EP 15 — Morgan Stanley's Faith Rotimi-Ajayi on AI as Security's "Double Agent"

The security landscape has radically shifted from "if you get breached" to "when you get breached" — and Morgan Stanley's approach to data protection reflects this fundamental change in mindset. In this episode of The Future of Data Security, Faith Rotimi-Ajayi, AVP of Operational Risk, discusses how sophisticated attackers are now researching and targeting specific financial institutions rather than relying on opportunistic attacks. 

 

Faith tells Jean why social engineering attacks have evolved to target entire family units, including compromising newborns' Social Security numbers for future fraud, and why third-party risk management demands rigorous new approaches as vendors increasingly implement AI without adequate security governance. She also shares her experience implementing dedicated AI governance committees, using risk-based authentication that adjusts friction based on user behavior analysis, and how the pandemic accelerated zero trust implementation by eliminating location-based security models.

 

Topics discussed:

 

  • The challenges of maintaining operational resilience against increasingly sophisticated targeted attacks rather than merely opportunistic ones in the financial sector.
  • The evolution of third-party risk management as attackers now strategically target trusted vendors to gain backdoor access to financial environments.
  • How AI functions as a "double agent" in security, enhancing defensive capabilities while simultaneously enabling sophisticated deepfakes and voice cloning attacks.
  • The emergence of shadow AI and strategies to mitigate risks through dedicated AI governance committees and internal alternative applications.
  • Why regulatory compliance is an innovation driver rather than an obstacle, using frameworks like GDPR, GLBA, and DORA as baselines for robust security programs.
  • Implementing security-by-design principles and risk-based authentication that adjusts friction based on context rather than applying uniform controls.
  • Using user behavior analysis (UBA) and indicators of compromise (IOCs) to create security measures that don't interrupt legitimate user activities.
  • How the pandemic accelerated zero trust implementation by eliminating location-based security models and forcing more sophisticated endpoint security approaches.
  • The importance of creating business-aligned data security frameworks that prioritize based on risk exposure rather than applying uniform protection.
  • Why Faith emphasizes continuous monitoring and testing alongside preventative controls to maintain 24/7 visibility across distributed environments.
