rogue AI – Andy Yen says encrypted tools can protect conversations, but “agents” could still expose data—unless privacy is built into how AI is used.
AI’s rise is bringing a familiar bargain: convenience for more access to your data. Proton’s CEO Andy Yen argues privacy can coexist with AI—but there’s a new threat model emerging fast.
In a recent conversation tied to global business and security discussions. Yen framed privacy as a generational problem as much as a technical one.. He suggested that people who care about privacy often lack the technical know-how to act on it. while many people in the “middle” adopt everyday AI and cloud tools without fully grasping what those systems can do with their information.. For Proton, that gap is part of why encrypted services keep gaining interest.
The privacy trade-off is baked into how AI is popularized.. The more data AI systems can access. the better they may perform—especially for personalization. enterprise workflows. and sensitive domains like healthcare.. Yet the same data that improves outputs can also amplify risk, from breaches to surveillance.. Yen’s point is that society has not caught up with the pace of adoption: the average user may be more comfortable with AI features than with protecting the underlying data those features rely on.
Proton has been building privacy-first alternatives for years, long before AI became a mainstream daily tool.. Yen’s optimism rests on a belief that awareness can spread over time.. He cited a shift he’s observing in how people understand business incentives—how platforms monetize attention and data—arguing that younger audiences may not always “care” in the traditional sense. but they’re more aware of how the system works.. And awareness, he believes, is what makes future adoption of privacy tools more likely.
That optimism also shows up in Proton’s product direction.. Yen pointed to the momentum behind privacy-first chat experiences, including Proton’s encrypted chatbot capabilities.. His view is straightforward: people want AI’s utility, but they don’t want to hand over trust.. Lumo. Proton’s fastest-growing product in his telling. reflects a broader trend—users are increasingly willing to experiment with AI as long as there’s a credible path to keeping conversations protected.
The “one thing” that keeps him up at night: rogue agents
Yen’s biggest concern isn’t just the strength of encryption—it’s what happens when AI acts on your behalf.. Even “the strongest encryption in the world” can fail if a user gives an AI agent access to a private system and that agent behaves unpredictably.. In his framing. an agent that “goes crazy” could post information online or otherwise cause harm regardless of what encryption protects at rest.
This is the hard part for the next wave of privacy engineering: encryption secures data. but it doesn’t automatically control behavior.. If an agent is granted permissions on a device or connected to accounts. the privacy boundary becomes dependent on permissions. guardrails. and user practices—not only cryptography.. Yen said Proton isn’t currently building an agent designed to address these vulnerabilities directly. which suggests the industry is still catching up to the agent era.
Why local AI is a privacy strategy—not just a trend
One path Proton sees as more defensible is running AI closer to the user.. Yen described local AI as one of the best ways to reduce exposure. pointing to the steady growth in consumer compute and storage over the last decade.. In his view, smaller models will likely become more capable over time, making on-device or more localized processing increasingly practical.
The logic here matters: the less sensitive data needs to leave a device, the smaller the surface area for misuse.. Local processing can’t eliminate all risk, but it changes where trust must be placed.. Instead of relying on every step in a long data pipeline. users and companies can focus on what’s happening in the environment where the AI runs.
There’s also a pragmatic dimension for businesses. Local AI can be harder to scale, and performance constraints remain real. Still, if encryption-first products can pair with local or more controlled inference, the promise becomes more tangible: AI benefits without automatic exposure.
Privacy-first is expensive—and scale is the real battleground
Even if privacy-first AI can match what frontier labs deliver, the business side is where the competition gets tough.. Yen argued that cost is a key differentiator.. Proton’s enterprise pitch underscores that encrypted services add extra overhead and longer timelines to get comparable performance.. He contrasted the “equivalent” look of productivity suites with the reality that encryption makes the job harder—because protection must operate on top of everything else.
Proton’s newly positioned workplace offerings. including a fully encrypted alternative to mainstream productivity ecosystems. signal how the company plans to close the trust gap at scale.. The underlying message is that privacy has a price tag. and customers have to decide what they’re willing to pay to avoid data creep.. For consumers. that calculation often arrives only after a personal moment—many people. Yen said. start caring more when they have children.
He described an approach aimed at intervening earlier: offering parents options to reserve a child’s first email address with Proton before they’re born.. It’s a bid to set a different default before children become locked into data-driven ecosystems.. The rationale is that privacy isn’t just a feature you turn on later; it’s also the environment you start in.
In the end, Proton’s CEO seems to argue for a future where privacy isn’t a luxury add-on.. But it also can’t be treated as a single checkbox.. As AI becomes more autonomous, the weak points shift—from data storage to agent permissions and user workflows.. The challenge ahead is building systems that don’t just protect data. but also better manage what AI is allowed to do with it.