Issue 128: How to Use AI to Govern AI Ft. Nick James, Founder @ WhitegloveAI

October 29, 2025

In this edition of Coffee with Calyptus, we sit down with Nick James, founder of WhitegloveAI, former Senior VP and CISO at Bank of America, and U.S. Marine Corps veteran turned AI security leader. He shares candid lessons on vendor risk, AI orchestration, and identity-first cloud defense, and how WhitegloveAI’s internal frameworks turn governance into real-time advantage.

Nick, from leading security ops in the U.S. Marine Corps to founding WhitegloveAI, has that military discipline influenced your entrepreneurial edge in AI consulting?

Yes. The Corps built three habits that I use daily. Set clear intent. Execute with discipline. Run an after-action review on every engagement. At WhitegloveAI that means objectives with owners and clocks, playbooks that remove guesswork, and tight feedback loops that turn lessons into standards. This keeps deployments calm, secure, and measurable.

As Senior VP and CISO at Bank of America, you managed third-party cyber risks. Could you share some takeaways from your experiences during those high-stakes roles?

Vendor risk is business risk. Contracts must operate like controls with right to audit, clear data boundaries, and incident timelines. Annual questionnaires are not enough. Use continuous assurance that pulls evidence and tracks posture changes. Least privilege reduces blast radius more than any shiny tool. When the business owns the risk with security, the posture improves fast.

Transitioning from Deloitte’s global compliance audits to co-founding Lucidis, what surprised you most about building AI tools?

Product work exposes reality. Enterprise data is messy and trustworthy labels are scarce. Human in the loop is essential for quality and accountability. Orchestration matters because outcomes come from how systems fetch, validate, and act on data. Evaluation is part of the product, so you need test harnesses, drift monitoring, and clean rollback paths. The unglamorous parts like auth, logging, governance, and privacy decide whether you earn a second sale.

As an AWS AI security advisor, you have seen enterprise challenges firsthand. What potential cyber threat in cloud environments should leaders prioritize, based on your VA contract experience?

Identity compromise and privilege escalation. Attackers target tokens, service roles, and build secrets because that path moves fast. Leaders should build identity threat detection and response with short-lived credentials, conditional access, strong workload boundaries, and policy as code. Lock down egress and encrypt everything. Prove readiness with red and purple team drills and incident runbooks measured in minutes. Simplicity and visibility beat complexity.

Nick, how is WhitegloveAI internally using AI day to day for increased efficiency, improved decision making, or enhanced productivity across various departments?

We run our business on our own stack with guardrails. Governance copilots generate secure solution designs, risk assessments, and control mappings aligned to ISO 42001 and the NIST AI risk framework. The AI Adoption and Management Framework drives each project from intake to measured outcomes.

For sales operations, AI assembles first drafts from approved templates and case studies, tracks version history, and routes for human review. For knowledge and docs, retrieval surfaces prior work with source logging and lineage. Leadership gets a vCAIO rollup of OKRs, risks, and decisions that turns meetings into tasks with owners and due dates. HR and IT use internal agents for access requests, policy questions, and device steps with clean handoffs.

Security runs a model registry, evaluation harness, prompt red teaming, and immutable logs for every agent action. Support uses real-time voice agents with safe escalation and SLAs. We track deflection, cycle time, accuracy, and dollar impact, and we keep what proves value.

We hope you enjoyed this edition of Coffee with Calyptus. Stay curious, stay inspired, and keep building what matters.
