Interviews

Bo Li, CEO, Virtue AI – Interview Series

mm
Published

Bo Li, CEO of Virtue AI, is a prominent researcher and entrepreneur specializing in the safety and security of artificial intelligence systems. She leads Virtue AI while also serving as a Professor at the University of Illinois Urbana-Champaign, where her research focuses on machine learning security, trustworthy AI, and adversarial robustness. Her career spans both academia and industry, allowing her to translate advanced AI research into practical applications that help organizations build safer and more resilient AI technologies.

Virtue AI is a company focused on protecting and governing AI systems used in enterprise environments. Its platform provides capabilities such as automated red-teaming, real-time guardrails, and continuous monitoring to identify vulnerabilities like prompt injection, hallucinations, and data leakage. By integrating directly into AI development and deployment workflows, the company helps organizations safely scale the use of large language models and AI-powered applications while maintaining strong security and governance standards.

What motivated you to move from a purely academic career into founding and leading Virtue AI, and what problem did you feel industry was failing to address at scale?

Traditional security tools were built for predictable applications with fixed paths. They were never designed for systems that reason, adapt, and act autonomously. My co-founders and I saw a gap between what foundational AI security research had produced and what enterprises actually had available to them. The research existed. The production reality didn’t. That’s what we set out to change.

Virtue AI focuses on safety, security, and compliance for large language models and autonomous agents. Which of these areas do you believe enterprises underestimate the most today?

Enterprises understand all of these areas to some extent, especially security, but there is still a big gap.

Enterprises have started to take model security seriously, at least at the surface level. But agents are a different problem. They’re being handed access to the most sensitive parts of enterprise infrastructure: executing code, calling APIs, browsing the web, and making chained decisions that touch data, finances, and operations. Most security teams aren’t set up to reason about that kind of system. The tooling they have wasn’t built for it.

The risk isn’t theoretical. Without security built specifically for agentic systems, small failures compound fast. An unexpected tool call, an ambiguous instruction, a prompt that slips past guardrails—any of those can escalate into unauthorized actions or data exposure before anyone notices something went wrong.

Continuous red-teaming is central to Virtue AI’s approach. What types of failures or risks tend to surface only once systems are live in production?

Most of the serious ones.

In a controlled environment, you’re testing the model and agents. In production, you’re testing the system—and those are different things. Once a model is connected to tools, retrieval pipelines, user inputs, and other agents, the behavior space expands in ways that pre-deployment testing doesn’t capture. A “safely configured” agent can act very differently when it’s connected to real databases, new MCP servers, or other agents. The system becomes non-deterministic. It starts making decisions based on context that didn’t exist during evaluation.

That’s when you find the failures that actually matter.

How do you think about measuring “AI safety” in practice, especially when systems evolve through fine-tuning, retrieval, and tool use?

In practice, AI safety cannot be measured through a single static benchmark because modern AI systems continuously evolve through fine-tuning, retrieval augmentation, and tool or agent interactions. Instead, safety needs to be evaluated as a system-level property across the entire lifecycle of an AI application. This includes stress-testing models and agents with diverse red-teaming attacks, monitoring real-time behaviors such as prompts, tool calls, and actions, and evaluating outcomes against defined risk policies (e.g., misuse, hallucination, privacy leakage, or unauthorized actions).

For instance, our award-winning paper (Best Paper at the National Security Agency and NeurIPS), DecodingTrust, has provided comprehensive security and safety testing for foundation models. Our DecodingTrust-Agent platform has built a realistic agent simulator hosting diverse environments with native red-teaming agents to perform dynamic, adaptive, and continuous red-teaming testing.

Importantly, safety measurement must be continuous and adaptive, since updates to prompts, retrieval sources, or tools can introduce new vulnerabilities. In practice, this means combining automated red-teaming, runtime guardrails, and observability to measure not just model responses but the safety of the end-to-end AI system operating in the real world.

Your research background spans robustness, privacy, and adversarial attacks. Which of these areas has proven hardest to translate into real-world defenses?

Translating research in robustness, privacy, and adversarial attacks into real-world defenses is actually very feasible. In fact, many of the research directions in my group are directly inspired by practical security challenges observed in deployed AI systems. The real difficulty lies not in building defenses, but in providing reliable security guarantees in dynamic, real-world environments.

In academic research, our group has made strong advances such as certified robustness and privacy guarantees, but these results typically rely on assumptions that may not fully hold in complex production systems. Modern AI applications continuously evolve through new data, fine-tuning, retrieval pipelines, and tool integrations, which can introduce new vulnerabilities over time.

As a result, effective AI security cannot rely on one-time protection—it requires continuous red-teaming, risk discovery, and adaptive guardrails that evolve alongside the system. This is exactly the philosophy behind Virtue AI: combining our long-standing research in AI security with automated large-scale red-teaming and real-time protection to continuously identify emerging risks and update defenses, enabling practical and scalable security for real-world AI systems.

What makes securing autonomous AI agents fundamentally different from securing traditional software or even chatbots?

Agents aren’t static programs. They don’t follow predictable paths, and they don’t stay within the perimeter you drew for them at deployment.

Traditional security assumes fixed execution paths, stable APIs, and deterministic behavior. Autonomous agents violate all of those assumptions. They reason about what to do next, pick tools based on context, and produce effects across multiple systems in a single run.

You can’t scan a prompt, harden a model, or monitor a single API call and consider the job done. You have to secure the agent as a complete system—its reasoning, its tool use, its environment, and what happens downstream.

That’s the core problem point controls can’t solve. They were never designed for it.

Where do existing security tools fall short when agents can act across many systems, tools, and data sources at once?

They leave you blind to how the agent actually operated end-to-end.

Most tools were built for applications with clear perimeters and stable behavior. They can tell you what a single API call looked like. They can’t tell you how an agent reasoned its way through five tool calls to produce an outcome nobody intended.

The visibility gap is the problem. If you can’t see the full chain of actions and decisions, you can’t govern it, and you can’t audit it after the fact.

How do real-time guardrails reduce risk compared with monitoring or logging alone?

Logging tells you what went wrong after the damage is done. It’s useful for forensics and compliance, but it doesn’t stop anything.

With autonomous agents, the delay between action and detection can be genuinely costly. An agent that’s already executed a bad API call or exfiltrated data didn’t wait for your logging pipeline to catch up.

Real-time guardrails intercept the action before execution. If an agent attempts something out of policy, it gets blocked or flagged before it runs, not after.

The combination matters too. Real-time prevention plus a single consistent enforcement point across all agent-to-tool interactions is a different risk profile than passive monitoring of individual components.

Virtue AI was founded by deeply technical researchers. How does that shape product decisions compared to more commercially driven AI startups?

AI security and governance is fundamentally a deep technical problem. The systems we are protecting—such as large language models, multimodal models, and agentic systems—are themselves built on advanced research. Without strong foundational AI expertise, it is almost impossible to design effective security solutions for them.

In many cases, the biggest challenge in AI security is when an advanced red-teaming algorithm identifies vulnerabilities of AI agents in a research paper—how do you translate that insight into a production-grade defense that can reliably protect real systems at scale? At Virtue AI, closing this gap between research and deployment is core to how we operate and what we are experienced with.

Because Virtue AI was founded by researchers who have spent decades working on AI robustness, adversarial learning, and trustworthy AI, our research and engineering teams work on the same problems simultaneously. Our researchers continuously study emerging model architectures, new agentic workflows, and evolving attack techniques, while our engineering teams integrate these insights directly into production systems.

When we identify a new vulnerability—such as a novel prompt injection pattern or agent manipulation strategy—it can quickly be translated into new detection models, guardrails, or red-teaming strategies. This happens continuously, not just on a quarterly product roadmap.

As a result, our products remain both cutting-edge and enterprise-ready, helping organizations secure their AI systems as they build and deploy them. Many of our customers tell us that this research-driven approach is exactly what allows them to move faster while maintaining safety and compliance.

In contrast, purely commercially driven teams often optimize around what customers are asking for today, which can lead to incremental features but may lag behind the rapidly evolving threat landscape of AI systems. In AI security, threats evolve as quickly as the technology itself. A research-first foundation allows us to anticipate new risks earlier and build defenses before they become widespread problems.

What is the most common misconception enterprises have about AI security when they first come to Virtue AI?

One of the most common misconceptions enterprises have when they first come to Virtue AI is that AI security can be addressed simply by applying traditional cybersecurity tools or basic content moderation filters.

In reality, AI systems introduce entirely new threat surfaces, such as prompt injection, jailbreaks, hallucination-driven misuse, data leakage through retrieval systems, and agent manipulation through tools or external APIs. These risks emerge from the behavior and reasoning of the model itself, not just from the surrounding infrastructure.

As a result, protecting AI systems requires security mechanisms that understand the AI model and agents’ inputs, outputs, and decision processes across the full lifecycle of an AI application, which requires fundamental AI research capabilities.

This is why we emphasize AI-native security: combining automated red-teaming to discover vulnerabilities, real-time guardrails to enforce policies, and system-level observability to monitor prompts, tool calls, and agent actions.

Once enterprises see how different AI risks are from traditional software risks, they quickly realize that securing AI requires a fundamentally new security stack.

Finally, what does “responsible AI deployment” mean to you in practice—not in theory, but inside an enterprise shipping products today?

Faster and safer aren’t opposites, even though most enterprises treat them that way. The assumption is that serious security slows you down—more review cycles, more gates, more friction before something ships.

In practice, the enterprises that deploy agents confidently are the ones that build security into the process rather than bolt it on at the end: automated red-teaming before deployment, real-time controls once the agent is live, and centralized visibility across the full agent lifecycle.

That’s not a compliance exercise. It’s what actually lets you move fast, because you’re not discovering in production what you should have caught earlier.

Responsible deployment, in concrete terms, means you know what your agents can do, you can see what they’re doing, and you can stop them when something goes wrong.

Responsible AI development enables continuous, large-scale AI system deployment with confidence, rather than slowing down AI innovation.

Thank you for the great interview, readers who wish to learn more should visit Virtue AI.

mm

Antoine is a visionary leader and founding partner of Unite.AI, driven by an unwavering passion for shaping and promoting the future of AI and robotics. A serial entrepreneur, he believes that AI will be as disruptive to society as electricity, and is often caught raving about the potential of disruptive technologies and AGI.

As a futurist, he is dedicated to exploring how these innovations will shape our world. In addition, he is the founder of Securities.io, a platform focused on investing in cutting-edge technologies that are redefining the future and reshaping entire sectors.