Blog

Five Eyes Finally Says The Quiet Part Out Loud

ByKayne June 22, 2026June 22, 2026

Five eyes cyber security agencies statement

Key quote:

Unsupported systems are easy targets. They are not just technical debt, they are strategic liabilities.

Why it matters: Five Eyes is awfully chatty lately, from warning about the risks of China recruiting spies via LinkedIn to giving context on the use of agentic AI. In their latest report, they say “Cyber risk can no longer be treated as a purely technical issue. This is a core business risk and leadership responsibility.” Which is what I’ve been saying for years (including in my new book), except now it’s coming from the five prominent western spy agencies.

Anthropic’s marketing campaign for Mythos seems to have been a prelude to Fable, which was suddenly pulled in June 2026 when the Trump administration blocked foreign nationals from accessing it. And that’s because they recognized the same thing that this report points out: a lot of software (they call that software “strategic liabilities”) hasn’t been subjected to the same level of adversarial testing as modern web browsers, and so AIs aren’t having problems finding vulnerabilities. This isn’t a new problem, though. We’ve known the enterprise security software market has been terrible for decades, and Neils Provos was shelling software using older models earlier in 2026. It’s just reaching fever pitch as new models (and harnesses for older ones) get better. That urgency is backed by hard numbers: CISA’s pointing out that we can’t just ‘patch harder’ – after all, only 26% of known exploited vulnerabilities were remediated in 2025, down from 38% the year prior. Meanwhile, Zscaler found a 93% year-over-year spike in sensitive enterprise data being uploaded to AI tool; companies don’t have adequate controls in place.

Checkbox compliance isn’t going to work in this case, although honestly, it hasn’t worked for years. Companies need to start thinking very quickly about attack surface management and actual zero trust (I’ve been on about this for years), and then have demonstrable evidence that those controls actually work. If you can’t prove your controls hold under pressure, you’re just hoping for the best when being investigated or audited. It’s likely that this will be the year insurers and attorneys sit up and take notice of how companies were (or weren’t) operating their defensive controls at a new level of detail in response to breaches.

Blog

The $20 Billion AI Black Box and the Data You Thought Was Private
ByKayne May 6, 2026June 10, 2026

Key quote: “Because no Defendant in this matter has served on Plaintiff either an answer or a motion for summary judgment as of the filing of this Notice, Plaintiff may dismiss this matter without prejudice as a matter of right.” Why it matters: I was tracking Case 3:26-cv-02803 because it potentially exposed an uncomfortable economic…

Read More The $20 Billion AI Black Box and the Data You Thought Was Private
Blog

3,800 Repos, One Extension, Zero Excuses
ByKayne May 20, 2026June 10, 2026

Key quote: 1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub’s internal repositories. Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately. Why it matters: One developer at…

Read More 3,800 Repos, One Extension, Zero Excuses
Blog

Who Owns Liability in AI Hiring?
ByKayne June 16, 2026June 16, 2026

Key quote: “It makes no sense for a Texas employer with a Texas applicant who will perform work in Texas, I don’t think there is any dispute that that employer would be subject to Texas law for employment discrimination.” What plaintiffs are asking the court to do is to also apply California law, depending on…

Read More Who Owns Liability in AI Hiring?
Blog

Why Shell vs. CLF Could Change Your AI Governance Program
ByKayne June 2, 2026June 10, 2026

Key quote: A producing party’s good-faith averment of nonexistence resolves a production dispute. Why it matters: Welp, I’m *not* an attorney, but I’m tracking this one closely. In our last episode of How the Conservation Law Foundation, Inc. v. Shell Oil Company Turns, CLF had been ordered (PDF) to produce the prompts that were used…

Read More Why Shell vs. CLF Could Change Your AI Governance Program
Blog

Regulators Are Blinking. Your AI Risks Aren’t Waiting.
ByKayne May 14, 2026June 10, 2026

It was a pleasure joining Aashis Luitel and Tristan Ingold on Sprinto’s webinar today. We covered a lot of ground in an hour, but here’s what I keep coming back to: the worst thing leaders can do right now is wait. The timing of the webinar was comedy gold. Days before we chatted about AI…

Read More Regulators Are Blinking. Your AI Risks Aren’t Waiting.
Blog

What happens when police let an algorithm do the investigating
ByKayne June 11, 2026June 11, 2026

Key quote: What looks like a second, independent identification is in fact the same algorithmic error surfacing twice, creating an illusion of confirmation that drives officers to treat the result as reliable. Why it matters: Robert Dillon is a commercial crabber from Fort Myers who’d never been to Jacksonville Beach and was arrested due to…

Read More What happens when police let an algorithm do the investigating

Similar Posts