At the crossroads of AI, cybersecurity and commerce: Q&A with Mastercard’s incoming cyber, fraud and identity leader

Since childhood, Ann Johnson had every intention of becoming a lawyer. She was accepted by a law school and was even offered a scholarship.

But she didn’t go down this path. Instead, she went to Los Angeles, where she “pretty accidentally” ended up in the technology sector and later found a new calling to protect people in a different way, building cybersecurity teams and capabilities. 

That career start was 38 years ago. Johnson, the former corporate vice president and deputy chief information security officer at Microsoft, will be joining Mastercard starting on May 4 to lead Security Solutions. She’ll be taking the reins from Johan Gerber, who will now bring his cyber, fraud and identity expertise to a new role within the company’s Core Payments operations starting May 1. Together, these executive changes reflect Mastercard’s efforts to keep strengthening its core networks and grow in AI, data and cybersecurity.

As Johnson gets ready to join the company, the Mastercard Newsroom interviewed her this week. She discussed the cybersecurity challenges and opportunities posed by AI and shared her perspectives on partnerships and how the cybersecurity industry has changed in recent decades. 

Johnson, who lives in Seattle, started working in the tech industry in education and then healthcare. In 2000, she joined RSA Security, where she built its identity protection and verification business, which secured online banking and card payments. She joined Microsoft in 2015, where she was integral in building the tech giant’s security business.

“Coming to Mastercard is a privilege. This is a tremendous opportunity,” she said. “Mastercard is at the forefront of embedding security into the global payment systems, and this is an incredible foundation to build upon.” 

The following Q&A was edited for length and clarity.

I have been in technology my entire professional career, and I view the work that I've done in cybersecurity as very purpose-driven. It's all about securing the world. I'm incredibly excited about Mastercard because when I think about securing commerce and financial transactions, that's such an important part of the ecosystem, especially now as we're evolving to the era of agentic commerce. So blending the drive that I have to do work that has meaning and purpose, with the opportunity at Mastercard, it’s just a great match for me. I'm a technologist at heart, and my belief is that applied technology can make the world better.

When I started in cybersecurity in 2000, people spent more on their coffee budgets than they spent on their cybersecurity budgets – unless you were one of the largest organizations in the world. In that era, everything was about keeping bad guys out. There were firewalls and routers and all kinds of moats and walls around the infrastructure. In about, let's say, 2010 to 2012, we evolved into what we call the “assumed breach,” which meant that we assume the bad guys are already in the environment. So we minimized the damage by finding them as quickly as possible and setting up containment or segmentation so they can't move around the environment very quickly.

Then starting about 2018, 2019, we started talking about this thing called “zero trust.” And zero trust was this concept that identity is actually the control plane. We started moving away from these moats and walls and saying, “Okay, we actually need to open up the environment, but really give zero trust to everything,” meaning that as a person, you, your laptop, or your applications have the least access needed to do the job.

Now in the year 2026, and particularly in the past two weeks with Mythos by Anthropic, the paradigm has shifted again. That shift is that we need to go back to the fundamentals and truly consider what secure by design means. We have to be deliberate about security, privacy and trust throughout every digital and human interaction.

I'll give you the most pragmatic example: I want to buy a pair of shoes, right? I'm going to ask my agent to go search the internet to find the best price, best shipping, best availability for this pair of shoes so I'm not having to manually search 20 websites. AI will be one of the best tools to help us quickly sort through a prolific volume of data and determine that an agent is doing what they're supposed to.

That's one use case. The second use case is automated security operations centers. Envision a world where we can materially scale and improve our human efforts for things like threat hunting and auto-remediation of cyber vulnerabilities.  

The third use case: non-human identities. Everything has an identity in your environment – your computer, your software, data. As an industry, we know how to manage human identities, but we've not done a fantastic job managing non-human identities because of the volume. Think about everything from a healthcare device to an automated mining vehicle in the middle of the desert to an oil rig in the ocean. Those are all connected devices, but they also have decadeslong life cycles. So how are you going to patch, update, etc.? 

AI will be able to determine if those devices are behaving in the manner they're intended to behave much more quickly than any other tooling, and then get to the place where we're automatically patching those devices and determining whether it’s behaving in a malicious manner or if it’s just broken. That’s just one of many positive use cases. 

It's going to be a step change for the bad actors and a step change for the good guys. I believe that even with AI, the good guys are going to stay ahead. 

For Mastercard to be successful, whether in cybersecurity, identity or fraud, we have to protect, secure, and nurture a really strong ecosystem.

We have to continue to refine the strategy and think about who the right partners are to help us execute – merchants, banks, technology companies, regulators – because constructive partnerships have to be mutually beneficial.  

Data is deeply important – not just to optimize and deliver our own services, but also to help the ecosystem to do the same. That’s how you create real value.  

I want to push the envelope on what we can do to really propel the industry into the future very quickly and continue to protect the payment ecosystem. I think Mastercard is uniquely positioned to do just that.