Key Highlights
- Enterprises are over-indexed on access control and under-invested in data protection, especially as agentic AI reshapes risk.
- Skyhigh Security’s DSPM and DLP capabilities work in tandem to deliver visibility-first, policy-driven data protection across SaaS, web, AI, and private apps.
- Skyhigh’s SSE Everywhere architecture allows the full SSE stack to run on-prem, in the cloud, or hybrid — a critical differentiator for regulated and sovereignty-sensitive industries.
- Skyhigh’s patent-pending browser controls secure data at the point of origin without requiring an enterprise browser install.
- Agentic AI has shifted the security conversation from ‘what data is going in’ to ‘what can these agents actually do,’ and most security architectures aren’t built for that yet.
- Skyhigh’s programmable Policy Core is designed to retrofit into any enterprise environment rather than forcing architectural changes.
- European sovereignty demands and AI-driven hybrid deployments are driving renewed interest in on-prem and regional-inspection flexibility.
The cybersecurity industry has spent decades optimizing for the front door: who gets in, what they can reach, how traffic flows. That problem, while far from solved, is at least well-understood. The harder, less-solved problem is what happens inside the house once access is granted. In this episode of Security Square, I sat down with Thyaga Vasudevan, EVP of Product at Skyhigh Security, to dig into exactly that, and the conversation covered a lot of ground.
From Shadow AI to Shadow Agents
Vasudevan frames 2022 as the ChatGPT moment, when enterprise security teams scrambled to understand what sensitive data users were feeding into generative AI tools. The focus then was on monitoring what went in and what came out — essentially a data moderation problem. By contrast, he frames 2025 as the agentic AI moment, and the risk calculus has fundamentally changed.
Agents don’t just consume data; they take actions. A compromised or unsanctioned agent can appear to the network as a fully authorized operator, moving through IAM controls, firewalls, and endpoint protections without triggering traditional detection. That breaks a core assumption embedded in most existing security architectures: that authorized-looking behavior is safe behavior.
The implication for security teams is significant. Visibility into what agents are running, whether built with sanctioned developer tools like Microsoft Copilot Studio or OpenAI Codex or quietly assembled on a developer’s laptop, has become as urgent as visibility into what users are doing. And the risk of an agent escalates in direct proportion to the sensitivity of the data it can touch.
Visibility First, Policy Second
A theme that runs through Vasudevan’s entire approach is the primacy of visibility. His advice to security leaders: start with a Data Security Posture Management (DSPM) assessment before you build a single policy. Know where your sensitive data lives, who or what has access to it, where it has been shared, and what your compliance exposure looks like, across SaaS, web, private apps, and AI platforms.
From there, Skyhigh’s DLP capabilities translate that understanding into enforceable policies: blocking uploads of sensitive data to unsanctioned AI tools, preventing downloads to unmanaged devices, flagging risky sharing behaviors in cloud storage platforms. The key is that policies are built on knowledge, not assumptions.
The Case for SSE Everywhere
One of the most commercially interesting things Vasudevan discussed is Skyhigh’s SSE Everywhere model — the ability to run the full SSE stack, including SWG, CASB, DLP, RBI, and ZTNA, either on-prem, in Skyhigh’s cloud, or in a customer’s own hyperscaler environment, managed through a single console with consistent policy enforcement regardless of where traffic is inspected.
This matters more than it might sound. A growing cohort of regulated enterprise customers, particularly in financial services, healthcare, and European markets, are not willing to route all traffic inspection through the cloud. Some are responding to sovereignty regulations that require in-country data processing. Others are reacting to cloud cost spirals that have made pure-cloud SSE economics increasingly hard to justify. And a newer driver is AI: organizations building internal AI applications often need on-prem ZTNA enforcement simply because the use case demands it.
Skyhigh’s ability to offer this flexibility isn’t just a deployment option; it’s a pricing disruption. When customers run part of the stack on their own infrastructure, the aggregate cost of the Skyhigh deployment decreases significantly compared to pure-cloud SSE alternatives. That’s a commercial wedge the cloud-only vendors can’t match.
Browser Controls: Securing Data at the Source
Perhaps the most technically distinctive element of Skyhigh’s current platform is its patent-pending browser controls, and notably, what they are not. They are not a proprietary enterprise browser. Vasudevan was direct about the failure of that model: no enterprise user wants to install and manage a separate browser for security purposes, and analyst coverage has consistently validated the absence of real client demand for it.
Instead, Skyhigh injects JavaScript-based controls directly into the browser session, supporting any browser, requiring no extension or dedicated client, and deploying in under five minutes. The result: clipboard protection, print disablement, screenshot blocking, watermarking, and copy-paste controls enforced at the point of origin, including for WebSocket-based traffic and encrypted applications like Microsoft Copilot and WhatsApp, which can’t be inspected at the cloud proxy level.
The Analyst Take
The conversation reinforced something I’ve been saying for a while: the cloud-only mandate that dominated enterprise thinking for the better part of a decade is giving way to a more pragmatic hybrid posture, driven by cost, control, sovereignty, and the specific requirements of AI workloads. Vendors who built flexibility into their architecture from the start are positioned well. Vendors who are retrofitting it are not.
What distinguishes Skyhigh’s position is that this flexibility isn’t an afterthought; it’s engineered into the core platform through a programmable Policy Core that executes the same policy language regardless of where traffic is inspected. That’s not a feature. That’s an architectural bet that is aging well.
For CISOs and enterprise architects evaluating SSE in regulated industries, the starting question shouldn’t be ‘which cloud-based SASE vendor has the best dashboard.’ It should be: ‘Do I actually know where my sensitive data is, what’s touching it, and does my security architecture give me the flexibility to protect it wherever inspection needs to happen?’ Skyhigh is building for that question.
This article was originally published on LinkedIn.
