{"id":173422,"date":"2025-12-31T11:10:00","date_gmt":"2025-12-31T16:10:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2025\/12\/31\/how-fomo-is-turning-ai-into-a-cybersecurity-nightmare\/"},"modified":"2025-12-31T13:00:56","modified_gmt":"2025-12-31T18:00:56","slug":"how-fomo-is-turning-ai-into-a-cybersecurity-nightmare","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2025\/12\/31\/how-fomo-is-turning-ai-into-a-cybersecurity-nightmare\/","title":{"rendered":"How FOMO Is Turning AI Into a Cybersecurity Nightmare"},"content":{"rendered":"<p><a href=\"https:\/\/www.inc.com\/nick-selby\/how-fomo-is-turning-ai-into-a-cybersecurity-nightmare\/91261473\">How FOMO Is Turning AI Into a Cybersecurity Nightmare<\/a><\/p>\n<p><a href=\"https:\/\/www.inc.com\/nick-selby\/how-fomo-is-turning-ai-into-a-cybersecurity-nightmare\/91261473\">https:\/\/www.inc.com\/nick-selby\/how-fomo-is-turning-ai-into-a-cybersecurity-nightmare\/91261473<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2025-12-31 11:10:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.inc.com\">www.inc.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p>After years of helping companies navigate technical challenges, my colleagues and I have\u00a0observed\u00a0a troubling pattern across several verticals and sectors. AI implementations fail not because the technology \u201cdoesn\u2019t work,\u201d but because executives rush into deployment without addressing the fundamental operational concerns of the technology. AI tools are not as safe and predictable as traditional enterprise software. This approach introduces risks that can cost millions. The Problem\u00a0Isn\u2019t\u00a0the Technology\u2026 I\u2019m\u00a0not an AI skeptic.
For many\u00a0business\u00a0uses, executives can strike the correct reward-to-risk balance by asking the right questions upfront, limiting potential harm if something goes wrong, and insisting that both business and technical teams\u00a0monitor\u00a0how the software performs. There are good AI use cases that, in some circumstances, can transform business operations.\u00a0\u00a0For example: a mid-sized enterprise client using a website chatbot to connect potential customers with an account executive reported\u00a0significant results: thousands of dollars in weekly bookings, and hundreds of thousands of dollars in their weekly pipeline. They found that people interacting like this tend to become \u201chigh-intent leads, faster\u201d than through\u00a0any\u00a0of their other channels.\u00a0There\u2019s serious pressure on executives to implement AI software for reasons that include a genuine belief that, as in the\u00a0previous\u00a0example, AI tools can increase customer engagement and lower costs.\u00a0\u00a0CEOs also are subject to plain old Fear\u00a0Of\u00a0Missing Out: The self-fulfilling cycle of advancing competitiveness creates very real pressure from investors and boards: when your key competitors are going \u201cAI-First,\u201d the pressure can be intense to jump aboard a speeding train.\u00a0So\u00a0it\u2019s\u00a0understandable that we see a lot of urgent CEO calls to, \u201cHurry up and AI the Everything!\u201d\u00a0\u00a0Less justifiable, though, is the\u00a0scant\u00a0attention being paid by executives to effectively consider the risks of any given AI software implementation.\u00a0That\u2019s\u00a0where companies consistently stumble.
The only way to change this is for senior executives to\u00a0reframe\u00a0their understanding of the risks at hand.\u00a0\u2026It\u2019s\u00a0the Implementation.\u00a0The risk decisions made by executives must derive from a cross-functional risk management approach that enables them to consider all aspects of the business holistically.\u00a0An AI tool can be benign or advantageous from an operational perspective, but harmful from a\u00a0cybersecurity perspective, a legal perspective, or a cost perspective and\u00a0vice\u00a0versa. Consider the 2025\u00a0security breach of Drift, which affected more than 700 customers of\u00a0Salesloft\u2019s\u00a0AI-powered B2B chatbot product. Despite breathless claims about Drift\u2019s \u201cconversational AI capabilities,\u201d the breach\u00a0probably stemmed\u00a0from basic information security failures unrelated to AI.\u00a0\u00a0The damage derived not from its AI functions but from the access privileges customers had granted to the Drift agent within the Salesforce and Google Workspace clouds: once they had pilfered the customers\u2019 credentials to these critical internal systems and logged in, the criminals simply asked the agent for the data they wanted. Based on\u00a0Salesloft company statements, the security failings appear to include absent or improperly configured multi-factor authentication on source code repositories, and hardcoded and improperly stored credentials (our understanding is less than complete because\u00a0Salesloft\u00a0security communications have themselves been vague, something that has helped neither their customers, nor the industry).\u00a0This incident reflects a broader industry pattern: executives considering buying AI tools have focused on promised features but forgotten about\u00a0due\u00a0diligence of the AI-vendor\u2019s core security practices.
As we will see, some healthy skepticism about how vendors approach core information security and legal tenets and practices can reveal\u00a0an accurate\u00a0risk picture to inform CEO decisions.\u00a0\u00a0Legal and Security Risk Management is Harder Because AI Makers Have Re-Defined Industry Terms.\u00a0\u00a0Let\u2019s\u00a0remove the mystery and magic surrounding AI hype. \u201cI refer to it as software,\u201d says\u00a0EPSD Advisor\u00a0and National Academies\u00a0Cyber Hard Problems committee\u00a0member Wendy Nather, \u201cbecause the term \u2018AI\u2019 tends to enchant and ensorcell.\u201d\u00a0Even companies trying to perform responsible due diligence face hidden challenges. Most of the procurement, information security, IT, and legal teams that\u00a0comprise\u00a0companies\u2019 risk management function face newly complex assessment challenges, all while foot-tapping executives urge them to approve new AI implementations quickly in the name of competitive advantage.\u00a0A core issue is confusion over what words mean in the \u201cAI safety\u201d context. As researchers Heidy\u00a0Khlaaf\u00a0and Sarah Myers West\u00a0have documented, AI vendors have co-opted standard information security and risk management terms, so familiar terms now carry different meanings in different contexts.\u00a0When AI vendors use terms like \u201cred teaming\u201d and \u201cvulnerability management,\u201d your security and legal professionals hear familiar language and assume rigorous security testing has occurred. Often, that assumption is wrong.\u00a0In traditional IT security, \u201cred teaming\u201d means organized attackers actively\u00a0attempting\u00a0to breach your systems and steal data so your defenders can fix security holes before criminals exploit them. 
In AI contexts, it typically means a kind of content moderation testing, like checking whether a chatbot refuses to generate racist content or bomb-making instructions.\u00a0Similarly, \u201cvulnerability management\u201d in cybersecurity means identifying and patching security flaws that could expose your systems to attack. In AI contexts, vendors often use it to describe managing their risks of biased outputs or inaccurate responses.\u00a0Both interpretations address important\u00a0concerns, but\u00a0protect against different risks. One safeguards your data and systems from breach. The other prevents the vendor\u2019s tools from generating inappropriate content. When vendors blur these lines, an executive might\u00a0reasonably believe\u00a0they are buying a secure product when testing only covered content appropriateness.\u00a0Additionally, your legal teams might review a vendor attestation\u00a0stating\u00a0they have conducted \u201cidentification, estimation, and evaluation of known and reasonably foreseeable risks to health, safety, and fundamental rights\u201d and assume this covers traditional product liability or workplace safety concerns. But in AI contexts, \u201chealth and safety risks\u201d often refers to things like algorithmic bias or content that might promote self-harm, not safety or regulatory compliance in the traditional sense. 
\u201cMisuse\u201d might mean prompt injection attacks or generating harmful content, not the contractual or regulatory violations your lawyers typically assess.\u00a0This linguistic sleight of hand can create dangerous gaps: the same words can refer to radically different risk universes.\u00a0The lesson: risk managers must demand clear, plain-language definitions of terms to verify they properly understand what each vendor term means and how it is used.\u00a0\u00a0When AI Variability Becomes a Business Risk\u00a0A key thing some executives\u00a0fail to\u00a0consider is generative AI software\u2019s inherently non-deterministic nature.\u00a0\u201cNon-deterministic\u201d means that, given the same inputs, the answer can and often will be different at\u00a0different times.\u00a0That\u2019s\u00a0only sometimes acceptable: it may not matter much for that bot\u00a0making sales appointments, but it can create profound risk elsewhere.\u00a0\u00a0Companies allowing unsupervised chatbots to answer customer questions about specific product terms\u00a0face\u00a0customer frustration, and legal judgments, when those answers are wrong and create harm.\u00a0Consider the Air Canada case. The airline\u2019s chatbot erroneously\u00a0told a passenger\u00a0he could apply for a bereavement fare discount after\u00a0purchasing\u00a0and taking his flights. He\u00a0couldn\u2019t. Air Canada declined to honor the discount, and in 2024, the Civil Resolution Tribunal of British Columbia\u00a0ruled against the airline, forcing it to honor it. The cost to Air Canada of this ruling was not material, but the customer trust and legal precedents were profound. 
Air Canada seems to have since\u00a0discontinued\u00a0using the tool.\u00a0Non-deterministic systems are even more dangerous in software engineering operations, where\u00a068 percent of developers\u00a0report using AI tools daily or weekly.\u00a0\u00a0As engineer Chris Swan from\u00a0Atsign\u00a0says, the practice of IVO (Immediately Verify Output) has\u00a0emerged\u00a0as one of the most effective ways to deal with AI randomness. But, Swan warns, \u201cThis raises the specter of Almost Right Output (ARO). It\u00a0doesn\u2019t\u00a0withstand thorough scrutiny, but in most organizations, ARO gets waved through as looking \u2018good enough.\u2019\u201d (See Addy Osmani\u2019s essay,\u00a0The 70 Percent Problem, for both related and orthogonal\u00a0concerns.)\u00a0As Wendy Nather says, \u201cAt some point it should be deemed irresponsible to deploy stochastic agents (like AI software) to perform essential functions that you can\u2019t fully predict or test.\u201d The only way to know whether AI software is right for an application is through structured, deliberate testing and analysis of whether unpredictable,\u00a0possibly incorrect\u00a0outputs can create customer or reputational harm. 
This is\u00a0likely far\u00a0down in the weeds, but CEOs need to insist that the risks uncovered by this testing be\u00a0made\u00a0clearly, and in plain business terms so that executives can understand the choices the test results can inform.\u00a0And CEOs must demand this business-level analysis from their risk management teams before approving any AI\u00a0implementation, and\u00a0demand a human in the loop to\u00a0validate\u00a0(as is done with IVO) before committing AI-generated code or text to customer-facing products.\u00a0Three Critical Control Areas\u00a0Before any AI integration, companies must implement three foundational control families:\u00a01.\u00a0Risk Enumeration and Threat Modeling\u00a0Former US Navy SEAL commander\u00a0Clint Bruce\u00a0asks the essential question: \u201cWhat is the cost of wrong?\u201d This gives CEOs a straightforward business decision. When adopting AI software that will access critical systems and data, risk management professionals should assume the tool is compromised and answer the question: \u201cHow bad would this be?\u201d Procurement, information security, legal, and IT teams must\u00a0identify\u00a0what data the tool will access, what could go wrong, and how it will integrate with existing systems. This practical mapping of data flows, access patterns, and failure modes defines the blast radius\u00a0you\u2019ll\u00a0face if problems occur. The answer must be realistic and measurable, and, again, phrased in plain business terms so executives can make risk-reward decisions. And this operation should be repeated after the vendor makes major upgrades, such as introducing a leap from version X to Y.\u00a02.\u00a0Blast-Radius Reduction\u00a0Presume any software (including AI)\u00a0that\u2019s\u00a0introduced to your systems and data stores is compromised. 
To reduce the likelihood and impact of catastrophic failure, CEOs must limit AI tool access to only the data essential for it to function and achieve the desired outcome (vendor recommendations maximize connections to your data). Treat as essential and mandatory robust data classification, strict permission boundaries, and monitoring systems that detect unusual access patterns. The decisions about minimum\u00a0viable\u00a0access should be documented in an\u00a0Architectural Decision Record\u00a0and included in the risk map and threat model document, along with who made the decisions, when, and the\u00a0context in which they were made.\u00a0\u00a03.\u00a0Instrumentation and Alerting\u00a0Absent vendor\u00a0notification,\u00a0most companies discover AI security issues months late, if at all. If you\u00a0can\u2019t\u00a0observe\u00a0what your AI tools are doing, you\u00a0can\u2019t\u00a0secure them. This requires comprehensive logging, real-time monitoring, data loss prevention, and automated response capabilities. Your monitoring must distinguish human actions from AI agent actions. Test these capabilities to ensure they work when needed.\u00a0All this applies to internally built tools and applications, not just third-party implementations. Emerging protocols like Model Context Protocol (MCP) often de-emphasize information security basics in favor of AI features and functionality. Code reviews of clients\u2019 internally built MCP servers revealed uniformly poor security practices: dated libraries, insufficient authentication and logging mechanisms, and trivially exploitable vulnerabilities. The AI functionality worked perfectly, but the server components were security minefields. 
Your custom applications, systems and data integrations, API configurations, and deployment choices all contribute to the actual attack surface.\u00a0The Business Case for Thorough Consideration\u00a0I\u2019ve long said that\u00a0savvy\u00a0executives recognize that rushed deployment creates technical debt that\u00a0compounds like\u00a0high-interest credit card debt. The same applies to AI: every shortcut you accept today will cost exponentially more to fix later, constraining your ability to deploy AI effectively across the organization.\u00a0The alternative\u00a0isn\u2019t\u00a0avoiding\u00a0AI,\u00a0it\u2019s\u00a0treating the implementation of AI software as a business strategy problem that requires the same systematic approach\u00a0you\u2019d\u00a0use for any significant technology transformation. This means clear definitions, comprehensive planning, and robust measurement systems that translate technical realities into business metrics.\u00a0Ask the Right Questions\u00a0AI errors and information security breaches are business risks, not IT problems.
As such, CEOs should require business leaders and risk management professionals to document strong business cases and risk analyses before deploying generative AI tools, starting\u00a0with: \u201cIs this a good use case for AI software?\u201d With the AI market changing rapidly and\u00a0buyer-beware rules unclear, take an old-school approach to answering this question:<br \/>\nEstablish written business goals (and undesirable outcomes) that\u00a0state\u00a0the problem the tool will solve, success criteria, and measurement methods.\u00a0<\/p>\n<p>Document each tool\u2019s blast radius; what damage would occur if the tool is compromised?\u00a0Determine\u00a0this through proper integration planning, configuration, and mapping acceptable data flows that minimize data access and maximize visibility into what these tools do in your systems and with your data.\u00a0<\/p>\n<p>Implement and test automated detection and blocking of suspicious activities.\u00a0<\/p>\n<p>Create conditions for effective cross-functional incident response when problems arise.\u00a0<br \/>\nDon\u2019t skip over these. In enterprise technology, speed comes from discipline, not shortcuts or from a rush to implement.\u00a0The Future of AI in the Enterprise\u00a0Companies that thoughtfully implement AI may enjoy a genuine potential competitive advantage. The key is in executives\u2019 understanding that \u201cthoughtful implementation\u201d means insisting on proper foundations and not getting dazzled by the bright lights.\u00a0This requires executive education, great organizational communication, cross-functional planning and training, and recognition that risk management\u00a0isn\u2019t\u00a0a barrier to AI adoption but instead enables sustainable, scalable AI programs that\u00a0actually deliver\u00a0the competitive advantage that leads to business value.\u00a0Companies that get this right will realize AI\u2019s transformative potential. 
Companies that\u00a0don\u2019t will\u00a0spend years and millions of dollars cleaning up the mess.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How FOMO Is Turning AI Into a Cybersecurity Nightmare https:\/\/www.inc.com\/nick-selby\/how-fomo-is-turning-ai-into-a-cybersecurity-nightmare\/91261473 Publish Date: 2025-12-31 11:10:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":173423,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/img-cdn.inc.com\/image\/upload\/f_webp,q_auto,c_fit\/vip\/2025\/11\/GettyImages-2165825923.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,30,24,31,27],"class_list":["post-173422","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-breach","tag-cybersecurity","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/173422"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=173422"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/173422\/revisions"}],"predecessor-version":[{"id":173424,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/173422\/revisions\/173424"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:
\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/173423"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=173422"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=173422"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=173422"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}