The Role of AI and Compliance in Modern Risk Management: ShowMeCon 2025

When people think of St. Louis, it’s often the Gateway Arch or the Cardinals that come to mind. Just across the Missouri River lies St. Charles, one of the "Show Me" state's oldest European settlements, dating back to 1769. A stone's throw from where Lewis and Clark set off on their famous expedition, something more than baseball statistics, historical trivia, or architectural wonders was being discussed in early June: security, compliance, and risk at ShowMeCon 2025.

Around 400 practitioners gathered for two full days of sessions, villages, and a CTF run by MetaCTF. There was much discussion of the industry's distinction between controls, policies, and security. A general theme emerged: real security demands context, rigor, and an adaptive posture, not just checking the box. Here are just a few highlights from the 2025 edition of ShowMeCon.


Compliance as Catalyst: How PCI Sparked a Security Industry

In the riveting opening keynote, "Compliance EQUALS Security," security legend Jeff Man, currently Sr. Information Security Evangelist at Online Business Systems, unpacked PCI’s evolution since 2004, when it was barely a 12‑page set of common-sense policies addressing basics like network topology and encryption. Now it’s a sprawling 397‑page document, with six goals, 12 requirements, and near-endless sub-requirements. Jeff reminded us that PCI was born out of necessity, to protect against the theft of credit cardholder data. Scandals like the TJX breach in 2007 and the Heartland Payment Systems incident in 2009 severely damaged trust and compelled the industry to "build teeth into compliance." 

Yet PCI’s maturation revealed friction. Requirements for segmentation, scanning, antivirus, patching, logging, and penetration testing, while useful, were implemented in isolation. Organizations treated network scans like fire drills: done once a quarter, filed away, and forgotten. Qualified Security Assessor (QSA) reports became “pass/fail” grade-getting rituals rather than operational hygiene.

Jeff said PCI compliance is necessary, but insufficient. It created markets and tools, but scanning became a checkbox instead of an ongoing defense. QSAs became grade-posters, not risk consultants. Until compliance is translated into continuous, context-aware security operations, we continue to relive breaches instead of preventing them.

Jeff closed by reminding us that it was only when there was real money on the line, in terms of business and fines, that we started taking the underlying issues around data security seriously. We need to ensure our organizations are doing the right thing to meet the spirit of these regulations, not just checking boxes. 


When policy meets AI: Automation’s double‑edged blade

Dan Yarger, Principal at Parameter Security and also a QSA, shared what has and hasn't worked for him in his session, "Leveraging AI for Policy: Insights into Strengths and Weaknesses." He said AI can whip up a first draft faster than any human. That’s great for generating general templates around incident response, uptime, privacy, and acceptable use. When we need to get into details and specifics, we must remember that AI is not a lawyer or a CISO.

AI will hallucinate definitions or roles, meaning anything it produces needs a thorough check by people who know the policy domain themselves. He demoed using Copilot to generate a PCI policy baseline, then layered organization-specific context on top of it. The key is always oversight: prompt smart, validate rigorously, iterate often. Use AI as a co-author, not as a decider. Keep in mind that policies are ultimately about operational risk, reputational exposure, and legal liability, for which you, not the model, are responsible.

Dan’s framing here rings true for developers, DevSecOps engineers, and CISOs. In environments where policy compliance is as critical as secure code, relying on black‑box AI can create more risk than it manages. The future is hybrid, AI scaffolding paired with expert scrutiny. Dan says he can foresee a use case of contextual policy review that suggests new policies where gaps might have been otherwise overlooked. 


Insider threats and AI‑augmented adversaries: Align fundamentals

In a one-time-only performance of a very ambitious and very well-executed session format, Tim MalcomVetter, CEO of Wirespeed, brought us “Choose Your Own Cyber Adventure." The talk consisted of five sections, and the audience decided the order in which to cover them. Each section was highly interactive, asking us to choose how to respond to real-world security scenarios. Each path led to the same lesson: being honest about your actual posture, rather than trying to check every box, leads to better security for everyone.

Tim emphasized the importance of fundamentals: PAM, authentication hygiene, telemetry, and anomaly detection, over flashy new AI models. He said, unfortunately, there are no magic cures. If we want to tackle supply‑chain compromises, we need to focus on reachability and detection. Attackers aren’t using fully autonomous AI to pull off novel attacks, but they are leveraging it to probe and to summarize what they find faster than ever. The heavy lifting, the lateral movement, exfiltration, and impact decision-making, still happens via human intelligence backed by infrastructure control. Additionally, AI consumes far more electricity to accomplish its tasks than a traditional script would, which makes the situation feel even worse.

His conclusion is crisp: strip security down to its five core vectors: public-facing application vulnerabilities, authentication abuse, phishing, physical access, and supply‑chain compromise. Apply layered defenses to each. AI helps, but it doesn’t replace your fundamentals. Adversaries using AI will weaponize the same tactics against the same vectors; they just do it faster.


Compliance Is Your Security Scaffold, Not The Whole Building

Taken together, the sessions at ShowMeCon delivered a pointed message: compliance frameworks and governance models give form and structure, but it’s on practitioners to build the defenses that actually stand up. Treat compliance as a starting point and build continuous, adaptive security around it. Let me unpack that along a few core dimensions:

Structural Rigor vs. Operational Reality

PCI taught us that if you enforce segmentation and patching quarterly, but don’t validate them daily, you’re papering over cracks. QSAs will review network diagrams, but won’t monitor if permissions escalate tomorrow or if a service is misconfigured after deployment.

The fix isn’t more documentation; it’s operationalizing controls. You need posture-aware detection, robust telemetry (EASM, CSPM, SIEM), and real-world verification. We need to practice with our real-world stakeholders through tabletop drills, red-team simulations, and chaos engineering.

You can generate a policy that looks PCI‑aligned, but if you don’t map that policy to real roles, workflows, enforcement gates, and exceptions, your org still lives in reactive mode. AI gives you the skeleton; you give it muscle and power.

Outside-In Mindset, Inside-Out Execution

Horror stories like those from TJX and Target still resonate because they feel familiar: external adversaries using new tricks against old gaps. Yes, Magecart-style e-commerce skimming still looms, but today’s most pressing issue is credential and identity misuse. The Verizon DBIR now ranks credentials above card data as the high-value target. If identity is the new perimeter, that’s where the security scaffolding must be anchored.

SaaS proliferation, a jumble of legacy applications, and shadow IT make identity and privilege escalation critical. We must build scaffolding around Identity Threat Detection and Response (ITDR), Zero Trust, and continuous authentication posture assessments. Compliance may demand MFA, but your scaffold needs to enforce, monitor, and respond in real time.
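To make "enforce, monitor, and respond" concrete, here is an added example of my own (not code from any ShowMeCon talk, and it also illustrates the "operationalizing controls" point under Structural Rigor above). A compliance document asserts "MFA is required for interactive logins to in-scope systems"; the script checks that assertion against login telemetry, event by event, and produces the coverage number a quarterly attestation would claim is 100 percent. The event format, field names, the in-scope app list, the exemption table, and the sample events themselves are all assumptions constructed for the example; map them to whatever your identity provider exports.

```python
"""Continuous MFA-enforcement check over authentication events.

Added example, not code from any ShowMeCon talk. Event format, field
names, app list and exemption table are assumptions for the example.
"""
import json

# Constructed sample events (not real data; field names are assumed).
SAMPLE_EVENTS = [
    '{"ts":"2025-06-10T13:01:02Z","user":"alice","result":"success","mfa":true,"src_ip":"203.0.113.5","app":"vpn"}',
    '{"ts":"2025-06-10T13:04:44Z","user":"svc-backup","result":"success","mfa":false,"src_ip":"10.0.4.7","app":"console"}',
    '{"ts":"2025-06-10T13:05:10Z","user":"bob","result":"success","mfa":false,"src_ip":"198.51.100.23","app":"admin-portal"}',
    '{"ts":"2025-06-10T13:06:00Z","user":"bob","result":"failure","mfa":false,"src_ip":"198.51.100.23","app":"admin-portal"}',
    '{"ts":"2025-06-10T13:07:30Z","user":"carol","result":"success","mfa":true,"src_ip":"203.0.113.9","app":"admin-portal"}',
    '{"ts":"2025-06-10T13:09:00Z","user":"svc-backup","result":"success","mfa":false,"src_ip":"203.0.113.77","app":"console"}',
    'not json at all',  # malformed line, to show the parser tolerates it
]

# Policy inputs (assumed values for the example).
MFA_REQUIRED_APPS = {"vpn", "admin-portal", "console"}
# Documented exceptions: non-interactive accounts that may skip MFA, but only
# from the network they are supposed to live on. The prefix check is a
# deliberate simplification; use the ipaddress module in production.
MFA_EXEMPTIONS = {"svc-backup": {"allowed_from": "10."}}
REQUIRED_FIELDS = {"ts", "user", "result", "mfa", "src_ip", "app"}


def parse_events(lines):
    """Parse JSON-per-line auth events; skip malformed or incomplete lines."""
    events = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and REQUIRED_FIELDS <= event.keys():
            events.append(event)
    return events


def in_scope_successes(events):
    """Successful logins to apps where the MFA control is supposed to apply."""
    return [e for e in events
            if e["result"] == "success" and e["app"] in MFA_REQUIRED_APPS]


def check_mfa_enforcement(events):
    """Return one finding per successful in-scope login that bypassed MFA.

    A documented exemption used from its permitted network is not a finding;
    the same exempt account used from anywhere else is the highest severity,
    because that is exactly the path a stolen service-account secret takes.
    """
    findings = []
    for e in in_scope_successes(events):
        if e["mfa"]:
            continue
        exemption = MFA_EXEMPTIONS.get(e["user"])
        if exemption and e["src_ip"].startswith(exemption["allowed_from"]):
            continue
        findings.append({
            "ts": e["ts"],
            "user": e["user"],
            "app": e["app"],
            "src_ip": e["src_ip"],
            "severity": "high" if exemption else "medium",
            "reason": ("exempt account used outside its allowed network"
                       if exemption else "interactive login without MFA"),
        })
    return findings


def mfa_coverage(events):
    """(logins with MFA, all in-scope successful logins)."""
    successes = in_scope_successes(events)
    return sum(1 for e in successes if e["mfa"]), len(successes)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for f in check_mfa_enforcement(evts):
        print(f"[{f['severity']}] {f['ts']} {f['user']}@{f['app']} "
              f"from {f['src_ip']}: {f['reason']}")
    with_mfa, total = mfa_coverage(evts)
    print(f"MFA coverage on in-scope logins: {with_mfa}/{total}")
```

Run against the constructed sample, it reports two findings: an interactive login without MFA, and the exempt backup account authenticating from outside its permitted network, with coverage of 2 of 5 in-scope logins. Feeding the same check a live event stream instead of a list of strings is the step that turns "we require MFA" into something you can verify today.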

AI As A Partner And A Threat

AI can scaffold policy, triage alerts, or inform your team's threat-hunting, but it can also serve adversaries. It can be a tool for crafting spear-phishing campaigns and for scanning repos for misconfigurations and vulnerabilities. AI lowers the barrier for entry, but doesn’t eliminate human orchestration. 

That means your scaffold needs two-way AI. One AI that aids defenders in decision-making and one that surveils adversary automation, flagging anomalies. This requires model tuning, prompt hygiene, training data management, and output-review processes. It’s about AI risk posture.

Lowering Risk Takes Teamwork

From an operational-risk perspective, we need to elevate CISOs and their teams from checkbox reporters to continuous threat‑aware gatekeepers. This means driving accountability into tool pipelines, policy generation workflows, and privilege management systems. It means merging human oversight and continuous enforcement into our policies.

If this sounds like extra friction, it is. The benefit, though, is that when you move from “we’re PCI compliant” to “we can detect, verify, and respond without waiting for the next review,” you are transforming operational risk into operational resilience.

Driving Policy And Security Forward Together

Compliance matters, as it gave us segmented networks, encryption controls, and pentesting budgets. It birthed markets, disciplines, and a shared vocabulary for risk. However, if we stop there, adversaries will continue to exploit compliance gaps to get into our systems and steal our data.

The path forward is to treat compliance as your scaffold, not your fortress. This is true for all of security. For example, your author was able to give a talk about secrets security and how we need to approach it pragmatically, not just replace one long-lived secret with another. Instead, we need to treat frequent rotation of non-human identity (NHI) secrets as the baseline while we think through long-term strategies around identity.
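As an added example of what that baseline looks like as a check rather than a slide (my own code, not from the talk), the following audits a secrets inventory against a maximum-age policy and flags two things: secrets past their rotation limit, and secrets with no expiry at all, since a "rotation" that hands out another never-expiring credential has not changed the risk. The inventory format, secret kinds, owners, dates and age limits are assumptions constructed for the example; the fixed clock is there so the numbers are reproducible.

```python
"""Rotation-age audit for non-human identity (NHI) secrets.

Added example, not code from the talk. Inventory format, secret kinds and
age limits are assumptions for the example.
"""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2025, 6, 10, tzinfo=timezone.utc)

# Constructed inventory (not real data), shaped like a normalised export
# from a secrets manager or cloud IAM.
INVENTORY = [
    {"id": "ci-deploy-token", "kind": "api_token", "owner": "svc-ci",
     "last_rotated": "2025-06-01T00:00:00Z", "expires": "2025-07-01T00:00:00Z"},
    {"id": "db-app-password", "kind": "password", "owner": "svc-app",
     "last_rotated": "2024-01-15T00:00:00Z", "expires": None},
    {"id": "cloud-access-key", "kind": "access_key", "owner": "svc-backup",
     "last_rotated": "2025-03-01T00:00:00Z", "expires": None},
    {"id": "webhook-signing-key", "kind": "api_token", "owner": "svc-webhooks",
     "last_rotated": "2025-05-20T00:00:00Z", "expires": "2025-06-19T00:00:00Z"},
]

# Maximum age per secret kind (assumed policy values).
MAX_AGE = {
    "api_token": timedelta(days=30),
    "access_key": timedelta(days=90),
    "password": timedelta(days=90),
}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; tolerate a trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_secrets(inventory, now=NOW, max_age=MAX_AGE):
    """Return findings for overdue and never-expiring secrets.

    A secret of an unknown kind is held to the strictest limit in the policy,
    so an unclassified credential cannot silently escape rotation.
    """
    strictest = min(max_age.values())
    findings = []
    for secret in inventory:
        limit = max_age.get(secret["kind"], strictest)
        age = now - parse_ts(secret["last_rotated"])
        if age > limit:
            findings.append({
                "id": secret["id"], "owner": secret["owner"], "issue": "overdue",
                "age_days": age.days, "days_overdue": (age - limit).days,
            })
        if secret.get("expires") is None:
            findings.append({
                "id": secret["id"], "owner": secret["owner"], "issue": "no_expiry",
                "age_days": age.days, "days_overdue": 0,
            })
    # Most overdue first, so the worst offender is the first line anyone reads.
    return sorted(findings, key=lambda f: (-f["days_overdue"], f["id"]))


if __name__ == "__main__":
    for f in audit_secrets(INVENTORY):
        print(f"{f['issue']:10} {f['id']:22} owner={f['owner']} "
              f"age={f['age_days']}d overdue={f['days_overdue']}d")
```

On the constructed inventory the database password (rotated once, 512 days ago, never expiring) comes out on top, followed by the cloud access key that is 11 days past its 90-day limit; the two tokens with real expiry dates and recent rotations produce nothing. Scheduling this against a live inventory, and paging on the "overdue" rows, is the difference between a rotation policy that exists on paper and one that is in force.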

Where compliance asks “has this control been documented?”, your enforcement layer asks “is the control working, today, in production, under attack?” That’s operational cybersecurity maturity. That’s what will win in the post-TJX, AI-augmented threat landscape. 

Let's shift our point of view from asking “Are we compliant?” to asking “Are we secure, right now?”