Apr 09 2025
Security

Google Cloud Next 25: How Artificial Intelligence Supports Security Compliance at Carvana

It’s difficult to ensure everyone is following complex security rules. Here’s how agentic AI can help.
Bob Keaveney
by

Bob is the managing editor of BizTech magazine. 

Carvana is hardly a small business. In fact, it’s a Fortune 500 company that had revenues of almost $14 billion last year selling used vehicles online and via its unique “car vending machines.”

But it does have a small cybersecurity staff that CISO Dina Mathers describes as scrappy and resourceful. As a result, she told attendees of Google Cloud Next 25, she knows a thing or two about security strategies for small teams.

And one of her biggest pieces of advice is to make judicious use of artificial intelligence. “We created an AI agent internally that’s trained on our security policies, and employees can ask it questions,” Mathers said.

Google Cloud Next in Las Vegas is the company’s gathering of analysts, customers, journalists and others to compare notes and share best practices on how best to leverage the Google Cloud Platform’s tools, especially when it comes to AI.

Click the banner below to read the 2025 CDW AI Research Report.

XS_Q225_AI_cta_desktop01.gif XS_Q225_AI_cta_mobile01.gif

 

An AI Agent That Knows Company Policy

The purpose of the AI agent was to make it easier for workers to comply with Carvana’s security policies by removing the need to wade through large volumes of policy documents.

“How many of us have so many policies and standards that no one actually looks at it all?” she asked. The agent would do the reading for employees, then just summarize the information and answer their questions. “Who wants to read a 16-page policy document when you can just ask the AI a question?”

RELATED:  Agentic AI is revolutionizing everyday life. 

Carvana’s compliance officer quickly recognized the benefits of the AI agent. She is charged with answering detailed questionnaires from the financial services companies with which Carvana works about the car seller’s security policies and service-level agreements. Each financer has unique concerns about partner security and asks questions in its own way.

As a result, the compliance officer would frequently quiz Mathers or members of her team about security policy nuances. Filling out one such questionnaire could take 40 hours of work, Mathers said.

But when the officer realized that the AI agent was almost as knowledgeable about those policies as any human colleague and was able to answer complicated, detailed questions — and never too busy to do so — she had a new best friend.

“So, what used to take 40 hours now takes one hour,” Mathers said.

Click the banner below to receive related insights after our event coverage. 

bt-googlenext-main cta-q125-static-desktop.jpg bt-googlenext-main-cta-q125-static-Mobile.jpg

 

Humans Work Behind AI, and Vice Versa

In response to a question about the reliability of such a process, and the risk involved in relying too much on an AI tool, Mathers noted that Carvana doesn’t depend exclusively on the technology. The compliance officer doublechecks its responses for accuracy and consistency.

That approach — where an AI agent does the bulk of a tedious work process, while humans check in to make sure it’s getting done correctly — is part of an emerging process in organizations’ AI workflows, according to Phil Davis, vice president of global specialty sales for Google Cloud, who moderated the session.

“You often have companies working with AI where the AI works behind the human,” providing prompts, answering questions and filling in details, Davis said. “You’re starting to see that flip, where the agent does the work, and the human works behind the agent.”

Security continues to operate on the human-first model, for the most part, Davis said, but that’s starting to change: “I think we’ll get there in security, but I think it will take some time.”

The compliance tool is only one of the AI agents that Carvana created to boost its security. Another is designed to ease the burden on its security operations staff, who typically spent a lot of time discovering security policy violations and addressing them with workers. Now, an AI agent does most of that while the security staff focuses on higher-level work.

“It’s not fun triaging those” policy violations, Mathers said. “No one wants to spend all day saying, ‘No, you can’t forward that work email to your personal email.’”

For continuing coverage from the event, follow us on the social platform X @BizTechMagazine and the official conference feed, #GoogleCloudNext.

bt-googlenext-q125-static-desktop.jpg bt-googlenext-q125-static-mobile.jpg
Photo by Bob Keaveney

More On

Related Articles

Close

See How Your Peers Are Moving Forward in the Cloud

New research from CDW can help you build on your success and take the next step.

Click Here to Read the Report