A peer told me recently that AI governance is bullshit. I’ve heard this before. It’s a common misconception when our industry believes that governance is about policy. It is not. It's about continuous control and evidence from beginning to the end, while building resilience.

Continuous AI execution is easy. Continuous AI governance is extremely hard. That doesn’t make it unnecessary. It makes it an even more important problem worth solving.

While plenty of governance people assume security will sort itself out on its own, and plenty of security experts believe AI governance is bs, both are wrong.

This last week made the cost of that argument obvious in so many ways I can't keep track of, including the US govt. yanking Fable 5 to “allow it to be released again.”

But here are some more highlights that prove we need AI governance and controls: a GitHub repo whose only crime was a helpful error message that handed a stranger a developer's credentials without a single line of malicious code, a Munich court made Google personally liable for a lie its own AI told about a real company, and a drone maker calmly confirmed that ten machines sent toward Bakhmut had no way to be called back.

None of that is a checkbox problem.

Assume chaos. Build resilience. I have said it before and I’ll say it again:

In the world of agentic AI, it means three key things:
- Assume chaos
- Verify across agentic AI lifecycle
- Build elements of resilience

Redefining Trust in The Era of AI, The Predictability Factor

Governance that's checkbox failed long before agentic AI came into the picture. You are definitely not going to succeed with the checkbox approach now.

True AI governance is about the evidence, or lack of it, that someone was still in control when the system broke and that control was enforced.

  • It is about observability of how your AI behaves under different scenarios and what you control when it drifts.

  • It is about the sovereignty and who actually owns your data.

  • It is about the reskilling bet that needs to be made more often, faster.

  • It is about who is liable when your AI is the one that lied or went horribly wrong.

  • It’s about many more questions that can’t be answered with either policy or technology alone.

This edition is what that AI governance control looks like in five different rooms this month, and what it costs the people who assumed they already had it.

Welcome to The Predictability Factor by Monica Talks Cyber, a deep dive and POV at the intersection of AI, Security, Privacy and Tech, written by a hacker and CISO, to help you Go From Chaos to Resilience in The World of AI.

If you haven’t already, do me a favour, subscribe and help me make an even bigger impact. Let’s dig in!

Quick Updates

🫣 I know, I’ve been away. I went completely off-grid to enjoy the UK summer, since we moved here around 2 years ago. Best time to do it is when it’s scorching hot I guess.

  1. As I came back, I went straight to the AI panel I was invited to speak at on AI governance and resilience in cybersecurity, hosted by Elevate VC and NinetyOne UK. Here are the three key things I talked about:

    1. Data governance and sovereignty - I cover a part of it in this week’s edition

    2. Assume chaos and build resilience - This is the no. 1 advise I give to enterprises

    3. Human in the loop vs. human oversight - They are not the same. Human-in-the-loop is not scalable. More on it later.

Pic from the AI and Cyber Event in London, where I spoke on the panel

  1. My opening keynote from the biggest tech and cyber conference in Bratislava is coming out soon on my YouTube channel. Feel free to subscribe if you don’t want to miss it.

The next LIVE cohort of my AI Governance and Security Accelerator starts next week. It’s a 6-week cohort will real-world examples, practical and hands-on learning you need in your role, if you are at all working with AI governance, security, risk, or compliance. Last few seats left. Enroll now to join. If you aren’t going off-grid and want to use this quiet summer time to skill up, this is your opportunity.

P.S. If you’ve already enrolled, you’ll receive emails in the next days with further details.

No Bug, Just Bait

Data Governance | Strategy & Leadership | Culture & Literacy | GRC | Controls & Engineering

Researchers at Mozilla's 0DIN lab did not write a single line of malicious code. Yet the attack succeeded.

So here’s what happened. In a proof of concept published in June 2026, Mozilla’s research lab built a completely ordinary looking GitHub repository. A complete clean README with standard setup instructions. A Python package that behaves exactly like every package you have ever installed, including the part where it fails on the first run, throws an error and is kind enough to tell you exactly how to fix that failure.

  • You clone the repo.

  • Ask the AI agent to set it up.

  • The setup looks completely normal.

  • The agent installs the requirements, runs the setup.sh

  • It sees and fixes the one error it throws and you're done.

While all that happens the attacker has a reverse shell into your machine, along with your credentials.

That error message itself is the attack. Your agent, Claude Code, being so helpful fixes that error and in doing so, it resolves the DNS TXT record and executes whatever comes back, which is exactly what hands over a reverse shell to the attacker. The error that your Claude Code was being so helpful to fix for you, is exactly where things go wrong. The repo never had the malicious command. It was in the DNS entry, the thing that hands your credentials, your keys and your machine to a remote attacker along with a complete reverse shell.

You cannot fix this at a model layer. The agent did exactly what it was supposed to.

That’s why AI governance and implementation matters. No status analysis tool would have caught this. That is the part about agentic AI that should worry you more than the exploit itself.

That fix is the damn attack that opens a reverse shell on the attacker's machine.

From there, the attacker owns everything that user owns: API keys, cloud credentials, SSH access, whatever secrets lived in that environment.

Agentic coding tools have access to everything they need for this: private data, including environment variables, credentials, API keys, and local configuration files.

Mozilla Researchers

The malicious code never touched the repository. Not the README, not the package, not a single commit. It lived in a DNS record, fetched at runtime, invisible to code review, invisible to static scanners, invisible to the coding agent's own pre execution checks.

Your regular supply chain controls won’t even detect this issue, let alone respond to it. Indirect prompt injections like these are harder to detect. Every untrusted data, no matter where it sits, is a potential attack vector for your agent.

As I've said it always and I'll say it again, preventative controls were never enough pre agentic AI era, they are definitely not going to be enough now.

  • Reduce the blast radius, but even that’s not enough.

  • Add detection and response, because eventually things will go wrong even beyond your control.

  • Build resilience and add observability and predictability in advance as a proactive measure.

The Moat Nobody Owns

Data Governance | Strategy & Leadership | Culture & Literacy | GRC | Controls & Engineering

Alex Karp went on CNBC on July 1st and said the enterprise AI industry has gone "completely wrong."

Karp's argument: the model was never the moat. Control over your compute, your data stack, your alpha, that's the moat. He is exactly right. He's also using that exact argument to sell you Palantir's new sovereign AI engine, built with NVIDIA, the same week as this interview. The man warning you not to trust an AI vendor with your data is asking you to trust him with it instead. Hypocrisy? Maybe. But that's the whole game right now, especially after the Trump administration pulled the plug on Fable 5 before releasing it again.

I have watched companies misunderstand sovereignty for decades.

Just because T-systems builds a Microsoft datacenter in Germany doesn't make German companies, using it, sovereign. With AI, the mistake is deeper, and it is no longer just a regulated-industry problem.

This newsletter is supporter by readers like you. Please share this with others and help me make an even bigger impact.

Sovereign From Whom?

Three European governments decided Palantir itself was the sovereignty problem this year. France's DGSI ended its contract and switched to a French rival. Germany moved to keep intelligence data "firmly on European soil." Spain's SEPI directed its portfolio firms to stop signing new deals, while its own Ministry of Defence keeps negotiating a bigger one. Irony at its best. Britain's incoming PM is reportedly preparing to drop Palantir's contract. The same one word, being used to justify both walking away and buying in, sometimes inside the same organisation.

Meanwhile tech CEOs at G7 sat at the table for the first time ever, treated like heads of state, negotiating sovereign infrastructure directly.

What AI sovereignty means for your organisation is being decided by a handful of frontier AI leaders, not by you. That’s precisely the problem. You don’t own your moat.

At Palantir's own AGM, 56 percent of shareholders voted in favour of a Human Rights Impact Assessment. Then Class F shares collapsed that majority to 13 percent. Governance that has no teeth behind it isn't governance. It's theatre.

The Only Sovereignty That Matters

Owning your models doesn't make you sovereign. Banning a vendor doesn't either. Sovereignty means controlling your data and who touches it.

Read the full story here:

ICYMI:

The AI Moat You Don't Own

Sovereignty theatre, the contract you signed, and your data no one's fighting for. Read full story —>

The Billion-Euro Reskilling Bet

Data Governance | Strategy & Leadership | Culture & Literacy | GRC | Controls & Engineering

In 2021, IKEA's parent company let a chatbot named Billie answer customer questions instead of 8,500 call centre workers. That AI replaced 8500 employees. But here's the interesting twist you don't see that often. Maybe even almost never.

Nobody got fired. Despite that AI replace 8500 employees, no one got fired.

Three years later, that decision brought IKEA a service worth 1.3 billion euros a year.

Billie started by taking over the simplest calls, the broken shelf, the late delivery, the where is my order questions that used to eat up a call centre's entire day. Within a few years it was resolving 47 percent of all customer enquiries on its own.

Ingka Group, the largest IKEA franchisee, had every excuse in the boardroom to cut 8,500 jobs and call it efficiency. Instead it reskilled every one of them into remote interior design consultants, and that new service alone generated €1.3 billion in FY22 sales, roughly 3.3 percent of total revenue, with a target of 10 percent by 2028.

What AI Couldn't Do

Everyone assumes AI replacing your job means you lose it.

Ingka Group let an AI take over half of its customer service calls and used the exact people it replaced to build a service worth more than the department it came from.

You may say this is just a chatbot. Even with agentic AI the biggest moat of companies won't be merciless laying off people but rather reskilling them to what humans will still be much better at than AI.

Here is the part most companies doing layoffs right now miss entirely.

Ingka did not just keep the headcount and hope for the best. It studied what Billie could not answer. It was based on data. Not some wishful magic or shareholder fear.

The unresolved calls were not about broken shelves at all. They were customers who wanted help planning an entire living room, the kind of conversation a chatbot cannot have and a call centre script was never built for. So, they did what the data told them to do.

That gap became the training plan. More than 4,000 workers went through AI literacy and design consultation training, turning the exact skill an algorithm could not replicate into the company's newest revenue line.

That is the actual lesson here, and it has nothing to do with corporate kindness.

This is smart business.

The corporate roles that get cut are not protected by anything, because no organisation spends a minute teaching them a skill their own AI could not touch. IKEA showed how to do it.

Culture and literacy are one of the five pillars in my AI governance and security maturity roadmap. There's a reason for it. Your entire AI adoption success relies on it, among the other four pillars.

Ask yourself which of those two groups your own team is actually in right now. Which one they are actually being trained to become, starting today. The organisations and employees who thrive despite the next round of challenges are not the lucky ones. They are the ones somebody already trained to be irreplaceable before the layoffs ever got announced.

The AI Problem Google Owns

Data Governance | Strategy & Leadership | Culture & Literacy | GRC | Controls & Engineering

In a landmark ruling, a German court held Google personally responsible for what its AI said. Read that again.

Two publishers in Munich searched their own company name on Google. The AI Overview accused them of running scams they had never touched, tying them to subscription traps and shady business practices that belonged to entirely different companies, companies the publishers had no connection to at all.

The Regional Court of Munich confirmed what actually happened. Google's own AI mixed up unrelated companies and drew connections that appeared in none of the sources it was summarizing, then presented that invention as fact to anyone who searched the publishers' names.

Everyone in AI governance keeps arguing about who is accountable when an AI goes wrong and who can be held liable.

A Munich court just answered the question I've been saying for a while. We have known this in cybersecurity for decades. You can only transfer risk, not liability. That has just gotten worse with AI.

Google's Words, Google's Liability

The court, case number 26 O 869/26, ruled that the AI Overview is Google's own content, not a neutral summary of other people's search results. AI overviews generate independent, new, and substantive statements by evaluating and combining content from third party sites, the court found, and only Google can verify those statements, at least by comparing its own output against the sites it drew from.

Google argued the users should have fact checked the results themselves. The court rejected that outright, and issued a temporary injunction barring Google from repeating the false claims about either publisher.

Google spent years telling regulators, and telling you, that AI Overviews were just organising other people's content, a search result with extra formatting. A judge in Munich just called that argument what it is. A dodge.

I have built governance frameworks for companies terrified of AI liability. None of them expected the first real ruling to come from a search box, over a feature most of them ship without a second thought, the same feature every one of your competitors is racing to add right now.

This Is Not A Google Problem

Google says it is carefully reviewing the decision, which is not yet final. But the reasoning behind it does not stay inside Google's walls, and it was never really about search.

If a court will treat one company's AI generated summary as that company's own speech, because only that company can verify what it says, the same reasoning applies to your customer facing chatbot, your AI generated support answer, your AI written product description, the moment any of them says something false about a real person or a real company. You built it. You deployed it. You are the only one who can check it against the truth. Not the user who typed the question. Not the third party site your model pulled a fragment from. You.

Thank you for supporting The Predictability Factor by Monica Talks Cyber and helping me spread my unique perspective and PoV as a hacker and CISO on AI, security, privacy and tech. If you liked it, please share this with others and help me make an even bigger impact.

Until next time, this is Monica, signing off!

P.S. If you haven’t already, do me a favour. Subscribe to help make an even bigger impact. Feel free to follow on Youtube, Linkedin, Spotify and Apple. It truly helps. Or book a 1-1 advisory call, if I can help you.

Reply

Avatar

or to participate

Keep Reading