The ISM has been updated again, and this time AI is front and centre. In this episode of Secured, Cole Cornford is joined by returning guest Toby Amodio, Practice Lead at Fujitsu Cybersecurity Services, for another instalment of Policy Wonks and Gronks, cutting through the vendor noise to talk about what the March 2026 update actually means in practice.
They explore where AI is genuinely delivering value for cyber professionals, from automating compliance mapping and vendor assessments to streamlining pen test reporting and SOC triage. But they are equally candid about the risks: the erosion of foundational skills as junior roles get outsourced to AI, the creeping fatigue of reviewing outputs at scale, and the danger of skipping straight to full automation without the expertise to validate what the machine is doing.
The conversation also tackles bigger-picture concerns unique to Australia: sovereign AI capability, the risk of a brain drain to the US, and whether a small country can afford to decentralise its AI infrastructure. Toby closes with a sharp reminder for government CISOs: AI is just another system, and how people use it matters far more than the certifications attached to it.
Toby Amodio: My number one tip would be: AI is just another system. The two things that you need to worry about are the security of the system and then how people are using the system. Your main concern is more how people are using it than the security of the system.
Cole Cornford: If things are happening so quickly, how are we even going to have a detection capability and then a response capability?
Toby Amodio: Yeah, it's going to be bot versus bot, and we're definitely heading into bot versus bot on a global scale. In the end, there's way more positive bang for your buck here, and the ways that I've seen it utilized have been providing significant benefits for entities to streamline and make efficient the drudgery work and letting them focus on the things that matter most.
Cole Cornford: I'm Cole Cornford, and this is Secured, the podcast where I chat with developers, security pros, and the folks with stories worth telling. We talk about what really happens in AppSec, the good, the bad, and the bits that people usually leave off their slide decks. Open source now powers over 90% of the software we build, but it's also where attackers increasingly strike. Chainguard closes that trust gap with hardened, secure, production-ready open source builds so teams can build faster, stay compliant, and eliminate risk. Get your free CVE reduction report at dayone.fm/chainguard and start shipping software with confidence. And welcome back to another episode of Secured. This time again, it's our usual segment of Policy Wonks and Gronks. I've got my resident policy wonk, Toby Amodio, and myself, the gronk, because I am not particularly intelligent when it comes to these ISM updates. So Toby, hit us away with what's changed this time around.
Toby Amodio: We've got a great update to the ISM for March 2026. And whilst I'd love to talk about all the intricacies of it, realistically there are some pretty simple control updates, and the main thing behind it is the way that we use risk and engage with risk around AI in a strategic way. And so I figured we can use this session to really get into the weeds around what AI means for us as cyber professionals, both from the positive perspective and the negative perspectives. You comfortable with that?
Cole Cornford: Yeah, absolutely. I'm happy to. Like, AI has been, I know, dominating basically every single thing I've ever been to, like RSA last week. All of my friends who are CISOs and like practitioners just went around and they counted, I think every single vendor was an AI vendor of something. So even if it's like a traditional security company, like a Check Point or a Fortinet or something, they're like, "I'm AI Fortinet now." It's like, oh, but you know, we do need to like talk and bring it back to like what's actually real instead of just like AI marketing hype and fluff. And for the longest period, I was very skeptical because I've seen us go through like so many of these things. And I like to be someone who sits on the fence and sees how things play out a bit. And like, this genie's not getting put back in the bottle. There are very real things that I'm doing at Galah that I think are like going to fundamentally change like software security, pen testing, code reviews, like security operations. Like, I'm sure that you're seeing lots of stuff in the government sector as well.
Toby Amodio: Oh, 100%. It's one of those, it's funny 'cause it is, AI is so hot right now, the old Hansel quote. But the reality is that it's not everything or nothing, but it is making meaningful changes. And I think both on the governance and the operations side, it has legitimate use cases to improve your business processes from a cyber professional perspective. And if you're not using it and if you're not leveraging it, you will get left behind. Despite all the hype from all the vendors, there are practical uses, and I'd love to chat to you about some of them. I know specifically for me in that governance, risk, and compliance space, I'm seeing the repeatability of outputs and the streamlining of our ability to generate content for audits and ensure that they're done at scale is inextricably improved by AI. It's just made it so much easier, and it's made the output of our seniors, even our mids, to be almost— Yeah. 2x their capability just because of the way it can augment the capabilities of the resources. What are you seeing in the governance space?
Cole Cornford: Yeah, like I see people who are using it incorrectly. There's people who say, okay, I've got to do like write policies. I'm just going to get it to generate a policy for me. And then they'll just take it at face value. And then they get burned when the suggested, like the training material that the policy was generated on, is relevant for an enterprise context, but not relevant for a small business. So why are you going out and doing like MDM, DLP, and all of these crazy things and wasting time, right? However, I'm also seeing it do some really awesome things. Like one of the things that I'm building internally at Galah is to help me with vendor assessments. 'Cause like as a consultancy, one of the most frustrating things is that I, no one trusts SOC 2, no one trusts ISO anymore because of all of those like fucking idiot scam companies that just pay to buy my SOC 2 certificate, please. Pay to comply.
Toby Amodio: Right, yeah.
Cole Cornford: Yeah, pay for compliance so you can get into regulated industries. Like, that's not going to go badly at all. So, but anyway, CISOs don't trust that shit anymore, so they all build their own bloody questionnaires that have no correlation or like overlap whatsoever because they're contextually relevant to their business, which makes sense to me, right? However, that means that I now have 700 different ways to have to answer questions. And so what AI lets me kind of do is have an existing knowledge base of answers, or at least collect evidence on a regular basis. And then when those questions come in, like, look at the knowledge base and just pre-populate everything. And yes, we're going to make some mistakes, but the fact is, I've gone from needing to effectively have like a full-time compliance person to manage the volume of vendor assessment stuff, or investing in a product that does this for me, to now just having a system that just looks at what's in GitHub, says, hey, this is where you're at and this is where the gaps are against what they're asking you. And you just do a sanity check as opposed to having to go and source like hundreds of screenshots of evidence. Like it's kind of scary, because a lot of the work that I did early in my career, and I'm sure it would have been the same for you, was like logging into systems, getting screenshots of evidence, like reviewing, like, because that's how you get the exposure to all the different things. I remember early on I was like, I've got to know what the red cable is, that's top secret information, and the black cable is like distant, never relevant at any point. I'm sure it's changed, but that's how I learned, right?
Toby Amodio: Yeah, you're 100% right, and it's a really good use case for it. Like, if you're in a business or you're a cyber professional, building an agent that can then take compliance attestations and then map them to the client's requirements or various compliance baselines just saves time. And shamelessly linking back to the ISM, when those compliance baselines are changing on a quarterly basis, you don't have to do the drudgery work of mapping those changes and then understanding how it impacts your compliance states. You can have that done for you and then sanity check it. And given that those changes are happening on such a frequent basis, it then removes the need to have someone manually doing that. And you automate that drudgery work and you move into, as you said, that value-add space, which has its own— Yeah. Benefits, but it also has its own risks and downsides, as you said, because we can end up with the position where there's not juniors teaching the next generation coming through. How can they get that base level of knowledge of the systems if we're effectively outsourcing their roles to AI?
Cole Cornford: I still think there's a lot of value because like we're old farts who like know how things were in the old world, and people can come in and say, "This is how this should be in the new world." And I anticipate that there's a lot of people who've learned how to do their accounts payable and accounts receivable systems or how to do audits or how to do a penetration test or how to review log files who— now there's going to be people who have learned how to use this technology and can kind of architect a series of skills to do that kind of task, whereas previously, like, you know, you might be fearful to do that because, you know, why have I learned this 10 to 15 years of like specialized capability if I'm just going to go give it to a machine to do? So one of the biggest barriers that I'm trying to get ahead of, at least inside of Galah, is reticence to adopt the technology and fear of the technology displacing skill sets. How do we get people to understand it? It's not there to like reduce headcount, it's to make it so I can do 2 or 3 times as many penetration tests, right? And I know that I'm seeing this even with like a lot of professional services firms, like the bigger ones, is that the graduate pools are not really like decreasing because like they need that labor to go ahead and systematize and build processes because the partners are too busy doing sales. It's just that the— The model's getting a little bit fitter.
Toby Amodio: You know? So— Yes. Yeah, yeah, agreed. And it's interesting you mentioned pentesting. How have you seen it on that operational side or on that operational validation side of your business? Yes.
Cole Cornford: The thing about pentesting is that where most of the effort goes is either on trying to get the, like, the environment set up and all the credentials, like, tested and validated, and then on the other end to decide, like, what's the report writing, what's— how are we retesting, how are we helping people validate things? And, like, I find that that's where the majority of the effort goes in a lot of our engagements, like, from just pure overhead, because I want pentesters to be focusing on delivering the pen test. And so if they're in the system with Burp Suite open, doing hacking, doing a great job, that's great. But the things where I'm finding a lot of value is that the report writing is getting a hell of a lot easier. Customer experience is getting a lot easier because instead of us having to begrudgingly ask testers, "Hey, can you please tell someone what you've done for today?" we're able to just effectively look at things like your Burp logs, and then from the summary of the Burp logs, then understand, "Hey, this is the type of endpoints or attack vectors or things that we've been thinking about." It's not perfect, but the fact is that you suddenly now have an automated, consistent brand and voice for applying to customer experience. Your reports can be generated instead of, like, you know, having to be bespoke written. It's excellent in that way. And I'm spending a lot of time on figuring out how do we deal with the front of the, like, you know, the engagement, which to me is things like, you know, building a statement of work, which I know is like not the easiest thing to do because it's like bespoke and like every single engagement is going to be quite unique. Yeah. And we've got to a point where we've been able to get that down to like a couple of minutes now, which, you know, normally you need a full-time operations manager to be delivering that kind of stuff. So I'm quite bullish on like what we're going to be doing in that space. I just want my pentesters to focus on novel and interesting activities.
Toby Amodio: Right. Amen. We all want our pentesters to be cracking shells, not to be writing reports. And Lord knows that people don't get into pentesting to make sure they can write a 40-page document.
Cole Cornford: So, because the document's the value though, because like every—
Toby Amodio: Oh, agreed.
Cole Cornford: Like every person who wants it, they're going to say, hey, like I need this because I need to acquire a certification or I need to have like assurance that like my system is reasonably secure. So that output is the thing that the customers really care about. But this allows us to make sure that this document in the end, instead of spending like, you know, half the test on like fucking around on corporate shit, that means you have like 9.5 days on testing, and that gives you either the ability to do tests for people who otherwise couldn't afford them, 'cause you can now, like, this gives you a market—
Toby Amodio: Democratize.
Cole Cornford: It democratizes a service that otherwise couldn't have people participate in, right?
Toby Amodio: Yeah, agreed, agreed. And I find as well, it helps those pentesters who may not have those English skills or like have the writing ability to then almost have a translation layer to present it in a consistent, as you said, way and a way that the— I know I've said it before, but I often think of them as dolphins 'cause they're clearly intelligent, they just can't communicate. And it's the translation layer of a dolphin to the normal client language, which is really critical. And I've seen it not just happen in that pen testing space, but across everything from that ops managerial space; especially we're seeing the increasing utilization of it within the SOC and the monitoring context, and it enables us to get people into more high-value work. And then it also, as you said, automates that drudgery work of pulling logs from disparate sources to present it to the SOC engineer or the SOC analyst to help them do their job in a more timely way to then quickly validate whether it's a false positive or a false negative. So I think it's super helpful. I think it does come though, even though it's got these great use cases, there are a number of risks. And one of the risks that I get worried about is as we outsource that knowledge, it's going to lead to slop being passed on. And so it's that awkward piece where, as you said, we still need it to be an add, like an addition to us. So it's meant to complement our capability, not replace it. And when people let it replace their capability, it's often just pumping slop out that's not contextual and can't inform. Are you seeing that same challenge?
Cole Cornford: Oh yeah, I especially like people who are busy, so that like they've got a lot of things on and then they use AI as a way to just like try to get something out, like whether it's a proposal or whether it's a, you know, a GRC document, a policy, whatever. They think that I'll just get ChatGPT to generate, I'll make a couple of tweaks, it'll be fine. And like what ends up happening is that that final product, like the customer feels like, well, why did I pay for a service if I could have generated it myself? And what expertise are you even bringing to the table, like if you've just taken something straight outta Claude, right? So I'm seeing a lot of consultancies who are spending, like, who are doing that. But there is a way to, you know, bring your expertise into that. And I find that the way that I do it is I have a bit of a maturity model where we move people from having like, you know, reticence and aversion to using artificial intelligence to learning to be assisted by it. And then documenting whatever process that they're doing while using AI, eventually converting that into a skill, and then that skill gets augmented by their expertise to kind of change things. And so that's the ultimate model I want to get to, is having everybody at that augmented layer rather than at the end goal, which is where all the CFOs want to go to, which is AI solves everything, we don't need people anymore, zero is the perfect number.
Toby Amodio: Yeah, yeah.
Cole Cornford: But then if the machine's going and doing a lot of things like, you know, who's to blame? Ultimately, it's the directors of the company or the directors in the government, right? So, and like, there's no oversight or understanding about why it's made these decisions.
Toby Amodio: So you can't— You can't outsource accountability, and you definitely can't outsource accountability to a Bebop. But you're 100% right. It's funny, like, even just recently, I was using an LLM to augment some of our research around data retention policies within a government context. And it put out, hey, quite confidently, you need to retain this for 25 years. And it's funny because I would look at it and went, well, that's wrong, because I know it's wrong because I've been doing this for so long. And then I looked at the source, and even the source that it had linked me to didn't say what it had told me. And again, it's a perfect example of if it hadn't been, if I hadn't had that knowledge or I hadn't checked the source, I probably would have pumped forward really bad advice, which would have put the entity in a non-compliant state with the government standards. And so it is that, like, you can't outsource entirely. You've got to trust but verify, and you've got to make sure, as you said, that what's the value add that we're bringing into that engagement? And that should be augmented by AI, not replaced. And then you should be making sure that you are passing across what you are providing to the client. And the reason why is like we used to have this saying for SARSOs, which is the only thing that's important is knowing what's important. And the only thing that's more important than that is being able to communicate what's important. And your real value add is those two elements. And so if you are in that process chain of just getting slop and passing slop, you're not sourcing what's important and you're not articulating what's important. So definitely use those lenses to validate what you're doing and the value it's bringing.
Cole Cornford: Yeah, like for me, I think this is why I force people to go along this journey of being along the maturity model where they start with just doing things entirely manually and then they slowly move up. I don't want them to skip steps, because when you skip steps, that's when all of the little edge cases that come about from your expertise— because you can build a lot of like guardrails around how the agent works, where you can build ways to validate whatever the content is. You just find as many ways that you're going to footgun yourself and mitigate those in advance, right? Have a lot of test criteria, use like deterministic tools, like, use manual tools like grep, have manual processes in there. But by doing it in, following that very specific order of improving your capability, it means that your expertise is like really shaping a very battle-hardened way of achieving the outcome that you're looking for. And I think that a lot of people jump straight to augmented or native, and then it just crashes and burns and just does stupid things, and they misunderstood the scenario very well. So yeah, it's people who are so worried about losing their, you know, their edge and their capability. It's true if you do just like decide to just say, hey, now the machine's going to make all the decisions for me.
Toby Amodio: Yeah.
Cole Cornford: But if you take— if you're sitting in a Waymo, as opposed to being a taxi driver, you've got to accept that, you know, yeah, you no longer need to worry about driving. You've got to figure out what's going on there. But I think fatigue is the big thing though. Like, that's what I'm thinking is the problem. Because I, as someone who does a lot of secure code review, I know that reading code is a lot harder to do than writing code. And I think that for a lot of people who are busy doing the activity, reviewing the activity is a lot harder than doing it, in a lot of cases. And I think people are not easily making that switch. So—
Toby Amodio: I concur. And it's like, for me, this is one of the challenges for cyber people that's not really caused by cyber people. But if we end up vibe coding and slop coding, then we end up vibe assurance and slop assurance, and it kind of just expands out by scale, and then it just creates more and more fatigue both for the consumers, but also if you scale out, as you said, you're twice as productive, that only scales so far before you're doing too much context switching, you're gonna miss things as we mentioned, you're not gonna end up verifying and it's gonna fall over at some point. And so I think, as you said, to ensure that you are giving yourself the space to think through problems and have the capacity to think through problems will reduce your fatigue on it. But you should also work with your entities to make sure that they understand the scale impacts of having an equivalent piece. Like, if you've got vibecoders pumping out code left, right, and center that you have to assure, or if you've got vulnerability scanners that are AI-enabled that are scanning the whole environment and you've got the outputs, you're scaling your work to that and not just creating more and more and more and more impact onto your—
Cole Cornford: Yeah.
Toby Amodio: Wetware, because your people can't scale like your AI. So you need to make sure that you're working around that fatigue and scalability.
Cole Cornford: I find like you, if you eliminate one bottleneck or you just like get extremely efficient in one way, and then you have to find the next bottleneck, and then eventually like, oh, I found the next bottleneck. And so it's just turtles all the way down. And the other thing is just having a mental map of how all of these processes and stuff sit together. Like I have to sit there drawing circles and lines and just being like, this is the steps. I end up with— Are you familiar with, like, finite state machines?
Toby Amodio: Yeah.
Cole Cornford: Effectively, that's what I'm doing is I'm creating like business process maps or finite state machines of how I'd be anticipating that everything would work end to end. At some point though, it's too much context window for myself to understand what's going on. And that's what scares me is like when I'm running a small business, I can understand what's happening from like, you know, sales, like marketing into sales into delivery of specific activities and the customer experience and then back into marketing. And then as soon as my business goes from say 15 headcount, which is where we're at the moment, to like 30 headcount or maybe 60 or 600 or 6,000, then that's like not possible whatsoever. And that's where I think that you're going to end up with all of these like disparate pockets that are doing the same types of activities slightly incorrectly or like slightly differently than one another. And so I reckon it's got huge amounts of like rework and people doing the same thing or creating their own new bottlenecks. Like it's gonna be messy.
Toby Amodio: Well, and I often think as well about like the advent of AI agents in SOAR, like orchestration from a security context is great, but to me they're just macros on crack, and we're gonna have to be doing these guardrails on the agents, and then it'll be agents watching agents. And again, it's that fatigue piece about making sure you can keep your mental model across what's going on and you're not automating to the point of obscuring. So then you're just creating more pressure on yourself. But I think in the end, there's way more positive bang for your buck here. And the ways that I've seen it utilized have been providing significant benefits for entities to streamline and make efficient the drudgery work and letting them focus on the things that matter most. But obviously that's hard in every entity to work out what matters most because there's a lot of noisy competing elements. And I think that it'll be a continued piece as it evolves rapidly around how do you use it, how do you use it to complement your core elements, and how do you use it to ensure that you're driving security within your entity.
Cole Cornford: I do wonder if we're going to have to get to a point where we have like a centralized skill repository that people kind of like draw from as a baseline in every organization rather than them creating their own processes, like, because that's what I want to do. I'm calling it BirdBrain because I don't know, HiveMind, BirdBrain, it's a bird business, whatever. I'm funny. Haha. But the other places that I've seen trying to do it, you end up with a lot of citizen developers who've built something. And that process like works for now, but is it going to work in the future? Is it going to work? Like if you give it to other people to follow it, like it's a big question, you know?
Toby Amodio: So. Yeah, no, I totally agree. And I feel like there's a space in Australia for government or big businesses to start to generate agents where you can go, hey, this agent provides this service and these are the guardrails. And it shouldn't be every single agency or every single business doing that themselves. They should be able to develop once and then leverage at scale and use, as you said, the community to help tune that piece, which would be the best place to be. But in reality, we'll probably just end up with sprawling rot like we have with all IT, which is great and not depressing at all. Yeah.
Cole Cornford: I mean, we're just going to have so much more legacy. We're going to have like a tremendous amount of legacy.
Toby Amodio: Legacy agents that we have to take out. It'll be The Matrix where we're trying to take out agents left, right, and center.
Cole Cornford: All I could think about is like, you know, all those video games where the robots are walking around like NieR: Automata and stuff where it's just like, what is my purpose? Why am I here? What's going on? I'm obsolete. Just, or Futurama even. So that's the kind of vibe I'm thinking about. It's just rusty buckets that have a specific purpose, and we're like, "I'm here to connect Jira to Confluence." And they're like, "Oh, we don't do that anymore. What are those?"
Toby Amodio: I can't wait till we have a SOC agent who becomes self-aware and then wants to be an ethical hacker and wants to be a pen tester like every other grad. It's the AI agent that wants to be a pen tester.
Cole Cornford: They don't even say no. That's the other thing. Like, they'll just go ahead and try to do things badly. Like, I mean, it's not that different from a grad really, right? Because a lot of grads will just give it a crack and then be like, oh, whoops, oh well. So like, that's probably one of the risks I think is going to come up a lot as well actually, is that how are we going to even, if things are happening so quickly, how are we even going to have a detection capability and then a response capability? Like, because like overwhelmingly we've had time to generally identify and respond to something. But if you just do stupid shit really fast, like you're gonna have to rely on these machines to find the stupid shit and respond.
Toby Amodio: Yeah, it's gonna be bot versus bot, and we're definitely heading into bot versus bot on a global scale. And the outcome of that will be not only additional pressure for us to ensure that the bots are doing the right things and not accidentally nuking your own capability, but we're gonna end up with this like dead internet scenario where most of the activity on the internet from a networking perspective, as well as the actual content, is AI-generated, AI to AI to AI to AI. And so you can get into a really risky position. But I guess we can't solve all of the world's problems here. And kind of the core of it is that whilst the ISM focuses on, you understand, the risks around AI and trying to leverage the benefits, it's easier said than done, and it requires you to really know it. And as you said, we really need people to make sure they're engaging with it. You can't be the Luddite on this. It is not going away. And if anything, it's going at scale. So you really need to understand what it is, how it can augment your people, and then engage with it appropriately.
Cole Cornford: Yeah. The thing that scares me is that we don't have a foundational model or the capability to produce foundational models in Australia. And so sovereignty is a real big challenge that worries me for the government sector. And the open-source models are traditionally Chinese. And while I'm not someone that's going to throw too much shade over there, the fact is we just don't control them. We don't know how they're trained. We can use technology like Obliteratus to reduce the weighting within them, but still, we can't be 100% confident that they haven't been poisoned or customized to the context of Australia, right? And so that's going to be a problem over the longer term, especially for the federal government, because then it's going to do stuff in a way that's relevant for America, like, because that's where all the AI training is going to, really.
Toby Amodio: Yeah, yeah, agreed, agreed. It is— it's non-tractable, especially with the scale that's required for the compute. And I see a lot of the models now just saying we're not even going to try and do non-regional compute in the sense that— sorry, regional compute in the sense that everything goes back to America because that's where we've got the massive data centers. And so, yeah, obviously America's such a reliable ally at the moment that I have absolutely no concerns with America and their leadership. And I for one appreciate our orange overlords. And so yeah, it's problematic, especially for a small country like Australia, on how do you understand that capability, how do you maintain sovereignty, or if it's not direct sovereignty, how do you maintain the security of your elements with your sovereign interests in mind. So yeah.
Cole Cornford: I also worry about, are we also having like a, I mean, we've traditionally had a software brain drain to America because that's where the capital is and where the businesses are and the opportunity space to be able to build the software businesses. And I worry about whether we're going to be having that AI capability also brain draining over there as well. Like I've already seen a few good promising Australian startups try to get into Y Combinator and move across, and like, that's going to be really disappointing as a country if we're losing like such good talent to go and build overseas, right? And I don't know, I'm just team Australia. My company's Galah. So I want people to build good businesses here. We just need the infrastructure to support it, right?
Cole Cornford: I concur. And I think that there could definitely be some investment. And I think that to support that, I feel like we're too small of a country to do this decentralized.. And I think that there needs to be a real government lean in on how do we facilitate and do like almost a Y Combinator thing piece centrally to then drive that innovation because we're too small of a country to decentralize it. It just doesn't work. We can't get the economies of scale here. So how do we support that? And then again, how do we leverage AI to support that development and innovation?
Toby Amodio: So going back to the original topic, which was ISM changes, for a government CISO or accountable authority, what would you say would be the number one tip as Mr. Wonk that you would give to them to be able to protect themselves from AI?
Cole Cornford: My number one tip would be AI is just another system. So the two things that you need to worry about is the security of the system and then how people are using the system. And my main tip to, to CISOs will be your main concern is more how people are using it than the security of the system. Most of them come with certifications. You can put guardrails on it, but with probabilistic computing, if people get a bad output and trust it and say it's repeatable, that can lead to really bad outcomes, especially in the government sector. If you're using it to inform a decision, how it is used becomes really critical. So despite the ISM changes and talking about risk and risk being sitting with the system owners, you have to be really clear that they understand how those AI systems are being used, what are they being used for, and you're helping the users to understand the difference between deterministic computing and probabilistic computing and what that means for the outputs and how they manage the outputs. We don't want to end up with a Robodebt times V2 because they've just allowed the AI to choose who to audit. That would be a terrible outcome because it will be non-repeatable, it'll be a black box, and it will lead to tragedy, terrible outcomes.
Toby Amodio: I was going to say, like, robot debt, um, it's not like we've just had a magic box where we've just made— let it make decisions before without, like, having any scrutiny of it. For those who don't understand, the problem with robo-debt was that they basically annualized people's salaries, um, like, based on a single point of, like, basically one paycheck. And they figured that, oh, if you got paid $5,000, um, in one paycheck, therefore your salary is $400K.. But oftentimes people might work for like a gig for like a week or two and then be largely unemployed for the rest of the year. So what I think students saw, like university, like casual academics, or like people would shift work, et cetera.
Cole Cornford: They basically sent debt notices to people based on probabilistic modeling of their income. And it turned out that most of those were wrong. And so they probably shouldn't have sent debt income on projected earnings and done it off the real piece.
Toby Amodio: So I just love projected earnings. Makes me so happy, like with my own bloody childcare payments, you know.
Cole Cornford: Exactly, exactly. But I think that we're, I think that like any other system, we've got really good people who can manage it. And I think that following the standard ISM PSPF approaches to systems and then being forthright with your AI committees around how they're being used, you can stay ahead of it and you can leverage it appropriately. And more pressingly for us, as you said, how do you make sure you can use it to optimize your services. I think we've had a good chat today around different ways that they can use it to improve cyber services.
Toby Amodio: As to Gronkh, I think that the biggest thing that I see problematically is shadow AI, where people are just using whatever and you have no visibility of it. So I would just be looking at your DNS logs and seeing what random SaaS service or AI service are your guys are going and talking to. And because you probably don't know what shadow AI systems that you're actually making calls out to, 'cause that's, I feel like that's the biggest issue is just people saying, I need to get on top of this. Let me just start using things to get better at my job. You end up having a proliferation of technology that you don't understand. So.
Cole Cornford: Yeah, correct, correct, correct.
Toby Amodio: Anyway, Toby, thank you for coming in today. It's been an absolute pleasure. Another episode of Policy Wonks and Gronks. Until the next ISM update.
Cole Cornford: My pleasure. Thanks, Cole. It's always good to see your face, mate. Be safe.
Toby Amodio: Thanks a lot for listening to this episode of Secured. If you've got any feedback at all, feel free to hit us up and let us know. If you'd like to learn more about how Galar Cyber can help keep your business secured, go to galarcyber.com.au.
