RPC’s Spencer Scott on Why Security Basics Must Come Before Agentic AI Adoption
Artificial intelligence has significantly transformed social engineering threats. AI technologies allow attackers to execute devastating deepfake-led schemes, voice cloning, and sophisticated phishing attacks at unprecedented speed and low cost. This rapid evolution of techniques places immense pressure on cybersecurity defenders, who struggle to keep pace with these fast-moving threats.
A substantial contributor to these challenges is the emergence of what is termed “Shadow AI.” This phenomenon occurs when employees introduce unsanctioned AI tools and solutions into their organizations. These tools can expose companies to a myriad of risks that fall outside the visibility of conventional security teams. As a result, already complex attack surfaces become even more difficult to manage and assess, creating significant governance challenges for organizations striving to maintain cybersecurity integrity.
Spencer Scott, who heads information security at the law firm RPC, shared his insights into the current landscape during an interview with Information Security Media Group (ISMG) at the Infosecurity Europe 2026 conference. He emphasized how urgent it is that organizations not overlook foundational security measures as they push forward with the adoption of cutting-edge AI capabilities. “A lot of companies are racing toward this agentic capability,” Scott remarked, noting that many are neglecting existing vulnerabilities and risks that have not been properly addressed at the fundamental level.
Scott’s extensive experience—spanning over 25 years in IT, with more than 18 years focused specifically on cybersecurity—provides him with a unique perspective. He underscored the necessity for organizations to rethink their approach towards AI-enabled threat management. The rapid velocity of AI-driven attacks means that traditional methods of human-led threat analysis can no longer suffice. Instead, security measures must evolve and harness the power of AI itself to stay ahead of potential threats.
Additionally, Scott outlined the critical importance of integrating AI-specific considerations into third-party due diligence processes. This incorporation is vital for ensuring that partnerships and external collaborations do not expose organizations to additional vulnerabilities. Scott argued that just as organizations apply strict oversight in conventional IT infrastructure implementations, similar governance frameworks must be established for any AI technologies introduced into the fold.
During the interview, Scott described specific ways organizations can bolster their defenses. He said questions about AI capabilities need to be integrated into existing third-party risk management protocols. These discussions should extend beyond mere compliance checks and examine the technological implications of third-party AI solutions. Organizations must evaluate not only whether the tools are compliant but also how they align with the organization’s overall security posture.
In conclusion, Spencer Scott’s insights reflect an urgent call to action for organizations operating in today’s digital landscape. The need to address foundational security elements before leaping into advanced AI capabilities cannot be overstated. In an environment where threats evolve at breakneck speed, organizations must prioritize a robust and secure infrastructure that includes comprehensive governance and compliance measures, so that they remain vigilant against the vulnerabilities and risks posed by AI-enhanced threats.
