Exclusive: Walmart’s CISO is rebuilding identity security for AI age

VentureBeat recently sat down (virtually) with Jerry R. Geisler III, Executive Vice President and Chief Information Security Officer at Walmart Inc., to gain insights into the cybersecurity challenges the world’s largest retailer faces as AI becomes increasingly autonomous.

We talked about securing agentic AI systems, modernizing identity management and the critical lessons learned from building Element AI, Walmart’s centralized AI platform. Geisler provided a refreshingly candid view of how the company is tackling unprecedented security challenges, from defending against AI-enhanced cyber threats to managing security across a massive hybrid multi-cloud infrastructure. His startup mindset approach to rebuilding identity and access management systems offers valuable lessons for enterprises of all sizes.

Leading security for a company operating at Walmart’s scale across Google Cloud, Azure and private cloud environments, Geisler brings unique insights into implementing Zero Trust architectures and building what he calls “velocity with governance,” enabling rapid AI innovation within a trusted security framework. The architectural decisions made while developing Element AI have shaped Walmart’s entire approach to centralizing emerging AI technologies.

Presented below are excerpts from our interview:

VentureBeat: As generative and agentic AI become increasingly autonomous, how will your existing governance and security guardrails evolve to address emerging threats and unintended model behaviors?

Jerry R. Geisler III: The adoption of agentic AI introduces entirely new security threats that bypass traditional controls. These risks span data exfiltration, autonomous misuse of APIs, and covert cross-agent collusion, all of which could disrupt enterprise operations or violate regulatory mandates. Our strategy is to build robust, proactive security controls using advanced AI Security Posture Management (AI-SPM), ensuring continuous risk monitoring, data protection, regulatory compliance and operational trust.

VB: Given the limitations of traditional RBAC in dynamic AI settings, how is Walmart refining its identity management and Zero Trust architectures to provide granular, context-sensitive data access?

Geisler: An environment of our size requires a tailor-made approach, and interestingly enough, a startup mindset. Our team often takes a step back and asks, “If we were a new company and building from ground zero, what would we build?” Identity & access management (IAM) has gone through many iterations over the past 30+ years, and our main focus is how to modernize our IAM stack to simplify it. While related to yet different from Zero Trust, our principle of least privilege won’t change.

We’re encouraged by the major evolution and adoption of protocols like MCP and A2A, as they recognize the security challenges we face and are actively working on implementing granular, context-sensitive access controls. These protocols enable real-time access decisions based on identity, data sensitivity, and risk, using short-lived, verifiable credentials. This ensures that every agent, tool, and request is evaluated continuously, embodying the principles of Zero Trust.

VB: How specifically does Walmart’s extensive hybrid multi-cloud infrastructure (Google, Azure, private cloud) shape your approach to Zero Trust network segmentation and micro-segmentation for AI workloads?

Geisler: Segmentation is based on identity rather than network location. Access policies follow workloads consistently across both cloud and on-premises environments. With the advancement of protocols like MCP and A2A, service edge enforcement is becoming standardized, ensuring that zero trust principles are applied uniformly.

VB: With AI lowering barriers for advanced threats such as sophisticated phishing, what AI-driven defenses is Walmart actively deploying to detect and mitigate these evolving threats proactively?

Geisler: At Walmart, we’re deeply focused on staying ahead of the threat curve. This is especially true as AI reshapes the cybersecurity landscape. Adversaries are increasingly using generative AI to craft highly convincing phishing campaigns, but we’re leveraging the same class of technology in adversary simulation campaigns to proactively build resilience against that attack vector.

We’ve integrated advanced machine learning models across our security stack to identify behavioral anomalies and to detect phishing attempts. Beyond detection, we’re proactively using generative AI to simulate attack scenarios and pressure-test our defenses by integrating AI extensively as part of our red-teaming at scale.

By pairing people and technology together in these ways, we help ensure our associates and customers stay protected as the digital landscape evolves.

VB: Given Walmart’s extensive use of open-source AI models in Element AI, what unique cybersecurity challenges have you identified, and how is your security strategy evolving to address them at enterprise scale?

Geisler: Segmentation is based on identity rather than network location. Access policies follow workloads consistently across both cloud and on-premises environments. With the advancement of protocols like MCP and A2A, service edge enforcement is becoming standardized, ensuring that zero trust principles are applied uniformly.

VB: Considering Walmart’s scale and continuous operations, what advanced automation or rapid-response measures are you implementing to manage simultaneous cybersecurity incidents across your global infrastructure?

Geisler: Operating at Walmart’s scale means security must be both fast and frictionless. To achieve this, we’ve embedded intelligent automation into layers of our incident response program. Using SOAR platforms, we orchestrate rapid response workflows across geographies. This allows us to contain threats rapidly.

We also apply extensive automation to continuously assess risk and prioritize response actions based on risk. That lets us focus our resources where they matter most.

By bringing talented associates together with rapid automation and context to help make quick decisions, we are able to execute upon our commitment to delivering security at speed and scale for Walmart.

VB: What initiatives or strategic changes is Walmart pursuing to attract, train, and retain cybersecurity talent equipped for the rapidly evolving AI and threat landscape?

Geisler: Our Live Better U (LBU) program offers low- or no-cost education so associates can pursue degrees and certifications in cybersecurity and related IT fields, making it easier to associates from all backgrounds to upskill. Coursework is designed to provide hands-on, real-world skills that are directly applicable to Walmart’s infosecurity needs.

We host our annual SparkCon (formerly known as Sp4rkCon) that coordinates talks and Q&As with renowned professionals for sharing wisdom and proven strategies. This event also explores the latest trends, techniques, technologies and threats in cybersecurity while offering opportunities for attendees to connect and build valuable relationships to further their careers.

VB: Reflecting on your experiences developing Element AI, what critical cybersecurity or architectural lessons have emerged that will guide your future decisions about when and how extensively to centralize emerging AI technologies?

Geisler: That’s a critical question, as our architectural choices today will define our risk posture for years to come. Reflecting on our experience in developing a centralized AI platform, two major lessons have emerged that now guide our strategy.

First, we learned that centralization is a powerful enabler of ‘velocity with governance.’ By creating a single, paved road for AI development, we dramatically lower the complexity for our data scientists. More importantly, from a security standpoint, it gives us a unified control plane. We can embed security from the start, ensuring consistency in how data is handled, models are vetted, and outputs are monitored. It allows innovation to happen quickly, within a framework we trust.

Second, it allows for ‘concentrated defense and expertise.’ The threat landscape for AI is evolving at an incredible pace. Instead of diffusing our limited AI security talent across dozens of disparate projects, a centralized architecture allows us to focus our best people and our most robust controls at the most critical point. We can implement and fine-tune sophisticated defenses like context-aware access controls, advanced prompt monitoring and data exfiltration prevention, and have that protection instantly cover our use cases.

Daily insights on business use cases with VB Daily

If you want to impress your boss, VB Daily has you covered. We give you the inside scoop on what companies are doing with generative AI, from regulatory shifts to practical deployments, so you can share insights for maximum ROI.

Read our Privacy Policy

Thanks for subscribing. Check out more VB newsletters here.

An error occured.