We hosted a virtual roundtable with Will Bengtson, VP of Platform and Security Engineering at HashiCorp, former Netflix security leader, and advisor to Oso. The session, moderated by Oso's Founding Engineer Gabe Jackson, brought together security and engineering leaders to discuss how AI is changing threat models, developer workflows, and the role of security teams.
Here are some of the key takeaways:
- Stay curious. You cannot set good policy without understanding the tools yourself
- Shift from blocking to enabling. Create guardrails that let teams experiment safely
- Focus on objectives, not hype. Match tools to business goals and control access carefully
- Update playbooks for AI speed. Threat actors move faster and processes must keep up
- Use AI to your advantage. Automate triage, vendor review, and vulnerability analysis
- Invest early in governance. Access, cost, and compliance get harder over time
Security as an enabler
AI adoption challenges security teams to keep pace without slowing innovation. At Netflix, Will learned to avoid saying “no” without understanding the tool first. His approach is to know what data AI tools touch, create safe spaces for testing, set clear rules for sensitive areas, and let teams accept documented risks when needed.
Managing the AI tool surge
AI features are appearing in every enterprise tool. Will’s guidance: define the goal first, pick the right tool for that goal, decide if it should be company-wide or team-specific, and put governance in place early to control cost and access.
New threats and faster playbooks
AI creates new attack vectors and accelerates existing ones. Defenders need more mature processes earlier, better automation for vulnerability management, accurate asset inventories, and runbooks tested for faster response times.
AI as a force multiplier
AI can make security teams more effective. Examples include SOC triage, faster vulnerability analysis, better vendor assessments, and security chatbots to answer requirements questions and flag reviews. Will expects more security teams to build their own AI tools over time.
A 100-day plan for security leaders
If he were joining a mid-to-large fintech SaaS company today, Will would:
- Meet stakeholders and review policies, incident response, and continuity plans
- Assess the team’s structure and skills
- Check basic capabilities like asset management and application security
- Build a one-year plan balancing quick wins with foundational work
- Align with business priorities while maintaining security fundamentals
Why Will advises Oso
Will has spent much of his career in the identity and authorization space, building internal tooling at companies like Netflix and HashiCorp. At Netflix, centralized systems made it easy to define and manage policies across applications. Moving to an environment without that infrastructure underscored for him how valuable a simple, centralized authorization engine could be.
When he discovered Oso, its policy language, Polar, and the flexibility to run it in the cloud or self-hosted matched exactly what he had wished for in those situations. The product’s approach aligned with his past experience, and the combination of strong technical foundations, a trusted network, and a team he respected made his decision to advise Oso an easy one.
To go deeper on everything we discussed today, including policy design, securing AI applications, and building resilient access control, explore the Authorization Academy, a series of technical guides for building application authorization.