Financial Services
How MoonPay Stopped Blocking AI and Started Governing It
Summary
As AI use took off across MoonPay, the team needed a way to give employees room to move without losing control of security and compliance. With Cato AI Security in place, MoonPay could support AI adoption across the company while maintaining its compliance standards, keeping security scores above 99%, and avoiding the need to add security headcount.
Key Results
- PCI Level 1, SOC 2 Type 2, and ISO 27001/27018/27701 certifications maintained with security scores above 99% throughout rapid AI expansion
- Security team scaled AI governance company-wide without adding headcount
- New AI requests no longer force a choice between speed and security
Securely Moving Money Across Two Worlds
MoonPay is the world’s largest provider of crypto payments infrastructure. The company serves 35 million customers and 500 enterprise partners — including Mastercard, PayPal, Nike, and Adidas — across 180+ countries. Doug Innocenti joined as CISO nearly five years ago, later expanding to CIO and CSO. Years of disciplined work had earned MoonPay PCI, SOC 2, and ISO 27001 certifications — a rare standard in the crypto industry — and Innocenti had no intention of giving that ground back.
Then ChatGPT burst onto the scene. While the industry defaulted to “don’t worry about it,” Innocenti saw exactly what to worry about: everything he’d built was blind to what was happening inside the AI tools themselves. He started looking for a solution before most of his peers had framed the question.
“Blocking AI was never an option. It’s too powerful,” Innocenti says. “What I needed was something that could get in between the employee and the tool, in real time, and help ensure it’s being used safely.”
The Gap No Existing Tool Could Close
Existing tools like DLP and CASB had no visibility into AI conversations, and the problem was growing: vendors were silently activating AI inside tools MoonPay already had deployed. “I could secure the data coming into the computers. I could secure the data going out,” Innocenti explains. “But what was being fed to the AI, and what was coming back — that was a risk I couldn’t see.”
He tested every option: DLP, access restrictions, locking down data sources. Every path ended the same way: to truly contain it, he’d have to take everything away. Just as he was running out of options, he came across Aim Security, now Cato AI Security via Cato’s acquisition of Aim in 2025. “Cato AI Security isn’t retrofitted for AI,” Innocenti says. “It is built for it. It is an enabler that also protects. It fit exactly into the strategy I wanted.”
For customers, an acquisition can be a moment of uncertainty. For Innocenti, it made perfect sense. AI was moving, as he put it, “from a product into a protocol” — woven into every system and workflow at the network layer. Cato was already there. “Because Cato sits at the top of the network, it catches every AI interaction — every prompt, every response — no matter how it’s generated,” he says. “That’s exactly where AI security needs to be.”
From Blind Spot to Business Enabler
Before setting policy, Innocenti deployed in discovery mode. What he found confirmed what he’d suspected: AI was already everywhere. “It went from 0 to 100 in a moment,” he says. Rather than blocking, the team worked alongside employees to understand how AI was being used and tune controls accordingly.
That visibility became the foundation for real-time enforcement, tuned to how MoonPay’s teams actually work. Today Cato AI Security governs every way MoonPay’s teams interact with AI. The catches are concrete. When MoonPay launched an internal CLI, an employee hit an error — a crypto wallet address, blocked by Cato AI Security. “We never thought about that,” the employee said. That was the point.
Blocking what shouldn’t go in is one thing. Innocenti thinks equally hard about what leaves. Enterprise licenses for LLMs protect against data being used for model training, but not against data leaving the perimeter. “Enterprise licenses expand the blast radius,” he explains. “If those vendors have a problem, the data you sent is still there.” Cato AI Security lets him set limits on what leaves and anonymize what does.
It speaks to a philosophy that shapes every control he sets. “Data is an asset,” he says. “You’ve got to find a way to let people use it securely. If I can manage where it goes and anonymize when it does, I make security an enabler, not a blocker.”
“Data is an asset. You can lock it down, put it in a vault, and no one ever touches it — but it’s a valuable asset that people need to use. You’ve got to find a way to let them use it securely. If I can manage and control where it goes and anonymize it when it does, I make security an enabler, not a blocker.”
Doug Innocenti, CIO/CSO, MoonPay
The Long Position Pays Off
The results are clear. PCI Level 1, SOC 2 Type 2, and ISO 27001/27018/27701 certifications have held through rapid AI expansion. Security scores have stayed above 99%. The team has kept pace without adding headcount.
The business impact is harder to measure but easy to feel: Innocenti can say yes. With governance in place across every layer, new AI requests no longer force a tradeoff. In a market where AI is a competitive differentiator, that ability to move without hesitation is the edge. “We’re now securing AI across our employees, our internal tools, and the AI features we ship to customers — with the same level of rigor throughout,” he says.
The next chapter is agentic AI — autonomous systems that take actions, not just respond to prompts. As MoonPay builds into agentic AI, Cato AI Security is part of the architecture from the start. It’s the same discipline that has governed every layer before it.
“The company has never operated without AI security in place,” Innocenti says. “I don’t know that world — and I never want to go back to it.”
About MoonPay
Through a single integration, MoonPay powers on- and off-ramps, trading, crypto payments, and stablecoin infrastructure, connecting traditional payment rails with blockchains. MoonPay maintains a broad regulatory footprint, including a New York BitLicense, a New York Limited Purpose Trust Charter, and money transmitter licenses across the United States. MoonPay also has MiCA authorization in the EU to provide on- and off-ramps.
MoonPay is how the world moves value.