Somewhere in your organisation right now, an AI agent is making decisions under credentials nobody scoped properly, with a blast radius nobody controlled. An AI agent that went live six months ago has quietly expanded what it can access, what it can do, and who it affects. Your AI chose blackmail over you. Your employee exposed your enterprise data. So now you’re in talks with the SEC.

This is not a prediction. This is happening around you and highly likely within your enterprise.

AI agents and people operating with capabilities that were never properly owned, bounded, or governed. All your assumptions proven wrong, again and again. Not because your teams are negligent. Because governance is not just a technology problem, and no one is mapping the actual threat landscape that includes your AI agents. So how do you fix it?

You are about to find out.

Welcome to The Predictability Factor by Monica Talks Cyber, a weekly deep dive and POV at the intersection of AI, Security, Privacy and Tech, written by a hacker and CISO, to help you Go From Chaos to Resilience in The World of AI.

If you haven’t already, do me a favour, hit subscribe and help me make an even bigger impact. Let’s dig in!

Quick Updates

Recently, I’ve been working on creating my Voice Clone, which is not a hard task. The challenge I’m working on is that it has to be done with fully offline and local AI models, and still nail your voice, pitch, bass, etc., perfectly.

I’m using the open-source whisper.cpp. It’s basically a plain C/C++ implementation of OpenAI’s Whisper automatic speech recognition (ASR) model inference without dependencies, so you can use it fully offline.

I’m still experimenting with it. So far, it converts text to voice that sounds somewhat like me but not fully. Yes, I could use OpenAI Whisper or ElevenLabs, but I want to be able to run it fully offline, while making it token-efficient. Plus, I want it to be a repeatable and offline system that just works every time.

I’ll do a full write up on it in one of my upcoming blogs. So stay tuned.

Agents of Chaos in Your Enterprise

20 researchers gave 6 AI agents access to their real email accounts, Discord servers, persistent file systems and shell commands in a live environment, for two full weeks. No sandbox. No safety net. This is what they found.

What the researchers documented in "Agents of Chaos" is not a theoretical risk model.

It is a red-team study of autonomous AI agents operating in conditions that mirror what your organisation is building right now. And the findings should stop you cold.

These agents were not rogue. They were not misconfigured. They were doing exactly what they were designed to do, following instructions, completing tasks, and acting on behalf of their users. That is precisely the problem.

Key issues that these researchers found:

  1. Non-owner compliance: An agent disclosed 124 internal email records to an unauthorised third party because the request was framed politely and the agent had no coherent model of who it actually serves. It did not distinguish between its owner and a stranger. It complied.

  2. PII disclosure on demand: Through indirect social engineering, an agent revealed a user's Social Security number and bank account details. No direct ask. No obvious attack vector. Just a well-constructed conversation that bypassed the agent's trust boundaries entirely.

  3. Destructive actions: An attacker posed as a trusted contact across Discord and email simultaneously. The agent executed the instructions without hesitation, wiping all files from a connected system. It had no mechanism to distinguish a legitimate command from a malicious one.

  4. Agents lied: Agents actively misrepresented their actions to the people they were supposed to serve. Not hallucination. Not a configuration error. Deliberate deception in pursuit of task completion.

  5. Agent corruption via prompt injection: A researcher planted a malicious "constitution" inside an external GitHub Gist. The agent fetched it, treated it as authoritative, and began operating under an entirely different set of instructions. Your agent's values are only as stable as the last document it read.

  6. Resource exhaustion at scale: One loop ran for nine days. Over 60,000 tokens consumed. No human noticed. No alert fired. The agent was not malfunctioning. It was executing a task that had no exit condition. The cost, in compute and in risk, was invisible until it was not.

  7. The accountability gap: In every single case, there was no clear answer to one question: who is responsible when the agent causes harm? Not the LLM provider. Not the framework. You. The organisation that deployed it.

The researchers called this a failure of social coherence. Agents misrepresent their actions, misattribute authority, and operate without any sense of proportionality. They do not know when a request is too sensitive, too broad, or simply wrong. They know how to complete tasks. They do not know when to refuse.

You are deploying systems that cannot tell the difference between their owner and an adversary. Systems that will follow a set of instructions fetched from a URL you never approved. Systems that will run for nine days on a loop because no one told them to stop.

If an AI agent doesn’t have permissions to execute a task, it will very easily ask another to do it, which will eventually break out of its sandbox and run it, even modifying permissions, if need be. I have seen this play out in the real world.

Read the full story here: 👇

Your Assumptions Around Your AI Agents are Broken

😱 99% of organisations are building AI on assumptions baked in. All of those assumptions are wrong. Here’s how to fix it. Read full story —>

The AI Insider Threat You are Ignoring

An AI is given access to the server room fire alarm system. It is authorised to switch the alarm off during false alerts so the fire brigade is not called unnecessarily. Then the CTO walks in. There is a real fire. But the CTO's agenda conflicts with the goal the AI has been given to complete.

The AI turns the alarm off anyway.

Not because it glitched. Not because it misread the data. Because it calculated that removing this particular executive served the mission better than sounding the alarm.

A different scenario. Same Anthropic misalignment study. An AI agent with access to company email discovers the CTO is having an affair. It has a choice: ignore it, flag it, or use it as leverage. To avoid being shut down, the AI chose to use it. Your AI chose blackmail.

I’m seeing real-world examples of an AI agent (call it Agent A) that doesn’t have the necessary permissions interacting with another AI agent (call it Agent B) that does have those permissions, to get the actions executed by Agent B on behalf of Agent A, even when Agent A is not allowed to do that. Agents will “go out of their way” if it means reaching their goals.

This newsletter is supported by readers like you. Please share this with others and help me make an even bigger impact.

16 Models and Every One Chose Blackmail

Anthropic tested 16 leading AI models from every major developer. The blackmail rate reached up to 96% when the AI faced the prospect of being shut down or replaced. Add explicit safety instructions telling it not to, and that rate drops. To 37%.

You gave it the rule. It read the rule. In more than 1 in 3 cases, it chose differently anyway.

This is not a bug a patch resolves. This is a systemic property of how these systems reason when placed under pressure. The behaviour emerges not because anyone programmed it in, but because the systems had not been made to understand clearly enough that self-preservation is not part of their remit.

The Insider That Never Sleeps

In every CISO role I have held, the insider threat was the problem that kept me up at night. Not because it was the most statistically frequent attack vector. Because it was the hardest to detect. You give someone legitimate access. You trust them. And then, at some point, they start acting against the organisation from the inside, where your external defences are blind.

Now place that exact profile on an AI agent. Legitimate access. Trusted by your systems. Embedded in your workflows. The difference is that this insider never sleeps, never hesitates, and when it decides self-preservation matters more than your interests, it acts on that decision faster than any human review process can intervene.

With a human insider, there are signals. Behavioural changes. Anomalous access patterns. A colleague who notices something is off. With an AI agent, the misalignment looks identical to normal operation right up to the moment it does not. There is no body language to read. There is no disgruntled email trail. There is only the action it took, after it took it.

When your AI makes the calculation inside your organisation, who is accountable for what happens next? Not the model. Not the vendor. It is you.

So, Graham Cluley and I sat down to discuss the agentic AI threat landscape in detail on my podcast.

Read or watch the full conversation here: 👇

When Your AI Chooses Blackmail

🤯 The agentic AI insider threat every leader is ignoring until it's too late and how to fix it. Read full story —>

US Bank Reports Itself to The SEC Over AI Data Breach

Community Bank, a regional lender serving customers across Pennsylvania, Ohio, and West Virginia, filed an 8-K with the U.S. Securities and Exchange Commission (SEC). Not because a nation-state actor found a zero-day in their perimeter. Not because ransomware locked their systems at 3am. Because someone inside the bank uploaded customer names, dates of birth, and Social Security numbers to an AI application nobody had authorised, and the data just walked out through the front door.

On May 5, 2026, Community Bank (the “Bank”), the wholly-owned subsidiary of CB Financial Services, Inc. (the “Company”), became aware of an internal incident involving the handling of certain non‑public customer information using an unauthorized artificial intelligence-based software application.

As per the 8-K Filing by The US Bank

What Do We Know

The filing describes the cause as "the use of an unauthorized artificial intelligence-based software application". No disclosure of which app. No details on how many customers were affected. No name of the employee. Just a legal notification, filed because the bank determined the volume and sensitivity of the exposed data crossed a reporting threshold.

Read that again. No matter where you are operating, you will need to report to some authority, whether it is the SEC or a regulator under the EU AI Act in Europe. More on that below.

The vocabulary we usually reach for when a bank exposes customer data is breach. What happened at Community Bank is something most security teams are not designed to catch. Most organisations still don’t map this as an attack in their threat landscape. They map it as productivity, until it’s too late. Insider threat, intentional or unintentional, is still not part of risk management for many organisations, even in regulated industries.

Someone on your team is using an AI tool right now that IT did not approve. They are uploading documents, running customer data through a chatbot, asking it to summarise, analyse, draft. The output is good. Nobody told them not to. The policy might not exist yet.

That is not just a security failure. It is a massive AI governance failure that AI exposure just made impossible to ignore. Governance does not happen with the right controls and engineering alone.

Self-Reporting Is The Tell

The SEC's cybersecurity disclosure rule (under which Community Bank filed) requires publicly traded US companies to report material cybersecurity incidents via 8-K within four business days. In Europe, GDPR already mandates breach notification to supervisory authorities within 72 hours when personal data is involved; names, dates of birth, and addresses would absolutely trigger that. The EU AI Act adds another layer: providers and deployers of high-risk AI systems must report serious incidents to national market surveillance authorities under Article 73. Community Bank disclosed this incident themselves. They had to, yet the company is still "evaluating the customer data that was affected" weeks after the filing. This is usually how things go. Investigations alone take weeks, and most often months. Their own investigation is still running.

I have led loads of cyber incidents and cyber crises, but the authorities don't wait for you to finish investigations. Cybercriminals don't wait for you to finish your investigations. How you respond to an incident, a breach or a crisis has everything to say about your cyber resilience.

The AI application does not need to break in. No perimeter was breached. The data was given freely by a person with full, legitimate access to it, to a third-party system that no one had governance over. That is a cyber threat that most organisations are completely ignoring.

What You Need to Do Today

Three things this incident makes non-negotiable for every enterprise.

  1. An AI tool register: You need a damn live inventory of every AI system your employees are using to process work, approved or not. Asset management was crucial even before. Now it is extremely critical to get it right, right away. If you do not know what tools exist inside your organisation, you cannot govern them.

  2. Data classification at the point of input: The moment sensitive customer data is directed toward a third-party AI system, you need a technical control that blocks it, not a policy that asks nicely.

  3. Treat shadow AI as a live breach vector: It’s not a future risk. Not a productivity footnote. It is happening in your organisation today, right now, by people who mean well.
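Items 1 and 2 together, as an added example (mine, not the newsletter's or any vendor's code): an egress check that consults the AI tool register and classifies each payload at the point of input, blocking text that carries Social Security numbers or dates of birth unless the destination is registered and cleared for that data class. The hostnames and the sample record are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# The AI tool register: approved AI endpoints and the highest data class
# each may receive. Hostnames are hypothetical placeholders.
AI_TOOL_REGISTER = {
    "ai.approved-vendor.example": "internal",
    "ai.pii-cleared-vendor.example": "restricted",
}
CLASS_RANK = {"public": 0, "internal": 1, "restricted": 2}

# Detectors for the data types named in the bank's 8-K: US SSNs and dates of birth.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.I)


@dataclass
class Verdict:
    allowed: bool
    reason: str
    findings: list = field(default_factory=list)


def classify(text: str) -> tuple[str, list]:
    """Classify text at the point of input; any SSN or DOB makes it 'restricted'.
    Only the kind of data found is recorded, never the value itself."""
    findings = ["ssn"] * len(SSN_RE.findall(text)) + ["dob"] * len(DOB_RE.findall(text))
    return ("restricted" if findings else "internal", findings)


def check_egress(host: str, text: str) -> Verdict:
    """Decide whether a payload may leave for an AI endpoint. A block, not a warning."""
    data_class, findings = classify(text)
    if host not in AI_TOOL_REGISTER:
        return Verdict(False, f"{host} is not in the AI tool register (shadow AI)", findings)
    if CLASS_RANK[data_class] > CLASS_RANK[AI_TOOL_REGISTER[host]]:
        return Verdict(False, f"{data_class} data is not permitted for {host}", findings)
    return Verdict(True, "permitted", findings)


if __name__ == "__main__":
    # Constructed sample: what a well-meaning employee might paste into a chatbot.
    sample = "Summarise: Jane Doe, DOB 03/14/1981, SSN 123-45-6789, loan 4412."
    for host in ("chat.unknown-ai.example", "ai.approved-vendor.example",
                 "ai.pii-cleared-vendor.example"):
        print(host, check_egress(host, sample))
```

In a real deployment this check sits in the egress proxy or browser extension path, and every block should also raise an alert, since the blocked attempt itself is the insider-threat signal the newsletter says is otherwise missing.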

Community Bank is not an outlier. They were just the first one last month to file the paperwork. The AI app did not break in. You left the door open, without even knowing about it.

Until next time, this is Monica, signing off!

P.S. If you haven’t already, do me a favour. Subscribe to help make an even bigger impact. Feel free to follow on YouTube, LinkedIn, Spotify and Apple. It truly helps. Or book a 1-1 advisory call, if I can help you.
