Why risk acceptance isn’t a viable option, with Jaya Baloo

by Dave Lewis
June 12, 2026 - 3 min

Listen to this episode on Apple Podcasts
Listen to this episode on Spotify
Anyone who thinks security leaders are humorless sticklers for the rules has never spent half an hour with Jaya Baloo. But in this episode of Chasing Entropy, Dave Lewis does just that, and the result is a frank and irreverent conversation that proves that security may be serious business, but it’s still a fun job. Baloo is the co-founder and COO/CISO of Aisle, an AI-powered vulnerability management startup with the bold goal of “zero exploitable vulnerabilities.”
Baloo’s career has spanned telecom, cryptography, enterprise security, and AI-driven security research, but her love of computers started when she got her first computer (a Commodore 64) at age 9. The conversation tracks her journey from early BBS war dialing and CompuServe stories to the modern challenge of defending organizations against increasingly autonomous systems.
A major focus of the episode is the growing hype around AI-powered vulnerability discovery. Baloo acknowledges the seriousness of the threat, saying “It introduces this asymmetry in terms of attacker-defender advantage, where the advantage would strongly go to the attacker if they’re capable of finding new and novel vulnerabilities, and the ability to exploit them, and potentially doing this at scale, autonomously.” However, she cautions that fear of a Mythos-level model shouldn’t leave security leaders feeling too overwhelmed to take action. “We have elevated this to a level of hype that is not that beneficial to actually doing something about the problem.”
Instead of panicking about the unknown, Baloo advises security leaders to start by addressing the problems they already know about. Organizations still struggle with asset visibility, remediation backlogs, inconsistent logging, and weak operational hygiene. AI may have widened the blast radius of these risks, but they existed long before LLMs.
The discussion also explores how smaller, open-source models can rival or exceed the results of heavily funded proprietary systems when paired with the right orchestration and context. Baloo explains how her team at Aisle used lightweight models to identify vulnerabilities in OpenSSL, including issues other systems missed entirely. She says, “If you can find new and novel vulnerabilities in the same codebase that were missed by this incredibly intelligent and well-resourced model, then maybe it’s not about the model. Maybe it’s about the way you’re running the model, and everything else around it.”
Dave also brings up the governance failures emerging around enterprise AI adoption. Internal copilots, third-party integrations, and poorly understood permission models are creating new forms of insider risk. “Our permissioning models need to change, and identity is a really big part of that,” Baloo acknowledges, pointedly hinting that 1Password could help drive that change.
Later, Baloo candidly addresses thorny issues of leadership and board accountability, particularly how CISOs are expected to manage risk they did not create. She argues that security teams are often left cleaning up years of operational debt accumulated elsewhere in the business. She offers a pragmatic approach to tackling these issues, but is vehemently critical of “risk acceptance” culture, having seen organizations normalize small unresolved issues until they compound into systemic failures. “No risk acceptance! What a nonsense term,” she quips.
As always, Dave closes the episode by asking what advice his guest has for security professionals just starting in their careers. Baloo says she found success by following her interests and values, rather than her ambitions, and that this has led her not only to a successful career, but a happy one.
Subscribe to Chasing Entropy
Subscribe to Chasing Entropy for honest, expert-led conversations on agentic AI, security, shadow IT, and extended access control from industry leaders.

