Expert Interview, June 2026
Governance on the Goal Line: Building Resilient, Auditable AI for High-Profile Events
An Interview with Kam Karaji, Director, Cyber Security & Risk Management at the NFL
At The AI Summit London, Kam Karaji, Director, Cyber Security & Risk Management at the NFL, delivered the session: Cyber Command Frontier: Human Strategy vs. Autonomous Adversaries.
In this interview, Kam discusses how AI is reshaping event security at stadium scale, the importance of human-in-the-loop decision-making, and what effective AI governance looks like from the boardroom to the field.

Interviewer: Hello and welcome to The AI Summit London. Today we are joined by Kam Karaji, the Director of Cyber Security & Risk Management for the NFL.
Kam: My background hasn’t always been technology. I’ve been in technology and cyber for the best part of 10 years. Before that, I was a police commander for 14 and a half years. My police background was varied, everything from being a bobby on the beat answering 999 calls to counterterrorism activities across the UK.
Why did I move into technology? We began seeing more intelligence threats coming into the UK through counterterrorism channels. As a human, how do I process 150,000 data points and decide what is important, what could cause harm, and what might injure someone? We didn’t have the benefit of AI then; it was all human-in-the-loop.
Since leaving policing, I’ve held CISO and cybersecurity director roles, mostly in financial services, and I ended up at the NFL by chance. I’m not a fan by any means, I don’t follow or fully understand the sport, but what’s interesting is the analogy of being a cyber‑proficient organisation and how that affects fan engagement and the game-day experience. It’s been a whirlwind, and I’m genuinely excited planning for a game and seeing fans enjoy it.
Interviewer: Now you’re at the NFL, and we’re here at The AI Summit. How do you see AI reshaping operations and cyber resilience, particularly for securing high‑profile venues and large‑scale events?
Kam: I like to show a Where’s Wally image when I talk. I can put it in front of my kids and they’re occupied for hours trying to find Wally. For me, that picture resembles a stadium and its 60,000–80,000 fans. Finding the one thing that matters in that crowd is almost impossible. Yes, we can have extensive physical and cyber controls, but something will slip through the net.
As professionals, we must decide what happens when something does slip through. How important is it? How does it affect the game, the fans, the event, and the NFL brand? With AI, we can analyse behaviours and, in jurisdictions that permit it, apply facial recognition. Some US states allow it; others don’t. That helps us track a person if they become an anomaly; this is user behavior analytics.
We also use MAGs (metal detectors). You may have seen newer airport scanners where you walk into a tunnel, raise your hands, and a scanner rotates around you. It’s not just looking for metal; it identifies anomalies on the body, items where there shouldn’t be items, shapes that resemble weapons, then triggers a physical pat‑down. Similarly at the NFL, our MAGs incorporate capabilities to detect threats beyond conventional metal.
We’ve seen everything from a knife hidden at the ankle to a plastic gun in a waistband. A plastic firearm won’t trigger a traditional metal detector, yet it can still cause lethal harm. So we blend technology and human judgment. AI provides a confidence score on potential threats, and professionals then decide: does this make sense, do we act, or not?
Interviewer: That’s fascinating operationally. Turning to responsibility and real‑world pressures: where are security teams getting genuine value from AI today, say in third‑party risk management and cyber risk assessment, and how does that stack up against adversarial use like deepfakes, large‑scale social engineering, and autonomous reconnaissance?
Kam: In the NFL, people might not expect the complexity within a sporting organisation, but it’s substantial. For example, say two teams come into the country to play. They’re here for a week: they train, they play on Sunday, and then fly home.
The issue with AI is that these individuals are highly visible on social media. Deepfakes can surface at any moment, targeting players and others. Malicious narratives can spread quickly, and by game day a player’s social channels can be flooded with harmful content generated by an AI agent or bot. This doesn’t just affect players; it affects officials, owners, executives, everyone.
Staying a step ahead of the adversary is possible, but doing so correctly at speed is extremely hard. In our world, what’s the quickest way to understand whether a deepfake could affect a game or a player? Use the human in the loop. How do we shut down the channel? Do we investigate or act immediately? We need clear executive guidance: what’s our kill switch, and when do we use it?
Interviewer: That flows into board‑level accountability. What should the conversation with a board about AI risk actually look like?
Kam: We’ve had an interesting journey. We have 32 clubs doing different things, so we needed governance. We asked all 32 clubs to tell us the business necessity they’re trying to meet. If they’re using AI, they submit a formal application to the NFL for review.
Club owners are innovators. They’ll deploy everything under the sun to technologically advance their team. That can be fantastic, but the more you automate with AI, the more those systems will make or inform decisions, and the data must go somewhere. Are those decisions being made without any human in the loop?
We created a governance steering group. Applications go to a formal panel with representation from legal, finance, business operations, and security. We assess: does it meet the business necessity and support sound decisions? If yes, it passes. If not, we highlight the risks.
When we speak that language to the board, we avoid a “safety‑net” approach. By the time you’re in the boardroom, directors are already on their own platforms seeking answers. I prefer to be transparent: if you’re using these tools, I’ll consult mine as well, then we’ll align on evidence, risk, and outcomes.
Interviewer: That leads to my next question about the human side of judgement in the AI sphere. How important is human judgement in your day‑to‑day decision‑making when using AI? The speed and efficiency are remarkable, but accountability and judgement must sit with a human.
Kam: If judgement doesn’t remain with a human and AI makes the decision for you, situational awareness can be lost. In policing, we were taught not to chase the “red mist”: when you fixate on a suspect, you miss what’s happening around you. In AI terms, that red mist can be a single alert that collapses the bigger picture into a narrow focus. As a leader, I have to step back and ask: what’s the broader risk? One individual or signal may be a decoy, replicated multiple times, while the real risk flashes in and out elsewhere. We need clear decision factors, when to escalate, when to contain, and when to stand down, and to ensure a human reviews AI outputs in context.
Closing
From stadium‑scale anomaly detection to deepfake response playbooks and formal AI governance, Kam Karaji underscores a pragmatic blend of AI and human judgment. The mission is clear: protect fans, preserve the game‑day experience, and make accountable, auditable decisions at speed.















