IT Brief India - Technology news for CIOs & IT decision-makers

Exclusive: Reco COO on securing the AI inside your SaaS stack

Fri, 29th May 2026
Jake MacAndrew, Interview Editor

As enterprises rush to adopt AI tools embedded inside the software they already use, a new class of security risk is emerging that most organisations have barely begun to quantify.

Reco, an agentic security platform focused on third-party SaaS ecosystems, said the problem is more acute than most chief security officers realise and that the arrival of advanced offensive AI models has made the window to act considerably shorter.

Zoe Hillenmeyer, Chief Operating Officer of Reco, joined the company approximately one month ago from Protect AI, where she served as Chief Marketing Officer and Head of Strategic Alliances. Protect AI, which focused on security for internally developed AI systems, was acquired by Palo Alto Networks last summer.

"You can't do anything about what you don't know is there, so ground zero is visibility," said Hillenmeyer. "People are really not sure what they have in the agent and AI space ... What we see is typically they're off by about an order of magnitude, so they might think they have 100 agents. We plug in one connector, and we're able to see that they have at least 1000."

The company's platform is built around two core capabilities. The first, the Reco SaaS App Factory, allows the company to rapidly build deep connectors to third-party software applications, with an existing catalogue it describes as the largest and deepest in the market. The second is the Reco Knowledge Graph, an AI-powered tool that maps identity, access, permissions, and configurations across a customer's entire SaaS ecosystem.

Hillenmeyer said the graph was designed by a team of AI researchers in a way that has made it well-suited for the current wave of agent adoption, even though the platform was originally built to address more traditional SaaS sprawl.

What began as an app sprawl problem has evolved in stages. Hillenmeyer describes an arc from traditional SaaS proliferation, through AI feature adoption embedded within existing applications, to the current challenge of non-human identities operating autonomously across connected systems.

"Every SaaS vendor is getting pressured to become an AI company. All these SaaS vendors are launching new AI capabilities every single day ... so you're not just getting one or two features - you're getting one or two features from each of these applications every single day," added Hillenmeyer. "You have to do that with some kind of drawbridge visibility and kill switches in place."

Recent deployments, which Reco declined to name, illustrate the range of use cases.

A large international telecommunications company cited the depth of Reco's connector catalogue and its ability to keep pace with the velocity of the third-party market as the deciding factors in its selection. Another company, a Fortune 50 U.S. enterprise, found itself with too much visibility and too little direction. As an AI-forward organisation that had deliberately loosened the reins on internal development, the company was experiencing what many large enterprises now describe as an "agentic explosion." Hillenmeyer said that, with Reco, the enterprise was able to perform rigorous risk profiling to understand not just what was happening across its SaaS environment but also where to look first.

The agent security concern is distinct from broader AI risk because agents do not passively use permissions; they inherit access from individuals and then act independently, creating SaaS-to-SaaS connections that are difficult for enterprises to track. Hillenmeyer placed this alongside the offensive threat landscape, noting that the current release of advanced models has prompted board-level attention and, in some cases, government interest in how organisations achieve readiness.

Reco categorises its market across three solution areas: a modern SaaS security posture management layer built for an AI-driven environment; AI governance, covering the models embedded within third-party tools; and agent security, which Hillenmeyer describes as having seen significant growth in the past three months.

She described the "Mythos era" class of models, stemming from Anthropic's highly powerful, restricted Claude Mythos model. The release enables autonomous discovery, proofing, and chaining of software exploits at scale. 

"Two or three years ago, you'd meet with security teams, and they'd be like, 'We don't even think we're really using AI now.' That wasn't always true, but that was the perception. Now, when we sit down with security teams, they know that part of their job is to make it safe and secure to adopt AI, particularly in the third-party universe, and they want to lean in."