An Open Letter on AI Security

Your AI Vendor Has a SOC 2. That's Not Enough.

Most AI vendors will hand you a SOC 2 report and call it a complete security conversation. As the Chief Information Security Officer at Whirl AI, I refuse to settle for that.

Sunny Bedi
Mario Duarte
Whirl AI CISO

I've sat on your side of the table. I helped build security at Snowflake, where our whole business revolved around securely holding other companies' data, so protecting enterprise systems at scale is the job I have been living and breathing for much longer than I care to admit. I've reviewed hundreds of vendors, signed the approvals, and had to frustratingly turn down great proposals after having a look under the hood. Having your SOC 2 Type II is table stakes. The Whirl AI team earned ours because it's the least you should expect. But if a security cert is the only thing an AI vendor puts in front of you, you're not asking hard enough questions.

Here is what worries me: LLM models and the planned benefits are getting all the attention, meanwhile, companies are pointing AI agents at the systems that run your business faster than anyone is securing (or even talking about) how those agents connect, prove who they are, or behave once they are inside.

Let me give you a real example. A startup CEO kept the key to a production environment — the one storing customer data — right on his personal laptop. He got compromised, and the hackers used that key to walk right into his customers' systems. I hear about scenarios like this constantly, especially when vendors never stop to ask whether they were setting up their processes naively.

"If a security cert is the only thing an AI vendor puts in front of you, you're not asking hard enough questions."
Mario Duarte, CISO

We built Whirl to make it less likely to tell that kind of cautionary security story about us.

That starts with who builds the thing. When we hire, we don't bring in security people to sit off to the side and check everyone else's work. We hire engineers who came out of the security world and put them on the product. Why?

Because we want it built securely from the start, not cleaned up in a panic when something goes wrong.

With that vision, we avoided taking security shortcuts on purpose.

  • We said "no" to putting two customers in the same environment, so that if one customer gets compromised, the others simply cannot be impacted.
  • We said "no" to allowing any system access other than on corporate devices with hardware-bound auth, to help reduce the impact of stolen credentials.
  • We said "no" to sharing the same agent credentials across the enterprise. Instead, we ensure that every credential an agent uses is issued, tightly scoped, and then killed the second its job is done.
  • We said "no" to training on your data or running a model of our own.

Less convenient for us? Possibly — but that's why we had all of these things in mind when we started to build security from the ground up.

We are very fortunate at Whirl because our team has the experience to make those calls — knowing that convenience and security don't have to be a mutually exclusive decision.

But let's be direct: we are not setting an impossibly high bar here. This is the actual floor of what we should expect before letting any software near our own systems.

Here is the crux for any security team: none of this is static. Nobody — especially me — gets to pat their back and call things forever secured. Threats will keep changing. The protection against them needs to evolve too. That is the goal.

So take this as an invitation: if you're looking at AI, hold every vendor — including us — to this standard. Bring your security team and ask those hard questions.

We would rather earn your trust by showing you behind the curtain than ask you to take any of it on blind faith.

— Mario Duarte, CISO, Whirl AI