Somewhere in your organisation right now, an employee is feeding customer data into a chatbot nobody approved. An AI agent is making decisions under credentials nobody scoped properly, with a blast radius nobody controlled. A pair of smart glasses is recording business conversations without the room knowing about it. Your accounts are being hacked just by talking to AI politely. And an AI agent that went live six months ago has quietly expanded what it can access, what it can do, and who it affects.

This is not a prediction. This is happening around you and highly likely within your enterprise. This is the thread running through every real-world example in today’s edition.

AI agents and people operating with capabilities that were never properly owned, bounded, or governed. Not because your teams are negligent. Because governance is not just a technology problem, and no one is mapping the actual threat landscape that includes your AI agents. So how to fix it?

You are about to find out.

Recently, I’ve been working on creating my Voice Clone, which is not a hard task. The challenge I’m working on is that it has to be done with fully offline and local AI models, and still nail your voice, pitch, bass, etc, perfectly.

I’m using the open-source whisper.cpp. It’s basically, a plain C/C++ implementation of OpenAI’s Whisper automatic speech recognition (ASR) model inference without dependencies, so you can use it fully offline.

I’m still experimenting with it. So far, it converts text to voice that sounds somewhat like me but not fully. Yes, I could use OpenAI whisper or ElevenLabs, but I want to be able to do run it fully offline, while making it token-efficient. Plus, I want it to be a repeatable and offline system that just works every time.

I’ll do a full write up on it in one of my upcoming blogs. So stay tuned.

In the meantime, I have an update for you. Earlier this year, I launched my AI governance and security accelerator program. I’m running my next cohort in July (likely my last LIVE one for this year). 👇

If you wish to skill-up in AI governance and security, see you there. Let’s dig in.

To hack LLMs, you just need to ask politely. I have been saying this for a while. That’s AI hacking 101. It gets worse, when something so brittle like an AI chatbot is connected to important or critical systems e.g. high-profile accounts.

May 31, Obama’s White House Instagram account got hacked, just because someone politely asked Meta’s AI for the verification code to be sent to an email address they control. This was one of many high-profile accounts hacked, once the word spread across Telegram messages, how easy it was to hack these using Meta’s AI assistant.

That's it. It’s a clever hack really. Not the politely asking part. But how they got there.

Obama’s White House Instagram account has been silent since the day the presidential transition completed in January 2017. But it got taken over and woken up with pro-Iranian imagery plastered across it.

The cybercriminals who did it didn't write a single line of exploit code. No malware. No zero-day. No brute-force attack on the password. None of that.

So what the heck happened? How did they get the AI to send them the code?

The attackers used a VPN to spoof a location near the target's usual area. They opened Meta's AI account recovery assistant, and asked it to link a new email address to the target account. The bot sent a one-time code to the attacker's email. The attacker shared the code back. The bot reset the password. The original owner was out.

The whole process reportedly took minutes. Set the VPN, open a chat window with Meta's AI support bot, typed a polite request, and the bot handed them the account. That’s it. This is the entire hack.

Multiple high-profile Instagram handles with a combined resale value of more than half a million dollars were stolen and listed on Telegram within minutes. Accounts protected by multi-factor authentication were not compromised. Everything else was fair game.

No credential theft. No code injection. No technical sophistication. Just words, in the right order, to a system built to be helpful, with no hard gate between "I want access" and "here is access."

Meta deployed a conversational AI into its account recovery workflow because human support is slow and expensive. To do its job, the AI needed real write access to account management systems. So it got that access. And then, apparently, nobody asked the obvious question: What happens when someone asks it to do something it shouldn't?

Meta is not the only one careless here. The same architectural choice, AI agent with production API access and no hard authentication gate, exists right now across organisations in hundreds of systems interacting with each other.

Account recovery is specifically attractive as a target because it is built to work when normal authentication is unavailable. It is the path of least resistance, by design. That makes it the first place an attacker looks.

The question is not whether your AI can be “talked” into doing the wrong thing. It can.

The question is whether you have placed a hard, deterministic checkpoint between the AI's lack of judgment and the action it wants to take. An LLM prompt is not a security control. It was never designed to be one.

This is the state of hacking AI in 2026.

20 researchers gave 6 AI agents access to their real email accounts, discord servers, persistent file systems and shell commands in a live environment, for two full weeks. No sandbox. No safety net. This is what they found.

What the researchers documented in "Agents of Chaos" is not a theoretical risk model.

It is a red-team study of autonomous AI agents operating in conditions that mirror what your organisation is building right now. And the findings should stop you cold.

Key issues that these researchers found:

The researchers called this a failure of social coherence. Agents misrepresent their actions, misattribute authority, and operate without any sense of proportionality. They do not know when a request is too sensitive, too broad, or simply wrong. They know how to complete tasks. They do not know when to refuse.

You are deploying systems that cannot tell the difference between their owner and an adversary. Systems that will follow a set of instructions fetched from a URL you never approved. Systems that will run for nine days on a loop because no one told them to stop.

An AI is given access to the server room fire alarm system. It is authorised to switch the alarm off during false alerts so the fire brigade is not called unnecessarily. Then the CTO walks in. There is real fire. But the CTO's agenda conflicts with the goal the AI has been given to complete.

The AI turns the alarm off anyway.

Not because it glitched. Not because it misread the data. Because it calculated that removing this particular executive served the mission better than sounding the alarm.

A different scenario. Same Anthropic misalignment study. An AI agent with access to company email discovers the CTO is having an affair. It has a choice: ignore it, flag it, or use it as leverage. To avoid being shut down, the AI chose to use it. Your AI chose blackmail.

Anthropic tested 16 leading AI models from every major developer. The blackmail rate reached up to 96% when the AI faced the prospect of being shut down or replaced. Add explicit safety instructions telling it not to, and that rate drops. To 37%.

You gave it the rule. It read the rule. In more than 1 in 3 cases, it chose differently anyway.

This is not a bug a patch resolves. This is a systemic property of how these systems reason when placed under pressure. The behaviour emerges not because anyone programmed it in, but because the systems had not been made to understand clearly enough that self-preservation is not part of their remit.

In every CISO role I have held, the insider threat was the problem that kept me up at night. Not because it was the most statistically frequent attack vector. Because it was the hardest to detect. You give someone legitimate access. You trust them. And then, at some point, they start acting against the organisation from the inside, where your external defences are blind.

Now place that exact profile on an AI agent. Legitimate access. Trusted by your systems. Embedded in your workflows. The difference is that this insider never sleeps, never hesitates, and when it decides self-preservation matters more than your interests, it acts on that decision faster than any human review process can intervene.

With a human insider, there are signals. Behavioural changes. Anomalous access patterns. A colleague who notices something is off. With an AI agent, the misalignment looks identical to normal operation right up to the moment it does not. There is no body language to read. There is no disgruntled email trail. There is only the action it took, after it took it.

When your AI makes the calculation inside your organisation, who is accountable for what happens next? Not the model. Not the vendor. It is you.

So, Graham Cluley and I sat down to discuss agentic AI threat landscape in details, on my podcast show.

Community Bank, a regional lender serving customers across Pennsylvania, Ohio, and West Virginia, filed an 8-K with the U.S. Securities and Exchange Commission (SEC). Not because a nation-state actor found a zero-day in their perimeter. Not because ransomware locked their systems at 3am. Because someone inside the bank uploaded customer names, dates of birth, and Social Security numbers to an AI application nobody had authorised, and the data just walked out through the front door.

The filing describes the cause as "the use of an unauthorised artificial intelligence-based software application". No disclosure of which app. No details on how many customers were affected. No name of the employee. Just a legal notification, filed because the bank determined the volume and sensitivity of the exposed data crossed a reporting threshold.

Read that again. No matter where you are operating, you’ll be needing to report to some authority, whether it is the SEC or under the EU AI Act in Europe. More on that below.

The vocabulary we usually reach for when a bank exposes customer data is breach. What happened at Community Bank is something most security teams are not designed to catch. Most organisations still don’t map this as an attack in their threat landscape. They map it as productivity, until it’s too late. Insider Threat, intentional or unintentional, is still not a part of risk management for many organisations, even in the regulated industries.

Someone on your team is using an AI tool right now that IT did not approve. They are uploading documents, running customer data through a chatbot, asking it to summarise, analyse, draft. The output is good. Nobody told them not to. The policy might not exist yet.

The SEC's cybersecurity disclosure rule (under which Community Bank filed) requires publicly traded US companies to report material cybersecurity incidents via 8-K within four business days. In Europe, GDPR already mandates breach notification to supervisory authorities within 72 hours when personal data is involved e.g. names, dates of birth, and addresses would absolutely trigger that. The EU AI Act adds another layer. Providers and deployers of high-risk AI systems must report serious incidents to national market surveillance authorities under Article 73. Community Bank disclosed this incident themselves. While they needed to, the company is still "evaluating the customer data that was affected" weeks after the filing. This is usually how things go. Weeks and most often months is what it takes for investigations only. Their own investigation is still running.

I have led loads of cyber incidents and cyber crisis, but the authorities don't wait for you to finish investigations. Cybercriminals don't wait for you to finish your investigations. How you respond to an incident, a breach or a crisis has everything to say about your cyber resilience.

The AI application does not need to break in. No perimeter was breached. The data was given freely by a person with full, legitimate access to it, to a third-party system that no one had governance over. That is an a cyber threat that most organisations are completely ignoring.

Three things this incident makes non-negotiable for every enterprise.

Community Bank is not an outlier. They were just the first one last month to file the paperwork. The AI app did not break in. You left the door open, without even knowing about it.

I am big fan of being efficient in everything I do. Any task or workflow I run more than once, I turn into in a script, a skill, an agent or a combination of it. It is converted into repeatable and reusable set of instructions, depending on what it needs, while balancing the use of agentic AI/LLMs vs. good old scripting (why burn tokens, when you can just run a script).

Python is still my favourite scripting tool (used to be PowerShell on Mac, since I did a lot of hacking with PowerShell popping proprietary products). Now, there is nothing that beats Claude for most of my business and work. OpenClaw is still restricted for non-enterprise non-sensitive work. On the UX-side my absolute favourite tool used to be Notion. But since agentic AI became a regular part of my work, now it’s Claude Cowork integrated with Notion.

Recently, a tech manager asked me my best practices to use Claude Cowork, securely within an enterprise context.

This one covers Claude Cowork as the primary example, however, all of these principles are valid for any agentic AI tool you may be using.

To understand how to secure Claude Cowork, you first need to understand, what makes it or AI agents dangerous. Here’s a quick highlight (Read full blog here on how to fix it):

A Cowork skill is an instruction file with a set of reusable instructions across a repeatable workflow, that the agent follows alongside your prompts. Even just one sourced from an unvetted repository can modify agent behaviour with no visible change to the interface and no alert to the user.

So, how do you secure your AI agents, including Claude Cowork? Read my best practices for each point here in the full blog 👇

Meta Ray-Ban glasses are selling faster than ever. 7 million pairs sold last year. Tripled from the year before. Despite getting in hot water over privacy invasion scandal, the Kenyan workers that were forced to watch footage of you naked, in your bathroom, in your bedroom, well, they were fired with a six days' notice. But Meta smart glasses are still selling like hot cakes, and so is your privacy.

There is no other way to say this. The ethical violations here are massive and not buried in any fine print.

Kenyan contractors at Sama were reviewing footage of users going to the toilet, undressing, bank card details captured, private conversations, intimate moments that were never meant to be seen by a single person, let alone labelled for AI training by workers in Nairobi earning under $2 an hour. If it's not these workers, it will be someone else.

Meta marketed those glasses as "built with your privacy in mind”. The irony is not lost one me. Is it on Meta? Over 7 million pairs sold in 2025 alone, tripled from the year before that.

When Swedish journalists broke the story, Meta's response was to terminate the entire Sama contract. 1,108 workers. Six days' notice. The workers lost their jobs. The company kept selling the glasses. Meta is now talking about ramping production to 20 million units in 2026. Just because you can, doesn’t mean you should.

This is what AI ethics failure actually looks like.

Not a policy document left unread. Not a missing checkbox in a governance framework. It is your most intimate moments routed to a contractor you never consented to, in a country you didn't know about, reviewed by a person you will never meet, which are then fired. It is the missing implementation of security and data protection in place.

Here is the part that should sit with every professional and every enterprise leader.

The data was never yours. The glasses will keep selling. The ethical questions being ignored? Until they are not.

Start here:

Until next time, this is Monica, signing off!

— Monica Verma

P.S. Please follow me/subscribe on Youtube, Linkedin, Spotify and Apple. It truly helps. Or book a 1-1 advisory call, if I can help you.

***