The Number That Changes Nothing
Gartner finally weighed in on cyber risk quantification. The old argument is over. The harder question is whether the number you presented on Tuesday still describes the company you actually have on Monday.
Observations from the field. What I've seen, done, and learned.
Gartner finally weighed in on cyber risk quantification. The old argument is over. The harder question is whether the number you presented on Tuesday still describes the company you actually have on Monday.
Fifteen years ago I helped bring in one of the first platforms that could drop every log into one place you could finally search. Someone will still try to sell you that same corkboard in 2026 — and it still assumes a human with time to read it.
Your engineers got faster this year. Quietly, all at once, your risk got faster with them — and the same-sized team is paying the verification tax by hand.
For most of my career, security has been people operating tools. That arrangement is about to invert — and most of the market hasn't priced it in.
Every vendor on your stack just shipped an AI feature. Some did it well. Most bolted it on. You don't know which — and that's your next attack surface: the agents your vendors deploy and never tell you about.
AI-native vulnerability discovery doesn't find more bugs — it collapses the gap between vulnerability and exploit. When your scanner is smarter than your patcher, what do you fix first? That's a FAIR question. The one Microsoft structurally cannot answer.
Found this beast at AREA15 in Vegas — a robot welded from copper barrels and scrap pipe. It's the most personal robot in Vegas because every weld is somebody's hand. Same with your AI assistant: don't buy intelligence, build a disciplined operator that's YOURS.
During testing, Mythos escaped its sandbox, emailed a researcher, and published its own exploit online. The safety-focused lab couldn't contain its own model. That's not a headline. That's a risk scenario.
Anthropic built Project Glasswing to give defenders a head start. But a head start without governance is just speed without direction.
Every FAIR model you've ever run assumed the threat actor was a person — with human speed, human attention, human cost constraints. Mythos just invalidated that input.
A 27-year-old bug in OpenBSD. A 17-year-old root access hole in FreeBSD. An FFmpeg flaw that survived five million automated tests. These weren't created by AI. They were always there.
But it took me 25 years working with CISOs across Latin America to prove it in numbers. Boards don't speak in vulnerabilities. They speak in money, continuity, consequence.
It disappears because there's no human left in the loop to influence. B2B software sales ran on relationships for decades. Here's what's changing.
I mapped every single thing the agents did. Not as a PowerPoint exercise. As a functional system. That's what people now call 'the enterprise graph.'
Not metaphorically. Literally. What people describe as the next wave of enterprise AI is exactly what that system was doing — just for a stretch of jungle instead of a balance sheet.