Q&A: Palo Alto’s Eric Trexler Urges Identity-First, AI-Secure, Platformized Cyberdefenses

FEDTECH: From your vantage point, where have federal agencies made the most progress in their effort to adopt zero-trust architectures and where do they still have work to do?

TREXLER: Every customer is on its own journey when it comes to securing its environment, and that journey is constantly changing. New attack mechanisms emerge, new attackers appear, and agencies have to pivot to address the challenges of today and tomorrow, not yesterday.

The government has spent a lot of time — and certainly a lot of money — on zero trust. Where we see the most progress is in identity. The FY 2025 proposed cybersecurity budget was about $27.5 billion for the federal government. It was never approved, but let’s call it $27 billion. Roughly $1.8 billion of that was in identity.

A number of organizations and agencies have made real strides in understanding who their workers are, what they do and what they should have access to. From our perspective, that’s one of the foundational components, if not the first stage, of a zero-trust strategy.

Beyond that, we’ve seen many organizations embark on the zero-trust journey and deploy technologies and capabilities that align with zero-trust principles. But there’s still a long way to go. These are the largest, most expansive organizations in the world. This is not a journey with a fixed destination, because the destination is constantly moving. The situation keeps evolving.

We’ve seen real progress — identity is a prime example, as are some SASE implementations and efforts to reduce permissions so people only see what they should see. But it remains an extremely complex, difficult journey that will take many more years.

FEDTECH: Identity is getting a lot of attention. What other challenges deserve more focus right now?

TREXLER: I’d actually start with identity again, because you have to get identity right.

The projections we’re seeing, and I think they may actually be conservative, are that for every human identity in an organization, you’ll have 10 or more machine identities by around 2027. Think about artificial intelligence: We’re rolling out agents that make decisions similar to humans’. How do we understand what that agent is and what it’s allowed to do? What are its swim lanes? What can it decide, and what is off-limits?

Before anything else, you have to understand that the agent exists and what its identity is. That’s fundamentally an identity problem. Because of AI and the speed and scale that comes with it, securing AI as we deploy it is absolutely critical.

To do that, you need to understand what systems are in place today and what they do. Then, you can bring to bear the security capabilities agencies already own.

The second big theme is simplicity. I’m not going to throw a specific technology at you first, because the core problem is not technology. It’s complexity.

Having 50, 70 or 100 different, disparate security technologies in an agency’s environment is incredibly challenging. When we broke down that $27.5 billion proposed federal cyber budget, about 81% went to systems integrators and salaries. A big portion of that work is just making security systems talk to other security systems so the agency can get a common operating picture of what’s happening on its networks. Most organizations still struggle with that.

Once you drive toward simplicity, then you can push toward automation and ultimately autonomous operations. You start with basic questions: Who is on the network and what are they doing? That’s identity. Then, you simplify and integrate systems so there are fewer contracts, fewer training classes and fewer disconnected consoles.

From there, you build toward automation, because humans are not fast enough to keep up in the age of AI — either with attackers or with the systems in the environment. We’ve been talking for a decade about not having enough human capital in cybersecurity. Even if we somehow solved the talent shortage, humans still don’t work at the speed of cyber. We must have automation.

The way to get there is through simplified, integrated systems. We call it platformization. You might think of it as consolidation — bringing together systems that, out of the factory, already work together and communicate at machine speed.

Click the banner below to keep up with the IT, cyber and AI experts making government efficiency a reality.

FEDTECH: Let’s dig deeper into AI. How is AI changing federal security operations? Is it simplifying things, or making them more complex?

TREXLER: It’s doing both.

We’re deploying AI applications across government — federal, state and local. At the federal level, with the latest administration guidance, agencies are being directed to leverage AI on behalf of U.S. constituents to the fullest extent possible. We believe that’s a great approach to supporting the needs of the American people.

But you have to deploy AI with AI security. Like any technology, if you deploy it without cybersecurity in mind, you’ve just created something that’s open and accessible to adversaries. That’s a recipe for real harm.

So AI security is critical as agencies roll out AI. We’re doing a lot of work with the U.S. government to help it deploy bravely, but securely.

If I simplify it, AI is about speed and scale. Whether it’s a constituent or government employee using a generative AI tool such as ChatGPT or Gemini to work faster, or an AI agent operating behind the scenes, everything comes back to speed and scale for whatever operation the organization is trying to accomplish.

With that, you need AI security to protect PII and other sensitive data. You don’t want information leaving the organization. You don’t want anyone poisoning your large language models so the result sets your people rely on are wrong. AI security has to be present at every level — at the point where the end user interacts with the system, within the systems themselves and in the agents and infrastructure.

Our adversaries are using AI the same way — to drive speed and scale. Our Unit 42 team has seen roughly a hundredfold increase in the speed of attack creation with AI. We’re seeing on the order of 31 billion attacks per day, and the fastest observed time to exfiltrate data is around 25 minutes. A few years ago, that timeline was measured in weeks. Now it’s minutes, because adversaries are using AI. And we expect that trend to continue.

Click the banner below for the latest federal IT and cybersecurity insights.

FEDTECH: Federal acquisition has a reputation for being slow and complex, even as agencies struggle with tool sprawl and integration. How do you see acquisition and platformization intersecting in the years ahead?

TREXLER: We’re in an environment where you see continuing resolutions and compressed buying cycles. With the advent of AI, adversaries are gaining significant advantages, and organizations are going to have to rapidly innovate, iterate and deploy new capabilities. It’s no longer acceptable to have siloed organizations moving at a traditional government pace.

We expect the organization of the future, public or private, to change because of the adversary’s speed and intent. Agencies will feel increasing urgency to execute mission-critical technology needs in real time, not on a multiyear schedule.

But there will be a lag from both an acquisition and cultural perspective. Federal acquisitions have taken months or years for decades. In cyberspace, you don’t have months. We’re measuring successful attacks in minutes now.

READ MORE: How AI can accelerate zero trust for agencies.

That’s where platformization comes in. If you deploy a security platform and then realize you need operational technology protection, you have two options. You can go through a full acquisition cycle and procure a stand-alone OT security solution — which, in our experience, is a 12- to 36-month process. Or, in a platform model, you can enable the capability on technology you already own. Your people are already trained, the contract is already in place and you can turn that on in weeks — or even minutes in the commercial world. That difference in speed is critical to keeping up with adversaries.

In the federal space, you may not see ransomware the way you do in SLED or commercial, but you see lost intellectual property and lost R&D. Those are major national concerns. A former NSA director has said the U.S. could be losing hundreds of billions of dollars a year in IP theft. When you compare that to the size of the Defense Department’s budget, that’s a staggering cost.

We need to move at the speed of AI in cybersecurity, just as adversaries are. Platformization and integrated capabilities are a big part of how you get there.