Tag: data governance

  • Turning Community Noise into Action: My Product Lessons from Zencity’s AI That Listens

    I’m constantly looking for ways to turn messy, multi-source signals into decisions leaders can trust. Recently, I dug into how Zencity powers government decision-making with community voices—and it’s a masterclass in building AI products that are both responsible and useful.

    Noa Reikhav, Head of Product, Zencity; Andrew Therriault, VP of Data Science, Zencity; and Shota Papiashvili, SVP of R&D, Zencity share a comprehensive view of how they designed an AI that listens and acts without sacrificing rigor.

    How do you use AI to help city leaders truly hear their residents?

    I was struck by the clarity of their platform vision—“They share how Zencity brings together survey data, 311 calls, social media, and local news into a unified platform that helps cities understand what people care about—and act on it.” That single line captures the essence of a unified analytics platform done right.

    You’ll hear how the team built their AI assistant and workflow engine by being thoughtful about their data layers, how they combined deterministic systems with LLM-driven synthesis, and how they keep accuracy and trust at the core of every AI decision.

    It’s a fascinating look at how modern AI infrastructure can turn noisy, messy civic data into clear, actionable insight.

    Here are the takeaways that resonated with me most, and they align closely with how I approach AI Strategy and product management leadership. Data architecture defines what AI can do. Guardrails and transparency matter more than flashy outputs. Agentic systems become powerful when grounded in real, multi-tenant data. AI in the public sector can make democracy more responsive—if built responsibly.

    The team’s layered data model is the backbone that enables trustworthy synthesis: raw data → elements → highlights → insights → briefs. As a product leader, I love how each layer introduces meaning and structure while preserving traceability. It’s the difference between a demo-friendly prototype and a durable platform.

    Why context is everything when building AI for civic use. That’s not a platitude—it’s a requirement. Community conversations are hyper-local, emotionally charged, and policy-laden. Without context and rigorous data governance, you risk misclassification, bias, and broken trust.

    How the team designed their AI assistant using MCP servers to safely negotiate data access. This is a smart pattern for privacy-by-design: let the assistant request access, let the system adjudicate, and make the boundary explicit and auditable. In multi-tenant environments, that clarity is the difference between scaling confidently and shipping risk.

    Balancing agentic flexibility with deterministic trust. I’ve found this to be the most practical framing for real-world agentic AI: give the system room to explore, but bind its outputs to deterministic rails where it matters—taxonomy, citations, permissions, and evaluation criteria.

    Evaluating accuracy when latency matters: how they think about evals, citations, and model-as-judge systems. I appreciate the pragmatism here. In production, you don’t have the luxury of slow truth-finding. You need tight feedback loops, interpretable citations, and layered evals to keep both precision and speed.

    Using workflows like annual budgeting or crisis communication to deliver AI-generated briefs to the right people at the right time. This is where product-market fit shows up: not in features, but in end-to-end workflows aligned to real decision cycles and stakeholders.

    Why government workflows are the ultimate “jobs to be done” framework. When the job is a public process—with deadlines, accountability, and high scrutiny—you don’t just need insights; you need timely, contextualized briefs that match the cadence of the work.

    From my lens, the magic isn’t any single model. It’s the orchestration: deterministic systems with LLM-driven synthesis, strong guardrails, transparent citations, and an orchestration layer that routes the right brief to the right role at the right moment. That’s how you turn community noise into legitimate signal—and signal into action.

    If you’re building AI for regulated, high-stakes environments, take note: invest in your data layers, make context a first-class citizen, embrace privacy-by-design with clear access negotiation, and treat evaluation as a living system. Do that, and you’ll earn the trust that makes your AI assistant—and your organization—indispensable.


    Inspired by this post on Product Talk.


  • Urgent Alert: Spot Fraudulent Job Offers Impersonating Pendo—and Protect Your Career

    In my role leading product management, I take brand trust and cybersecurity seriously—especially when it affects people’s livelihoods. Over the past few weeks, I’ve seen a troubling uptick in brand impersonation and social engineering targeting candidates. It’s a reminder that protecting our community isn’t just a technical problem; it’s a product management leadership and stakeholder management responsibility.

    We want to warn you about recent instances of fraudulent job offers purporting to be from Pendo and/or its affiliate companies.

    If you receive an unexpected outreach claiming to be from Pendo with a fast-track offer, requests for payment, or a push to move conversations to informal channels, treat it as a red flag. Scammers often spoof logos, clone profiles, and use vague role descriptions to create urgency. Their goal is to extract personal data, money, or access—classic social engineering tactics that undermine data governance and privacy-by-design principles.

    Here’s how I advise candidates to protect themselves while keeping their job search momentum. Validate every opportunity through the company’s official careers page and confirm the recruiter’s identity through corporate channels. Check that email addresses and domains match publicly listed corporate information, and be wary of communication conducted exclusively through messaging apps. Never pay fees, buy equipment up front, or share sensitive data like Social Security numbers or banking information before a formal, verified offer is in place.

    If something feels off, pause and verify. Contact the company via the channels listed on its website, ask for a video meeting with the recruiter using an official corporate account, and request written details on the role and interview process. If it’s fraudulent, report it to the company, the platform where the outreach occurred, and—when appropriate—local authorities. Acting quickly helps with threat detection and response and protects other candidates from harm.

    From a product and security perspective, this is a cross-functional issue that benefits from AI risk management discipline. Strong signals include clear public guidance on recruiting practices, a dedicated reporting mailbox for suspected scams, and hardened email authentication (SPF, DKIM, DMARC). Pair these with privacy-by-design reviews for hiring workflows, recruiter verification checklists, and ongoing education for talent teams. These measures reduce attack surface while reinforcing brand integrity.

    If you believe you’ve shared information with a fraudulent recruiter, take immediate steps: change any reused passwords, enable two-factor authentication, place fraud alerts or freezes with credit bureaus as appropriate, and monitor accounts for suspicious activity. Document all communications; they can help security teams and platforms act faster.

    Recruitment fraud is emotionally taxing and can erode confidence in the process. Don’t let scammers slow your momentum. Stay vigilant, verify before you trust, and share this warning so others can avoid similar traps. If you’re ever unsure about a message that appears to come from Pendo, pause, validate through official channels, and prioritize your safety first.


    Inspired by this post on Pendo – Best Practices.


  • Build the Cake, Then the Frosting: 3 Elements of a High‑Performing AI Strategy That Wins

    Over the past few years leading product at HighLevel, I’ve watched too many teams rush to demo flashy agents before they’ve built a reliable foundation. The metaphor I use in every AI roadmap review still hits home: “Think of AI readiness as a three-layer cake. Most companies are trying to build the fancy frosting (the agent interface) without bothering to bake the actual cake underneath.” If we want durable impact, we have to bake first, frost later.

    When I design an AI Strategy, I anchor on three elements that map directly to that cake: a data and instrumentation foundation, a governance and risk layer, and finally the agent experience itself. This sequence isn’t theory—it’s how we de-risk delivery, accelerate product-market fit, and create competitive differentiation without compromising trust.

    Layer 1 — Data and instrumentation: The base of the cake is clean, well-instrumented data flowing through a unified analytics platform. I start with a clear event schema, rigorous data quality checks, and tight CRM integration so we can connect outcomes to users, accounts, and journeys. Privacy-by-design is nonnegotiable: we minimize PII, define retention, and ensure consent flows are explicit. With this in place, gen ai features have the context they need—retrieval works, grounding holds, and feedback loops from production inform continuous improvement.

    On top of that, I build measurement in from day one: activation, retention, task success, latency, and satisfaction. Every AI interaction is observable. We run A/B testing with a well-defined minimum detectable effect, pair quant with qualitative review, and feed human-in-the-loop judgments back into ranking and prompt libraries. This is how we avoid “demo-ware” and deliver real, repeatable value.

    Layer 2 — Governance and risk: Before scaling, I formalize AI risk management and data governance. That includes model evaluation against safety and quality thresholds, red-teaming for jailbreaks, and threat detection and response for prompt injection and data exfiltration. We establish policy for model and provider selection, versioning, and rollback; we log prompts, responses, and decisions for auditability; and we define escalation paths when the system is unsure. These controls don’t slow us down—they create the confidence needed for faster iteration and board management alignment.

    I also align legal, security, and product early on a taxonomy of risks—bias, hallucinations, privacy, IP leakage—so we can write tests and guardrails once and reuse them across features. The result is fewer surprises in customer pilots and a far smoother path through enterprise procurement.

    Layer 3 — The agent experience: Only now do we invest in the frosting—the agent interface and workflows. Here I focus on clear jobs-to-be-done, crisp UX writing, and transparent system behavior. We design agentic AI flows that show reasoning steps when helpful, ask for clarification when confidence is low, and gracefully hand off to humans in customer support scenarios. Product tours, in-app guides, and tooltips reduce the learning curve and accelerate user activation.

    Crucially, we measure the interface, not just the model. Agent Analytics tracks intents, tool use, fallbacks, and user corrections so we can tune prompts, tools, and policies. This closes the loop from experience back to data and governance, and it directly informs product roadmapping and sprint planning. When the cake is baked this way, go-to-market becomes easier: we can prove ROI with hard numbers, fine-tune pricing, and scale adoption with product-led growth tactics.

    If your AI roadmap feels stuck, start with an honest readiness audit against these three elements. Shore up instrumentation and data pipelines, codify governance, then refine the agent interface with real user telemetry. Bake first. Frost last. That’s how we ship AI that customers trust—and keep winning after the first demo high fades.


    Inspired by this post on Pendo – Best Practices.


  • Urgent Alert: Spot Fraudulent Job Offers Impersonating Pendo—and Protect Your Career


    Inspired by this post on Pendo – Perspectives.


  • 4 Costly Misconceptions About AI Agents—and What Product Leaders Must Do Instead

    Building AI agents looks deceptively simple right now. After leading multiple agentic AI initiatives, I’ve learned that the difference between a demo and a dependable product comes down to disciplined product discovery, ruthless scoping, and a clear AI Strategy that aligns with business outcomes. Here are four common misconceptions I correct early with stakeholders—and the practices I use to avoid expensive detours.

    Misconception 1: “An LLM plus a few prompts is a production-ready agent.” In reality, production-grade agents require orchestration and rigor: tool-use and retrieval, memory design, state management, deterministic fallbacks, and continuous evaluation. I instrument Agent Analytics from day one to trace tool calls, latency, error codes, and cost per task; then I use A/B testing with a clear minimum detectable effect (MDE) to validate improvements before broad rollout. This is where product roadmapping and sprint planning matter—sequencing capabilities so we avoid building speculative features that don’t move outcomes.

    Misconception 2: “More autonomy is always better.” The right autonomy level is contextual and risk-adjusted. For high-stakes workflows, I design for human-in-the-loop and role-based guardrails, grounded in privacy-by-design and data governance. Policies like least-privilege access, audit logs, and reversible actions reduce operational risk while still delivering leverage. In practice, this hybrid approach also controls cost: narrower scopes, clearer prompts, and bounded tool access reduce hallucination surface area and improve reliability—key to AI risk management.

    Misconception 3: “If we build it, users will adopt it.” Adoption is earned with thoughtful onboarding and in-app guidance, not promised by a feature launch. I pair agent launches with targeted product tours, contextual tooltips, and progressive disclosure to drive user activation and product-led growth. Increase revenue, cut costs, and reduce risk with Pendo’s Software Experience Management platform. Optimize the entire software experience to drive adoption and improve engagement. Whether you use Pendo or a comparable solution, the principle stands: instrument the experience, run experiments, and iterate quickly based on evidence, not intuition.

    Misconception 4: “Security, compliance, and governance can wait.” Deferring controls is a false economy. I embed AI risk management from day zero: prompt injection defenses, PII redaction, DLP, grounding and citation strategies, and threat detection and response. Clear data retention policies, vendor diligence, and model evaluation standards keep leadership, security, and legal aligned. This is the crux of building trust—and it’s far easier to design up front than to retrofit under pressure.

    How I execute in practice: start with a tightly framed use case tied to a measurable outcome; define outcomes vs output OKRs; build a slim vertical slice to validate feasibility; instrument Agent Analytics from the first commit; ship behind feature flags; and operationalize learning loops across support, success, and GTM. The result is a durable path to product-market fit for agentic AI—one that compounds learning while minimizing blast radius.

    The leaders who win with AI agents won’t be the ones who move fastest in a demo. They’ll be the ones who manage risk transparently, learn in public with their users, and turn continuous insight into competitive differentiation. If you’re planning your next agent milestone, align the roadmap to outcomes, treat governance as a feature, and make adoption your North Star.


    Inspired by this post on Pendo – Best Practices.


  • WTF is MCP? The powerful protocol giving enterprise AI agents real-world autonomy

    I get asked this constantly by boards, CIOs, and product teams: WTF is MCP, and why does it matter for enterprise AI? Here’s my straightforward take from the trenches of rolling out agentic AI across complex, regulated environments—and why it changes how we design, govern, and scale autonomous capabilities.

    “Model Control Protocol gives your AI agents arms and legs to go do stuff with your data.” That framing resonates because it’s both simple and accurate. MCP turns passive “chatbots” into active agents that can safely take action within defined guardrails.

    In practice, MCP is the connective tissue between models and the tools, systems, and workflows we trust. It standardizes how agents request permissions, execute tasks, and report outcomes—so enterprises can move from demos to durable operations. The benefit isn’t just autonomy; it’s autonomy with accountability, aligned to our AI Strategy and data governance obligations.

    When I pilot agentic AI in production, I start with a narrow scope: which systems the agent touches (for example, CRM integration via HubSpot), what actions it can take (read, write, or propose), and what evidence it must log (inputs, outputs, and approvals). That discipline keeps us compliant with privacy-by-design while unlocking real business impact.

    Great MCP use cases emerge where read-write actions compress time-to-value. Think: pulling Amplitude analytics cohorts to personalize outreach, auto-generating Pendo in-app guides based on feature adoption, or triggering customer support workflows with predefined playbooks. Each action is observable, reversible, and measured—because in the enterprise, repeatability beats novelty.

    From a product management leadership perspective, I treat MCP-enabled agents like any other product surface. We define clear outcomes, not outputs: success rate per task, mean time to resolution, quality score, and safety incidents. We validate uplift with A/B testing and a minimum detectable effect (MDE) before scaling. Then we feed results into an Agent Analytics dashboard, just as we would for product-led growth funnels.

    Governance is where MCP earns trust. I enforce least privilege, time-boxed credentials, environment isolation, and tamper-evident audit logs. Every tool call is tied to a business purpose, owner, and SLA. We integrate with existing threat detection and response processes so cybersecurity teams see the same telemetry they’re used to—no shadow AI, no surprises.

    There’s also an adoption playbook that works: start with a contained domain, ship a sandboxed agent, require human-in-the-loop approvals, then progressively relax controls as accuracy and alignment improve. Document the boundaries in plain language, and instrument everything from day one. This is how we de-risk AI risk management while accelerating impact.

    The most exciting shift is cultural: teams move from asking “Can the model do this?” to “What outcomes should the agent own—and what guardrails make that safe?” That mindset unlocks empowered product teams, clearer ownership, and faster iteration. MCP is simply the operational backbone that lets those choices stick.

    If you’re evaluating where to start, pick one workflow with high frequency, clear rules, and measurable outcomes. Wire it to MCP with tight scopes, ship it to a friendly cohort, and learn aggressively. Autonomy isn’t the end goal—reliable, governed value is. MCP just makes that scalable.


    Inspired by this post on Pendo – Best Practices.


  • Pendo Admin Power Checklist: 4 Proven Practices to Drive Adoption, Clarity, and Trust

    Overseeing complex platforms like Pendo is where product leadership comes to life. I rely on four disciplined practices to keep our instrumentation clean, our in-app experiences on-brand, and our analytics credible enough to guide high-stakes decisions. If you’re setting up or tuning your instance, this checklist will help you build trust with stakeholders and accelerate product-led growth.

    Learn best practices that every Pendo admin should know.

    1) Standardize tagging and taxonomy. I start by defining a clear naming convention for feature tags, page tags, and track events (for example, feat:[area]:[action]). This taxonomy lives in a shared document, aligns to our product roadmapping and sprint planning, and includes ownership, definitions, and “do/don’t” examples. In practice, this reduces duplicates, improves segment reliability, and makes funnels, paths, and retention analysis far more actionable. I also schedule quarterly hygiene to retire stale tags and revalidate critical measures tied to OKRs.

    2) Segment deliberately and manage access with intention. Meaningful segments—role, lifecycle stage, plan tier, and account health—unlock precise targeting for in-app guides and stronger insights. On the admin side, I enforce least-privilege access with SSO/SCIM, audit changes to tags and guides, and keep visitor and account ID strategies consistent across environments. This combination strengthens data governance and privacy-by-design while reducing operational risk.

    3) Operationalize a guide lifecycle. In-app guides are powerful, but only when they’re coherent and governed. I maintain a style system and reusable templates for tooltips, walkthroughs, onboarding checklists, and the Resource Center so the UX feels intentional, not noisy. Every guide goes through QA in staging, frequency capping, sunset dates, and an owner accountable for outcomes. I measure impact with clear success metrics—adoption lift, funnel completion, or onboarding time—to ensure guides serve the product strategy, not just add UI clutter.

    4) Build an analytics cadence that leaders can trust. I treat Pendo as a decision system, not just a dashboard. That means SDK updates are part of our release checklist, known key events are smoke-tested after deployments, and weekly insight reviews turn funnels, paths, and retention analysis into clear actions. Where appropriate, I pair experiments with A/B testing guardrails and tie findings back to outcomes vs output OKRs. Finally, I publish a simple “what we learned” summary to keep stakeholders aligned and focused on the next best move.

    Your 5‑minute checklist: confirm a shared tagging taxonomy; align segments to roles, lifecycle, and plans; apply least-privilege access and SSO/SCIM; standardize guide templates and QA; set metrics for every guide; and establish a recurring analytics review tied to OKRs. With these four practices in place, your Pendo instance becomes a flywheel for onboarding, product adoption, and continuous discovery—without sacrificing governance or customer trust.

    If you’re scaling quickly, start small: pick one product area, instrument it cleanly, launch a targeted in-app guide, and run a focused funnel review the following week. Momentum builds when teams see crisp insights and customers feel helpful guidance at just the right moment.


    Inspired by this post on Pendo – Best Practices.


  • 6 Hard Questions Your AI Agents Must Answer to Win: Performance, Risk, and Real ROI

    “Do you know how your AI agents are performing?” I ask this question in every review because it exposes whether we’re managing by outcomes or by anecdotes. Too often, teams point to latency, token counts, or completion rates and call it a day—useful signals, but not the story.

    In my role, shipping agentic AI into production means I need decision-quality evidence, not vibes. That starts with Agent Analytics built on a unified analytics platform and instrumentation that lets me trace behavior, quantify value, and manage risk. Below are the six questions I use to separate novelty from durable impact.

    1) What outcome are we optimizing for—and how do we measure it? If we can’t map the agent’s work to outcomes vs output OKRs, we’re optimizing noise. I anchor on task success rate, time-to-resolution, containment rate (no human handoff), cost per successful outcome, and downstream business impact (retention, conversion, NPS/CSAT) to keep us honest.

    2) Are the right guardrails in place for AI risk management and data governance? I expect documented policies for prompt injection defenses, PII redaction, access control, and auditability. Every tool call should be permissioned, every data boundary explicit, and every failure mode observable. If we can’t demonstrate compliance by design, we’re scaling risk instead of value.

    3) Can I explain every decision the agent made? Agentic AI needs traceability: prompts, intermediate reasoning, tool calls, retrieved context, and final outputs. I route key events into Amplitude analytics so product, engineering, and risk can slice behavior end to end. If we can’t reconstruct the path to an answer, we can’t debug, improve, or trust it.

    4) What is the true cost per successful outcome? Raw token spend is misleading. I model total cost of ownership across retries, tool usage, escalations, and human review time—then benchmark against a consumption SaaS pricing lens. If cost per resolution trends up as volume grows, we haven’t built a scalable system; we’ve built a demo.

    5) How does the agent learn without breaking what already works? My bar is a disciplined experimentation loop: offline evals, online A/B testing with clear guardrails, and a rollback plan. We predefine a minimum threshold for improvement before rollout and track regressions by persona, task type, and channel so we can localize fixes quickly.

    6) Where is this agent creating durable differentiation? I look for capabilities competitors can’t easily copy: unique data advantages, superior tool orchestration, or workflows that compound learning. If the edge is just a base model prompt, the moat will evaporate; if it’s embedded in product workflows and proprietary signals, we’re building advantage.

    Answering these six questions turns agentic AI from a novelty into a managed system. With Agent Analytics feeding a unified analytics platform, we can tie behavior to business outcomes, enforce governance, and make portfolio trade-offs grounded in evidence. The result is a product management leadership motion that prioritizes real ROI over vanity metrics—and scales with confidence.

    If you’re not satisfied with the answers today, start by instrumenting the journey end to end, aligning metrics to OKRs, and setting clear risk thresholds. The compounding effects show up quickly when every iteration is measurable, explainable, and accountable.


    Inspired by this post on Pendo – Best Practices.


  • SaaS + AI Is Here: How Our Summer 2025 Release Builds an Intelligent Foundation to Win

    Leading product at HighLevel, I’m watching the convergence of SaaS + AI reshape how we build, price, and scale software. The winners will combine a sharp AI Strategy with disciplined product management leadership to ship real outcomes, not just demos. That’s why my team and I have been focused on giving you pragmatic ways to move fast without breaking trust.

    Give your company an intelligent foundation for the SaaS + AI era with our Summer 2025 Release.

    When I set priorities for this release, I optimized for three things: speed with quality, responsible AI, and measurable business impact. Practically, that means enabling agentic AI and gen ai workflows where they actually create leverage, unifying analytics so teams can make decisions from a single source of truth, and hardwiring data governance and privacy-by-design into every layer.

    If you’re wondering how to keep up, here’s what’s working for us and our customers: tighten product roadmapping and sprint planning around clear outcomes, not outputs; align teams with simple, observable OKRs; and empower product trios to run lean product discovery loops. These practices reduce cycle time while raising confidence, especially when introducing AI into core experiences.

    On the go-to-market side, I’m doubling down on product-led growth—shipping value into the product with in-app guides, thoughtful product tours, and frictionless onboarding. Pair that with rigorous retention analysis and A/B testing, and you’ll see which AI-powered moments actually move activation, adoption, and expansion. Don’t overlook the fundamentals either: smart SaaS pricing (including consumption models where it fits) can unlock the economics that sustain AI investments.

    My goal is to give you a foundation that is both ambitious and accountable—a platform you can trust to scale responsibly while your teams iterate quickly.

    If you’re planning your 2H roadmap, this release is built to help you ship faster, de-risk AI, and create outsized customer value in the moments that matter most.

    Inspired by this post on Pendo – Perspectives.


  • Prioritize, Build, and Measure AI with Confidence: Lessons I Apply from PendomoniumX NYC

    AI is moving faster than any product wave I’ve seen in my career, and that urgency demands rigor. At HighLevel, I anchor our AI Strategy around measurable outcomes, responsible delivery, and pragmatic execution—principles that a recent PendomoniumX NYC customer discussion reinforced for me.

    “Three product leaders sat down with Pendo to discuss how they’re balancing AI investments, building their AI roadmap, and measuring success.”

    When I decide what to fund, I start with outcomes vs output OKRs. If an initiative cannot tie to a defensible customer outcome—time-to-value reduction, revenue expansion, retention lift, or cost-to-serve efficiency—it doesn’t make the cut. From there, I pressure-test feasibility and risk through data governance and AI risk management lenses: model choice, training data readiness, privacy-by-design, security posture, and responsible use guardrails.

    Building the roadmap is where discipline meets speed. I use empowered product teams—product trios across PM, design, and engineering—to run tight discovery sprints. We validate desirability and viability with gen ai for product prototyping, then graduate concepts into delivery using product roadmapping and sprint planning habits that prioritize smallest shippable value. I’ve found the try do consider framework helpful to stage bets from low-risk utilities to higher-impact, agentic AI workflows.

    Measuring impact is nonnegotiable. I define success up front with a minimum detectable effect (MDE), then instrument adoption and behavioral change via Pendo and Amplitude analytics. A/B testing gives me causal confidence, while retention analysis tells me if AI features are durable value, not novelty. If we can’t attribute improvement to a metric that matters, we iterate or retire.

    Governance is a product requirement, not an afterthought. We maintain data governance standards, threat detection and response controls, and clear model evaluation criteria before anything reaches customers. That operating model helps us move quickly without compromising trust—a cornerstone in any product-led growth motion.

    For go-to-market and adoption, I rely on in-app guides, product tours, and contextual tooltips to shorten the learning curve. We measure feature discovery, task completion, and ongoing engagement to ensure the experience is intuitive. The goal is to make AI feel like a natural extension of the workflow, not a science project bolted onto the product.

    My simple playbook: prioritize by customer outcomes and risk posture, build with validated learning and smallest shippable value, and measure with rigorous analytics and OKRs. Repeat that loop, and AI stops being a buzzword—it becomes a compounding advantage.

    Inspired by this post on Pendo – Perspectives.


  • 3 Powerful Ways AI Is Reshaping Cybersecurity—from Ruthless Attacks to Rapid Defense

    Every week, I watch the cybersecurity landscape bend under the pressure of AI. The pace isn’t linear—it’s compounding. What worked for IT teams last quarter often needs a rethink today, and the difference between merely coping and truly competing lies in how quickly we adapt our strategy, tooling, and operating rhythms.

    Learn the ways in which AI is transforming both cybersecurity offense and defense for IT teams.

    From my vantage point leading product strategy, I see three shifts that matter most right now: AI is supercharging attackers, accelerating defenders, and reshaping governance. Together, they redefine how we prioritize investments, measure risk, and align product and security roadmaps.

    First, AI has leveled up the offense. Large language models can industrialize social engineering—hyper-personalized spear-phishing at scale, deepfake voice notes that spoof executives, and highly convincing support chats that trick users into bypassing controls. Code-generation tools lower the barrier to crafting polymorphic malware and automating reconnaissance. The net effect is ruthless efficiency: more credible lures, faster campaigns, and broader reach with fewer human operators. I now assume adversaries have an AI co-pilot—and plan defenses accordingly.

    Second, AI is accelerating the defense. Modern detection and response stacks are moving beyond rules to behavioral analytics—correlating identity signals, endpoint telemetry, and network events to spot subtle anomalies that signature-based tools miss. Copilot-style assistants are augmenting SecOps by summarizing incidents, explaining probable root cause, and proposing next steps. The aim isn’t blind automation; it’s decision acceleration—shrinking mean time to detect and respond while reducing analyst toil. On the build side, AI-assisted code scanning and dependency analysis help teams shift security left, catching vulnerabilities earlier and turning secure defaults into muscle memory.

    Third, governance is being rewritten in real time. As AI models ingest sensitive data and generate code and content, data governance and privacy-by-design move from compliance checklists to active risk management. We’re formalizing AI risk management alongside traditional AppSec: model inventories, usage policies, red-teaming prompts, and guardrails against prompt injection and data leakage. Identity remains the control plane—zero trust principles, least privilege, and continuous verification become nonnegotiable. I’ve found that aligning security, product, and IT leadership on a single policy-as-code backbone prevents drift and keeps audits predictable.

    Practically, I guide teams to start with a crown-jewel inventory: What data and systems would materially impact customers, revenue, or brand if compromised? Map data flows, instrument comprehensive telemetry, and prioritize detection coverage where it matters most. Choose AI to augment before you automate—prove the loop with humans in the middle, then graduate to higher autonomy levels with clear rollback paths and audit logs.

    Culturally, this is a product problem as much as a security one. We bring empowered product teams and SecOps into the same room, set measurable objectives (signal-to-noise ratio, mean time to contain, escaped defect rate), and iterate with the same cadence we use for product features. When security outcomes are treated as customer outcomes, adoption soars and friction recedes.

    The takeaway: AI has tilted the field, but not inevitably against defenders. With a clear AI strategy, disciplined data governance, and pragmatic automation, IT leaders can turn reactive security into a proactive advantage—meeting attackers’ speed with speed, and outlasting them with better judgment.


    Inspired by this post on Pendo – Perspectives.


  • 4 Hidden AI Risks Every CIO Must Tackle Now—and a Proven Playbook to Mitigate Them

    Across enterprises, I’m watching AI sprint from lab experiments to business-critical workflows. That velocity is exciting—and it’s also where risk compounds. In my role partnering with CIOs and IT leadership, I’ve learned that winning with AI is as much about disciplined risk management as it is about breakthrough use cases.

    Learn about the risks that AI poses to IT teams, and how they can mitigate them.

    I frame the challenge as “4 AI risks for CIOs (and a guide to solve them)”: data governance and compliance, model reliability and bias, security and supply chain exposure, and operational cost/ROI drift. Below, I outline the risks I see most often and the concrete actions I take to de-risk them without slowing innovation.

    Risk 1: Data governance and compliance. The fastest way to stall an AI Strategy is to overlook consent, lineage, and access controls. I establish privacy-by-design from day one: data minimization, clear retention policies, role-based access control, and auditable logs for training, inference, and feedback loops. I also insist on defensible vendor reviews (DPA, SOC2/ISO, regional data residency), PII classification, and internal model cards that document sources, sensitivities, and acceptable-use constraints. This makes IT leadership comfortable scaling from prototype to production.

    Risk 2: Model reliability, hallucinations, and bias. AI that fabricates or skews output erodes trust and creates downstream risk. I operationalize quality with evaluation harnesses, golden datasets, human-in-the-loop review for high-impact actions, and red-teaming for safety. Retrieval-augmented generation with citations, content filters, and grounded prompts reduce error rates. To quantify progress, I define precision/recall targets and a minimum detectable effect (MDE) for experiments so we know when a change is truly better—not just different.

    Risk 3: Security and AI supply chain. New surface area invites prompt injection, data exfiltration, and compromised dependencies. I apply zero-trust principles: strict allow/deny lists for tools and connectors, secrets isolation, egress controls, sandboxed environments for agents, and output validation before execution. Every model and plugin goes through threat modeling, dependency scanning, and vendor security reviews. For agentic AI patterns, I gate high-risk actions behind explicit approvals and granular scopes.
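
The controls named under Risk 3 (tool allowlist, granular scopes, output validation before execution, explicit approval for high-risk actions) can sit in one gate in front of an agent's tool calls. The sketch below is an added example, not code from the original post or from any product it mentions; the tool names, scopes and JSON call shape are assumptions made for illustration.

```python
import hashlib
import json

# Constructed policy for illustration: tool names, scopes and risk flags are hypothetical.
POLICY = {
    "search_kb": {"scopes": {"kb:read"}, "high_risk": False, "args": {"query": str}},
    "send_email": {"scopes": {"mail:send"}, "high_risk": True,
                   "args": {"to": str, "body": str}},
}


def call_digest(tool, args):
    """Fingerprint one tool+arguments pair so an approval cannot be reused for another call."""
    blob = json.dumps({"tool": tool, "args": args}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()


def _evaluate(raw_output, granted_scopes, approved_digests):
    # 1. Output validation: the model's text must parse into a tool-call object.
    try:
        call = json.loads(raw_output)
    except (TypeError, ValueError):
        return False, "output is not valid JSON", None
    if not isinstance(call, dict) or not isinstance(call.get("args"), dict):
        return False, "output is not a tool-call object", None
    tool, args = call.get("tool"), call["args"]
    # 2. Allowlist: anything not named in POLICY is denied by default.
    if not isinstance(tool, str) or tool not in POLICY:
        return False, "tool not on allowlist", str(tool)
    spec = POLICY[tool]
    # 3. Granular scopes: the session must hold every scope the tool requires.
    missing = spec["scopes"] - set(granted_scopes)
    if missing:
        return False, "missing scope " + sorted(missing)[0], tool
    # 4. Argument schema: exact names and exact types, nothing extra.
    if set(args) != set(spec["args"]):
        return False, "argument names do not match schema", tool
    if any(type(args[k]) is not t for k, t in spec["args"].items()):
        return False, "argument type mismatch", tool
    # 5. Explicit approval for high-risk actions, bound to this exact call.
    if spec["high_risk"] and call_digest(tool, args) not in approved_digests:
        return False, "needs human approval", tool
    return True, "ok", tool


def authorize(raw_output, granted_scopes, approved_digests, audit_log):
    """Return (allowed, reason) for a model-proposed call and record the decision."""
    allowed, reason, tool = _evaluate(raw_output, granted_scopes, approved_digests)
    audit_log.append({"tool": tool, "allowed": allowed, "reason": reason})
    return allowed, reason
```

Because the approval is a digest of the tool name and its arguments, a reviewer's sign-off on one email does not carry over if the model later changes the recipient or body.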

    Risk 4: Operational cost and ROI drift. AI workloads can balloon with hidden inference costs, shadow IT, and duplicated platforms. I put governance around spend using consumption SaaS pricing guardrails, usage caps by environment, tagging by app/team, and a unified analytics platform to monitor latency, quality, and cost per transaction. This lets me reallocate budget toward the highest-impact use cases while sunsetting low-yield experiments.

    Your 90-day playbook. Days 0–30: Inventory AI use cases, classify data sensitivity, choose one or two critical business workflows, and stand up core guardrails (access, audit, red-teaming). Days 31–60: Pilot with a cross-functional product trio (PM, design, engineering), define OKRs, instrument evaluations, and enable human-in-the-loop. Days 61–90: Productionize the winning flow, set usage and spend policies, enable observability dashboards, and roll out training for frontline teams with clear escalation paths.

    The organizational layer matters as much as the technical one. I align stakeholders early, empower product trios to iterate quickly within boundaries, and deploy forward deployed engineers to embed with the business. This keeps trust high, reduces handoffs, and ensures that governance accelerates value rather than blocking it.

    Done well, these practices turn AI risk into a competitive moat. By pairing disciplined governance with pragmatic experimentation, we capture the upside of gen ai while protecting customers, teams, and the business. That’s how I’ve helped enterprises move from scattered pilots to measurable, scalable impact—safely.


    Inspired by this post on Pendo – Perspectives.

