May 5, 2026

93% confident, 29% sure

AI vs AI
| Part
1

Reading time:

6 minutes

A solo operator jailbroke an AI chatbot and breached ten Mexican government agencies in a month. 93% of IT leaders say they're secure. 29% are prepared. ISM on what's actually missing.

Read the full AI Security Series

1. The gap nobody's watching
93% confident. 29% prepared. One person jailbroke a chatbot and emptied ten government agencies. The distance between the story the boardroom hears and the one the incident report tells.

2. 27 seconds to breakout
27-second breakout times. AI-generated phishing that knows your team by name. The dark hoodie hacker lost their job to AI too. What replaced them doesn't sleep.

3. The threat wearing your own badge
76% of organizations have shadow AI. The threat isn't at the gate. It has a badge you issued. Vendor-embedded models, compromised plugins, and the tools your team invited in.

4. Sovereignty is an architecture decision
Everyone's saying sovereign. This article is about what happens when your customer asks and your answer needs caveats. Interchangeability, vendor independence, and what the CLOUD Act means for Canadian data.

5. The people gap
The AI security job posting asks for four careers in one person. That person doesn't exist. The work does. Hour banks, returnable context, and a PMO that holds it all together.

6. What to ask your vendor
Seven questions. Print them out. Bring them to the meeting. Look for straight answers, not carefully worded topic changes. Use them on everyone. Including us.

7. What it looks like when AI security works
Tuesday morning. The phone didn't ring. The customer didn't leave. The Reddit thread didn't get written. That's what good looks like.

Author

Dimitri Phalen is the marketing lead at ISM who prefers plain language over big claims. For years, he’s worked behind the scenes, translating messy, complex IT problems into something teams can actually use. If something sounds like it was written by someone with not enough coffee, who’s been sitting too close to the delivery team for too long, that’s probably his fault.

93% confident. 29% sure.

Kyndryl's 2025-2026 Security and Networks Readiness snapshot measured both numbers in the same study. Same respondents, same year, same survey. 93% of IT leaders said they felt confident about their cybersecurity posture. Then the researchers asked the obvious, but harder question. Not "how do you feel" but "what can you prove." 29% could.

That's a sixty-four-point gap between the story the boardroom hears and the one that eventually comes out the hard wauy.

Keep that in mind. We'll come back to it.

First, a story about someone who found the gap before the people responsible for it did.

One person, one chatbot, not even a month

In December 2025, someone sat down at a keyboard and started typing Spanish-language prompts into Anthropic's Claude. The prompts were polite. Conversational, even. They told the AI it was participating in a legitimate bug bounty program, the kind of white-hat security testing that companies actually pay for.

Claude said no. Then it said no again. Then, after enough rephrasing and enough patience, enough of the specific persistence that separates a curious person from a dangerous one, it started saying ok.

Over the next month, that single operator used just one misled chatbot to scan Mexican government networks for vulnerabilities, write exploit code, build automation tools, and systematically extract data from ten federal and state agencies. Gambit Security, the firm that uncovered it, reported 150GB exfiltrated. 195 million taxpayer records. Biometric data, addresses, tax filings, the works. Not a state actor with a billion-dollar cyber program. Not Fancy Bear (Russia's military intelligence cyber unit) or Lazarus Group (North Korea's most prolific hacking operation). One person, one cheap chatbot subscription, and the kind of stubbornness your aunt brings to a Boxing Day return.

The agencies that got hit? They had firewalls. They had monitoring. They had policies. They had all the industry standards that had served so many as the norm. They almost certainly had someone in a quarterly meeting saying "we've got everything we need." They were part of the 93%.

They were not part of the 29%.

Where the confidence comes from, and why it's not stupid

Here's the thing nobody wants to admit: the confidence isn't irrational, just outdated. These organizations spent real money on security. Years of it. SOCs, SIEMs, firewalls, endpoint protection, compliance frameworks, audit cycles, the whole cathedral of acronyms that IT security has been building since the late nineties. They've done the work for the environment they understood, and for a long time, that environment cooperated.

Then it all changed. AI arrived sideways, as a business benefit, not a security threat. Product teams drove it. Data science groups devoured it. Executives who saw competitors shipping AI features craved it. The security team got consulted somewhere between "we're going live in two weeks" and "can you sign off on this by Friday." By then, the architecture decisions were already made, the model was selected, the data pipeline was built, and the access controls were whatever permissions existed on the original data warehouse because nobody created a separate governance layer for AI workloads. Nobody had time. Nobody had budget earmarked for it. Nobody wanted to be the person who slowed down the initiative the CEO mentioned at the all-hands.

Worst of all, nobody saw it as a threat. It was here to help, it was promoted as a saviour for the mundane, able to do reperative things in moments that humans would take months or more to do. Nobody ever thought what parts of your defence were secure only because of the endless staff hours it would take to find the openings. Starting to see the connection?

That's how 93% confidence coexists with 29% preparedness. The confidence is real, earned, and pointed at the old perimeter. The gap is about the new hoarde at the gates. And the methodical hoarde is growing faster than most teams can map it, which brings us to the part that actually keeps people up at night, or should.

The part that costs you customers

Your client's customer doesn't send a polite email asking where their data lives. They don't schedule a meeting with your privacy officer. They don't read your compliance page.

What they do is notice a headline. Or a Reddit thread. Or a friend in a community Facebook group who mentions, casually, that the company they both use had "some kind of data thing." Not angrily. Worse. Casually. "This is why I switched to [competitor]." A few people agree. Someone shares a link. The story, whatever version of the story the internet decided to tell, has legs before your comms team hears they need to write a response.

Trust doesn't erode in a boardroom. It crumbles in a comments section. And by the time you know it's happening, it's already too late.

The 93/29 gap isn't an internal metrics problem. It's the distance between what your customers believe about your security and what's actually true. When that gap closes on their terms instead of yours, there's no meeting that can fix it. No press release that un-does the rumour. The customer who trusted you doesn't send an email when they leave. They just leave. The only signal you get is the revenue line going the wrong direction and a thread you found too late.

Mexico's ten agencies had 195 million taxpayers who didn't choose to participate in that story. Those people can't un-leak their data. They can't un-expose their tax records. They can't knowlingly turn away the bad actors taking advantage of it to scam them. And every government service those agencies provide now carries an asterisk that wasn't there in November 2025. The agencies still work. The trust doesn't. That gap between working and trusted is where the actual cost lives, and it's the gap nobody's quarterly report measures.

What nobody's mapped

Here's what the inside of that gap looks like in a typical enterprise environment, right now, this week.

A machine learning model that marketing adopted six months ago is trained on customer data that should've been classified as restricted. It wasn't, because the classification system was designed for databases, not training sets. An AI agent in the service desk has permissions inherited from a service account that was set up as a temporary fix during a migration in 2022. That account was never decommissioned, because the person who created it moved to another role and the ticket got buried under eleven other priorities. An inference pipeline routes customer interaction data through a platform whose parent company is incorporated in a country your compliance team hasn't reviewed, because the pipeline was built before compliance was told about the project. It was working, it was fast, and the person who built it got a promotion.

None of these are exotic scenarios. They're Tuesday. They're the AI equivalent of the infrastructure problems we've been finding for decades: reasonable decisions, made quickly, under pressure, by competent people, that accumulate into something nobody planned for and nobody owns.

Accenture's 2025 State of Cybersecurity Resilience report puts numbers on it. 77% of organizations lack data and AI-specific security practices. Only 22% have policies governing generative AI usage. Those numbers are consistent with what we see in Canadian enterprises: the security team secures the infrastructure, the data team governs the data, the AI team builds the models, and nobody is responsible for the seams between them.

You can't secure what you haven't mapped. And most organizations, if they're being honest, can't tell you how many AI systems are peering into their environment right now, who has access to them, what data feeds them, or what happens when one of them goes sideways on a Friday afternoon.

That's the gap. Not the headline-grabbing breach that makes the news. The quiet accumulation of unmapped surfaces, ungoverned models, and unreviewed permissions that sits between what the boardroom believes and what an attacker with a chatbot subscription can find in an afternoon.

We've been doing this kind of foundational work for over fifty years. Data environments that grew over decades, connected by integrations nobody documented, governed by policies nobody updated. The label changes every few years. Data governance. Cloud readiness. AI readiness. Now AI security. The work underneath is the same. It starts with knowing what you actually have, and it's the work most vendors skip because it doesn't demo well.

Read next

Article 2 is about what's coming through the gap, and how fast. Twenty-seven seconds. That's CrowdStrike's fastest observed breakout time. First system to lateral movement. Your incident response team needs forty-five minutes to get on a call. The dark hoodie hacker from the stock photos lost their job to AI too. What replaced them doesn't sleep, doesn't negotiate, and doesn't care what country you're in. They're faster than you.

Cites

Kyndryl Security and Networks Readiness Report 2025-2026: 93% confidence, 29% preparedness, 91% incident rate, $4.5M average cost, 67% talent shortage

Accenture State of Cybersecurity Resilience 2025: 77% lack AI-specific security practices, 22% have GenAI usage policies

CrowdStrike 2026 Global Threat Report: 89% increase in AI-enabled adversary operations, 29-minute average breakout time, 82% malware-free detections

Gambit Security research on the Mexico breach, February 2026: 150GB exfiltrated from 10 agencies, 195 million taxpayer records

Want to understand how we work?

Every conversation starts with your environment. Not our product list.

Get in touch
ArrowArrow

It's not about the technology, or the processes. It's about your clients, your users, and the hard won trust you've built. Every team here keeps that at heart.

Mobile CTA