get a quarter percent better, which is why he or LeBron, or you give you know, through the list of any sport legends, why they continue to excel and set the bar. Um and and that both that focus on what am I trying to get done, what are the critical foundational elements that really make me perform better in this job. And then how do I pay attention to those with the compounding returns over time? That all that feeds into what you were saying because like that the distillation that happens because of the 10,000 hours, the 20,000 hours, and and everything in our society is against that right now because everything is just act and move and pivot to the next thing and pivot to the next thing and it'll just rebuild itself. And it's like, I mean, it can, it can, but what about go slow to go fast? And you've got to go fast enough you don't get left behind, but you've got to go slow enough that you actually are in gonna achieve, have a chance of achieving the thing that you set out to achieve. There's, I think, a lot of self-discipline that we all have to increase right now to uh try and stay purposeful and present and thoughtful.

SPEAKER_01

We're talking about just kind of this frenetic, crazy world that we live in, always feeling behind. And you kind of offered some tips around, you know, trying to distill and kind of going slow to go fast. How do you go about prioritizing working on what's important in this world where you have so many different inputs, so many different signals? Um, you know, with this through this lens of foundational thinking, first principles thinking, and deep understanding, how do you take that? And then prioritize your day, your week, your month?

SPEAKER_00

So, first I do try and gate time so that I can exercise in the mornings. Um, yeah, I can actually eat some reasonable non-processed food for a meal, have dinner with the family, uh, do our gratitudes at night. So I know it sounds so pedantic and silly, but easily we could all work 14 hours a day and that won't serve us very well in the long in the long run. For my prioritization, I try the where I try and elevate items I'm working on and spend maybe too much time sometimes on them, um, is dependent upon the amplification of the leverage of that activity. Yeah, if I'm gonna write an article that is gonna post to LinkedIn, it's ridiculous how many iterations and takes I had to do before that LinkedIn video that I put there. Um and I, yeah, I had to fight every urge to publish it on Wednesday or Thursday or Friday because there's a news cycle. It's like I've got to be sure about what point I'm trying to make. Um, so those, yeah, that a product review session, a strategic account review, like what are any engagement with an employee? What are the things that have a uh an order of magnitude or an amplification or a greater impact versus a lot of the tasks? I woefully am behind on email because I'm there's so many transactional things that I just ignore. So I can try and prioritize and focus time on uh elements that are gonna require more thought and I think have higher amplification, which was again some of the maxims I've heard of, yeah, respond to every email right away and make sure people know that you're you're on top of it. And um, and if I ever trust Claude Cowork enough, maybe I'll let it do the quick response to every meme email. I'm not there yet. I'm not there.

SPEAKER_01

Yeah, yeah, neither am I. Um, and I just want to say that I think the post that you made uh was very well done. And you can tell that I think you can tell the difference when someone just like delegates to AI and copies and pastes versus something that is like far more thoughtful. And there was a comment on the thread that said something to the effect of like, that was well said and easy to understand. And that's the distillation process that like is a very human thing. And it's not that AI can't get close to that, but to make it your own and to really find that signal in the noise is I think what the highest and best use uh and how we can leverage AI the best, really just as a partner, but to really put infuse our intention into it. Um, Doug, I want to thank you so much for your time. I could just go on talking to you for hours, but uh uh unfortunately we have to wrap up. If people want to learn more about you, about what you're doing uh at Aviatrix, where can they go?

SPEAKER_00

Uh if you go to Aviatrix.ai, that's our website. There's some really cool stuff in there. If you're if anything I talked about resonates with you, um email me at dmerit at aviatrix.com. But I really appreciate you having me on.