Securing AI Applications in the Cloud: Shadow AI, RAG & Real Risks | Mend.io

Oct 16, 2025

What does it take to secure AI-based applications in the cloud? In this episode, host Ashish Rajan sits down with Bar-el Tayouri, Head of Mend AI at Mend.io, to dive deep into the evolving world of AI security. From uncovering the hidden dangers of shadow AI to understanding the layers of an AI Bill of Materials (AIBOM), Bar-el breaks down the complexities of securing AI-driven systems. Learn about the risks of malicious models, the importance of red teaming, and how to balance innovation with security in a dynamic AI landscape.

  • What is an AIBOM and why it matters
  • The stages of AI adoption: experimentation to optimization
  • Shadow AI: A factor of 10 more than you think
  • Practical strategies for pre- and post-deployment security
  • The future of AI security with agent swarms and beyond

Chapters:

00:00 Intro & why AI AppSec is different

01:08 What “securing AI apps in the cloud” really means

02:12 Guest intro (Bar-el, Mend AI)

03:20 AIBOM / AI SBOM—what to track and why

10:04 Stages of AI adoption: experimentation → production → optimization

13:24 RAG 101: embeddings vs. generation and security implications

16:41 Building an AI security strategy (components & risks)

20:38 LLM firewalls vs. application-level controls

24:59 CI/CD for AI: red teaming & policy in pull requests

32:54 Shadow AI: finding it and reducing attack surface

37:12 What’s next: agents, swarms & secure-by-design patterns

41:52 Fun Q&A

44:51 Wrap & resources

Are AI-powered apps “just” another AppSec problem—or something new? In this episode, we break down how to secure AI applications in the cloud (AWS Bedrock, Azure OpenAI, third-party inference) with Bar-el, Head of Mend AI (Mend.io). We cover AIBOM/AI SBOM, RAG leaks & poisoning, prompt injection, LLM firewalls vs. app-layer security, licenses & bias, and how to evolve your DevSecOps pipeline for AI.

You’ll learn:

  • The layers of an AI app (model → fine-tune → embeddings/RAG → agents → app)
  • AIBOM: why you need an inventory of models, datasets, providers & licenses
  • Runtime vs. pre-deployment controls (guardrails, red teaming, CI/CD checks)
  • Shadow AI: how to discover and shut it down without killing innovation
  • OWASP Top 10 for LLMs and what maps to real incidents
