Chasing Entropy Podcast by 1Password

Author(s): Dave Lewis 1Password

About this audio

This podcast is an interview series with career professionals in cyber security as we get their takes on shadow IT, extended access control, agentic AI and how they arrived at this point in their careers.

© 2025 Chasing Entropy Podcast by 1Password
Art
Episodes
  • Chasing Entropy Podcast 027: Building Zero Trust and Human-Centric Security with Kane Narraway
    Oct 28 2025

    In this episode of Chasing Entropy, I sit down with Kane Narraway, a security leader who has built and scaled Zero Trust environments at companies like Atlassian, Shopify, and Canva. Together, we explore the evolution of cybersecurity, from digital forensics to agentic AI, and the ongoing tension between innovation and control.

    From Forensics to Frameworks

    Kane’s journey into cybersecurity began with a fascination for hardware, inspired by tinkering with spare computer parts from his grandfather. That curiosity led him into networking, digital forensics, and ultimately enterprise security, laying the foundation for a pragmatic approach to defense. He recalls the early days of building Zero Trust architectures before the term became an industry buzzword, emphasizing how early implementations were often “collections of Python scripts” long before robust vendor solutions emerged.

    The Last Mile of Zero Trust

    Kane and I discuss the progress and pitfalls of Zero Trust adoption. While modern identity and access systems have made implementation easier, Kane argues that the industry still leans too heavily on network-level controls. “The point of Zero Trust was to stop relying on networks,” he notes, describing lingering issues like single-factor API keys and limited endpoint-level enforcement. His team’s experiments with proxy-based access models highlight how innovation often means rethinking, not just reinforcing, old ideas.

    The AI Security Dilemma

    The conversation turns to agentic AI, autonomous systems capable of acting on credentials and data. Kane and I both express concern that current security strategies, built for humans, are ill-suited for bots. “We’ve spent so long protecting human users,” Kane warns, “but now service accounts and AI agents are our weakest link.” We explore real-world examples, including AI prompt injection attacks, and question how organizations can extend Zero Trust principles to these new autonomous entities.

    Governance, Responsibility, and “Bot Jail”

    As AI governance becomes a boardroom topic, Kane and I tackle the thorny question of accountability: when an AI system goes rogue, who’s to blame? We muse about the idea of a “bot jail,” underscoring that explainability and traceability, not just prevention, are essential in the age of automation.

    Building Security Cultures that Fit

    Beyond technology, Kane offers insights into building effective security teams that align with company culture. At Shopify, for instance, strong platform alignment meant setting clear principles and empowering teams to work autonomously. His advice for leaders: build around your organization’s DNA, not against it.

    Measuring What Matters

    Security impact can be hard to quantify. Kane recommends balancing operational metrics with threat intelligence and industry trend data, using reports like Verizon’s DBIR as directional guides. As credential-stuffing attacks decline and software supply chain threats rise, he stresses the importance of adapting defenses to real-world attacker behavior.

    Advice for the Next Generation

    For newcomers to cybersecurity, Kane’s advice is simple but grounded: “Do whatever you have to do to get in, and then find your passion.” Not everyone needs to start in red teaming; roles in governance, blue teams, or compliance can open doors and build transferable skills.

    Closing Notes

    After a wide-ranging discussion, I close with this question: coffee or tea? For Kane, it’s coffee at heart, but tea in practice. The perfect metaphor, perhaps, for the compromises every security leader makes between passion and practicality.

    Listen to the full episode of the Chasing Entropy Podcast on YouTube or your favourite podcast platform.

    Be sure to like and subscribe! Hosted by Dave Lewis, Global Advisory CISO at 1Password.

    36 min
  • Chasing Entropy Podcast 025: Heidi Potter on Building Community and Leading with Kindness
    Oct 14 2025

    In this episode of Chasing Entropy, I sit down with Heidi Potter, longtime organizer of ShmooCon and now CEO of Turngate, for a heartfelt conversation about community, chaos, and legacy in cybersecurity.

    From ShmooCon to What’s Next

    For 20 years, Heidi helped shape ShmooCon into one of the most influential community-driven conferences in the industry. She reflects on the decision to sunset the event, sharing stories of the unexpected impact it had: first talks that launched careers, lifelong friendships, even marriages that began at the con. What started as a grassroots gathering became a cornerstone of hacker culture, thanks to her team’s dedication and her philosophy of “happy staff, happy event.”

    Lessons in Transparency and Leadership

    Heidi shares how ShmooCon embraced radical transparency through its Own the Con sessions—revealing the financial realities, challenges, and choices behind running a conference. She explains why building the right team and treating the venue itself as part of that team are essential to success. Her guiding principle of “lead with kindness” underscores both her event leadership style and her approach to life.

    Stories, Chaos, and Community Magic

    From snowstorms that stranded attendees for days, to the legendary “Shmoo Bus,” to the serendipity of LobbyCon, Heidi and I trade stories that highlight the humor, chaos, and magic that defined the event. For Heidi, coordinating chaos isn’t just a skill; it’s a way of finding order, meaning, and connection in unpredictable moments.

    Looking Forward

    While ShmooCon has closed its doors, Heidi isn’t done building community. She’s already laying the groundwork for new events under her Moose Meat initiative, with plans to create smaller, more flexible gatherings in the future. Above all, her focus remains on giving back to the community and leading with kindness.

    Listen now to hear Heidi’s reflections on two decades of ShmooCon, her insights on building inclusive communities, and why the stories we create together matter just as much as the code we write.

    36 min
  • Chasing Entropy Podcast 025: “Agents, the Legacy Web, and Logins that Don’t Leak” with Paul Klein IV
    Oct 8 2025

    In this episode of Chasing Entropy Podcast, I spoke with Paul Klein about the emerging “agentic web”, where AI agents perform real-world digital tasks on our behalf. Paul shares how Browserbase builds secure infrastructure for these agents to interact with websites safely, and how new integrations with 1Password’s Agentic Autofill enable secure, human-approved credential use without exposing secrets to AI models.

    Together, we explore how this evolution of automation can make the web more useful, while keeping it secure, observable, and aligned with human intent.

    Key takeaways

    1. The rise of the “agentic web”

    • The internet still runs on legacy systems with no APIs—think DMV forms and government portals.
    • Browserbase enables AI agents to safely automate tasks on these sites using headless browsers (full browsers without a GUI).
    • These agents can perform structured, repetitive workflows—like procurement, compliance checks, or data lookups—without human micromanagement.

    2. Automation that works like an intern

    • AI isn’t magic; it needs structure.
    • Klein compares AI agents to interns: they’re capable but need clear instructions, context, and defined steps.
    • Repetitive “SOP-style” tasks are ideal; vague one-line prompts aren’t.

    3. Stagehand & Director: Building automation for everyone

    • Stagehand (open-source) allows natural-language automation using “fuzzy selectors” like “click the login button”, instead of brittle scripts.
    • Director lets anyone prompt AI to build web workflows, see the generated code in real time, and reuse it in production environments.

    4. Guardrails: Observability before autonomy

    • Browserbase includes live session replay—you can literally watch what your AI agent is doing in a headless browser.
    • Observability ensures safety and accountability; cached workflows reduce dependency on LLMs over time.
    • Governance best practice: treat AI tool use as remote code execution—sandbox it, restrict tool access, and monitor every action.

    5. Secure authentication for agents

    • 1Password Agentic Autofill now works in Director, allowing agents to securely log in with stored credentials.
    • The human stays in the loop: every login request is approved (or denied) in real time.
    • Passwords are never shared with the model; 1Password fills them directly into the browser.

    The pragmatic future of AI automation

    Paul sees agentic browsing not as a replacement for humans, but as a relief valve for digital drudgery. AI can handle the tedious work, checking orders, renewing passports, filling government forms, so humans can focus on creative and strategic thinking.

    “We’ve automated the equivalent of a couple thousand human lifetimes of browsing,” Klein notes. “That’s time people get back.”


    For CISOs and security leaders

    Paul’s advice:

    • Treat AI agents like RCE: Lock down execution environments, sandbox them, and validate every dependency.
    • Constrain tool access: Only approved connectors or MCPs should be callable.
    • Start with observability: Log every action and enable real-time oversight before allowing automation to run at scale.

    Memorable quote

    “AI is your intern. Give it the shopping list and the steps.” ~ Paul Klein


    Listen to this episode of Chasing Entropy wherever you get your podcasts: no hype, no FUD, just the humans behind the next wave of cybersecurity and AI automation.

    Also on YouTube: https://www.youtube.com/watch?v=o4tgJz_4WcM

    35 min