Walmart's AI Security Strategy: Key Enterprise Lessons on Risk, Identity, and Defense

VentureBeat recently conducted a virtual interview with Jerry R. Geisler III, Executive Vice President and Chief Information Security Officer at Walmart Inc., to explore the cybersecurity challenges confronting the world’s largest retailer as autonomous AI becomes more prevalent.

Our discussion centered on securing agentic AI systems, modernizing identity management, and the key takeaways from developing Element AI, Walmart’s centralized AI platform. Geisler offered a refreshingly frank perspective on how the company addresses unprecedented security threats, from countering AI-boosted cyberattacks to securing its massive hybrid multi-cloud infrastructure. His startup-oriented approach to reshaping identity and access management systems provides valuable insights for enterprises of every scale.

As the security lead for an organization of Walmart’s size, operating across Google Cloud, Azure, and private cloud environments, Geisler brings distinctive expertise to implementing Zero Trust architectures and fostering what he describes as “velocity with governance”—empowering rapid AI innovation within a trusted security environment. The architectural choices made during Element AI’s development have influenced Walmart’s overall strategy for consolidating emerging AI technologies.

Here are selected excerpts from our conversation:

VentureBeat: How are your current governance structures and security safeguards adapting to counter new threats and unintended model actions as generative and agentic AI grow more autonomous?

Jerry R. Geisler III: Adopting agentic AI introduces entirely new risks that bypass traditional defense mechanisms. These include data exfiltration, API misuse, and hidden collaboration between agents—any of which could disrupt business operations or breach regulatory requirements. Our approach centers on building proactive, resilient security through advanced AI Security Posture Management (AI-SPM), enabling ongoing risk oversight, data security, compliance, and trust.

VB: With conventional RBAC showing limitations in dynamic AI environments, how is Walmart refining its identity management and Zero Trust models to deliver fine-grained, context-aware data access?

Geisler: An organization of our scale requires a customized strategy—one that embraces a startup mentality. Our team frequently revisits what it would build from the ground up, asking: "If we began today, what would identity and access management (IAM) look like?" IAM has evolved significantly over the past three decades, and our emphasis lies in modernizing our IAM stack to streamline complexity. While distinct from Zero Trust, our adherence to the principle of least privilege remains firm.

We're optimistic about the evolution and adoption of protocols like MCP and A2A, as they address real security concerns and help us implement detailed, context-sensitive access controls. These protocols support real-time access decisions using short-lived, verifiable credentials—assessing identity, data classification, and risk continuously. This ensures every agent, tool, and request is consistently validated, fully embodying Zero Trust principles.

VB: How does Walmart’s hybrid multi-cloud setup—using Google, Azure, and private clouds—influence your Zero Trust segmentation and micro-segmentation tactics for AI workloads?

Geisler: Our segmentation strategy relies on identity, not network location. Access policies are consistently applied to workloads across cloud and on-premises environments. Thanks to advancements in protocols like MCP and A2A, service edge enforcement is becoming standardized, enabling uniform application of zero trust.

VB: With AI enabling more advanced attacks—like convincing phishing campaigns—what AI-driven defenses is Walmart deploying to identify and neutralize these evolving threats?

Geisler: At Walmart, we are dedicated to anticipating and countering emerging threats, especially as AI transforms the cybersecurity space. While malicious actors increasingly employ generative AI to launch highly persuasive phishing campaigns, we're using the same technologies to simulate adversarial attacks and build proactive resilience.

We have embedded advanced machine learning across our security systems to identify unusual behavior and flag phishing attempts. Beyond detection, we use generative AI to model attack scenarios and rigorously test our defenses through large-scale red teaming exercises.

By thoughtfully integrating people and AI, we help safeguard our associates and customers as the digital ecosystem evolves.

VB: Element AI makes extensive use of open-source AI models. What unique security risks has this posed, and how is your enterprise-level security approach adapting?

Geisler: We base our segmentation on identity, not network location. Access policies are consistently enforced across both cloud and on-premises environments. With protocols like MCP and A2A gaining traction, service edge enforcement is becoming standardized, ensuring that zero trust is uniformly implemented.

VB: Considering Walmart’s global, always-on operations, what automated or rapid-response systems do you have to manage concurrent cybersecurity incidents?

Geisler>Operating at Walmart’s scale demands security that is fast and seamless. We’ve embedded intelligent automation across multiple layers of our incident response program. By leveraging SOAR platforms, we orchestrate response workflows across regions—allowing swift threat containment.

We also rely heavily on automation for continuous risk evaluation and to prioritize responses based on severity. This ensures our resources are allocated where they are most needed.

By aligning skilled associates with swift automation and actionable context, we deliver effective security at the speed and scale Walmart requires.

VB: What strategies is Walmart using to attract, develop, and keep cybersecurity professionals capable of navigating the evolving AI and threat environment?

Geisler: Our Live Better U (LBU) program provides associates with affordable—often free—education, enabling them to earn degrees and certifications in cybersecurity and IT. This offers associates from various backgrounds a clear path to upskill. The curriculum emphasizes hands-on, practical learning that directly applies to Walmart’s security requirements.

We also organize our annual SparkCon (previously Sp4rkCon), featuring expert talks and Q&As with leading professionals. The event explores the latest developments, techniques, technologies, and threats in cybersecurity, creating networking and career-advancement opportunities for attendees.

VB>Looking back at Element AI’s development, what key cybersecurity or architectural insights have shaped your decisions about when and how to centralize emerging AI technologies?

Geisler: That’s an essential question—our architectural decisions today will define our risk profile for years. In developing a centralized AI platform, we’ve taken away two pivotal lessons that inform our future direction.

First, centralization greatly supports “velocity with governance.” By establishing a unified, streamlined path for AI development, we reduce complexity for data scientists. And from a security standpoint, it creates a single control plane. We embed security from the outset, ensuring uniform data practices, model reviews, and output monitoring. This lets innovation thrive quickly, within a framework we can trust.

Second, it enables “concentrated defense and expertise.” The AI threat environment is shifting rapidly. Rather than scattering our AI security specialists across multiple independent projects, centralizing allows us to pool our top talent and most effective defenses at a key point. We can implement and refine advanced security features such as context-sensitive access controls, prompt monitoring, and data loss prevention—extending that protection seamlessly across all use cases.