Legacy Vulnerabilities, Machine Speed Attacks, and Routing AI Safely with Mike Hiltz - Ep 225

Mike Hiltz IMAGEMike Hiltz is the VP and CISO of Nference, a biomedical AI company that works with academic medical centers including Mayo Clinic and Duke University to make millions of patient records, from structured electronic health data to unstructured physician notes, searchable and computable for clinical research. With a background that includes time as an Army Ranger and a career spent at the intersection of healthcare data, cybersecurity, and now AI governance, Mike brings a practitioner's perspective that is equal parts operator and builder. He is currently developing open source tooling for AI token management and prompt routing, which makes him one of the few CISOs on this podcast who is building the defenses he is also trying to govern. 

 

apple
spotify
stitcher
google podcast
Deezer
iheartradio
tunein
partner-share-lg

Here’s a glimpse of what you’ll learn: 

 

  • How Nference deploys inside academic medical center environments to de-identify patient data using AI and make it available for clinical research without it ever leaving the institution
  • Why Mike believes the defenders will ultimately win the AI security battle and the specific condition that has to be true before that happens
  • Why the industry's decades of unexploited legacy vulnerabilities created a false sense of security that machine-speed attacks are now dismantling
  • Why small organizations are not safer because attackers ignore them, and how they become the supply chain liability that puts large organizations at risk
  • How Mike built Memforge, an open source memory management system for AI agents, specifically because Claude kept putting him in timeout while vibe coding an Android app
  • Why AI token budgeting and smart model routing matter as much to security governance as they do to cost, and what Mike is building to solve both simultaneously
  • Why security awareness training may become unnecessary as AI-powered real-time protection matures, and why we are not there yet for the populations that need it most

 

In this episode…

Mike opens with a description of Nference that reframes what healthcare AI actually means in practice. The challenge is not just digitizing patient records. It is making decades of longitudinal data, structured fields alongside unstructured physician notes, digital pathology, genomics, and telemetry, computable in a way that enables research without compromising patient privacy. Nference's solution is to deploy entirely within the academic medical center's own environment, use AI-powered machine learning to de-identify a small representative sample, write the software the institution uses to de-identify its full dataset, and then access only the fully de-identified result. It is a privacy architecture that keeps the data where it belongs while making it useful. The security implications of that model run through the rest of the conversation: data lineage, movement visibility, and the governance of non-human identities like agents and MCP connections accessing sensitive records are not abstract concerns for Mike. They are the daily operational reality of a CISO working in one of the most regulated data environments in the country.

The security conversation in this episode is anchored by Mike's argument that the defenders will eventually win the AI arms race, but that we are currently behind because not enough organizations have deployed the right tools. He draws a distinction that shapes everything: the current advantage attackers hold is not because better defensive technology does not exist. It is because the technology exists and is not yet ubiquitous. Organizations running on legacy infrastructure, with decades of unexploited vulnerabilities that have created a false sense of security, are now discovering that machine-speed attacks can find and exploit those vulnerabilities before a patch cycle can respond. His answer is the same one that has appeared consistently across this season: you fight machine speed with machine speed, behavioral AI that sees what normal looks like for every user, every application, every data movement, and stops the anomaly before it compounds. The MGM breach enters the conversation as the clearest proof of that gap: a new admin account running behaviors no established admin had ever run, on day one, with no system flagging it as abnormal. Mike is an optimist about where this ends. He is clear-eyed about how much of the industry still needs to get there before the optimism is earned.

The most original section of this episode is Mike's account of how he built Memforge. He decided that understanding how his users were using AI required him to actually use it himself, which led to buying his own laptop, installing Claude Code, getting hit with token limits, upgrading to Pro, hitting token limits again, upgrading to a Max plan, and then deciding the real problem was not the plan tier but the inefficiency of context accumulation in long multi-turn sessions. Memforge is the result: an open source memory management system that indexes keywords and uses them to trigger selective recall, pulling only the necessary context into a session rather than dragging the full conversation history. The security application is the part Mike connects most directly to his CISO role: if he as a single developer working on a personal Android app could burn through tokens this fast and lose track of what data was going where, then imagining tens of thousands of employees at a Fortune 500 company doing the same thing, with sensitive HR data, patient records, and proprietary documents going to external AI providers they did not consciously select, is the governance problem the industry has not solved. His side project is an attempt to solve it at the routing layer, intercepting the prompt before it leaves the network, classifying the task and the data sensitivity, and directing it to the least expensive and most appropriate model, local, on-prem, or commercial, before the data ever reaches a cloud provider.

 

 

Resources mentioned in this episode

 

Matthew Connor on LinkedIn
CyberLynx Website
Mike Hiltz on LinkedIn
Nference Website
Darktrace Website
Sentinel One Website

 

Sponsor for this episode...

 

This episode is brought to you by CyberLynx.com  

CyberL-Y-N-X.com.

CyberLynx is a complete technology solution provider to ensure your business has the most reliable and professional IT service.

The bottom line is we help protect you from cyber attacks, malware attacks, and the dreaded Dark Web.

Our professional support includes managed IT services, IT help desk services, cybersecurity services, data backup and recovery, and VoIP services. Our reputable and experienced team, quick response time, and hassle-free process ensures that clients are 100% satisfied. 

To learn more, visit cyberlynx.com, email us at help@cyberlynx.com, or give us a call at 202-996-6600.

 

Check out previous episodes:

 

The Economics of Cybercrime and the AI Strategy Behind Getty with Isaac Straley - Ep 224

No Longer Exploratory: Building AI Governance for K12 with Desmond Grant - Ep 223

Building the School of the Future in Kansas with Rob Dickson - Ep 222 

 

 

Transcript: 

 

Mike Hiltz

VP & CISO

Nference


Matthew Connor: Matthew Connor here, host of the Cyber Business Podcast. Today we're joined by Mike Hiltz, VP and CISO at Nference. Mike, welcome to the show.

Mike Hiltz: Thanks for having me, Matthew. I appreciate it.

Matthew Connor: Thanks for coming on. Before we get too far in, a quick word from our sponsors. Hackers are getting smarter — is your security keeping up? Cyberlynx sells industry-leading, AI-powered cybersecurity solutions that detect threats in real time, so you know about an attack before the damage is done, not after. Learn more at cyberlynx.com. And now back to our show.

Mike, for those who aren't familiar, can you tell us about Nference and your role there as CISO?

Mike Hiltz: Sure. Nference works with academic medical centers to take patient data — there's enormous amounts of it out there, millions and millions of records, longitudinal data spanning multiple years, as well as structured and unstructured data. You have things easily obtainable from electronic health records in specific columns, but you also have things like doctor's notes, various types of telemetry, digital pathology, genomics. How do you make all of that computable and searchable? Nference helps academic medical centers — places like Mayo Clinic and Duke University — do exactly that. We make the data searchable and available for research, whether internal research or through customers who want to do this type of analysis on patient data. That's really how Nference generates revenue.

Matthew Connor: Walk me through that a bit more. Electronic medical records are notoriously siloed and don't talk to other systems well. How do you collect, secure, and then make that data searchable while protecting patient confidentiality?

Mike Hiltz: Nference had a novel approach: deploy our solution inside the partner's environment and help them de-identify the data there. For electronic health records, there are a couple of recognized methods of de-identification, and one is expert determination. What we do is use AI and machine learning to assist with de-identification. We get access to a very small subset of the data under agreement, and then we write software that our data partners use to de-identify their full dataset. After that expert determination process is complete, we get access to the fully de-identified dataset.

Matthew Connor: That's genuinely cool. And is this something that's become even more powerful with recent AI advances, or has Nference been doing this for a while and AI is just making it easier?

Mike Hiltz: They've been doing it for a while, but AI is absolutely making it easier. The additional models now available, the pre-built capabilities, and the ability to do things like agentic orchestration — taking multiple agents and orchestrating the de-identification or synthesis of data — it's continually growing. I think there's a huge opportunity to leverage that against this data to genuinely improve patient outcomes. Now that we have access to longitudinal patient history — what medications they've taken, how they've been treated — we can surface that information to help physicians make better future treatment decisions. The AI isn't making the decision. It's enabling the physician to make a more informed one.

Matthew Connor: And as CISO, you're sitting on top of all of that. Let's talk about AI in security, because I think this is where it gets really exciting. I love what Darktrace is doing — not just bolting an LLM onto a traditional security product, but using machine learning the right way to understand what's normal and stop what isn't. I think products like that give us a genuine glimpse of where security is headed. What are you seeing and doing today when it comes to AI in your security stack?

Mike Hiltz: I think vendors are increasingly including meaningful AI features in their products now — Darktrace being a solid example. And where I see the real value coming is in data lineage and telemetry. We started with basic classifiers — can you classify this data, can you see data movement or configuration issues? But the more interesting question is: can you see the lineage? Where did the data start, where did it move, how did it move? With AI, we can start to answer those questions at a scale and speed that wasn't possible before. And when you layer in things like AI agents operating as non-human identities, MCP servers, agent-to-agent interactions — you need that full telemetry to make meaningful risk determinations about data movement. That's where AI is going to accelerate our detection capabilities significantly.

Matthew Connor: And that machine-speed attack problem is real. The bad guys are finding vulnerabilities that have existed for decades and exploiting them before we can respond. Traditionally, patch management was the defense — but that's like an encyclopedia: by the time it's printed, it's out of date. You have to fight fire with fire. If something blows through your perimeter, you need something operating at machine speed to see it and respond. What's your take on where we are in that fight?

Mike Hiltz: I completely agree. You need AI to defend against AI. If you're only responding in minutes, you're already too late in many scenarios. And what I love about the behavioral analysis approach — and this has been evolving for a long time — is that AI is just going to be dramatically better at end-to-end heuristics than the algorithms we were writing before. Is this user doing something they normally do? AI can analyze that pattern across every dimension simultaneously, and it's all mathematics at the end of the day — AI just does it better.

The DocuSign example is a perfect illustration. Everybody's using DocuSign. It's a legitimate domain with a clean reputation. A traditional security gateway looks at it and says: legitimate sender, legitimate domain, passes. But the email is clearly a threat. How do you tell a traditional rule-based system to catch that when the signals it's been given all check out? You can't. AI can. It reads context, behavioral signals, timing, content, and can flag that something is wrong even when all the individual components look clean. That's the difference between machine learning done right and just taping an LLM onto an existing security product.

Matthew Connor: And the end goal — the thing I really want to see — is that the end user doesn't have to think about any of this. If Jane is great at accounting, she shouldn't also have to be great at cybersecurity. That's not her job. Success for IT and security is when the end user can do their job full-time without ever having to worry about security. And I think AI starts to get us there — slowly but surely. I look forward to the day when Siri is listening locally to a phone call and tells Grandpa Matt that this is not Microsoft calling, this is a scam, and offers to hang up. That's the future I see coming.

Mike Hiltz: I agree with most of that, but I'll push back slightly — I still think education matters. I think we do a disservice by not investing more in security awareness, especially for older and more vulnerable populations. Technology isn't infallible. Even AI can't catch 100% of AI-driven threats. It's the same as situational awareness in the military — you have to have some awareness of your environment to protect yourself, because the tools alone won't always save you. I hate using the phrase "security awareness training," but the concept matters. That said — I think the technology is headed in the right direction, and I do believe we'll eventually get to a point where the end user genuinely never has to think about it. The self-driving car is the right analogy: years ago it was a drunk toddler. Now it's legitimately impressive. I've been in the car twice where autopilot reacted to a situation faster than I ever could have. When that happens, you understand viscerally that humans are not going to be the right choice behind the wheel for much longer. Security will get there too.

Matthew Connor: And right now we're in this in-between period where the bad guys have organized into full enterprises — marketing departments, HR departments, KPIs around successful attacks. They're well-funded and they've got the tools. But I do think we get there. As products like Darktrace become more ubiquitously deployed across organizations of all sizes, the defensive surface becomes so hardened that the math stops working for the bad guys. The problem right now isn't that the technology doesn't exist — it's that too many organizations haven't deployed it yet. Too much legacy infrastructure, too many unpatched vulnerabilities. The moment enough organizations are using the right AI security tools, the economics of cybercrime start to collapse.

Mike Hiltz: That's exactly right. And the cost argument — "we can't afford it" — I think that's simply not true anymore. If you're not spending what's needed to properly defend the organization, the question is whether you can afford to be in business at all. And if CISOs can't make that case to business leaders, that's on us. We have to get better at tying security investment to business outcomes.

Now, one thing I've been thinking about a lot is the AI budget problem from the other direction — organizations burning through their AI token budgets much faster than expected. I've actually been working on a side project around this. There are companies like Open Router starting to do auto-routing — using the best model for the specific task rather than sending everything to a flagship model. What I've been building is a routing matrix that also incorporates data sensitivity. The idea is: classify the task, classify the sensitivity of what's being sent, and then route appropriately. If a member of the HR team uploads a document for analysis that contains employee information, you don't need to send that to Claude or OpenAI's API. You send it to an on-premises or private model where the data stays inside your perimeter. If someone asks a simple coding question, you don't need a flagship model — route it to a capable open-weight model locally. Use the flagship models for the tasks that genuinely require them.

I went down this path personally because as a CISO, I wanted to understand exactly how my developers and users were actually working with AI — what they were sending, what was coming back. So I bought my own laptop and started experimenting. I started using Claude Code and burned through tokens constantly. I'd get put in time-out: "Come back in three hours." I upgraded to Pro, kept burning through it. Eventually I got a Max plan. But through that process, I built something I call Memforge — I've open-sourced it — which is a memory management system for AI sessions. The basic problem is that as a conversation with an AI model grows, the context window fills up with the full back-and-forth, and you're paying for all of that token usage even when most of it is irrelevant to what you're currently working on.

Memforge takes an index of keywords and triggers selective memory recall. If I say I want to work on something related to my architecture, it pulls in the relevant architecture context rather than the entire conversation history. Now the agent is working in a tight bubble with only the necessary context to complete the current task. For agentic orchestration — which is where I'm spending a lot of time now — you can give your orchestrator broader context so it can coordinate agents and verify their work isn't conflicting, while keeping each individual agent working efficiently with a minimal context footprint. Combined with smart model routing, it dramatically reduces token costs.

Matthew Connor: And the data security angle of that is what's really interesting — if you can intercept the prompt before it leaves your network, classify it by task type and data sensitivity, and route it to the appropriate model, you've essentially built an AI security gateway. Perplexity is doing something similar in terms of model routing, but without the sensitivity layer. I think that sensitivity-aware routing is where things get really enterprise-ready.

Mike Hiltz: Exactly. And that's the piece that's missing broadly right now. If you imagine thousands of developers at a Fortune 500 company all doing what I was doing on my own — where is that data going? What's being sent to which cloud provider? What MCP servers are involved? That's the challenge. The solution I've been building tries to address that by catching it at the agent level before anything leaves the network, routing based on task complexity and data sensitivity, and making the whole thing auditable and traceable. Data loss prevention, PHI and PII detection, policy enforcement — all of that needs to happen before the data touches an external model. That's the future of enterprise AI governance, and we're still in the early stages of figuring it out.

Matthew Connor: Mike, this has been an absolute blast. I think we could do this all day. Before we go, can you tell everyone where they can find out more about you and Nference?

Mike Hiltz: Sure. Nference is at nference.ai or nference.com — NFERENCE, just like it sounds. I'd also mention Anumana — anumana.ai — another company I support that's doing great work in ECG analysis and heart disease detection using machine learning. Worth checking out. Thanks for having me — this was a ton of fun.

Matthew Connor: It really was. Mike, until next time.

Mike Hiltz: Thank you very much.

Read On

From 45-Year Mainframe to AI Campus: Loyola's CIO on What Works with Alan Schomaker - Ep 221

From 45-Year Mainframe to AI Campus: Loyola's CIO on What Works with Alan Schomaker - Ep 221

Alan Schomaker is the CIO of Loyola University New Orleans, a Jesuit-based institution of...

Read more
You Can't Outrun a Script: AI Security in a Law Firm with Michael Massey - Ep 220

You Can't Outrun a Script: AI Security in a Law Firm with Michael Massey - Ep 220

Michael Massey is the CISO at Reminger Co LPA, a defense-focused law firm handling medical...

Read more
AI Is Draining the Grid: Behind-the-Meter Power Solutions with Tony Uttley - Ep 215

AI Is Draining the Grid: Behind-the-Meter Power Solutions with Tony Uttley - Ep 215

Tony Uttley is the CEO of Enginuity Power Systems, a behind-the-meter cogeneration company...

Read more