Last week, cybercriminals took over high-profile Instagram accounts, including the Obama’s White House handle and the US Space Force's chief master sergeant. No malware. No 0-day. It just took opening Meta's AI support assistant and asking it politely.
A few weeks ago, McKinsey’s AI system got hacked by an autonomous AI, without access to any credentials, any malware or any 0-day attack. All that happened within 2 hours.
This is the state of AI in your enterprise, whether you know about it or not.
I’m seeing this everywhere around me. Your agents have what is called "excessive agency", and they are running amok with it across your infrastructure. Most organisations have failed to understand how this is impacting their business and their risk profile, and what the heck to do about it.

Welcome to The Predictability Factor by Monica Talks Cyber, a weekly deep dive and POV at the intersection of AI, Security, Privacy and Tech, written by a hacker and CISO, to help you Go From Chaos to Resilience in The World of AI.
Today’s edition of The Predictability Factor by Monica Talks Cyber, covers:
If you haven’t already, do me a favour, subscribe and help me make an even bigger impact. Let’s dig in!

Quick Updates
Last month, I had the utmost privilege of giving the opening keynote at one of the biggest tech and cyber conferences in Slovakia.
In my keynote, I shared real-world examples of how agentic AI is being hacked, how to secure it, but most importantly how to govern it from end-to-end, from policy to risk management to actual controls.
Here's one of the examples I used in my keynote.
Have you ever seen a surgeon’s work?
A surgeon works with the instruments laid out on the tray. That tray does not contain a chainsaw.
What the heck does a surgeon, a surgical tray and your AI agent have in common? We’ll dive deep into that in this edition.
My keynote from Slovakia is coming out next week on my YouTube channel, subscribe here to not miss it.

Your Agent Walked into a Bar With a Chainsaw
A surgeon works with the instruments laid out on the surgical tray. That tray does not contain a chainsaw. But when it comes to your AI agents, the story is the complete opposite. That’s precisely the problem with agentic AI.
You are giving your agents the chainsaw. That’s the problem of “excessive agency”.
Your zero-trust implementation is only protecting you from the wrong threat. Not because it was poorly built. Because it was built for a different actor. When you give an AI agent an email-send tool with no scope boundary, or a delete function with no confirmation gate, or write access to a database while it can process any and all information, it is going to use it.
This is practically like giving a surgeon (your AI system) a chainsaw as part of its tooling (permissions to take action) and then hoping it doesn’t grab it.
The agent is not intentionally rogue. The authorisation was given. The chainsaw was handed over. The tool that should never have been on the tray in the first place was accessible. The agent walked into the bar with the chainsaw.
You are giving your AI systems access to “the chainsaw” and then wondering why AI used it. If it got the chainsaw, it will use the chainsaw. That's exactly how Meta’s AI assistant got hacked. That’s exactly how McKinsey’s AI got hacked. That’s highly likely what’s happening with your AI agents in your enterprise.
This is the problem of excessive agency or, in other words, "failure or complete lack of least agency". The examples above are classic textbook, yet very real-world, examples of that failure.
But this is not the same as least privilege.
Least privilege tells you to give a system the minimum access it needs. Least agency goes one level deeper.
Least agency tells you to give an AI agent the minimum action capability it needs to complete the specific task it is currently executing, not globally, not at configuration time, but at the moment of execution.
They are not the same. The distinction matters because your AI agents are not static. That’s why your traditional zero-trust model, enforced at configuration or deployment time, won’t protect you when your AI agents run amok with a chainsaw across your enterprise environment, mostly due to three key reasons:
Excessive functionality
Excessive permissions
Excessive autonomy
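To make the distinction concrete, here is an added example (not from the newsletter) of a tiny authorisation layer that resolves an agent's tool tray per task, at execution time, instead of granting every tool at configuration time. The tool names, task names, and the example.com recipient scope are constructed for illustration.

```python
"""Added example (not from the newsletter): least privilege vs. least agency
for an AI agent's tool tray. Tool names, task names and the example.com
recipient scope are constructed for illustration."""
from dataclasses import dataclass


class AgencyViolation(Exception):
    """The agent reached for a tool that is not on its current task's tray."""


@dataclass(frozen=True)
class Grant:
    tool: str
    scope: frozenset = frozenset()      # e.g. recipient domains an email tool may address
    needs_confirmation: bool = False    # human gate for destructive actions


# Least privilege at configuration time: every tool the agent may ever need,
# granted once at deployment. Anything on this tray is usable during any task.
CONFIG_TIME_TRAY = frozenset({"db_read", "db_write", "send_email", "delete_record"})

# Least agency: one tray per task, resolved only while that task is executing.
TASK_TRAYS = {
    "summarise_ticket": (Grant("db_read"),),
    "notify_customer": (Grant("db_read"),
                        Grant("send_email", scope=frozenset({"example.com"}))),
    "purge_stale_records": (Grant("db_read"),
                            Grant("delete_record", needs_confirmation=True)),
}


class LeastAgencyBroker:
    """Authorises each tool call against the tray of the task currently executing."""

    def __init__(self, confirm):
        self._confirm = confirm   # callback(task, tool, args) -> True only on human approval
        self.audit = []           # (decision, task, tool, reason) records for detection

    def authorise(self, task, tool, **args):
        tray = {g.tool: g for g in TASK_TRAYS.get(task, ())}
        grant = tray.get(tool)
        if grant is None:
            return self._deny(task, tool, "not on tray")
        if tool == "send_email":   # scope boundary: recipient domain must be granted
            domain = args.get("to", "").rpartition("@")[2]
            if domain not in grant.scope:
                return self._deny(task, tool, f"recipient domain {domain!r} out of scope")
        if grant.needs_confirmation and not self._confirm(task, tool, args):
            return self._deny(task, tool, "human confirmation withheld")
        self.audit.append(("allowed", task, tool, ""))
        return True

    def _deny(self, task, tool, reason):
        self.audit.append(("denied", task, tool, reason))
        raise AgencyViolation(f"{task}: {tool} denied ({reason})")


def compare(task, tool, confirm=lambda *_: False, **args):
    """Return (allowed_by_config_time_tray, allowed_by_least_agency) for one call,
    simulating an agent that, mid-task, acts on content asking it to use `tool`."""
    config_time = tool in CONFIG_TIME_TRAY
    broker = LeastAgencyBroker(confirm)
    try:
        least_agency = broker.authorise(task, tool, **args)
    except AgencyViolation:
        least_agency = False
    return config_time, least_agency
```

With the config-time tray, `compare("summarise_ticket", "delete_record")` is allowed because the chainsaw was handed over at deployment; the per-task broker denies it and writes an audit record you can alert on.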
I wrote a deep-dive on excessive vs. least agency for agentic AI. Read the full story here:👇
You Gave Your Agent a Chainsaw
What is the principle of least agency, why does it matter and how to do it right. Read full story —>

Mo’ AI, Mo’ Layoffs
The recent layoffs aren’t just brutal; they have become a vicious cycle. The CEOs who have laid off employees over the last months fall into exactly two categories.
Those who have miscalculated the cost of layoffs versus the cost of running AI.
Not just deploying AI, but running AI to actually produce the outcomes they have already signed deals with their customers to deliver. Token costs have increased drastically, and once the employees who ran the AI left, the quality of the outcomes dropped while the cost of running AI and producing those outcomes increased, and that too drastically. As quality dropped, customers complained. Many re-hired human employees.
Those who are using AI simply as an "excuse". They know very well AI is not the reason, yet they lay off employees citing AI, just to increase their market valuation, get the stock price up, please the shareholders, etc. However, there hasn’t been a more ironic turn of events. Where layoffs previously caused share prices to soar, recently they have had the opposite effect, sending share prices plummeting: when Cloudflare laid off thousands of employees, despite beating Earnings per Share (EPS) and revenue expectations, the shares plummeted ca. 24%.
But those in category two eventually realised (or soon will) that with the current state, the cost of running AI is much more than the cost of human employees.
The latest release of Claude Fable 5 just proves my point further. It is the same underlying model as the mystic Mythos version, trained on the same weights (and yes, it is more powerful), but with significant restrictions (obviously, everything is hackable) and costs, such as:
More conservative guardrails around cybersecurity, biology and chemistry use cases
Limited access to paid subscribers until June 22
Burns your tokens at 2x rate vs. Claude Opus 4.8
2x the cost of Claude Opus 4.8 and
3x the cost of Claude Sonnet 4.6
Right at the moment CEOs make this alarming realisation, that they miscalculated the entire “AI-layoff” mathematics, they fall back into category one. Both categories keep feeding into each other, over and over.
The vicious cycle repeats.
The Math Ain’t Mathing
Eventually token usage will become a commodity. It has to, for it to be sustainable and accessible over the long term, but that time is not now.
For now, while token prices have fallen 280 times over the past two years (going in the right direction of becoming a commodity), total enterprise AI spend has risen 320% in the same period.
Uber's CTO confirmed the company burned through its entire 2026 AI coding budget in four months. One healthcare enterprise consumed one trillion tokens in six months, generating over $6 million in unplanned costs before finance could even trace the source.
The reason is not complicated.
Agentic AI consumes up to 1,000 times more tokens than a standard LLM query, depending on the number of steps required to complete a task. Every autonomous action, every RAG retrieval, every chain-of-thought reasoning loop burns tokens. Newer models at higher cost and higher burn rates only make this problem worse.
Yet either nobody modelled this before the headcount announcements went out, or they laid off people anyway, using AI as the excuse and the employees as the next scapegoat.
Layoffs or Loops
Peter Steinberger recently tweeted about “self-running loops” that prompt your coding agents instead of you prompting them. He isn’t the only one. Boris Cherny, the guy who leads Claude Code, recently said this:
I don't prompt Claude anymore. I have loops running that prompt Claude and figuring out what to do. My job is to write loops.
But you still have to be in the loop to test it, otherwise you’ll just run your token costs through the roof.
So the idea is basically that you don’t code through prompts. You design self-running loops or multi-agent systems that generate, create, question, and refine prompts for you. Your job is to design that multi-agent system.
One agent proposes code → another reviews/tests → a meta-agent improves the next prompt based on results.
Rinse. Repeat. Tokens through the roof.
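The loop above, written out as an added example (not the newsletter's, nor Peter Steinberger's or Boris Cherny's tooling) with the two controls the paragraph argues for: a hard token budget checked before every agent call, and a human checkpoint every few iterations. The three agents are stubs whose token counts are constructed; a real run would read them from the model API's usage fields.

```python
"""Added example (not the newsletter's, nor Peter Steinberger's or Boris Cherny's
tooling): the propose -> review/test -> refine loop with a hard token budget and a
periodic human checkpoint. Agents are stubs with constructed token counts."""


class BudgetExhausted(Exception):
    """The next agent call would push cumulative spend past the budget."""


class LoopRunner:
    def __init__(self, token_budget, human_every, approve):
        self.token_budget = token_budget
        self.human_every = human_every  # ask a human every N iterations
        self.approve = approve          # callback(iteration, spent) -> True to keep looping
        self.spent = 0
        self.trace = []                 # (iteration, role, tokens) for cost attribution

    def _charge(self, iteration, role, tokens_in, tokens_out):
        cost = tokens_in + tokens_out
        if self.spent + cost > self.token_budget:   # stop before the call, not after
            raise BudgetExhausted(f"{role}@{iteration}: {self.spent + cost} > {self.token_budget}")
        self.spent += cost
        self.trace.append((iteration, role, cost))

    def run(self, prompt, proposer, reviewer, refiner, max_iters=10):
        for i in range(1, max_iters + 1):
            code, used = proposer(prompt)
            self._charge(i, "proposer", *used)
            verdict, used = reviewer(code)
            self._charge(i, "reviewer", *used)
            if verdict == "pass":
                return {"status": "done", "iterations": i, "tokens": self.spent}
            prompt, used = refiner(prompt, verdict)  # meta-agent rewrites the next prompt
            self._charge(i, "meta", *used)
            if i % self.human_every == 0 and not self.approve(i, self.spent):
                return {"status": "stopped_by_human", "iterations": i, "tokens": self.spent}
        return {"status": "max_iters", "iterations": max_iters, "tokens": self.spent}


def make_stub_agents(passes_on=4):
    """Stub agents; the reviewer fails every attempt before attempt `passes_on`."""
    attempts = {"n": 0}

    def proposer(prompt):
        attempts["n"] += 1
        return f"code v{attempts['n']}", (1200, 400)  # constructed (tokens_in, tokens_out)

    def reviewer(code):
        return ("pass" if attempts["n"] >= passes_on else "tests failed"), (1500, 100)

    def refiner(prompt, verdict):
        return f"{prompt} | fix: {verdict}", (2000, 300)

    return proposer, reviewer, refiner


def demo(token_budget, human_every=2, approve=lambda i, spent: True):
    """Run the loop under a budget; report how far it got and what it cost."""
    runner = LoopRunner(token_budget, human_every, approve)
    try:
        return runner.run("implement the parser", *make_stub_agents())
    except BudgetExhausted:
        done = len({step[0] for step in runner.trace})
        return {"status": "budget_exhausted", "iterations": done, "tokens": runner.spent}
```

With these constructed counts a single proposer call costs 1,600 tokens, while `demo(50_000)` converges after four iterations at 19,700 tokens, and `demo(8_000)` is cut off mid-iteration two instead of running until the invoice arrives.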
I am not saying these skills don’t matter. I am just saying AI gurus have not calculated the actual cost of this efficiency, while telling everyone that prompting agents is dead and loops are the way to go. Clearly, they don’t have token constraints like most of you.
I warned about this one year ago.
It bears repeating. Companies are outright replacing you and entire departments with AI, thinking it’s a great idea. It is not. Here are at least 3 reasons why:
1. Vibe Coding is Great Until You Ship Code to Production
Vibe coding may be great, and yes, it makes virtually everyone a “coder”, but 90% of that 90% of code will end up buggy, insecure and, in certain cases, even fatal. Agentic AI-based coding by someone who understands code, versus someone just vibe coding an app and shipping it into production, is more a skills-and-governance problem. But we will see more of these examples. Eventually some company will suffer a massive loss. Some executive, likely the CISO, will become the scapegoat and will be held liable, to whatever extent. Most of this unsafe, insecure code will end up being used and reused without anyone understanding the implications.
Look, coding with AI has become 100x. And sure, engineers and coders can also produce buggy, insecure and faulty code, but when a system stops working at 3am and there’s no one who understands that code, not even an AI that can fix it without crashing your production or the other environments connected to it, lowering that threshold means two things:
On one hand, it’s an amazing opportunity for accessibility and for bringing the world forward. On the other, because the threshold is so low now, we need a better, faster and more efficient way not only to detect this buggy code (which AI can, with the latest models) but also to keep systems from falling apart, especially when insecure code can become part of the entire value chain of a company.
We simply aren’t there yet. Doesn’t mean we won’t ever be. But we aren’t there today. Eventually we will.
2. Cybersecurity Isn’t Just Coding or Hacking Skills
We need more people in cybersecurity: not just those who understand code, but also those who understand the psychology behind cyberattacks and the emotions it triggers to get users to click on things, the flawed fundamentals of “throw money at tech” and why that doesn’t work, how to motivate stakeholders to do the right things, how to leverage AI and human skills and competencies, how to drive the business forward, how to communicate, how to build and execute a vision, and how to help the business continue to do “risky” things while managing security risks, safety concerns and AI issues, with a vision of what needs to be built, not necessarily just the how, but the what and the why.
With AI doing most of the coding and even hacking for you, while you need to understand the basics, the biggest skill that’ll set you apart from others in the AI era will be your ability to connect the dots between the problem and the solution, and be able to design the architecture for that.
Cybersecurity is not just about coding, hacking or being a SOC analyst. AI outright replacing cyber folks will just increase that already large talent gap.
3. Trading One Problem with Another
You, as a company, do not become efficient by outright replacing a skilled workforce with AI. That’ll just create problems you have never heard of, issues that AI cannot fix and that you no longer have the right people to fix, and even more problems from trying to fix, with AI, what AI created in the first place and never understood to begin with, which will ultimately lead to more inefficiencies.
That is the AI-efficiency trap that companies are falling for.
Add to that: junior to mid-level staff are likely the most inexpensive staff you have, they are the most eager to learn and grow, and even if they aren’t the most skilled, they are the next generation of builders, creators and architects.
If there will be no human in the loop, who is even designing and running AI loops?
In fact, you become efficient by training and utilising skilled workers for the things that AI clearly cannot lead on, and then by building an augmented team of AI and human employees (“and” being the key), where AI replaces tasks rather than the entire workforce.
73% of organisations that executed AI-driven staff cuts failed to come out financially ahead. 55% of executives now regret replacing workers with AI. 35% of companies have already rehired more than half the roles they cut. The roles that once paid $55,000 are now commanding $75,000 or more, because they require someone who can manage, audit, and govern the AI that was supposed to make those roles unnecessary.
So, how do you skill up? Read the full deep-dive here:👇
The “AI-Layoff” Math Ain’t Mathing
AI Layoffs are happening. The panic is real. But it's all a bit misguided. Read full story —>

This newsletter is supported by readers like you. Please share this with others and help me make an even bigger impact.

Don’t Touch Consciousness
At a Stanford event last week, a student asked Demis Hassabis, Google DeepMind CEO, what AI should not touch.
He replied: consciousness.
In 2023, I did a keynote and panel in Grand Cayman, and I talked about how AI was already changing and shaping humanity through the means of human language. Natural Language Processing (NLP) is one of the primary reasons why so many people believe AI is “real”, “conscious” and “their best friend or even lover”.
You have watched the movie, Her, haven’t you?
Demis’ argument is precise and the enterprise implications are going to hit harder than you can imagine.
Hassabis calls AGI-level intelligent tools the "first Rubicon." Making entities that seem conscious to us is the "second Rubicon."
In his talk, he advises crossing the first, then stopping to think hard before crossing the second. Intelligence and consciousness are dissociable. You do not need one to have the other.
I have been saying this for a while now.
As I walked off the stage after giving my opening keynote in Slovakia last month (video coming out soon on my YouTube), a CEO asked me how I know AI is not conscious. If it isn’t conscious, how can it “mimic” humans so well, know it’s being tested, or choose its own goals against your explicit instructions?
The answer isn’t simple but it relies heavily on what AI has been trained on.
An AI that is trained on fiction, stories, sci-fi or decades of data that depicts AI as a self-preserving entity will "teach" itself to be “self-preserving”. It will learn to mimic that training by choosing goals of self-preservation. That’s learning, not consciousness.
Consciousness is a hard question to answer and prove in a machine.
While we understand human consciousness to include cognitive abilities, awareness, emotions and more, I believe we will need to redefine human consciousness more precisely than we do today before we can define “what makes a machine conscious and what the signs of consciousness are”.
For now, I don’t agree with Geoff Hinton, who is suddenly claiming that AI is conscious just because it knows it’s being tested or because researchers say “it’s aware”.
To me that is training and learning, not consciousness. But I do agree that we will need to redefine consciousness and differentiate what it means for humans vs. AI.
However, what this means for your governance framework and enterprise is more immediate than you have accounted for.
If you are deploying AI systems today, you are deploying tools, not conscious entities. Not yet. Not with LLMs. That may be a tiny relief, but only a tad.
The risk profile, the liability framework, and the ethical accountability structure that applies to tools is already complex enough that most organisations have not fully mapped it.
Today, any wrong decision or action by an AI system means a human needs to be ultimately held accountable. The question is what that accountability entails and how do you define it? Is it the developer? The business owner? The CEO? The board?
Those questions are hard enough, but the moment the field moves toward systems that exhibit what Hassabis calls "feeling", the entire governance model will need to shift overnight.

AI Glasses aka The Gift That Keeps Giving
Just last week, on June 4, 2026, Wired published findings from a code review of the Meta AI app, called the companion app, for Meta's Ray-Ban smart glasses. The app was installed on over 50 million devices. But that’s not the most interesting part.
Hidden inside: a fully built facial recognition system called NameTag.
The code would convert every face the glasses captured into a unique biometric faceprint, compare it against a database stored on-device, and surface the person's identity to the wearer. Faces the system did not recognise were cropped, indexed, and stored locally for future processing. Two versions had been scoped internally: one that recognised only the wearer's existing Meta connections, and one that could identify anyone with a public social media account.
Meta's VP of Communications called the reporting "shoddy" and "intellectually dishonest." Within 48 hours, Meta quietly pushed an app update that deleted the code entirely.
Meta declined to answer questions from WIRED. Whether it had already built the biometric database. How long it retained photographs of unrecognised strangers. Whether that data would ever reach Meta's servers. No answers. The feature, they said, "does not exist."
The Red Flag
The "dormant code" framing is precisely the governance trap you need to flag right now.
Meta's defence rested on the argument that because the feature was not activated, it was not real. Under the EU AI Act's prohibitions on untargeted biometric scraping, the distinction between code that is deployed and code that is merely present on 50 million devices is not the clean line Meta implied. Shipping a system into production without disclosure, then removing it when caught, is not a governance policy. It is the absence of one. It is a complete violation of your digital privacy. It is a prohibited use case for AI under the EU AI Act.
The second thing worth sitting with: Your employees are wearing these glasses into your offices, into your boardrooms, and into your facilities where you store sensitive information and host confidential conversations. Meta refused to confirm whether NameTag's data collection had already begun during internal testing.
Two days earlier, on June 2nd, Amazon was hit with a class action lawsuit over its Ring doorbell camera. The feature called Familiar Faces, launched in December 2025, uses AI to identify people who regularly come to a home. Ring users opt in. The delivery worker, the neighbour, the person walking past on the pavement do not. Virginia resident Charles Sigwalt filed the suit in Seattle seeking at least $5 million for a proposed nationwide class.
The lawsuit states:
Millions of Americans passed by a Ring security camera and unknowingly had their facial recognition information collected.
Amazon's response: the data is encrypted and unidentified faces are deleted after 30 days.
That is not the same thing as consent. Read these two stories together because they are the same story.
The legal ground under both cases is not the technology. It is the consent gap between the person who opted in and every other human being who entered the camera's field of view without agreeing to anything.
Your AI feature's opt-in policy governs one person. Your AI feature's data collection affects everyone around them. That gap is now a class action template.
You have no way to audit that from the outside, and your physical security policy almost certainly has not caught up with the reality that an always-on AI camera with dormant biometric processing is now a consumer wearable. The convergence of physical, digital and biological worlds started a while back, and is only going to get stronger.
As a GRC leader, CISO or security team, the risks you’ll need to govern are going to increase in complexity.
This is not a story about one company removing one feature after public pressure.
Amazon's Ring already paid $5.8 million to the FTC for employees accessing private customer videos without authorisation. Meta previously used facial recognition at scale and abandoned it only after a $650 million class action settlement under Illinois's BIPA law. The features came back with the same ambition, just in different forms.
With AI, robotics and AR, the convergence of physical, digital and biological security is going to matter so much more than ever before. So are the risks around them that you’ll need to manage or be accountable for. I talked about the convergence threat landscape in my keynote in 2022.
Does your AI governance implementation cover hardware around you and not just software that sits in your cloud?
Until next time, this is Monica, signing off!