From Shadow AI to Secure Agents: The C.H.A.N.G.E. Playbook
Barath Subramaniam
BSides Seattle 2026 · Day 1 · Track 2
Barrett, a staff product security and AI engineer at Adobe, delivers a talk focused not on which AI model or tool is best, but on why well-meaning security teams keep failing to adopt AI securely -- and what to do about it. The talk centers on the **C.H.A.N.G.E. framework** (Communication, Human oversight, Attitude, Network, Governance, Enablement), originally developed by Nofar Gaspar at Superintelligent, which Barrett adapts specifically for security teams.
AI review
A culture-and-governance talk about AI adoption in security organizations. Well-structured around the C.H.A.N.G.E. framework with good supporting data (ISACA 83%/31% gap, shadow AI copy-paste bypassing DLP), but there is no original technical research, no exploit analysis, and no novel security mechanism. The three-tier autonomy model is common sense, not a contribution.