Guest: Jeremy Epling
Company: Vanta
Show: The Agentic Enterprise
Topic: Agentic AI
Fifty-nine percent of security leaders admit AI threats are moving faster than their expertise. For large enterprises, that number jumps to 67%. Yet paradoxically, eight in 10 organizations are increasing their AI usage in security programs. This tension between risk and opportunity defines the current moment in enterprise security—and it’s exactly what Jeremy Epling, Chief Product Officer at Vanta, addresses in Vanta’s latest State of Trust report.
The AI Trust Gap: What Security Leaders Are Facing
Vanta’s State of Trust report, now in its third year, surveys security and compliance leaders worldwide to identify emerging risks and program priorities. This year’s findings reveal a sharp disconnect: organizations are racing to deploy agentic AI without fully understanding the implications.
“We see it in the security questionnaires we process,” Epling explains. “Customers are asking: Are you training on my data? How are you using AI? These questions are coming up in nearly every deal now.”
The concern isn’t theoretical. Recent attacks—including the nation-state incident documented by Anthropic—demonstrate how AI coding tools have lowered the barrier for sophisticated, autonomous attacks. “The attack wasn’t novel in terms of vulnerabilities,” Epling notes, “but the fact that it can be fully autonomous and scaled changes everything.”
The Trust Economy: From Compliance to Customer Confidence
According to the report, 82% of respondents now believe improving security and compliance directly boosts customer trust—up from 67% last year. This shift reflects a broader change in how security teams demonstrate value.
“It’s not just at deal time anymore,” Epling says. “Customers want ongoing proof that trust is maintained. They want to see real-time security status.”
Vanta addresses this through automated Trust Centers, continuous control monitoring, and a newly launched feature called Customer Commitments. This tool analyzes contracts to track security obligations—like breach notification windows or encryption requirements—across thousands of agreements.
“Security leaders can now show business stakeholders exactly which customers are asking for which controls,” Epling explains. “That’s how they make the case for more resources or new tools.”
Fighting Fire with Fire: AI as Defense Mechanism
Despite rising AI-related risks, organizations are increasing AI adoption in their security programs. Vanta’s approach centers on what Epling calls a “24/7 GRC engineer”—an AI agent with complete program awareness.
The Vanta AI Agent 2.0, announced at VantaCon, connects across compliance frameworks, vendor assessments, questionnaires, policies, and cloud assets. It can answer questions like: “How prepared are we for our upcoming audit?” or “Which vendors have unresolved security findings?”
“The agent knows everything—your controls, risks, vendors, policies,” Epling says. “It can flag inconsistencies across documents, suggest compensating controls, and prioritize work based on your audit timeline.”
The system operates with a human-in-the-loop model. Every answer includes citations, explains its reasoning, and requires human approval before sharing externally. “We’re building trust in the tool itself,” Epling notes.
Navigating Global Regulatory Complexity
Vanta supports over 40 compliance frameworks, including region-specific standards for the UK, EU, Australia, and New Zealand. The company also offers data sovereignty options, allowing customers to keep their Vanta instance and data in specific regions.
For AI specifically, Epling sees strong adoption of NIST AI RMF and ISO 42001. “ISO 42001 comes up in nearly every large customer conversation now,” he says. “It’s the bedrock for showing you’re using AI responsibly.”
Vanta was the first GRC platform to automate ISO 42001 compliance—and went through the certification process itself.
What’s Next: Priorities for 2026
Looking ahead, Epling identifies two top priorities for security leaders: defending against persistent AI-powered attacks and demonstrating ROI to business stakeholders.
“Every CISO I meet has thousands of alerts,” he says. “The question is how to prioritize and communicate that value to the C-suite.”
Vanta’s integration with Salesforce and other CRM tools helps tie security programs directly to revenue impact, customer retention, and contract obligations.
“We’re not just helping them stay compliant,” Epling concludes. “We’re helping them prove why their program matters.”
With over 14,000 customers—from early-stage startups to enterprises like Atlassian, Snowflake, and Duolingo—Vanta’s growth reflects the urgency of this challenge. As AI threats evolve, so must the tools that defend against them.





