Navigating AI and Cybersecurity: Insights from Technology Leaders

Posted by Brightspark on Nov 18, 2025

By Claire Fauquier and Jacques Perreault

Artificial intelligence is moving rapidly from experimental tooling to production-critical infrastructure. AI agents are no longer confined to research labs—they're writing code, managing workflows, and making autonomous decisions across enterprise systems. This is an especially pressing opportunity for the developer/engineering community.

For our recent Spark Session, we invited 12 of Toronto’s early-stage CTOs for a candid conversation about the concerns keeping them up at night. The session was led by Mike Kim of Mycroft, an agentic all-in-one cybersecurity platform.

The conversation explored the emergence of agentic tools and browsers, how this affects culture within their engineering organizations, and how we can take advantage of new tools while still ensuring rigour in output.

===

Agent Control: Tracking Agentic Behavior

While identity management is relatively straightforward with humans, defining and tracking agentic identities is entirely new territory. If an AI agent makes 1,000 code changes overnight, how do we audit that? How do we know which agent did what, and more importantly, why?

CTOs agreed that agentic oversight tools will become indispensable. Some form of “overwatch” system is needed to understand what actions agents take, on whose behalf, and for what purpose. The concern is not only about rogue agents but also about ensuring accountability and traceability in an increasingly automated world. For now, a human-in-the-loop feels critical, but there is plenty of opportunity to automate repetitive or straightforward tasks.

The Proactive Approach to QA Tools

Many leaders are actively exploring new solutions for QA and testing tools. While many have reservations about adopting unproven tools, the consensus was clear: it's better to be ahead in QA tooling, setting up sandboxes to fail safely and hedge risks, than to try catching up after quality issues emerge. The cost of prevention is often lower than the cost of fixing a problem after the fact.

A Good Pen Tester is More Important than Ever

A highly skilled pen tester can deliver a 5x ROI or more. The stories shared made it clear: no matter how good you think your security is, there are always vulnerabilities you have not yet considered. The cost of discovery in a controlled pen test is small compared to the cost of a real breach.

Scaling Security Culture: Beyond Tools to Behavior

With all the uncertainties in the adoption of new tools, the best defence is still proper process control and organizational culture.

As Mike said, “With cybersecurity, the imbalance is striking. On defense, you have to be right every time. On offense, you only need to be right once. You can have the greatest antivirus, but if your employees do not follow good practices, it is worthless.”

What Mike’s seen work well is a carrot-type approach to build a strong security culture. Examples included creating leaderboards for security incident reporting and rewarding top reporters with merchandise, establishing public disclosure pages and a hall of fame for security researchers who find vulnerabilities, and making security wins visible across the organization.

===

The discussion revealed just how universal these challenges are. Every CTO agreed that AI tooling will change how engineering teams work in the future, but there is still a lot that is unknown. They are embracing it with intention, building the frameworks, processes, and culture needed to use it responsibly while maintaining security, accountability, and quality. This balance will define the companies that thrive in the AI era.

At Brightspark, we love facilitating thoughtful conversations with real-world stakeholder implications. If these insights resonate, connect with our team or share your thoughts below.
