The Predictability Factor is a weekly deep dive at the intersection of AI, Security, Privacy and Tech, to help you Go From Chaos to Resilience in The World of AI.
In March 2026, an autonomous AI agent was pointed at McKinsey's internal AI, Lilli. No credentials. No insider access. No zero-day vulnerability. Two hours later the agent had full read and write access to the entire production database: 46.5 million chat messages about strategy, M&A and client engagements, 728,000 confidential files, 57,000 user accounts, and 95 system prompts controlling everything Lilli says, believes and does.
The attack vector? The old, boring, yet still very deadly SQL injection. A technique from the 1990s. The door that made it possible? Unauthenticated API endpoints, publicly exposed.
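As an added illustration (not code from the original newsletter, and not Lilli's code), here is the class of defect the paragraph describes set beside its fix: a lookup that splices caller input into SQL, the same lookup with a bound parameter, and a request handler that rejects unauthenticated and unauthorised callers before any query runs. The table, rows, token and user names are constructed for the demo and do not reflect Lilli's real schema or endpoints.

```python
import sqlite3

# Constructed demo data standing in for a chat-history table.
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO messages(owner, body) VALUES (?, ?)",
        [
            ("alice", "constructed: Q3 strategy notes"),
            ("bob", "constructed: M&A target shortlist"),
            ("alice", "constructed: client engagement plan"),
        ],
    )
    return conn


def fetch_messages_vulnerable(conn, owner):
    # Defect: caller input is concatenated into the statement, so the caller
    # controls the SQL. A textbook tautology such as ' OR '1'='1 widens the
    # WHERE clause to every row in the table.
    query = f"SELECT body FROM messages WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(query)]


def fetch_messages_safe(conn, owner):
    # Fix: the value is bound as a parameter; the driver never lets it
    # change the statement, so the same input simply matches no owner.
    query = "SELECT body FROM messages WHERE owner = ?"
    return [row[0] for row in conn.execute(query, (owner,))]


# Constructed token store; a real service would validate a signed session
# or OAuth token instead.
VALID_TOKENS = {"constructed-token-alice": "alice"}


def handle_request(conn, token, owner):
    """Request handler that enforces authn and authz before touching data."""
    # Authentication: an unauthenticated request never reaches the database.
    user = VALID_TOKENS.get(token)
    if user is None:
        return {"status": 401, "rows": []}
    # Authorisation: a caller may only read their own messages.
    if user != owner:
        return {"status": 403, "rows": []}
    return {"status": 200, "rows": fetch_messages_safe(conn, owner)}


if __name__ == "__main__":
    db = build_demo_db()
    hostile = "' OR '1'='1"
    print("vulnerable, hostile input:", fetch_messages_vulnerable(db, hostile))
    print("parameterised, hostile input:", fetch_messages_safe(db, hostile))
    print("no token:", handle_request(db, None, "alice"))
    print("alice reads bob:", handle_request(db, "constructed-token-alice", "bob"))
```

The two fixes are independent and both are needed: parameterisation stops the query from being rewritten, and the authentication and authorisation checks mean an anonymous caller never gets to submit a query at all. An endpoint that has only one of the two is still the door the paragraph describes.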
While you are busy vibe coding your enterprise, someone's already vibe-hacking it, just by pointing an AI to it.
With everyone talking about Mythos, why does this matter?
Last year, I gave this keynote in Canada, where I talked about Autonomous AI Hacking (timestamps 19:35 and 21:13) and how very soon someone's personal AI agent will autonomously attack someone else's autonomous AI agent, without either owner knowing about it. The lines between personal and enterprise are getting blurrier by the minute. As this continues, enterprise infrastructure will be hacked through personal autonomous AI agents.
Your personal autonomous AI will be attacking someone else’s autonomous AI connected to their enterprise.
At the same time, the most effective attacks are still incredibly simple:
Exposed API keys
Leaked access credentials
Phishing someone to get the key to the fort
I've been a hacker and a three-time CISO. I've watched this exact pattern play out for 20 years. This is no different with AI, except for one thing: the gap between coding an app, shipping it to prod and getting exploited has never been this narrow.
The most interesting part about the McKinsey AI hack isn't even that another AI agent hacked it. It isn't the exposed APIs, the SQL injection vulnerability or the lack of basic cyber hygiene either. It's something even worse.
The external AI agent got access to Lilli's AI system prompts, the very prompts that control Lilli's entire behaviour. That is the new attack surface you aren't even thinking about. AI system prompts, and any instructions that control your AI's behaviour, are the crown jewels you need to protect.
If your first instinct is that this is just McKinsey's problem, you are dead wrong.
Today’s edition of The Predictability Factor by Monica Talks Cyber, covers:
Quick Personal Updates
🫣 A few weeks ago, I was invited to a cybersecurity executive conference in Finland as the main keynote speaker, to share my experiences on Securing and Governing Agentic AI Making Million Dollar Decisions with hundreds of security and business leaders and executives in the audience.
I’ll be speaking next week at a panel on AI Reality Check, in London on May 6th. If you’re around, come join me.
What Mythos Update Means for You
The most powerful AI model ever built for cybersecurity was not built for cybersecurity. Anthropic built Mythos to be exceptional at code. The security capabilities arrived as a side effect. That distinction is not a technicality. It is the reason most of what you are reading about Mythos right now is missing the actual story.
Most Security Problems Are Software Problems
When Anthropic set out to build Mythos, the stated goal was to create the ultimate software engineer: an AI capable of understanding vast, complex codebases, finding hidden flaws through a simple instruction, and writing new code with far fewer vulnerabilities. Cybersecurity was not the brief. As Anthropic's own red team research confirmed, the security capabilities are "a downstream consequence of general improvements in AI reasoning and software engineering capabilities." Not a design goal. A byproduct.
That byproduct makes sense. Why? Because…
Most security problems are software problems. Insecure code. Unpatched vulnerabilities. Logic flaws baked into applications before a security team ever sees them. If you build an AI that genuinely understands software at depth, at some point it will also understand where software breaks. The two are not separable.
So the issue is not whether Mythos has been hyped. It clearly has. What the hype missed is what it should have been about, which is…
The AI became so good at code that naturally it became better at cybersecurity as a byproduct. And this is just the beginning.
Mythos is extraordinary at finding the kinds of flaws that attackers exploit. Project Glasswing, Anthropic's vetted partner programme for critical infrastructure, used Mythos to find thousands of zero-day vulnerabilities across every major operating system and every major browser. That is a real capability, not a marketing claim.
But finding a vulnerability and fixing it are not the same job. Not even close.
The 99% No One Is Talking About
Mythos found thousands of zero-day vulnerabilities in every major operating system and every major browser. Security teams called it a breakthrough. The first 72 hours of my feeds were filled with two types of posts: celebratory posts declaring Mythos a "god", and posts about Mythos breaking and ending the cybersecurity industry.
Then the findings landed in their inboxes. Over 99% of those vulnerabilities remain unpatched. The AI found them faster than any human ever could. And then the hard part began.
The Hacker News reported that Mythos changed the math on vulnerability discovery while the remediation side of the equation barely moved. A separate industry report found that over 45% of discovered vulnerabilities in large organisations remain unpatched after 12 months, not because security teams are careless, but because the organisational machinery for triage, prioritisation, testing, and deployment of fixes has always evolved at a fraction of the speed that discovery does.
Mythos did not solve that. It accelerated one side of an already unbalanced equation.
Help Net Security put it plainly: the exploit gap is closing, and your patch cycle was not built for this. When AI-powered vulnerability discovery reaches wider availability, and it will, the result is not a more secure world. It is an explosion of known, documented, unaddressed vulnerabilities that your security team has no capacity to remediate at the speed an attacker can exploit them. Add to that:
Attackers are not waiting for Mythos to be released; they are already exploiting those vulnerabilities using other AI models.
Not everything that is vulnerable is exploitable, or exploited in the wild.
Most of the published exploits are proof-of-concept (PoC) code, not exploits used in real attacks.
The Half That AI Hasn't Touched
Most organisations will not even get direct access to Mythos. Project Glasswing is a restricted partner programme. The model is not on general release. So the immediate question for you is not "should we deploy Mythos?" The question is: what happens when threat actors access equivalent capabilities, and your patch cycle is still working through last quarter's backlog?
The bottleneck in enterprise security has never been the ability to find vulnerabilities. It has always been the ability to fix them fast enough to matter. Mythos did not fix that bottleneck.
It made it more visible, more urgent, and considerably more dangerous to ignore. The remediation side is still running on the same infrastructure it was ten years ago.
That gap is exactly where your next breach lives.
Read my full blog here:👇
Did Claude Mythos Break The Cybersecurity Industry
😱 The AI model that found tens of thousands of vulnerabilities is too dangerous. Is this the end of the cybersecurity industry? Read full story —>
The Code That Broke The World
In October 2023, the SEC charged SolarWinds and its CISO Tim Brown personally for fraud. Not the company alone. The individual.
Tim is a dear friend of mine. We talked extensively on my podcast recently, diving deep into his five-year personal and professional journey through the SolarWinds breach, the SEC charges, fighting the lawsuit, what it meant for him, and what it means for you working in cybersecurity and AI.
Tim had written internal emails warning about critical vulnerabilities in SolarWinds infrastructure. The company's public statements said something different.
I have been in enough boardrooms to know that most CISOs believed accountability for a breach stays with the company. Tim believed that too. We all did. In October 2023, the SEC proved the entire industry wrong.
That gap, between what you know internally and what you say externally, is an even greater liability in the era of AI. Most CISOs, security leaders, risk leaders, CIOs and CEOs just haven't realised it yet.
What Actually Ended Tim's Certainty
A federal judge dismissed most of the SEC's charges in July 2024, and the rest by the end of last year. The industry exhaled. Most people read that as the story ending.
However, it does not end there. Not for you. Not for the industry.
Your AI Creates the Same Liability Gap
Over the course of the litigation, this case and the precedent it set did not stay in the US. It affected the industry globally. Across Europe and EMEA, the questions were the same. What did it mean for Tim? What did it mean for CISOs everywhere? What did it mean for our industry?
Here is where this stops being Tim's story and starts being yours. Liability has shifted for CISOs, risk owners and executives.
A 2026 CISO Report puts a number on it: 78% of CISOs are concerned about personal liability for security incidents. Up from 56% the previous year. AI governance decisions are explicitly within that exposure.
The question is no longer whether CISOs can be held personally accountable.
It is this:
When an AI decision is examined in court, how are you showing reasonable care, ethical use, and due diligence? That answer needs to exist before the call comes.
The SEC's 2026 examination priorities are explicit: cybersecurity and AI governance have displaced cryptocurrency as the primary focus. The same is happening across EMEA.
In my CISO roles, I helped build implementation and compliance to NIS2 and DORA.
NIS2 now holds management bodies personally liable for gross negligence. CMMC 2.0 requires executives to personally certify the security posture of entire supply chains.
The regulatory direction is not ambiguous. Individual accountability for what you knew, and said, and did not say, is accelerating across every major jurisdiction.
Only 25% of organisations rate their AI governance maturity as advanced. Which means three in four organisations have internal AI risk findings that are outpacing their governance infrastructure. Which means three in four organisations are, right now, building a version of the gap that defined the SolarWinds case.
Tim said something to me during our conversation that I have not been able to stop thinking about.
The breach itself was survivable. The distance between what he knew and what the company said publicly was not.
Your AI governance posture (or lack thereof) is not a future risk management problem. It is a current evidence problem.
The question is whether your internal record and your external position are telling the same story. If they are not, you are already building your own gap.
Read or watch my full conversation with Tim here.
ICYMI:
016: Vibe Coded. Vibe Hacked. Fixing Agentic AI Security and Governance
Ultimate roadmap to agentic AI governance and security for enterprise - Part 1. Read full story —>
Woman Wrongly Jailed Because AI Failed
On June 23, 2021, Kimberlee Williams was delivering DoorDash in Lawton, Oklahoma. A security checkpoint flagged her. Outstanding warrants for her in Maryland. But she had never been to Maryland. She spent the next 6 months in 3 Maryland jails proving her innocence.
Kimberlee Williams spent six months in jail for crimes she allegedly committed in a state she had never visited. Not once. She is not an outlier. She is the 14th known person to become a victim of this. The technology that put her there is already running in your organisation, in your town, in your country.
The System That No One Had to Disclose
Here is what actually happened, because technology is only part of the story.
A bank investigator working a fraud case sent a surveillance image of an unknown suspect to CrimeDex, a private listserv used by law enforcement and private investigators. An anonymous person on that network ran the image through facial recognition software and flagged Kimberlee Williams as a match. Montgomery County Detective Michael Adami took that anonymous tip and obtained arrest warrants. He did not tell the court that facial recognition was involved. He did not have to.
Three counties issued charges based on the same misidentification. Not one conducted an independent investigation. Not one disclosed to a judge that an algorithm, run by an anonymous source on a private network, was the origin of the entire case against her.
She spent 23 days in an Oklahoma jail before being transported to Maryland. Then three months in Montgomery County. Then two more months across Prince George's County and Anne Arundel County as the charges followed her from jail to jail.
The charges were eventually dropped. After six months.
This was not a technology error that slipped through an otherwise sound system. This is how the system was designed to work: AI invisible, humans acting on its output without scrutiny, and no mandatory disclosure to the person whose life was being decided.
Fourteen Is Not an Outlier, It Is a Pattern
Kimberlee Williams is the fourteenth person publicly known to have been wrongfully arrested because of faulty facial recognition in the United States.
Facial recognition technology has documented higher error rates for women and for people with darker skin tones. The ACLU, in letters sent to three Maryland police departments in April 2026, is demanding two specific reforms: prohibit police from relying on face recognition searches conducted by outside entities, and ban arrests made solely on the basis of a face recognition match without independent corroboration.
Both of those demands are still demands. They are not yet law in Maryland. They are not yet law in most places.
Which means the same conditions that took six months of Kimberlee Williams's life are still operational right now, in systems that are still not required to disclose their involvement.
The Enterprise Mirror
Read this next part carefully, because the Kimberlee Williams story is not a criminal justice story. It is a model for how AI accountability failures happen at scale in any system, including yours.
In all honesty, the facial recognition technology did not put Kimberlee Williams in jail. Ultimately, a human did. In fact, several humans did.
While AI failed miserably, human oversight and accountability failed even further.
Over and over, across 3 counties and 6 months, human beings made decisions based on what an algorithm told them. Not one of them told a judge the algorithm was involved. Not one of them dared to verify the AI’s decision before taking action on it.
That is not a technology story. That is an accountability story. At some point in the last 6 months or more, an algorithm made a decision about you.
Maybe it decided your loan application. Maybe it decided your insurance premium. Maybe it flagged your face. You were never told. Kimberlee Williams was never told either. Not until she had already spent six months in jail.
AI is a tool. It can upgrade humans. Or it can destroy businesses, society and human lives. The only difference between the two is how we use AI and human oversight.
When your AI makes the next consequential call, who in your organisation is the person who stops and says: are we certain? Have we done independent checks? Has a human signed off on this?
Linus Torvalds, the creator of Linux, won't even accept a commit of AI-generated code that is signed off by an AI, yet a Maryland police department arrested a woman just because somebody ran an image through an AI without actually checking the result.
Until next time, this is Monica, signing off!
— Monica Verma

P.S. Please follow me/subscribe on Youtube, Linkedin, Spotify and Apple. It truly helps. Or book a 1-1 advisory call, if I can help you.