WEBVTT

00:00.240 --> 00:05.920
Cybersecurity is, of course, a massive topic, and there are entire courses devoted to nothing else.

00:05.920 --> 00:09.960
And my MLOps AI and production course covers a bunch of it.

00:10.760 --> 00:18.400
I just wanted to cover one super important point with you, and it's specifically about Agentic AI.

00:18.680 --> 00:24.720
A lot of cybersecurity topics apply to any software and are very similar when working with AI or any

00:24.720 --> 00:28.720
other times when you're running software and interacting with third parties.

00:28.720 --> 00:37.120
But there is one particular vulnerability with Agentic AI that is different, that is unique, a particular

00:37.120 --> 00:38.280
vulnerability.

00:38.280 --> 00:45.960
And it was popularized by an incredible writer, Simon Willison, who's a combination of

00:46.000 --> 00:49.800
an engineer, a journalist, a speaker, and his blog is incredible.

00:49.800 --> 00:54.160
And I will put a link to this in the course resources as well.

00:54.160 --> 01:00.860
And he coined the term the lethal trifecta for the particular vulnerability that is opened up by an

01:00.900 --> 01:06.620
Agentic AI platform, such as the ones that we work on in, and such as the one that we'll be working

01:06.620 --> 01:08.500
on for the capstone project too.

01:08.540 --> 01:11.580
So it's something that is important to be aware of.

01:11.620 --> 01:21.100
And in particular, the lethal trifecta is a scenario that happens when your AI agent has three characteristics.

01:21.300 --> 01:22.220
Hence trifecta.

01:22.420 --> 01:27.500
And if your AI agent only has two of the three or only one of the three, then whilst it might have

01:27.500 --> 01:34.020
all sorts of vulnerabilities, as with any other piece of code, there isn't necessarily this one big

01:34.140 --> 01:38.500
extra vulnerability that applies specifically to Agentic AI.

01:38.700 --> 01:40.020
And here are the three.

01:40.420 --> 01:47.980
The first of them is if you build an agentic platform that has access to data that is private, something

01:47.980 --> 01:55.220
like your bank account or your sales numbers or anything that is secret data that you wouldn't want

01:55.220 --> 01:55.900
out there.

01:55.940 --> 02:01.730
That is the first of the pieces, the first of the pillars or whatever, the first bubble of this

02:01.730 --> 02:06.610
diagram of the lethal trifecta. On its own, that needn't be a problem.

02:06.610 --> 02:11.330
If you have an LLM with access to private data, then it's just going to generate some tokens.

02:11.370 --> 02:12.930
Tell you about the private data.

02:12.930 --> 02:15.010
That in itself is not considered a problem.

02:15.090 --> 02:20.250
OpenAI could leak the data for sure, but then they are a SOC 2 compliant company.

02:20.250 --> 02:22.050
You have a relationship with them.

02:22.090 --> 02:26.330
They have very tight information security policies.

02:26.530 --> 02:30.850
And by the way, you have a relationship with Google for your Gmail as well, which has got nothing

02:30.850 --> 02:31.610
to do with AI.

02:31.770 --> 02:35.330
So having third party dependencies is something that we're very familiar with.

02:35.370 --> 02:37.930
It's not in itself a new vulnerability.

02:38.170 --> 02:38.770
Okay.

02:38.810 --> 02:41.250
That is the first of the three.

02:41.290 --> 02:41.690
All right.

02:41.690 --> 02:46.730
And the second one is the ability to communicate externally.

02:46.730 --> 02:53.130
So is this agent able to give information to someone other than you?

02:53.890 --> 02:55.130
Is it able to give it to me?

02:55.690 --> 03:00.990
So does it have access to your private data, like your PIN code of your bank, of your

03:01.030 --> 03:02.510
cashpoint ATM card?

03:02.830 --> 03:04.670
And it has the ability to talk to me.

03:05.070 --> 03:06.230
That's the second thing.

03:06.270 --> 03:09.270
Now, you might think that already sounds like really bad news.

03:09.550 --> 03:13.630
If there's something which has access to my PIN number and can talk to it.

03:13.830 --> 03:19.990
Devious as I am, no doubt I'll want to get access to that, but bear in mind that in itself

03:19.990 --> 03:21.510
that needn't be a problem.

03:21.550 --> 03:27.590
There are many, many systems that handle private data and have multiple users and deal with it just

03:27.590 --> 03:28.070
fine.

03:28.070 --> 03:33.710
And if you wrote this software and you were responsible for all of it, then you know what this LLM call

03:33.710 --> 03:34.390
is doing.

03:34.430 --> 03:40.390
And you can make sure that it's not going to be revealing your PIN code to me, because that's

03:40.390 --> 03:42.270
not how you'd be setting up the prompts.

03:42.270 --> 03:43.750
It's not what it would do.

03:43.830 --> 03:50.190
So in and of itself, this blue and purple bubble needn't be a particularly grave problem.

03:50.190 --> 03:55.590
And then we add in the third one: exposure to untrusted content.

03:55.990 --> 03:56.990
What does that mean?

03:57.230 --> 04:04.260
Well, I just mean that this Agentic platform, some of its input, some of what goes in that input

04:04.260 --> 04:06.700
context didn't come from you.

04:06.980 --> 04:09.260
It came from somewhere that could be completely harmless.

04:09.260 --> 04:13.980
Maybe there's an MCP tool in there that it's using where it's getting the natural language descriptions

04:13.980 --> 04:14.780
of what to do.

04:15.060 --> 04:22.060
Maybe it's something which is scraping the web for extra information, but somehow it has access to

04:22.100 --> 04:24.940
stuff that didn't originate from you.

04:24.940 --> 04:30.540
And it's not necessarily content that you trust, that you know, that you can guarantee is what you want it

04:30.540 --> 04:31.020
to be.

04:31.100 --> 04:33.980
That is the third piece of the puzzle.

04:34.220 --> 04:38.060
And if all three pieces apply, then potentially you could have a problem.

04:38.060 --> 04:39.380
You have a vulnerability.

04:39.420 --> 04:46.100
The lethal trifecta, as Simon calls it, because it's possible that that untrusted content could contain

04:46.100 --> 04:53.900
something which could deceive your LLM into exposing that private data to a third party.

04:54.140 --> 04:56.340
And that is the gotcha here.

04:56.340 --> 04:57.420
And there've been a few

04:57.800 --> 05:03.560
well publicized agentic AI issues in the last year or so.

05:03.600 --> 05:07.280
And I think one of them that's quite well known was from GitHub.

05:07.520 --> 05:14.040
And GitHub is the place where people manage their code, the software that's been written, and GitHub

05:14.080 --> 05:19.600
had built an MCP server, a set of tools that would allow you to write agents that could

05:19.600 --> 05:22.240
read and write from your code, your repos.

05:22.600 --> 05:29.280
And it could have access both to your public repos and to your private repos, so that

05:29.280 --> 05:34.240
if you wished you could use it to dig into your private repos and also your public repos,

05:34.240 --> 05:37.320
but only you had access, so it seemed completely fine.

05:37.600 --> 05:44.240
But it did tick all three boxes of this because the public repos could contain any information

05:44.280 --> 05:48.200
put in there, and external users could do these things called PR reviews.

05:48.200 --> 05:49.080
They could, they could.

05:49.080 --> 05:54.240
There was a route where they could just put stuff in comments that would be read by the LLM.

05:54.600 --> 05:59.380
It had access to private data because it had your private code, which might include things like your

05:59.380 --> 06:03.980
API keys in various places linked to your credit card, that kind of stuff.

06:04.340 --> 06:10.260
And it had an ability to communicate externally that no one thought of, because it could also respond

06:10.260 --> 06:13.460
to comments written in the public repo.

06:13.780 --> 06:15.740
And you may or may not be following me.

06:15.780 --> 06:16.740
It's not that important.

06:16.740 --> 06:23.140
But maybe if you do, you can connect the dots and see how that could result in problems.

06:23.140 --> 06:26.860
And you can Google it and read about what actually happened and see more.

06:26.900 --> 06:31.860
And there are other examples of where the lethal trifecta has come to light.

06:31.860 --> 06:33.580
And you can read Simon's original.

06:33.620 --> 06:36.660
He's got a presentation on it, which is a great read as well.

06:37.060 --> 06:38.620
So that is the lethal trifecta.

06:38.660 --> 06:41.340
It's something to watch for when you build out your workflows.

06:41.380 --> 06:46.060
We'll be watching for this carefully in the next two days as we build out the capstone project.

06:46.180 --> 06:46.740
There it is.

06:46.740 --> 06:47.580
Just a marker.

06:47.580 --> 06:49.620
There is the skull and crossbones.

06:49.620 --> 06:51.820
That is the thing you want to avoid.

06:52.060 --> 06:54.060
Okay, enough.

06:54.100 --> 06:55.260
Enough of the worrying.

06:55.540 --> 07:01.570
Let's talk about what it takes to make a great agentic AI solution.

07:01.570 --> 07:07.730
And in some ways, this section is like the main takeaway for all of the purple days,

07:07.730 --> 07:10.850
all of the core learning comes to this.

07:10.890 --> 07:16.450
What makes a strong agentic solution, particularly building it in n8n?

07:16.730 --> 07:21.890
I'm going to start with what doesn't make a strong agentic solution: the anti-patterns.

07:22.090 --> 07:28.810
And the first of them is the thing I called the human trap, the anthropomorphizing, the time when you

07:28.810 --> 07:35.170
see people just coming up with agents because they sound like that's a great agent to make.

07:35.330 --> 07:36.130
Don't do it.

07:36.370 --> 07:40.850
And the other red flag is when people are too solution focused.

07:40.890 --> 07:43.930
They say, I want an agent to do X.

07:44.290 --> 07:47.930
I don't mean X, as in the thing formerly known as Twitter.

07:47.970 --> 07:50.530
I mean X where X is something that you want.

07:50.530 --> 07:52.170
I want an agent for X.

07:52.170 --> 07:54.330
Don't tell me that you want that solution.

07:54.330 --> 07:58.670
Tell me what the business problem is you're trying to solve, and then we'll see if agents are right

07:58.670 --> 08:00.310
for it or something completely different.

08:00.310 --> 08:06.950
And the third red flag is a bit harder to explain, but it's when people see that the end goal,

08:06.990 --> 08:13.190
what they're trying to achieve is simply having an agent that generates content in some

08:13.190 --> 08:17.510
way, like you have an agent that's called a strategy agent.

08:17.710 --> 08:21.350
And what it does is it generates company strategy.

08:21.510 --> 08:24.750
And as a result, they say, great, I built my strategy agent.

08:24.790 --> 08:29.270
I prompted it to make a company strategy, and it's creating a company strategy.

08:29.310 --> 08:30.230
We're done here.

08:30.630 --> 08:32.750
And that I also see a lot.

08:32.830 --> 08:36.270
Maybe not with company strategy, but with other things.

08:36.470 --> 08:37.870
Our sales numbers aren't good enough.

08:37.870 --> 08:44.190
We need a sales strategy agent that's going to read in all the information and produce a sales strategy.

08:44.190 --> 08:46.670
And that output is the result.

08:46.670 --> 08:49.910
And then we'll deploy it and show people our sales strategies.

08:50.190 --> 08:57.500
That's not going to work because LLMs are designed to generate plausible content.

08:57.500 --> 08:58.300
That's what they do.

08:58.300 --> 08:59.700
That's what they're trained for.

08:59.740 --> 09:02.500
They are trained to generate plausible content.

09:02.500 --> 09:06.140
That doesn't mean that the content is necessarily correct.

09:06.140 --> 09:08.260
It just means it's plausible.

09:08.260 --> 09:09.100
It looks good.

09:09.100 --> 09:10.420
It feels right.

09:10.420 --> 09:11.620
That's what they're trained to do.

09:11.660 --> 09:17.620
And it's okay for AI users to complain that an LLM is hallucinating, coming up with things that

09:17.620 --> 09:18.500
are incorrect.

09:18.500 --> 09:22.940
But it's not okay for you and me to complain about that because we know better.

09:23.060 --> 09:25.860
We know that LLMs aren't built to be accurate.

09:25.900 --> 09:27.540
They're built to be plausible.

09:27.660 --> 09:30.020
Making them accurate is our job.

09:30.020 --> 09:31.020
That's what we do.

09:31.060 --> 09:36.380
That's what the AI engineer or the AI builder is designed to do.

09:36.420 --> 09:41.340
We are designed to make this product achieve our business goal.

09:41.580 --> 09:45.020
The LLM is there just to generate plausible outputs.

09:45.700 --> 09:46.380
Okay.

09:46.420 --> 09:50.340
So after saying what doesn't work, what am I saying does work?

09:50.380 --> 09:54.420
It is of course largely the flip of the anti-patterns.

09:54.480 --> 09:58.280
First up, a clearly identifiable business problem.

09:58.320 --> 10:00.720
Don't say we need a sales strategy.

10:00.760 --> 10:03.440
Say we need more revenue.

10:03.600 --> 10:05.400
Something that is: revenue is too low.

10:05.440 --> 10:07.560
That is a problem that needs to be fixed.

10:07.600 --> 10:08.960
We need more sales.

10:09.080 --> 10:12.040
Something that's very concrete and specific.

10:12.600 --> 10:20.840
And then you need a metric, a way or multiple metrics, ways to evaluate whether or not your agentic

10:20.840 --> 10:22.840
AI is achieving your goal.

10:23.040 --> 10:28.080
And with criteria that you establish in advance, you say, this is what we're shooting for.

10:28.120 --> 10:29.920
This is what we would call success.

10:30.160 --> 10:32.960
And so you have that clearly identified upfront.

10:33.000 --> 10:37.080
You know how you will measure success and you know what success looks like.

10:37.120 --> 10:39.000
We need our sales figures to be here.

10:39.000 --> 10:40.120
And they are here.

10:40.360 --> 10:47.440
And all we need is our head of sales to be approving all of the plans that come out

10:47.440 --> 10:48.280
of our group.

10:48.320 --> 10:53.520
Something that's a bit more immediate and direct, but a bunch of these metrics that are very clear

10:53.520 --> 10:54.710
and measurable.

10:54.710 --> 10:59.710
And finally, you need to test to make sure that you've actually achieved your success criteria and

10:59.710 --> 11:01.670
that you evaluate well.

11:02.230 --> 11:05.990
And this ties to the points I made before, the last of the reds.

11:06.230 --> 11:11.590
So we know that LLMs are built to generate plausible content.

11:11.590 --> 11:12.550
That's what they do.

11:12.590 --> 11:13.830
That's what they're built for.

11:14.110 --> 11:19.990
Our job is to go from plausible content to accurate content, and the way that we do that is by having

11:19.990 --> 11:24.990
a metric, by testing and proving that we achieve it, and then, if not, putting in place the kinds of

11:24.990 --> 11:31.350
controls, the extra tools, the extra checks and balances and extra agentic loop, whatever it takes

11:31.390 --> 11:36.150
until we're not just generating plausible content, we're generating accurate content.

11:36.670 --> 11:38.270
And that is our job.

11:38.270 --> 11:41.310
Our job is going from plausible to accurate.

11:41.350 --> 11:47.670
It's through developing the metric and testing it that we get from just a plausible agentic solution

11:47.670 --> 11:53.830
to a strong, high performance, agentic solution that actually achieves the business goals.
