Everyday AI: Leveraging LLMs for Simple Security Tasks

Matthew Sullivan, Dominic Zanardi

BSidesSF 2025 — Here Be Dragons · Day 1 · Main

Instacart's infrastructure security team built a suite of LLM-powered automations to tackle identity and access management problems that deterministic code could not solve — access request classification, role right-sizing, Terraform policy cleanup — achieving 95% auto-approval rates for access requests and dramatically reducing engineering burden. Matthew Sullivan and Dominic Zanardi share practical patterns, working code, and hard-learned guardrails for teams that want to automate the gray areas in security operations.

AI review

Sullivan and Zanardi shipped this at Instacart and have the production numbers to prove it — 95% auto-approval on access requests is not a pilot result, it's a real outcome. The tokenization-before-LLM PII guidance and the human-gating-PR-merges guardrail model are the most transferable takeaways. Practical, grounded, and refreshingly honest about what LLMs can't do.