Season 10, Episode 167

The Future is Now with Michael Grinich (WorkOS)

Hosts
Danny Allan

Episode Summary

Will AI replace developers? In this episode, Snyk CTO Danny Allan chats with Michael Grinich, the founder and CEO of WorkOS, about the evolving landscape of software development in the age of AI. Michael shares a fascinating analogy, comparing the shift in software engineering to the historical evolution of music, from every family having a piano to the modern era of digital creation with tools like GarageBand. They explore the concept of "vibe coding," the future of development frameworks, and how lessons from the browser wars—specifically the advent of sandboxing—can inform how we build secure AI-driven applications.

Show Notes

In this episode, Danny Allan, CTO at Snyk, is joined by Michael Grinich, Founder and CEO of WorkOS, to explore the profound impact of AI on the world of software development. Michael discusses WorkOS's mission to enhance developer joy by providing robust, enterprise-ready features like authentication, user management, and security, allowing developers to remain in a creative flow state. The conversation kicks off with the provocative question of whether AI will replace developers. Michael offers a compelling analogy, comparing the current shift to the historical evolution of music, from a time when a piano was a household staple to the modern era where tools like GarageBand and Ableton have democratized music creation. He argues that while the role of a software engineer will fundamentally change, it won't disappear; rather, it will enable more people to create software in entirely new ways.

The discussion then moves into the practical and security implications of this new paradigm, including the concept of "vibe coding," where applications can be generated on the fly based on a user's description. Michael cautions that you can't "vibe code" your security infrastructure, drawing a parallel to the early, vulnerable days of web browsers before sandboxing became a standard. He predicts that a similar evolution is necessary for the AI world, requiring new frameworks with tightly defined security boundaries to contain potentially buggy, AI-generated code.

Looking to the future, Michael shares his optimism for the emergence of open standards in the AI space, highlighting the collaborative development around the Model Context Protocol (MCP) by companies like Anthropic, OpenAI, Cloudflare, and Microsoft. He believes this trend toward openness, much like the open standards of the web (HTML, HTTP), will prevent a winner-take-all scenario and foster a more innovative and accessible ecosystem. The episode wraps up with a look at the incredible energy in the developer community and how the challenge of the next decade will be distributing this powerful new technology to every industry in a safe, secure, and trustworthy manner.

Michael Grinich: “I think we'll need something for the AI world. There'll be something around vibe coding applications where the frameworks need to have that tightly defined security boundary. So, the vibe code, whatever you generate, doesn't matter if it has bugs in it, because there's sort of a limit as to what it can actually do or impact. We'll need to move around those boundaries of where the security layer is, because historically, we didn't really need them. We had deterministic code, things were reviewed and checked in. So, just like the frameworks will change, but it'll be the same thing we did in the browser. Obviously, that choice we made with the browser was great, like the impact of that was incredible. We got tons of more stuff getting built and tons of more apps and websites and experiences, and people connecting. But in the interim, there'll probably be a period where it's pretty shaky.”

[INTRODUCTION]

[0:00:44] Guy Podjarny: You are listening to The Secure Developer, where we speak to industry leaders and experts about the past, present, and future of DevSecOps and AI security. We aim to help you bring developers and security together to build secure applications while moving fast and having fun.

This podcast is brought to you by Snyk. Snyk's developer security platform helps to build secure applications without slowing down. Snyk makes it easy to find and fix vulnerabilities in code, open source dependencies, containers, and infrastructure as code, all while providing actionable security insights and administration capabilities. To learn more, visit snyk.io/tsd.

[EPISODE]

[0:01:41] Danny Allan: Hello, and welcome to another episode of The Secure Developer. I'm Danny Allan, CTO at Snyk, and I'm very excited to have with me today the founder and CEO of WorkOS, and that is Michael Grinich. Michael, you've been in the development space and building really cool things for a very long time, but maybe you can introduce yourself for our audience.

[0:01:43] Michael Grinich: Yes, absolutely. Well, first of all, thanks for having me on the podcast. I'm excited to connect. As Danny said, I'm the founder and CEO of WorkOS, which is a company I've been building for a bit over six years. We help developers with enterprise features in their app. So, we talk about it in terms of making your app enterprise-ready. A lot of this has to do with things like authentication, how people log in, user management, how they're provisioned, access control, permission, security, logging. But we do a lot of stuff around encryption as well and generally just helping increase your posture as a developer so you can take your app up market and get bigger customers and grow.

Like I said, we've been at it for six years and change. And today we power over a thousand different applications in the market, like in production, lots of start-ups and then lots of bigger start-ups you might have heard of like OpenAI, Anthropic, Perplexity, Cursor, which probably a lot of people here listening to the podcast are familiar with. We power auth and identity for them. And then folks like Webflow and Vercel and Netlify and Plaid kind of fan favourite developer product companies.

So, we are sort of the enterprise features platform for those companies and helping them grow and scale at market. We care a lot about building stuff for developers and providing really safe and secure infrastructure for them to build their products.

[0:03:03] Danny Allan: Well, in that way, WorkOS and Snyk, Michael, seem to have a lot in common in that we're very developer-centric and focused on developer workflows. But for you, what does it mean, or for WorkOS, what does it mean to have a developer-friendly experience? What are the problems that they run into and what are the problems they're trying to solve?

[0:03:23] Michael Grinich: Yes. We centre our whole company around the developer experience. Our number one operating principle is developer joy that we talk about. What that means to us is to allow someone who's building something who's in that creative state of making the thing to really stay in that creative mindset and not get distracted by needing to go build things that otherwise other people have already done or might just slow them down. So, we like to take care of all the things that are kind of the table-stakes features in a SaaS product. And that usually is things around authentication and logging security, specifically for building one of these B2B apps.

WorkOS, we don't really focus on consumer products or social things or games. We really focus on B2B applications where there's a lot of kind of gnarly stuff under the hood you have to deal with if you're going to go serve a big customer. So, we like to solve all that in a way with really crisp and easy-to-understand APIs that are really predictable, that integrate everywhere, that plug into all the different systems. So, you kind of just read the API docs once, or you can even kind of guess what the thing does, plug it in, and then you're done. That whole surface area is completely solved for you, and you can stay in that creative flow state.

I think building software like engineering is an extremely creative pursuit in my mind. It's very similar to writing or making music or something like that. Every time a developer gets distracted by that or has to go debug something, it just slows them down. It slows down that creative spirit and the ability to actually make something really magical. A number one operating principle around that is developer joy. But really think about trying to keep people in that flow state with great docs, great experience and just generally a product that does what it says it does, and delivers it with like really, really high uptime and robustness. So, you don't really have to think about it ever.

[0:05:10] Danny Allan: Yes, I always say as soon as you increase cognitive load or switch context state, you're already losing the battle and so if you can keep them within flow state and not distracted from what they're trying to do, that's the best possible outcome as they're building software. We're living in an interesting time right now where AI though is, I've heard at least, is going to replace developers in a very significant way. What is your response to that? Do you think developers go away when AI becomes more prevalent or no, they just become more creative and have freedom to do more innovative things going forward?

[0:05:45] Michael Grinich: Yes, it's a really good question. I think it's just going to change. I don't think there's a way that we can say they're going to go away or stay or be the same or different. I think what it means to write software is going to change dramatically. Also, the impact of software in our lives is changing dramatically. As a corollary to this, if you think back historically for things like music, I mentioned making music earlier, it used to be the case that every family had a piano in their home because there wasn't recorded music. The technology did not exist to record and play back music. This is before, you know, the phonograph. It was common that like somebody in your family or somebody in your neighbourhood would like learn how to play music and you would have sheet music. And after dinner, what you would do is stand around the piano and sing and play music together. And that was entertainment for you, before the radio, before the phonograph.

I think about software engineering is kind of like that today. There's usually just like 1 out of 20 people or 1 out of 100 people that kind of knows how to write code and build stuff and you have to go to school to learn it or spend a lot of time to learn this really kind of esoteric complex way of thinking where historically we've had to go to the machine. We have to learn how the computer thinks, how the computer represents data and information, and then you can have control over it and build stuff. But only a small number of people have ever had that technique or ability, and everyone else has been like listening to music that just they played.

It's switching, where in the music sense, obviously, we got recorded music and we got more instruments and became easier to make stuff. Now, anybody can make music with a Guitar Hero, as a game or GarageBand on their phone or something or Ableton. It's so much easier to make music than ever before. If you would take what we have today in terms of instruments and gone back and shown it to those people with those pianos in their homes, it would be completely foreign to them, right? They wouldn't even associate that with making music and what music was.

I think it's going to be the same type of thing with actually building software where we're enabling more people to do it. But we're enabling them to do it in a way that's totally different than how historically we have done it and we'll go through that transition. There will always be room for software engineers thinking about systems engineering and application structure and frameworks and tools in the same way we still have people that play piano today. We still have pianos on stage. The piano is still a key element in, you know, music that we have today. Many people still have them in their homes, right? But the role has totally, totally shifted.

So, I don't know what that's actually going to turn into. It's changing literally week to week or month to month, which is just absolutely thrilling to watch and be part of. But the only thing I know is that it's going to be significantly different in the future and I'm very optimistic about it, because if you think about the music we have today, I think the music we have today is a lot better than back then when everyone was playing off the sheet music. We just have so much more stuff, so the music is so much better, and I think we're going to go through a similar transformation with software and just generally the technology industry.

[0:08:40] Danny Allan: I love that analogy of the piano and I'm going to steal it going forward mostly because I have two pianos in my own home and people that play the piano. But I also love music. And I agree with you, by the way, we're still going to have software engineers that are building and designing, but we're just kind of a whole lot more app creators, whatever that looks like. I always say, I still create applications, even though I probably shouldn't, but in my free time, I still do that. And I think what we'll end up with is everyone being able to create applications, but some people focused on based on the back-end engineering side of it.

[0:09:13] Michael Grinich: Yes, I think we'll have a lot more platforms creating components. The interfacing between those things will be a lot more seamless. There'll be a lot more choice integrations. It should be easier to make stuff, but it's really hard to guess. If you think about the piano, the well-tempered clavier, like the old-style instrument that people would have. And then you go to something say the 1980s, the keytar, have you ever seen one of those? It's like a guitar, it's a keyboard, they play on stage with like hair metal and stuff. That changed from the piano to that, I think that's what's going to happen around software development and engineering and nobody could have anticipated that, going back to that time.

So, we're just honestly trying to keep up with it in terms of us at WorkOS with all the stuff that we're building. I mentioned some of the companies like we're powering a lot of these like AI products as they're scaling and growing so we get really sort of a front row seat at what's changing and what they're thinking about what's evolving. The most compelling part of it to me is just like the democratisation of it. It makes technology more accessible, easier to use, easier to think about, faster to get from idea to like something that's actually working, and that's always been the most exciting to me about software is the immediacy of it and closing that speed of that feedback cycle. With these AI products or vibe coding or platforms, whatever you want to call it, call this whole thing, it has that at the root of it, which I'm just so glad that that's the centre of everything happening.

[0:10:38] Danny Allan: Do you expect to see more hybrid applications and software going forward? In other words, where agents are creating some other code and humans are creating the code. And do you envision a world where it's just in-time composable applications. In other words, you're not composing it for a point in time and everyone gets it, but it's more personalised? How do you see AI changing the world of software delivery?

[0:11:00] Michael Grinich: Yes, I mean, it's pretty weird when you can just describe the type of app that you want and it can just be generated and made right in front of you. It's the difference between going to a restaurant and then having a set menu and just order off the menu, that's all that's there versus describing what you're feeling like eating, what mood you're in or something like that. There's a cocktail bar in San Francisco I used to go to years ago where they had no menu and you would just kind of talk with a bartender about how you're feeling that day and based on what was in season and kind of what they thought, they would just kind of make something for you, make it up.

I think it'll be kind of like that where that will be a big component of how we use these systems. I don't know if we call it vibe coding, but it's more like just in time created or user-created software. For internal applications, and certainly in the business case, it's just going to be transformative for that. Nobody loves their internal tools. Nobody loves their internal app builders. They've been this clunky, hard-to-use, bad ergonomics type of experiences. That's one area where there's just enormous potential to make something easier for people to use, just like real people at their jobs versus like software engineers.

We've had those transformations and things like Microsoft Excel is incredibly easy to use and Lotus Notes and there's VisiCalc before that. And democratisation tools like Notion, have been really easy to use too on kind of the wiki side information sharing. But there's still things that are really complicated to do in terms of generating applications with real complex transformations need to happen or data visualisation, those haven't been something you could just put in a wiki tool.

So, what we're seeing is this like rapid change around how easy it is to author those things, and there's definitely going to be places where there's entire new categories of software that are like opened up because of those generative capabilities. I think we're literally just seeing like the very beginnings of it right now.

[0:12:52] Danny Allan: How do you think that impacts – I mean, this is called The Secure Developer, the podcast, the security, or the performance, or the drudgery, I'll say, of application development going forward. In other words, I can't imagine you would say, “Hey, you should vibe code your own cryptography, or your own IDP, or identity systems.” Do you think it makes things better or worse? How do you see it impacting a lot of the governance around the software?

[0:13:17] Michael Grinich: Yes. It's a great question. It's something worth about a ton and talking with customers about. You certainly don't want to vibe code, generate your security code, your security infrastructure. There was a reason, I think I read about a company that had done this, in their application, and vibe coded their auth piece. It works. They logged in and they tested it. But what they found, they went in production, was actually all the validation was done on client side. It’s completely easy to bypass, right? It’s kind of a true example, but to the LLM, that's secure, right? That's actually defined as secure.

So, I think we'll see something where the way that applications are built will change a bit. We'll go in a different direction from kind of like the monolithic apps. I mean, that's already changing. We're taking monolithic apps and deconstructing them into different components that we tied together. I think it used to be called Microservices. I think there won't be as micro as they maybe were in the past, tiny, tiny services. But components, service-oriented architecture of these things together. Some of those will have different security pieces. Some of them might be untrusted, and some of them might be trusted where it's much more secure and it's much harder to change the code and that.

To kind of predict the future or anticipate the future, I always like to look at the past, what have we done historically. There's a very good parallel to this actually in terms of how we built browsers. So, the early days of the browser is like Netscape and then later Internet Explorer, which was kind of my browser I grew up on, in the late nineties, early 2000s, there were tons of vulnerabilities in it. I mean the thing like every week, you talk about like viruses getting downloaded and worms and stuff, and a lot of that came from the extensibility of the platform that Microsoft added things like ActiveX. I’m kind of dating myself here, but that was an enormous source of vulnerabilities or Java servlets, applets that are running actually inside the browser and plugins and extensions and Flash and all of the stuff.

The browser was actually a huge attack vector. It made the entire operating system insecure once you had this stuff. Don't click the executable that just got downloaded or don't do whatever. In the moment when the Internet was blowing up and the whole value of the OS was connecting it to these external things. We eventually figured it out through sandboxing. Eventually the browser we sandboxed, I think Chrome was the first one where they actually did sandboxing per process, so you could have this tight isolation between these different systems where it really wasn't possible to break out from the runtime, the JavaScript runtime externally. Defining that is like the security boundary actually lets users run more untrusted code on their machines, not less, because we can have that defined sandbox where it can exist. And the browser itself is doing the enforcement.

I think we'll need something for the AI world. There'll be something around vibe coding applications where the frameworks need to have that tightly defined security boundary. So, the vibe code, whatever you generate, doesn't matter if it has bugs in it, because there's sort of a limit as to what it can actually do or impact, and we'll need to move around those boundaries of where the security layer is, because historically we didn't really need them, we had deterministic code, things were reviewed and checked in. So, just like the frameworks will change, but it'll be the same thing we did in the browser. Obviously, that choice we made with the browser was great. The impact of that was incredible. We have tons of more stuff getting built and tons of more apps and websites and experiences and people connecting.

But in the interim, there'll probably be a period where it's pretty shaky. In the same way we had lots of browser exploits during that era before we kind of figured out the right boundaries and semantics. I wouldn't be surprised if there's similar things that are going to happen around AI-based systems. And there's a lot of interesting start-ups and interesting work happening with people that are trying to figure out how to sandbox LLMs or how to like have evals that look at the prompt output, or a company I met with recently that's doing kind of cyber insurance for LLM behaviour, because you don't want the chat bot like acting racist or something like that for your customers.

So, history doesn't repeat, but it definitely rhymes, and there's a lot of this from the browser era. I think, just look 20, 30 years back, we can kind of learn from it then.

[0:17:27] Danny Allan: What do you equate to the – so I remember the Browser Wars well. In fact, I started before there was browsers, so I'm really dating myself to TIN. I used TIN on Unix systems, and I remember it was able to radically change my life, and the email was Pine –

[0:17:43] Michael Grinich: Pine is not Elm. I think that's the recursive acronym, right? Absolutely. Yes. Browser ideas.

[0:17:52] Danny Allan: But then we get to the Browser Wars, and there was a clear winner of the Browser Wars is what I'll say. Like, there's Netscape and Opera and Internet Explorer, there's a clear winner. What is the equivalent of that in the AI era? Is it the models? Is it the software in conjunction with the models, like the libraries and frameworks? What do you see as the parallel to the browsers?

[0:18:14] Michael Grinich: Yes. It's another great question. I don't know. If you would have asked me maybe two years ago, who is going to win? I would probably have just said OpenAI. OpenAI, the talent density they have, the financing they have. It's so hard to build and train these foundation models, at least historically, you looked at it and you're like, how is anyone going to catch these guys? It costs so much money to build these things and scrape the data and they're just so far ahead.

A couple of things have happened since then in the last two years that has actually convinced me that it maybe won't be a winner-takes-all. I mean, OpenAI is doing great. It's not a dig against them. The first thing is actually what xAI did. If you look at how fast they were able to build and train the Grok model, and they threw lots of money at it, right? It wasn't efficient. They built this enormous data centre extremely fast and just like raw, brute-forced it. But the results are, you can't argue with them in terms of the quality and impact of that model and what they've built.

So, to me, that says actually, it's actually relatively easy to reproduce these models if you have capital. Certainly, there's kind of infinite capital in the world going towards productivity and enhancements like AI. So, there's not going to be one company that has the uber model that beats everyone. It's a neck-and-neck race. We've seen that with Anthropic and others as well too, recently. That's the first thing.

The second thing is actually more recent, and this is around MCP. So, MCP is a protocol if you're going to live on, kind of, terminally online like I am on Twitter. Everybody talks about it, it's this new standard for actually having LLM-based chat applications interface with the big model providers. So, you can take your Claude desktop and connect it to all these third-party apps and services. It's sort of an extension to what we previously did with like REST APIs and JSON, but built around this text-based tool calling in the LLM world. That's something that Anthropic introduced last fall, in the 10 years since January, it feels like.

[0:20:16] Danny Allan: It's going faster than anything I've seen in the past.

[0:20:19] Michael Grinich: Yes, let's say six months, something like that six months ago. What's really cool is they introduced this concept, and it was just the beginnings of a standard. And since then, there's been actually an enormous amount of collaboration between Anthropic’s MCP team and other people in the ecosystem and a bunch of different start-ups like we've done some stuff with them, but also with OpenAI. Also, Block built their Goose, their open source client that's like an MCP client that can work in this way. Postman's doing cool stuff for this. Sentry is building cool stuff. Cloudflare and Vercel and Netlify, it’s like the one area they're actually kind of thinking about collaborating around. Even OpenAI announced that they're going to adopt MCP for ChatGPT. I just saw today, literally today, that they're doing the same for Copilot. Microsoft is announcing MCP support for Windows with Copilot.

So, this is another area where standards are starting to actually like very quickly emerge and companies are kind of collectively building around this. That also gives me a lot of hope and promise that it's not just this one single winner takes all, we only build into a single ecosystem. We need something kind of like Unix for AI platform development. It existed in the web era. We got stuff like HTML and HTTP from, thankfully, from Tim Berners-Lee and folks like that working on the web and Mosaic and Netscape and it started to consolidate. At the time, Chrome did win the Browser Wars today, you could say, Chromium and WebKit and stuff like that. But the web is still an open standard.

There's still open standards bodies. In many ways, it's still open. In the mobile era, that did not happen, right? We have Android and iOS and there's choice in that there's two, but they're kind of both locked ecosystems. You could say Android's more open, but it's kind of still locked down. You're still in the Play Store. There's a very interesting moment right now, exactly right now in AI space, where we're going to decide whether these are open platforms and open standards or closed platforms and closed standards. Optimistically, I think that they're trending towards being open ones and that the people working at these companies understand actually for the actual promise of these AI products to be as magically impactful in the world as we hope, they need to be open. They need to be open from the beginning. And I'm just really, really optimistic based on – if fingers cross is actually going to happen, I'm just kind of observing this. But all signs look good so far.

[0:22:40] Danny Allan: Yes, completely agree. Fingers crossed, knock on wood kind of thing. One of the things that encouraged me in the MCP front, I've been very worried about authentication, authorisation. But the good news is, Anthropic, when they designed it, it's very similar to a language server protocol, LSP, and are using similar data structures, JSON-RPC, but they're applying the same principles from those old platforms in a very open, extensible way. So, I think there's lots of opportunities.

In fact, correct me if I'm wrong, but you just hosted recently an MCP night in the Bay Area. What were some of the interesting projects that you saw come out of that?

[0:23:17] Michael Grinich: Yes, we did this event last week in SF at the Exploratorium, which is a great venue. So, it was kind of an experiment. We wanted to bring together a bunch of people building stuff around MCP. What you were mentioning around authorisation, there's a recent change to the MCP spec that adds the ability for third-party systems to act as authorisation servers in an OAuth sense for MCP servers. You can kind of separate out the authorisation to resource server, and we'll get into details around how the actual OAuth stuff is implemented. But the short version is like now we actually have auth for MCP. If you're using WorkOS, it's like enterprise-grade auth for MCP. Very exciting, because all these huge companies want to use MCP, and they don't know what to do around auth. You've got to have auth, these things.

So, we're like, okay, we're going to demo some of this stuff. We're going to bring some people together, throw this event. I was texting friends of mine at different companies. We have people from Cloudflare come talk about their MCP hosting. Dave Cramer, who's one of the co-founders of Sentry came and talked about his MCP stuff that they built, which is just totally wizard. From Vercel, some people came, we had a great panel, including some people that were previously at Okta working on identity stuff. We had like 500 people show up to this event. It was crazy. It was completely packed. We threw this great party afterward.

I think in addition to there just being so many cool things that are getting built right now, there's just this like electric energy and enthusiasm for it amongst people that like building stuff. They like making things. I have always found that if you want to figure out where the future is going, go look where the developers are spending time, what they're hacking on, what they do after five o'clock. Who do they hang out with? What do they talk about? What events do they go to? It was a good party afterward. But I think the reason people came wasn't like they're just the free food. It was because they're just enthusiastic and excited about this as the direction things are going and that feels like it's a compounding force that's going to have a lot of energy throughout the rest of this year and beyond.

[0:25:09] Danny Allan: Yes. I know there's been similar meetups I'll say here in the Boston area and based on the east coast of course, but at MIT, and there is an energy that I have not seen in the past even 20 years and I attribute it to the possibilities around AI and some of the things that are happening. I think developers are just getting excited by the possibility of the future. So, I guess to that point, Michael, what makes you most excited? So, obviously, WorkOS is doing some really cool things in helping the B2B space. But what do you think are the big things that we can solve as a technology industry over the next decade?

[0:25:45] Michael Grinich: Yes, I mean, a decade is, I'll just try it for the next months.

[0:25:49] Danny Allan: Or two years, two years.

[0:25:50] Michael Grinich: In six months probably, yes. It seriously feels like a decade since January because there's so much stuff happening. Yes, one of my favourite quotes is that the future is already here. It's just not evenly distributed. I live in San Francisco. I love the Bay Area. I like go skiing in the winter and surfing and stuff. But another benefit of living here is you're really in the centre of the Silicon Valley kind of technology industry. These evening events that people are hacking stuff together, you just get a glimmer into where things are going and into the future.

With WorkOS, we've always lived at this boundary in between developers building stuff, apps, whatever, new design tools, recruiting tools, things for lawyers, and doctors, and whatever, engineers, between them and enterprises. Enterprise customers, big companies that want to adopt these products. WorkOS sits in between the two of those things. We help those developers with all those enterprise features in their app.

In the last year, these AI companies have grown insanely fast, and they've grown insanely fast on WorkOS. We've had people integrate and just blow out the growth numbers that we previously see from companies. I don't think it's a coincidence. What I'm seeing is that these big companies, the enterprises are actually realising that there's an enormous opportunity to transform their organisation how they operate by using AI. It truly is like the dream of technology to automate things to allow people to do things more efficiently. It's not robots are coming for our jobs, it's that we can actually stay in that creative flow state.

In the example I gave earlier around engineers writing code and maybe people listening to this that are developers, every job has a version of that. People that are accountants have a version of flow state for accounting. And people that are designers have the version of that for designers. People that are recruiters have the version of that for recruiters. And there's an opportunity for us to build something like a Cursor for every job, that's out there powered by AI to enable people to be more creative and be more thoughtful and for it to be really personalised around their work. AI, I think, is the ticket to that.

The challenge is going to be actually how do we roll it out? So, that future is here. We see it today. I'm living in San Francisco. I'm using Cursor. I can write code a thousand times faster than I ever had before and I can build crazy stuff. How do we get that into the hands of everybody else that's not writing code in their jobs? I think that's going to be the next 10 or 20 years, honestly. Maybe it'll happen a lot faster. It certainly seems to be accelerating, but distributing that feature into every job and building products and services that people can use. And specifically, that enterprises can adopt in a way that's like safe and secure, that's going to be the hard part. That's the real challenge. Because they're not just going to vibe code their way to doing their taxes or their corporate finances. They're not going to vibe code their way into HR systems or medical stuff for doctors, right? There's real consequences of things to go wrong. In the software world, we kind of got it easy. If the thing doesn't work, it crashes. We just say, “Cursor, you made a mistake.” And it's like, “Oh, I'm sorry. Let me go fix that.” That doesn't work if you're doing surgery on someone. So, it'll be slower in certain areas to get adopted.

But I think the area that I'm most interested in is actually how do we take this ground-breaking, kind of breath-taking new technology, this new way of interfacing with machines and apply it out in the world and do it in a way that's actually kind of safe and exciting and not in a way that has disastrous consequences in some cases. I hope that WorkOS can play a small part in that.

[0:29:18] Danny Allan: Well, I'm sure you will be able to do that. I mean, you've been doing amazing things. I always say that technology, and in this case AI, can't realise its full potential unless people trust the technology itself. Are there KPIs or things that you would point to that enable organisations to take that cultural leap or to take that shift that has to take place in order to adopt it? Is it just a time thing that people become more comfortable with it? Or are there specific tangible things that we can do to help people become more comfortable that this is the way forward?

[0:29:50] Michael Grinich: I think there's a technology bit, which is actually how you practically use these things or roll them out to your team or actually get people's hands on it. We see this a lot with companies putting budget towards AI saying, “Hey, we know this is going to change the way we work. We don't know exactly how, but we know we need to go figure it out.”

Back when I was a student, I actually built a lot of iPhone apps when I was an undergrad. When I was an undergrad, actually at MIT, there was a lot of mobile app development, and I did it for walking around money, essentially building apps for local companies in Boston. I met with all these companies, and they said, “We don't really know much about the iPhone, the platform, but we know we got to do something. We know we got to start figuring it out. I got to build something and try to understand how this fits into our business because we can tell it's going to be really disruptive. We know there's going to be a change.”

There's a ton of that happening right now with companies where they're earmarking budget for it and expanding and building stuff. But I'm not really sure actually how it's going to come out. I think there's a cultural shift. Some companies I think will just wake up one day and say, “Oh man, we've been sleeping on this. We've got to urgently jump after it.” I think that's probably already happened. Most people have had their own personal ChatGPT moment where they start talking to the thing and they're like, “Oh, my God.” And then it happens like 10 more times. You're like, “It can do what? It can do what? It can do what? What can't this thing do?” If you think about a business as kind of a collection of people, all having that moment together collectively as a business, I think we're going through that right now, and that's why you're seeing these tools get adopted so fast.

The people that are saying hit the brakes are the security folks. They're the ones saying like, “Oh, hold on guys, let's not roll this out, and connect it to everything.” These AI systems are only, they're really only valuable if they have context, so they have to be connected to stuff, and if they can do actions. Those both are super sensitive things, giving data access and giving data, having it allowed to make changes and mutations. That's where a lot of these start-ups are working, but it'll just take us a while to figure out what the right controls and primitives are around that for these systems, whether they're agents or MCP servers or LLM bots or whatever. There'll be a cultural change and then there'll also be a technology change. Typically, they happen kind of in tandem.

[0:32:00] Danny Allan: Well, I've noted that we will reach there. We've always as an industry been able to on the challenges that are in front of us and WorkOS has proved that over and over again. Well, Michael, thank you for joining us today on The Secure Developer. Always exciting to have someone who has a great perspective on the grail and swell of what's happening and pulse on the industry. So, to everyone in the audience, thank you for joining us today on The Secure Developer. We look forward to speaking with you next time. Thank you.

[OUTRO]

[0:32:31] Guy Podjarny: Thanks for tuning in to The Secure Developer, brought to you by Snyk. We hope this episode gave you new insights and strategies to help you champion security in your organisation. If you like these conversations, please leave us a review on iTunes, Spotify, or wherever you get your podcasts and share the episode with fellow security leaders who might benefit from our discussions. We'd love to hear your recommendations for future guests, topics, or any feedback you might have to help us get better.

Please contact us by connecting with us on LinkedIn under our Snyk account, or by emailing us at thesecuredev@snyk.io. That's it for now. I hope you join us for the next one.
