Agentic AI-based services are the new Shadow IT.
Uncategorized
60
Posts
45
Posters
0
Views
-
@briankrebs I am also really curious how many people have aggressively violated various privacy laws by feeding stuff into various LLMs for "summary" and "analysis".
Frankly it should be a much larger compliance nightmare than it is. (Or, I suppose, it *is* a ginormous compliance nightmare and just right now everyone's thinking it isn't. Incorrectly)
-
@SecureOwl @briankrebs I will confess to playing random songs on a coworker's Alexa when they checked in their personal home Alexa key into a corporate git repository.
@ai6yr @SecureOwl @briankrebs
Random songs? Not Rick Astley? -
@wordshaper @briankrebs Unfortunately, I don't think the people doing this care or will ever care. Privacy laws tend to be a joke anyways and there is very little incentive for most people/companies to change. I don't think most governments even want that to change. It's better for them, allows more data collection, etc.
I wish I didn't have such a negative and cynical outlook on it all.
@mrmoore @briankrebs HIPAA has some teeth and frankly I would be shocked if a bunch of attorneys *haven't* violated their professional oaths. More importantly, while the US may be a privacy nightmare the EU and UK do have a bit more to say on the matter, with regulations that have teeth.
-
Agentic AI-based services are the new Shadow IT. Change my mind.
@briankrebs Was recently forced to sit through an AI booster presentation at work, where the presenter kept demonstrating the use of tools that are banned as per corporate policy.
Lots of management and IT in the meeting. No one spoke up. Security is deader than satire.
-
@briankrebs I am also really curious how many people have aggressively violated various privacy laws by feeding stuff into various LLMs for "summary" and "analysis".
Frankly it should be a much larger compliance nightmare than it is. (Or, I suppose, it *is* a ginormous compliance nightmare and just right now everyone's thinking it isn't. Incorrectly)
@wordshaper @briankrebs this is why i try to buy the drinks for our legal team. they care about privacy, and care at their wit's end.
-
I'd argue that very few companies have any real appreciation for how many of their employees are already feeding API keys and other stuff into fairly new and questionable agentic AI tools or platforms. So many companies are like, oh we're taking a wait-and-see approach to adopting AI. Meanwhile, half their dev team is doing critical development work on shared servers that have no authentication or limited (no 2fa) auth.
-
I'd argue that very few companies have any real appreciation for how many of their employees are already feeding API keys and other stuff into fairly new and questionable agentic AI tools or platforms. So many companies are like, oh we're taking a wait-and-see approach to adopting AI. Meanwhile, half their dev team is doing critical development work on shared servers that have no authentication or limited (no 2fa) auth.
@briankrebs I have personally witnessed people just blindly feeding secrets and sensitive data right into systems where they straight up say "we're gonna hoover up literally everything you feed us as data for 'training' and might spit it out verbatim to anyone who asks." In an organization that basically threatened Very Bad Things would happen to anyone who even *hinted* at information they deemed 'confidential' to anyone else.
-
Agentic AI-based services are the new Shadow IT. Change my mind.
@briankrebs Um no. Not today. I attend sprint demos on the daily to see how far our agentic AI insights have progressed. Not ready for primetime. I work with Fortune 500s and they are asking us questions which lead me to assume not much further development on their side. This will change but not this year or next year. My whole reasoning for saying this is due to data in multi tenant architectures. AI is very prone to making mistakes and there are liabilities.
-
@wordshaper @briankrebs this is why i try to buy the drinks for our legal team. they care about privacy, and care at their wit's end.
@dr_a @briankrebs I also am very fond of our legal team, and I am reminded I should make them some whiskey pie next time Iβm near. (Lawyers also, for the record, are fond of Baileyβs cream puffs and rum soaked piΓ±a colada cakes. I suspect theyβre not fond of their own livers, but maybe itβs just the job)
-
I'd argue that very few companies have any real appreciation for how many of their employees are already feeding API keys and other stuff into fairly new and questionable agentic AI tools or platforms. So many companies are like, oh we're taking a wait-and-see approach to adopting AI. Meanwhile, half their dev team is doing critical development work on shared servers that have no authentication or limited (no 2fa) auth.
@briankrebs how about the ones using bypass methods to do their work without realizing theyβre using a file transfer service that doesnβt delete the data theyβre exfiling allowing any rando to download the company source code with no tracking
-
@briankrebs how about the ones using bypass methods to do their work without realizing theyβre using a file transfer service that doesnβt delete the data theyβre exfiling allowing any rando to download the company source code with no tracking
@briankrebs devs arenβt smart. We see you. Youβre fucking stupid and creating more work for the rest of us still capable of doing our jobs.
-
@mrmoore @briankrebs HIPAA has some teeth and frankly I would be shocked if a bunch of attorneys *haven't* violated their professional oaths. More importantly, while the US may be a privacy nightmare the EU and UK do have a bit more to say on the matter, with regulations that have teeth.
@wordshaper @briankrebs While HIPAA does have some teeth, it leaves a lot to be desired. There is a lot more ways around HIPAA than people imagine. I think EU is definitely better than the US in terms of privacy, you can already see many problems coming from EU. Parts of GDPR could be rolled back, Chat Control initiatives, etc.
-
I'd argue that very few companies have any real appreciation for how many of their employees are already feeding API keys and other stuff into fairly new and questionable agentic AI tools or platforms. So many companies are like, oh we're taking a wait-and-see approach to adopting AI. Meanwhile, half their dev team is doing critical development work on shared servers that have no authentication or limited (no 2fa) auth.
@briankrebs just this afternoon a colleague and I were questioning whether the real βAI is coming for your jobβ was not βAI will replace youβ but βidiots with AI are going to tank your company and youβre all getting laid off when it collapsesβ.
-
I'd argue that very few companies have any real appreciation for how many of their employees are already feeding API keys and other stuff into fairly new and questionable agentic AI tools or platforms. So many companies are like, oh we're taking a wait-and-see approach to adopting AI. Meanwhile, half their dev team is doing critical development work on shared servers that have no authentication or limited (no 2fa) auth.
@briankrebs more disturbingly, there are also cases where users throw API keys at their agents, and then have the agents automatically generate/refresh access tokens for them because the user cannot be arsed to do the daily login/2FA dance.
-
@ai6yr @SecureOwl @briankrebs
Random songs? Not Rick Astley?@leeloo @ai6yr @SecureOwl @briankrebs songs randomly picked from a playlist.
The list: [ "Rick Astley - Never Gonna GIve You Up" ]
-
Agentic AI-based services are the new Shadow IT. Change my mind.
True, true.
Just had this conversation. Without a solid understanding and policy, itβs Wild West. We need to find a way to give them what they want before they just start really feeding random secrets into other LLMs.
And yes, blocking or stopping access will just result in Gmail exfil of data, sneakernet (remember me!), or using random βprojectβ sites to bypass blockers.
-
Agentic AI-based services are the new Shadow IT. Change my mind.
@briankrebs@infosec.exchange No? We did a better job than slop machines. -
I'd argue that very few companies have any real appreciation for how many of their employees are already feeding API keys and other stuff into fairly new and questionable agentic AI tools or platforms. So many companies are like, oh we're taking a wait-and-see approach to adopting AI. Meanwhile, half their dev team is doing critical development work on shared servers that have no authentication or limited (no 2fa) auth.
@briankrebs when I interview for appsec positions, I like to ask "what would it take for you to fire a developer for a security lapse?" Interesting conversations ensue. I don't think anyone actually ever fires developers for security failings, including failure to learn from repeated blunders.
-
Agentic AI-based services are the new Shadow IT. Change my mind.
@briankrebs I think it depends on perspective. But specifically for cyber-security threat modelling? Absolutely.
-
Agentic AI-based services are the new Shadow IT. Change my mind.
Representative
Representative
Representative. This is bullshit.
Plesse hold. Your call is important to us.
Bullshit.
Connecting you to a real human ...
Gli ultimi otto messaggi ricevuti dalla Federazione
-
@NorcalGma2 I totally mean it! She knitted a heart with sparkling beads (not sure I have the terminology correct) and I would love to send it to you, if you're interested... part of giving back because you always bring so much sunshine to our feeds
-
@dret @tecnologia caro vita meloni...gli italiani si sono stufati di Berlusconi Renzi Grillo Salvini e meloni si vanta di durare a lungo... ma Γ¨ una lunga disgrazia!
-
@buba_and_nemo calzini e fazzoletti nelle scarpe per ottimizzare gli spazi
-
@_elena π Youβre toot kind!
-
-
Come una sola persona ha ottenuto il controllo di 7mila robot aspirapolvere
https://www.ilpost.it/2026/02/26/aspirapolvere-robot-romo-falla-sicurezza/
> Un ingegnere informatico voleva controllare il proprio con un joypad, ma una falla di sicurezza gli ha aperto un mondo
-
Cose da mettere in valigia.
Thing to pack up in the suitcase.
-
@fucinafibonacci @attualita no, l'ho certamente raccontata "colorandola", ma hanno davvero mandato un reparto di incursori della marina in un carcere minorile per sedurli rispetto all'arruolamento. Ed hanno davvero rimandato il senso che l'arruolamento avrebbe facilitato certificazioni e documenti di identitΓ che molti ovviamente non avevano. Il ministro Crosetto Γ¨ stato chiaro rispetto alla esigenza di aumentare l'organico delle FFAA.
