Zenity Research Published at RSAC 2025

Copilots and agents are a new access vector; How to build an AppSec program that scales to the level of citizen development

It’s been a busy week at RSAC 2025. We released new security research exposing the threats of using AI assistants and copilots, and shared insights on how to build a security program that scales to the level of citizen development.

At Your Copilot Is My Insider we showed how AI copilots and assistants can be AIjacked by attackers to compromise enterprise users and data. The talk demonstrated that AI assistants are a new initial access vector that attackers can exploit. We took a deep dive into how this is possible, and why AI vendors are unable to fix it. AI hijacking isn’t a vulnerability we can patch, it’s a problem we are going to have to manage.

At Scaling AppSec With an SDLC for Citizen Development we partnered up with Microsoft, sharing their internal story of how they built a citizen development security program at their scale. With over 2 million assets and 10 million credentials, none of the application security best practices apply. We were able to make meaningful progress by finding scenarios that we could auto-remediate, showing early success and getting management to buy in and expand the program. Within 4 months, the team was able to remediate 90% of their violations. Those are incredible results. We really appreciate Microsoft sharing their story to help others who are establishing their programs today.
