John Cranmer

Welcome to Orbit, the Hg podcast series where we talk to leaders and hear how they've built some of the most successful technology companies in the world. I'm John Cranmer, part of Hg's tech team, and my guest today is Gil Elbaz, Co-Founder and Chief AI Officer at Onyx Security.

Gil started in academia at Technion, was the CTO and co-founder at Datagen, creating data to train AI systems and pioneering synthetic data for visual AI. He then joined Nvidia, working as a direct report to the CTO on AI agents. Today, he's building Onyx, a secure AI control plane for the agentic era. Many organisations are now operating their own AI agents, and Onyx is helping them identify, monitor and control their usage.

Gil, great to have you.

Gil Elbaz

Thank you. It's a pleasure to be here. Thank you very much.

John Cranmer

Could you give us a bit about your background and, you know, essentially how you reached this point with Onyx today?

Gil Elbaz

Yeah, definitely. So I started off early on in the machine learning space at a time where we couldn't even say the words AI. People would laugh you out of the room. Essentially we were building out these very early models. Since then, 15 years in the making, we've gone through machine learning models that were able to produce high-quality capabilities that were one-shot, that were very specific, very well defined for critical workflows.

But today, we're seeing now with AI, of course, and AI agents that are all capable, that understand images, that understand video, that understand code, and that are able to produce all of these things in seamless ways. We see these general systems that are now applicable to everything, essentially, and can actually impact in positive ways almost every human workflow today, and are becoming more and more integral in every single app, every single product, every single application, every single workflow, internally and also externally.

This has been quite a revolution right now, and I've been very lucky to witness the journey of it from early days all the way up to today.

John Cranmer

Brilliant. Because I think we really are seeing a complete shift in this old attack surface that we used to see in the past. If you go back 20 years ago, there was always a very clear boundary between what was yours and what wasn't. And that was blurred very rapidly in the SaaS era. But now that has compounded even more, because pretty much everything is now attack surface. It's your agents, it's your data that your agents interact with. Anything can start to introduce issues and vulnerabilities.

I think that really shifts the way we're thinking about cyber security, and specifically from an AI perspective, I sort of see it in two or three different buckets. It's the external attack bucket, which has always existed but now has more opportunities than before. But then you've got these two interesting internal dynamics. Your users, again, have always been there, but now they've got different tools and mechanisms that they can seize upon. But it's also the actual AI itself. It can drift out of alignment. It can do something that is unexpected, not on purpose. Just because it doesn't know better, and it doesn't have the right controls in place.

It'd be really interesting to see what you're seeing in those areas and the sort of experience. Is that something you agree with?

Gil Elbaz

Yeah, yeah. So I totally agree with these three buckets. From my time in Nvidia, I was in the CTO office working on AI agent infrastructure, on a few pretty large multi-agent projects. We saw there that when you give these agents access to critical infrastructure, when you give these agents access to people and essentially their endpoints, it becomes more and more important to create those protection mechanisms on top of it.

To your point, it's not only a risk of external attackers. There is the risk of external attackers trying to manipulate these AI agents and make them do things that they're not meant to be doing. But it's not only that risk. It's also the risk of these agents going out of alignment. What we call rogue agents.

Rogue agents aren't necessarily prompted in malicious ways. They could be just running and doing things that are not by design. Not that they're not meant to be doing, but things that they're doing that could also include destructive actions. Irreversible actions on the organisation, on the environment. That includes data exfiltration, sending data outside of the organisation. That also includes remote code execution, potentially running malicious code on endpoints that definitely should not be running there. And it could also include things like erasing databases or erasing files.

When we have agents that have access to these tools and have write access to these tools, essentially the risk increases significantly. We need to make sure that they're not doing things they're not meant to be doing. So that's on the rogue agent side at least.

John Cranmer

Yeah. I've got my own OpenClaw instance at home, which I like to play about with. It's great fun. It's relatively addictive just to see what it can do. You give it access to more things and almost allow it to get involved more and more in your life. But I'm very much aware of the security implications of it, and have set really robust walls about it.

I've read a lot of the horror stories about when OpenClaw can go rogue on you. What's your experience of using it? Have you seen anything at Onyx where people have been using it, or just in your experience in general?

Gil Elbaz

Yeah. First of all, I agree it's an amazing piece of technology. It takes the capabilities of Claude Code, for example, but really elevates them and also provides new sets of unique abilities. To prompt itself, to be always on, to have persistent memory and the ability to manage its own memory, and also the ability for it to understand its own self, its own context, where it's working, what it's doing. So it's a highly capable AI agent.

What we've seen is that Google, for example, has showcased that similar agents can be manipulated through a Google Calendar invite. You can insert text, you can insert the details there, and through that, prompt injections have been made to similar agents. These agents are very susceptible to manipulating their context.

I'm very protective of my agent. I put guardrails in place to stop any context from unauthorised locations. So only myself and my EA can communicate with my AI agent, my OpenClaw. We also have a lot of rules in place that stop it from sending emails outside of the organisation, that stop it from running any Python code on my endpoint. We have a bunch of rules in place that mitigate a lot of the risk vectors that we see.

John Cranmer

So there's a lot that somebody can do themselves just to build up their own defences. That's very much my experience as well. It's about being savvy and thoughtful about what you allow it to do in your own personal environments.

What I'm finding, and I think it's a challenge that a lot of our portfolio companies are dealing with as well, is you mentioned the similarities between OpenClaw and Claude Code. It's clear that Claude Code is going to inherit and develop more and more of these functionalities that are in OpenClaw already, and move into that sort of general, "I can almost do anything for you" agent kind of space. In your personal life, that's fine. You can set the barriers and the blast radius is limited to yourself. But there's going to be increasing desire to enable this sort of experience internal to the enterprise.

That's where, I think, we start to get concerns. Firstly about visibility. What people are using, where they're using it, how they're using it. That's the first layer. But then the control aspect comes after it.

I don't feel as if a lot of companies have really good visibility of AI usage completely in their organisation. They know the big tools, but there's always the edge cases that they have less visibility of. With your time at Onyx, what sort of experience are you gaining about how well people actually understand AI usage?

Gil Elbaz

Yeah, I think it's a great question. Really what we've seen is that AI is super fragmented. It exists on the cloud, it exists on endpoints, it exists in the browser, it exists in SaaS, in no-code, low-code agent building platforms, and even in our own GitHub repositories. So it's quite fragmented today.

To your point, you can have one OpenClaw and manage it reasonably well. You know exactly what it's connected to. You personally created most of the cron jobs or the heartbeat of that agent. So you know what it's going to be running on a daily basis. But when you have hundreds or thousands of these, it suddenly becomes a pretty big challenge to understand what data it's touching, what tools it has access to, when it's running itself, even from a financial lens. These are things that are expensive. My own agent costs a few hundred dollars a day. So these are compounding challenges, especially as we grow with the number of agents in the organisation.

From a visibility perspective, what we've seen is a large field of shadow AI. In the browser, for example, there are thousands of AI-based websites. Many of them developed in various countries in the world. Some more trusted, some less. We have employees from every single organisation in the world accessing them. They don't have malicious intent per se, but they want to get the best tools and the most interesting tools.

Some of the best presentation building sites, some of the most interesting new SaaS sites, designer-focused websites, marketing-focused websites. A lot of these have been built and put out on the web and are accessible for $5. We see this massive adoption that is uncontrolled and not necessarily centralised in any way. This creates a large shadow AI footprint. And it's not only in the browser, it's also on the endpoint, and it's also in more developer-centric capabilities as well.

John Cranmer

But usually that shadow AI is driven out of that sort of enthusiasm to be able to use the latest and greatest, to be able to make your job easier and add value to the company. If you don't have the tools that you want available, people naturally gravitate towards solutions that can help fix those problems. "I don't want to have to spend all this time creating this presentation. I want some help. I'm going to go here and feed in information that perhaps I shouldn't, just to make that task a little bit easier."

It's usually not malicious, the process that drives this. It's actually this desire to do good, do better and move quicker. I think this is one of the key challenges that we're all facing at the moment.

Gil Elbaz

Yeah. And one more thing, you know, we talked a lot about the long tail of sites. But even ChatGPT, in organisations that don't have access to the right tools, we see that their employee base is using ChatGPT. But the personal version. Or even Claude personal version. This is a challenge, because essentially these companies train on the data that's used through the personal licence. So having visibility across what they're using and being able to put some guardrails in place to make sure that we are navigating them to the right toolset, I think, is super important.

John Cranmer

Yeah. It's a really interesting challenge. Moving on from there, because visibility is one thing, so you know what agents are out there. But the next question is, okay, what are people putting into it?

The way in the past, with traditional old-fashioned DLP, the way I always used to think about it is, okay, at a very basic level, if you set some flags on PII and other crown jewels information, you're not going to capture everything, but you're going to get a good indication if something untoward is happening. But now, when you've got legitimate use cases, you're actively encouraging your users to put most of the data up there. Maybe not all, but a good deal of it. It's about how do we get visibility of that, and how do we flag up when stuff we've said we don't want to go out actually goes out the door. That's, I think, one of the interesting problems that we're facing today.

Gil Elbaz

No, I agree. This is highlighted in every single domain we see. In finance, for example, buy-side and sell-side organisations where they're each using AI agents, and those AI agents can't communicate with each other, for obvious reasons. We're seeing this in technology, of course, with extremely sensitive IP. We're seeing this in manufacturing and energy, especially in HR and internal information that's sensitive that we don't want to get leaked out. This is really a problem that is across every single industry and every single space.

From a visibility perspective, the important aspect from our side is to look not only at what assets we have. So okay, we have a thousand instances of Claude Code, that's great. But also to look at how they're configured. So what the posture of those assets is, what tools they're connected to, what data sources they're connected to, who has access to them, what endpoints they're sitting on. Having that full, broad visibility first of all, and this includes agents, it includes MCPs, it includes skills, the whole ecosystem around these AI agents themselves.

After visibility, we can start putting governance in place. Most of the governance and policies that have been created are written down. They're text at the end of the day. They're meant to drive behaviour across organisations. But we see that now there are tools that can help implement that and automate those policies and put them into practice. Have them run over these AI agents and validate that they're configured in ways that are aligned with the policies. Have them look at what these AI agents are doing, the behaviours, the policies, and being able to apply controls and validate that they're behaving in ways that are aligned with the organisation as well.

For example, if we see an AI agent that is starting to delete databases, that might not be something that's good. We should probably stop that and ask a human, "Hey, is this meant to be happening?" Looking at these behaviours, we can raise flags. Not all of the flags are as obvious as that, but we raise those flags and surface them to the right people that are actually in charge and accountable for those AI agent behaviours.

John Cranmer

And I'm seeing a world, in the not-too-distant future, where the governance around agentic AI becomes really strong and really clear. But that's not a barrier and it's not friction. It will really just enable us to take the gloves off, allow people to have something like Claude Cowork running more broadly across their file system, accessing more things than we maybe allow it to do today, because we've got that assurance that we know what people are doing, we know where our data is. And we also know if anything really bad happens, the system is automatically going to step in, throw up a few barriers and basically allow us to sleep at night, knowing that things aren't going to get out of hand too quickly.

What do you think the journey for an organisation looks like, between where they are today, with policies in place and some guardrails, but without the real tools they need to deliver it? How do you see that progress?

Gil Elbaz

Yeah, I completely agree that the idea around creating these automated capabilities is all about acceleration. Having a seatbelt, you feel more comfortable driving a bit faster. Having the right structure in place from a control perspective, from a protection perspective, from the visibility perspective, really does allow organisations to adopt more AI and move quicker.

There are some organisations we've talked with that wouldn't adopt Claude Cowork, or wouldn't adopt OpenClaw. Most organisations won't adopt OpenClaw today. You ask them why, and they say, rightfully so, that they're afraid of what it might do. So we're going to see that friction continue.

There are more examples of this. Having agent-to-agent communication, most security orgs would not be super excited by the thought of having tens or dozens or hundreds of agents communicating with each other without the right structure in place. We're going to be seeing many levels of productivity and many potential amazing capabilities that are going to be coming out, and have already come out in the past year and in the upcoming years. Having the right security frameworks in place and the right partner in place, I think, will really help organisations adopt it much quicker.

John Cranmer

With agent-to-agent communication, just to zoom in on that a little bit, to a certain extent that's already happening, but there isn't perhaps the awareness that it's already there. Every time you spin up an instance of Claude Cowork, it is going off. There are multiple sub-agents going off and doing different tasks, and everything's been fragmented and broken down to that level. So I think it's important that people realise this stuff is already happening. It's not a case of, "We're just not going to deploy anything like that." You probably already do. And if you think you don't, you may have missed something in your stack.

Gil Elbaz

With sub-agents, there are very interesting dynamics. What sub-agents have shown us is that multiple agents is a good concept, and it works. It really does, because not every agent needs the entire context. You sometimes need an agent that will focus on something, do the job, and come back to the main agent.

But what we're seeing in many cases now is that you have multiple agents not built by the same person or the same agent, that are being used in various ways and are deployed, let's say, connected to the same Slack channel, for example. That type of multi-agent communication is one where the agents weren't spawned of the same process. I had something in mind when I put my agent in the Slack channel. You built your agent, you had something completely different in mind when you put it in that same Slack channel. And now they're effectively communicating with each other.

When we talk a lot about multi-agent communication, there's the direct agent-to-agent communication layer. But beyond that, there's so much more. Two agents that can send emails to each other, that can be in the same Slack channel, that can communicate over Teams. That suddenly means we have these agents sharing a lot of information.

John Cranmer

Yeah. And their objectives may not be aligned. You can very much see how that can cause problems if there isn't something giving a bit of oversight and just saying, "Oh, maybe these shouldn't be speaking together in this way." Quite often you might not even be aware that this backchannel, out-of-band communication is happening.

Gil Elbaz

Yeah. So for example, if you have an agent that is doing HR and answers questions for each person in the organisation about their own personal HR issues, and it's available through Slack. And then you have a separate agent for marketing that takes posts that people write in Slack and turns them into really nice marketing pieces with images, with everything, and can post on LinkedIn. Having those two agents in the same Slack area, that sounds like a risky thing to do, and something that could be manipulated or lead to exposed information.
So just as a small example, and we're seeing this across the board where people are trying to prepare for the agent-to-agent side of multi-agent communication. But in practice, we think that 99% of agent-to-agent communication will be done through existing channels and other channels.

John Cranmer

Interesting. So that feeds back into almost thinking about the actual digital persona of every agent. Almost as if they have an identity unique and specific to themselves, not related to the user that created them, or the people that orchestrate them or anything like that. You've got to almost treat each one as an individual person, almost, or entity that you need to apply those rules to. And to very much think through the prism, what does this role need to do? It just adds a whole new layer of complexity around a challenge that was already relatively difficult. You've probably already just got five times the number of people in your organisation than you did last year.

Gil Elbaz

Exactly. So agents, in many ways they are as capable as employees. And at the same time, they're not accountable for their own actions. If you yell at an agent, it will respond, "Oh, you're right. I'm sorry for deleting that database." So essentially, they are employees on one hand, and on the other hand, they're not accountable for their actions.

They require a different level of oversight to what we did with employees. With employees, we created bounds from an identity perspective, and those are still good tools to have in general for agents as well. But they're not enough.
With agents, and this is an opinionated observation, but with agents we do think that runtime protection is critical. Runtime protection means literally looking at any token, any text, any context that is hitting the level of the agent, the brain, and anything that is coming out of that LLM. Validating it before it hits our systems. So including thought process, tool calls, any context that it's creating. We want to validate that it's aligned with the policies.

On the inbound, validating it's not malicious. On the outbound, we could say things like we don't want it to be spewing out PII. We could say also that we don't want this specific agent to be talking about any financials. It could be your own policies, your own governance policies that we want to apply to these different agents. Essentially, the level of oversight that's needed, because they're not accountable for their actions, is much, much more granular.

John Cranmer

That makes perfect sense. I think in the early days of AI, there was this idea where you spin up an agent, it's your agent, you're accountable for its actions. But there's no way it's reasonable to expect any individual to be able to really thoroughly monitor even one agent, let alone hundreds that are at their disposal on any given day. It's a very different way of thinking about the problem than I think most organisations were quite well buttoned down on in the past.

Just to pivot back to a subject that we touched on earlier, the external attack surface. Everybody's talking about Mythos and its ability to go after vulnerabilities and craft attacks that were never really possible before, because no individual human would ever have the time to go through and string together all these disparate vulnerabilities to form a coherent attack. From where I'm sitting, it's a real threat to the way we think about security.

How are you thinking about that, and how will that affect the way we think about agent-to-agent security as they become more and more intelligent and have that ability to go and chase things down? If we've set them a general objective and they can't achieve it, are they going to go off and try and hack the system to achieve what they're out there to get?

Gil Elbaz

So Mythos, when it came out and we saw the abilities it had, it was able to find over a thousand zero-days in relatively no time. What it showed us is that AI today, so it exists today, AI today is essentially an expert offensive cybersecurity persona, with capabilities of an expert cybersecurity person.
It's not only an expert, it's better than anything we've ever seen in the past. I've heard from undisclosed sources, of course, that it has been able to find more bugs and more zero-days than some of these major companies have found in the last three years, with their own internal red teaming teams.

These capabilities, although they're not accessible to everyone today, will be in Opus 4.9 or Opus 5. It's going to be down the line a trivial part of the existing model set that is available. There will likely be nuances and guardrails and things in place. But effectively, it shows us that these foundational models can do extremely effective threat research and then apply it. And what's even more interesting is that they can also string together various bugs and various weaknesses into full-fledged attacks, based on the reports.

All of this I'm saying is to highlight one thing. Ideally, used for good, this will help us create much more secure software. In the time period until that does happen, there is going to be, in my take at least, an elevated level of threat, especially on every external surface of organisations.

John Cranmer

We've talked a lot about maybe the problems and the more scary side of this. But the way I see it, there are really clear pragmatic actions that companies can take to get their arms around this problem, start to get visibility of the risk and then start to reduce it. Are there sort of five or seven things you would pick to focus on in that area?

Gil Elbaz

Yeah. So the first thing I would focus on, and this is something we do with many organisations, is around visibility. First of all, getting visibility of your entire inventory. Having essentially a full understanding of what AI assets exist, what MCPs are being used, what skills are being used, where they are deployed, what they are essentially doing. So that visibility is the first piece and the first thing we always recommend organisations go for. That's half the battle, honestly. Right now, most organisations do not know how to answer questions around, "How many AI assets do I have? How many in each department? What are they doing? What are they not doing?"

John Cranmer

Does it not even run more fundamentally than that? Because I think there's sometimes a disconnect about what is actually an AI asset. Do people even know that there's AI in this specific product that they use?

Gil Elbaz

Yeah, sometimes they don't. They could have an existing SaaS tool that suddenly integrates new AI features, and you signed up for, for example, I can give a few examples. But for example, Notion. When we signed up to Notion, it didn't have an AI building platform. Now it does. It has a full agent AI building platform inside. These platforms are growing and everyone is creating these AI building capabilities. So yeah, we need to be aware of it and pick up on it and automatically inventory it. Having that visibility is one big aspect.

The second aspect is really around looking at these AI agents and understanding who's the owner of them, and having policies in place for when they do something that is problematic. Who, and what do we do about it? What is the playbook? From a policy perspective, what limitations do we want to put in place? Even in natural language. Putting this in place. And then having the tools to automate that. Once we have those policies, which is an important step, how do we now automate that and automatically pick up on when agents are not aligned with the policy?

So for example, if we have a policy around MCPs, around supply chain. We're saying MCP servers were fine, but they need to be from verified sources. So they need to be from Google, Facebook, Amazon, etcetera. They can't be from an indie developer just put on GitHub, because that creates supply chain risk. You can write that policy, but to have a tool that can then automatically enforce that across every endpoint, that's an important point.

John Cranmer

So if somebody was to spin up an MCP, and it falls out of policy, the tool says, "Okay, you've spun it up, it's there. But we're not going to let anything pass through it." And then we can flag up and get somebody to come and remove it.

Gil Elbaz

Yeah. And I'll give an example. A bit earlier when we were chatting, like if you go to Google and you search for Gmail MCP, you want to connect your agent to Gmail. The number one rated MCP there is essentially an indie developer based in Beijing. He has the most stars on GitHub. So if you ask your agent even to add an MCP, it could add that MCP.

That's fine for home projects. For an organisation, that's not necessarily code you'd want running and connected to your agents. The risk there is indirect prompt injection, or even someone updating that with the next version that has extremely malicious coding. So we want to be on top of that from a visibility and then from an automatic posture monitoring capability. The idea is that with these AI agent tools, you ideally want an AI agent powered solution to provide that.

The third part is really around the guardrails. So we talked about runtime protection. I think this is so important today, because as these AI agents are more and more capable, they're connected to more and more data sources, have all these tools. Just to give a number, we see coding agents like Claude Code connected to over 400 tools and dozens of data sources in our own environments. These are things that, and it's only growing, it's not slowing down. These tools are so powerful, and we need to make sure that what they're doing, the behaviours that they're doing, are aligned with the organisation.

At the same time, you don't want to stop your Claude Code from running. The developers wouldn't be so happy. One of the things that Onyx really takes care of is we focus on control, but we focus specifically on steering. Steering AI agents. That's one of the core principles and capabilities that we focus on. How do we maintain these agents as useful as possible, as successful as possible, ideally make them even more successful, but make sure that they're aligned with the policies at the same time? Steering them around these pitfalls. So that's also important.

John Cranmer

Absolutely. I mean, you know, in this context in particular, more so than ever before, cybersecurity is an enabler to AI adoption. If you do it right, you can give you could even give people one day in the future something like Open Claw because you've got assurance around how it works.

So Gil, it's been really great chatting to you today. Thank you so much for your time, and it's really going to be interesting to see how this whole area and the solutions to this problem evolve over the coming months and years. So thank you very much.

Gil Elbaz

Thank you, I appreciate it. And we talked a lot about solutions. And I think that it's not only just about the tooling in place, it's really about getting the right partner and working together on this. We agree, the CSOs and security organizations, they are now empowered to be the heroes of this story.

And essentially, AI adoption is going to impact companies in significant ways, hopefully for the better. Right. It's so central today. And putting the controls in the hand of leadership is absolutely vital. So thank you so much for inviting me and I appreciate it.

The views and opinions expressed in this podcast and transcript are those of the contributor and should not be taken to represent the views or positions of Hg or its affiliates.

Statements contained in this podcast and transcript are based on current expectations or estimates and are subject to a number of risks and uncertainties. Actual results, performance, prospects or opportunities could differ materially from those expressed in or implied by these statements and you should not place any undue reliance on these statements.