AI Everywhere: Infrastructure, Governance, and Shadow AI with Draeger Valencia (Singulr AI)

In this episode of PodMagic, Bruce Kornfeld sits down with Draeger Valencia, Head of Go-To-Market at Singulr AI, for a candid, deeply practical conversation about what’s really happening as enterprises race to adopt AI.

Transcript

Bruce Kornfeld

Welcome to PodMagic, real conversations about solving real IT challenges. I’m your host, Bruce Kornfeld, the Chief Product Officer at StorMagic. And we’re always exploring how simple, reliable technology can benefit you and the people you serve, whether that’s retail stores, manufacturing sites, or just customers on the front line. My goal is to bring interesting guests, deliver some value, and have fun along the way.

Let’s dig in. I’m excited about today’s episode with Draeger Valencia from Singulr AI. Draeger, good to see you. Why don’t you do a quick intro of yourself and what you do.

Draeger Valencia

Great to be here. Thanks for having me. I run go-to-market for Singulr AI. We are a company that’s focused on helping large organizations really balance the need to be agile and how they adopt AI with risk management. Ultimately, for those companies that are looking to really lean in with AI and drive meaningful business impact, but to do so safely and mitigate risks such as data leak and compliance violations.

Bruce Kornfeld

I know that you and your company are focused on the governance side of AI, but let’s start on some of the other fun parts of it because AI is everywhere. Usually on these podcasts, AI comes up as one of the questions, but I think we’re going to talk about it the whole time today, which is awesome. Let’s just talk about infrastructure for a second because there’s always an intersection between what we do and what you guys do. Traditional IT infrastructure that we’ve all been dealing with for decades is being impacted by AI. How do you see these two things coming together, pros and cons, or just your general thoughts on how AI is impacting overall infrastructure planning?

Draeger Valencia

Having come from VMware prior to this and having had some experience in the IT infrastructure side of the house, I think it’s getting impacted in multiple ways. Both how IT manages that infrastructure and how opportunities to leverage AI to manage and operate even traditional infrastructure in a more efficient way.

Also, considerations around what infrastructure should they prepare for to enable the adoption of various forms of AI. The discussion around, should I build out my own infrastructure or maybe lease it has been a hot topic in my world at least for the better part of a decade. It’s largely been around, should I invest in my own private data centers or should I move to the cloud? I think we see customers in various phases of rolling out certain AI initiatives. We see one early trend, which is many customers are very much in an experimental phase related to some of their AI initiatives where they’re really just validating use cases and trying to determine the best approach to driving the outcomes that are intended. By and large, most of the AI consumption that we see is in the cloud. And for the most part, it appears as if there’s some sensitivities around investing too heavily in their own infrastructure, before they validate some of these business cases and then move these projects from test or pilot phase into production. We are seeing an uptick in private infrastructure, private AI as it’s commonly referred to, especially for those that are highly regulated and who have had some success moving projects into production at scale and are now looking to achieve better economies of scale by kind of moving that infrastructure on premises instead of the traditional cloud rental model.

Bruce Kornfeld

You bring up a couple of points here that I thought we might get to eventually, but I think we might have to hit them straight on. One of them is success rate. You’re closer to how end users are using AI and deploying AI than we are, because we’re at the infrastructure layer. What are you seeing for success rate? There must be so many tests and pilots and proof of concepts going on. Talk about how many of them are you seeing make it to production? Do you have a stat? Do you have a percentage?

Draeger Valencia

No, not really. I don’t think we have a stat. I think it’s because it really depends on the type of customer. Actually, this reminded me a lot of the early cloud days where there was general consensus at the leadership level, sometimes the board level that there should be some value in adopting cloud. But there wasn’t a lot of definition around what that meant from business to business. So some took an approach of, let’s go check a box so we can say that we’re adopting. But there wasn’t as much time and effort put into a strategy around, why would we adopt? What problems are we trying to solve? And what’s the best way to solve the problems? Some similar behaviors, I’d say, where AI was a hot topic and some were feeling pressure from the board and their executives to have an answer. What are we doing with AI? What’s our plan to get ahead of this thing? Some took the approach of going out and establishing enterprise license agreements with something like chatGPT or Microsoft CoPilot across the entire company. I think many of those organizations quickly found out that although the general GPTs do yield value, depending on the use case or the domain in which an individual may use some of these technologies, there’s a lot of purpose built, domain specific AI that started proliferating into the market and I think it’s for good reason. I think many of those that just standardized on more of a general-purpose model early on, saw this immediate uptake as soon as they made it publicly available to the enterprise. They saw a huge spike in adoption for a few weeks. And then over time, it started falling quickly. Many of them started interviewing their employees to try to understand what was driving the trends. Some of the trends we heard the most was, individual struggle to really understand how to take this general-purpose tool and apply it to their day-to-day work that would drive impact. Some of it was a lack of training. Some of it was just a lack of targeted use for whatever workflow needed to be enhanced. I think the organizations we’ve seen be most success in driving material impact were the ones that really started by saying, okay, what problem are we trying to solve and for whom? AI aside, what do we feel are some of the biggest gaps that we need to fill in order to solve that problem? And then they started looking at, okay, what’s available from an AI perspective that could start to solve some of these issues.

Bruce Kornfeld

It sounds like a more purpose-built, very focused approach wins out over the general approach. That’s what it’s like.

Draeger Valencia

Also, any business or IT transformation likely comes with a degree of proper planning to get it right. It’s not just the tech, but it’s also the people and processes that go into it. Those that I think invest in that, in a more holistic approach upfront tend to see the success a little faster.

Bruce Kornfeld

The other thing that you mentioned earlier that I want to dive into is the whole cloud versus on-prem thing. I’m sure there’s no one answer for any one organization. But we live at the edge, so our solutions are targeting customers that are either small enterprises that have one or two sites, or they’re large enterprises where they have data centers and clouds somewhere else. They have 1,000 stores or they have 1,000 locations. We’re in those small locations. If you put your brain around the small sites of big companies, what advice do you have? Cloud makes a lot of sense for early on and proof of concepting, but at some point, does it make sense to bring the AI tech on-prem as well?

Draeger Valencia

I’m certainly not the best resource to give advice on the topic. But I can tell you what I’m hearing from clients, and I’ve had the benefit of working with likely some mutual customers of StorMagic, in the retail space specifically. At a high level, a lot of folks are looking at this. We saw a significant pendulum swing, which is, cloud and data center before AI, where there was cloud, cloud, cloud. Then over time, even as recent as the last few years with large organizations, we saw a lot of money being pushed back into on-prem data center away from the cloud. I think as enterprises learned how to manage and operate these data centers in a more scalable fashion, the economic value of running them on-prem began to go back up. I think that’s probably carried through into AI and the way businesses are looking at, or I should say projecting the future. A lot of what we’re hearing from customers is really what you were just referring to. While they’re in POC phase and until they validate business cases behind these investments, they like the rental model. It’s one that if it doesn’t work out, then they’re not on the hook. As some of these projects move into production, we’re already seeing this, especially in some of the large financial services providers, as well as healthcare and large patient care providers, where there are specific projects that are fully baked. In many cases, it’s a combination of third-party AI technology and in-house development and they’ve started moving those on premise based on just the economics behind it. If I’m a betting man, my guess is over time, we’ll start to see a similar trend, particularly with larger organizations who already have the means to manage and operate their own on-premise infrastructure.

Bruce Kornfeld

How would you react to this concept? We hear from some customers, leave the models in the cloud, but because of the need for fast real-time answers, do the inferencing at the small sites. Does that sound like something that you’ve run into as well in your trials and working with customers?

Draeger Valencia

It does. It also just sounds like an evolution of, even prior to AI, the buzz was around edge computing for the same purpose. I would imagine both performance and cost will continue to drive decisions around infrastructure. Over time depending on the nature of the project, performance may out win cost. That’s certainly what we’re seeing now, where cost is an afterthought. Also, this may sound familiar for those that went through the early days of the cloud where it was like, okay, we’re going to jump towards performance for the sake of performance. Then over time, as people started getting hit with surprise bills or unexpected bills, then cost became an element. Right now, especially here in the States, there just seems to be such a gold rush to get to AI, to be less behind than your closest competitor. We haven’t seen cost be a significant decision point over performance. But at some point businesses will look to strike the balance.

Bruce Kornfeld

There’s no lack of investment going around the industry in terms of data center and build outs, that’s for sure. There’s a lot of attention there.

Let’s move to something that I’m sure you’re opinionated about. Let’s talk about AI governance. This is an area that I don’t have a lot of experience in. Why don’t you tell me about how it works? You talk to your end users about AI governance, do you find that it’s possible for there to be a perception with AI governance that could slow down deployments or is there a way to add the right governance and not slow down progress?

Draeger Valencia

I think governance, especially if you’re talking to the builders, the folks that are focused on innovating, governance has been a bit of a four-letter word in years past and not too dissimilar to cybersecurity, where even in security it’s always been this trade-off. If you want performance, then you must concede or make sacrifices related to security. I see lot of parallels between the two. We had one of our customers use this analogy with us the other day that I figured I would adopt. AI without proper governance and oversight and control is like a Formula One car without brakes. It’s dangerous and it’s impossible to finish a winner. We see the exact same thing, and I can give a few examples that validate this point.

We have worked with a number of customers that, prior to utilizing a platform like ours, they were leaning on traditional IT security-based technology and like a security and IT stack to handle certain elements of governance, and one would be access control. Even some DLP to kind of better determine when maybe sensitive information might be getting exposed to a model or an application. But by and large there was a significant lack of context that was important for the business to understand. One is AI operating as we intended, and it’s not just human and non-human. Now we’ve got quite a bit of examples within our customer base of agents being deployed out into the enterprise, accessing enterprise systems.

So examples of where the lack of governance created, effectively a false start, was projects that were released without much oversight to access and the type of data that was getting exchanged. As a result, unintended consequences proliferated and set those projects back. A common example that we’ve seen in the news a few times is employees that accidentally leaked intellectual property or some form of sensitive information, which creates a costly scenario as it relates to fines, especially for those that are in a regulatory space.

But it also creates a competence issue amongst their customers, and even in internal shareholders around their ability to deliver on these projects effectively. Where the desire to move faster forced a scenario where thinking about controls and oversight and governance was an afterthought. The lack effectively created this trial and error that increased the total cost of those projects and delayed the time in which those projects delivered any real value. Some of them are still back to square one or they’re now approaching it from that more methodical viewpoint, which is, what problem I’m trying to solve and what outcome am I trying to deliver and how do I protect this investment to ensure that I’m driving that outcome as effectively as possible.

Bruce Kornfeld

I’ve got a question about your solution, because it’s something that we struggle with as well. We have plans. We’re implementing AI. And there’s always that nervousness, we’re cautious about our IP. How do we make sure that we have the right governance in place to prevent our team from doing something accidentally wrong? How does your solution help end users solve that or prevent that from happening?

Draeger Valencia

It’s a good question. Our approach is by enabling our customers with complete awareness of what’s happening in their environment. It really starts at just understanding from an AI asset or inventory perspective, what LLMs, what agents, what third party services are being utilized. Where are they being used? Because not all AI presents a risk.

If you have an enterprise license agreement of Grammarly, where you have control to turn model training off and you’ve negotiated data privacy terms that protect you contractually, in addition to the controls that they provide, the concern or risk around your data leaking is much lower than if an employee accidentally logs into their free account of Grammarly, which is catching every keystroke on your laptop and is training on the data. There’s no free in AI. You become the product at that point and they’re utilizing the data to train those models. And we’ve seen examples of how those models can be exploited by bad actors to pull that information out. Once it’s gone, it’s gone for good.

Our approach is very much around ensuring that there are no blind spots for central IT, central security teams understand what is in your environment, validate what you believe you know, and also ensure that any unknowns are thoroughly vetted and you have the context to say, wait a minute, I did know that we had 800 seats of Grammarly, but now I see there’s 200 examples of employees using a free account. How do you prevent that for the future? And it doesn’t just go for these third-party services. It could be models. We’ve seen examples in which central IT teams approved a specific model for an in-house developed application. Then six months down the road, that line of business who owns that application, decided to update to a new model.

Innovation’s happening fast, and if these applications aren’t keeping pace with innovation, then they risk the likelihood of not delivering the business impact that was intended. But how do you ensure the new model that didn’t necessarily go through your governance process, that there was a security scan run and that it came in clean? It didn’t become effectively a Trojan horse.

So our approach is by making sure that whether it’s a homegrown agent or LLM or any third-party type service or application that the business may be using, that central IT and security teams know about it and understand what risks they may pose, whether it’s compliance, security, privacy, or even just a risk of opportunity costs because somebody’s using a type of service that could be a free account, when the business has already invested in something else. So, they’re not getting the same ROI that they would have expected out of what they invested.

Bruce Kornfeld

It sounds like your technology has a way of assessing what’s out there on the corporate network and doing a risk assessment. You understand the models that exist. You actually can go find private ones or homegrown models as well, and you can help them make assessments on risk around that. That sounds pretty cool.

Are you seeing your clients building their own applications? Are people using off the shelf? Are you seeing a lot of homegrown? What do you see working the best these days?

Draeger Valencia

It’s a mixed bag, but I can share some examples of what we’ve seen that could be interesting for some. One that relates to productivity-focused use cases. We’ve seen some customers be fairly successful in buying something off the shelf that was purpose-built for that particular use case. Simply for the purpose of validating the use case itself. So, they buy something that was already built for, let’s say code generation, and then run some initial tests to determine, do we feel like this is something we could really scale out and drive some material impact? Then once they got through that initial validation phase, many of them started looking at, how could I do some of my own internal development to make this type of service more specific to my business and my business needs? I think a lot of enterprises have started hiring some talent that has the ability to build some of this stuff in-house. I still think one of the big problems outside of just power and energy, one of the big problems that will still likely be an issue through this year and maybe even years to come is a skill set shortage. There are not enough experts to support all the business demand out there. But when businesses were fortunate enough to grab a few key players that understand how to develop in this space, I think we’ve seen them be fairly successful taking a third-party that’s already built effectively a prototype that they’ve been able to validate the use case internally, and then turn that around and go build something on their own that more precisely meets their specific business needs and scale.

Most of our client interactions are in the larger enterprise market. So I’m not trying to signal that there will be some big pullback related to third-party across all markets. I think there will be plenty of demand in some large enterprise and then quite a bit of mid-market and even smaller companies, to still just buy something off the shelf that was purpose built.

Bruce Kornfeld

AWS and Oracle and everyone building these big data centers for AI, unless they’re all wrong, there’s going to be opportunity for a lot of innovation over the coming years. I’m sure there’s no one right answer.

What about shadow AI? I assume it exists. What advice does your company have on, does it matter? How do you deal with it? How do you define it? Is shadow AI a big problem these days, or could it get worse?

Draeger Valencia

I alluded to this and effectively our elevator pitch earlier. We see shadow AI quite often. What we found is it’s taken on a lot more meaning in the past 12 months. I think most people, when they hear the term, shadow on its own has become a negative, has a negative connotation. Depending on the organization, the idea of, the workforce out experimenting for the purpose of innovation isn’t necessarily a negative on its own. Typically, there are good intentions behind some of this activity, that maybe it’s not formally sanctioned by IT or security teams. The issue is businesses, by and large, most leaders are expected to have an answer for how they’re leveraging AI to drive impact to their customers, their internal customers, their external customers, top line revenue, improve margin, et cetera. One or all of those areas are a top 10, if not top three initiative for most leaders on the IT side, security side, privacy side, lines of business, et cetera. Not having visibility of what AI is in use and how it’s being used is in direct conflict with the need to go back and explain to shareholders or whomever it may be, how you’re maximizing the impact of the usage. So, one is having a clear understanding of, using it in the best way possible and is it driving the impact expected? If you’re not monitoring that usage, it’s a complete blind spot.

The other issues that I think are most commonly talked about are, it’s almost like the old cybersecurity adage, you can’t protect what you don’t know about, what you don’t see. It’s probably overused but it is true. If you don’t know that an autonomous agent has gone rogue and is now accessing a system and over accessing information, then how do you maintain a level of awareness of your risk posture? If you are aware of that risk, you’re in a much better position to remediate that risk.

The only other thing I would add is, it’s so common for people to associate the term shadow AI with just, whether or not there’s a known or sanctioned AI service, or LLM agent. There’s a whole world of shadow activity that happens within sanctioned services and projects. I’ll give you a really good example where we had a large financial services customer who had approved one service for a very specific department within the business and for a use case that was internal facing only. And six months later, they found out through a help desk ticket that another department had indirectly exposed a prompt to an external customer that fundamentally changed the risk posture of that entire exchange. nothing about that specific service was shadow on its own, but the scope of who was using it and how they were using it, that was completely unknown to the central IT privacy and security team.

Bruce Kornfeld

I remember hearing shadow IT referred to back in the early days of cloud and SaaS. Where departments weren’t dependent on their IT department. They just went off and found applications. I wonder if shadow AI is even a bigger problem because shadow IT usually meant you have to purchase something. You had to buy a SaaS application, whereas Chat GPT can be free, Gemini can be free. There’s probably all sorts of projects going on that didn’t cost the company any money, except for the time that people are spending. It’s an area that I’m sure will evolve over the coming years.

I have one last one for you, just an opportunity for you to say whatever the heck you want, a prediction. Pick one thing that you think is going to happen in the next year, two years, three years around AI. You can’t be wrong. It’s all your prediction.

Draeger Valencia

This is a trap in the context of AI. This is probably an easy way out, my prediction is we will look back a year from now, two years from now, three years from now, and all feel like we underestimated just how transformational this moment in time is. I don’t know exactly what that means related to the job market or innovation in certain areas, we are already seeing some really promising, amazing things through AI, healthcare, for example, and better assessing when someone may have an illness that you would want to catch as early as possible. Diagnostics in general is showing some really positive early signs, regardless of the forms of diagnostics. We’re also seeing some pretty impressive and scary enhancements in cybersecurity threats as a result. I think there’s both a lot of positive and some potentially dangerous outcomes that could come out of all of this innovation. But I think regardless of what 12 or 24 or 36 months look like, almost all of us will look back and say, wow, I knew it was big. I didn’t realize it would be this transformation. So that’s my bet.

Bruce Kornfeld

You’ve got my support. I agree. I see it happening already. Draeger, thank you so much for joining PodMagic. It’s been great having you, great conversation. I learned a lot and appreciate you educating me about governance and AI. That was awesome. I hope to have you back someday, maybe for a demo.

Draeger Valencia

Thank you for having me. We’d love to do it. Thanks so much, Bruce.

Bruce Kornfeld

Thanks to everyone for joining. This is PodMagic. My name is Bruce Kornfeld. Real conversations about solving real IT challenges. So come again, watch all the previous versions we’ve had, hit the like button, the share button, tell your family and friends. We’d love to have you back. Thanks for joining.