tag / security

A POC pitted an agent-based compliance scanner against an active network scanner on the same Windows domain controller. They disagreed about whether it was vulnerable to BEAST. The disagreement is the whole story.

AI agents are the next vulnerability vector and we are not tackling it fast enough. A look at why the gap between AI adoption and AI governance is widening, what it looks like inside real orgs, and where identity programs should be aiming.

I built a small security lab to teach the failure modes I see most often in client work. The first real test was running it against my own production site.

Passwordless authentication is finally landing across enterprise IAM programs. The same orgs are simultaneously onboarding AI agents that hold long-lived credentials and run inside the human's session. The two projects are colliding, and most identity programs aren't ready.

I came up through racking servers, hypervisor migrations, and identity provisioning. The lesson that work taught me, and that I keep applying to AI in 2026, is that you cannot make good security calls from one set of binoculars.

The orgs most exposed to AI-era security risk are the ones moving fastest to ship with AI. They are also the orgs least likely to have a CISO. I built Diallo Security Advisors for that gap.

After more than a decade in enterprise security across the public and private sectors, I'm convinced the actual perimeter is human and machine identity. Most security programs are still spending the majority of their budget on the wall around the castle.