Future of Data Security

EP 30 — Postman's Sam Chehab on Three Unteachable Traits He Hires For



At Postman's scale of 40 million developers generating billions of API requests, Sam Chehab, Head of Security & IT, centers on three enforcement domains: authenticated and encrypted data paths, zero-trust inter-service communication, and runtime instrumentation. His vendor evaluation is just as precise, cutting past feature lists to one demand: show me the architecture diagram and walk through exactly how your solution addresses my threat models.

Sam identifies why generative AI creates fundamentally new risk: the combination of private data access, untrusted content processing, and external communication capability. This trifecta explains why browser-based AI is nearly impossible to contain; it touches local machines, queries the open web, and executes actions on your behalf. Sam also covers how he screens for three traits he can't train: initiative to self-direct research, attitude to absorb constant setbacks, and aptitude to process how rapidly this field moves.

Topics discussed:

  • Implementing data path integrity, zero-trust inter-service authentication, and runtime instrumentation with immutable logs

  • Evaluating cybersecurity vendors by demanding architecture diagrams and specific threat model solutions rather than feature lists

  • Managing freemium platform security with anomaly detection, rate limiting, and abuse prevention across 40 million developers

  • Identifying AI security's dangerous trifecta: private data access, untrusted content processing, and external communication capabilities 

  • Building MCP generators that enable least-privilege API servers by allowing developers to select only required methods before deployment

  • Using AI agents to generate security tests during development, shifting validation from security teams to automated testing

  • Applying security hygiene fundamentals before adopting specialized vendor solutions

  • Hiring security teams based on three unteachable traits: initiative, attitude, and aptitude


Future of Data Security, by Qohash