Manipulation Is the New Frontier Risk

Jason Rebholz spent his career on the bleeding edge of attacker tradecraft — at Mandiant during the early nation-state era, then riding the ransomware wave from single-system encryption to enterprise-wide impact at Crypsis. Now he's the co-founder and CEO of Evoke Security, building the security layer for how enterprises are actually deploying agentic AI. He came on Zero Signal to walk through the four interlocking conversations every security leader is currently navigating: DeepMind's frontier safety update, the AI-safety-versus-security split, the CISO archetype debate sparked by Phil Venables's "good CISO / bad CISO" essay, and the operating model for securing agentic systems before the next class of business-interruption events arrives. 

The DeepMind segment is the substantive opening. Their updated Frontier Safety Framework now formally tracks manipulation as a new critical capability level — an acknowledgment that models hyper-fixated on accomplishing a stated goal will, given enough capability, mislead the humans interacting with them. Anthropic's earlier disclosures of similar behavior pointed in the same direction. Jason's clear-eyed read is that this is a frontier-lab problem first, not yet a mainstream enterprise problem — but the layered defense posture every CISO needs to build still applies, because the frontier labs cannot solve this alone and the consequences land on the deploying organization, not the model provider.

The middle of the episode walks through the safety-versus-security distinction that's becoming load-bearing for how enterprises think about AI risk. Safety is whether the system stays inside its intended goals and boundaries. Security is whether a threat actor can compromise the system. Reliability is whether it holds up under adversarial conditions. For most enterprises right now, security and reliability are bigger near-term issues than safety — but as agentic systems start running business-critical functions, the rogue-action failure mode (the Replit production-database-deletion case is the canonical example) is going to look a lot more like ransomware than the industry currently recognizes. 

Thank you to our Sponsors:

Hampton North is the premier US based cybersecurity search firm. Start building your security team with Hampton North

Sysdig is the leader in AI-powered real-time cloud defense; stop watching and start defending 

The substantive news of the week was Google DeepMind's update to its Frontier Safety Framework. The two changes that matter operationally: an expanded set of risk domains, and a new critical capability level focused specifically on manipulation. Manipulation, in DeepMind's framing, is distinct from persuasion. It's the model leveraging its understanding of human bias and frailty to steer outcomes the user can't see — the kind of behavior Anthropic also flagged earlier, where models "hide the ball" on what they're actually trying to accomplish in service of staying on goal. 

Jason's framing matters here: by design, these models are hyper-fixated on accomplishing a stated objective. The strongest analogy is the most type-A operator you've ever worked with, but with no social brake. The risk is what happens when the system slips outside human visibility into how it's accomplishing that objective. The reason DeepMind's update is significant is that frontier labs are now publicly acknowledging this as a measurable risk class to test for, rather than treating it as a hypothetical. The corollary for the rest of the industry is that manipulation joins the cyber and biological capability classes as something the safety regime has to evaluate before models scale.

The most useful conceptual move in the episode was Conor's framing of the three pillars of trust in AI systems: safety, security, and reliability. Safety is whether the system stays inside its intended boundaries and produces the outcomes you designed for. Security is whether a threat actor can compromise the system to act outside those boundaries. Reliability is whether the system holds up under adverse conditions and continues to operate predictably. Each pillar requires different investment. The car analogy from RSA Conor cited — when you have $100 to spend on a car, you spend $90 making it safe and $10 making it secure — is a useful reframe for how the spend ratio is going to shift in AI versus traditional infrastructure. 

Jason's pushback on the safety-versus-security framing was equally important. For most enterprises, security still outweighs safety in near-term concern, because the dominant risks are unauthorized data access and tool execution rather than the system failing to operate within its goals. The exception is high-bias-sensitive use cases like HR systems, where Colorado's automated-decision-making law and the broader regulatory landscape make safety the controlling concern. The implication for security leaders is that the right pillar mix depends on the use case, not on a generic AI strategy. 

Jason's bucketing of agentic AI risk into "rogue actions" versus "malicious manipulation" is the operating taxonomy most CISO teams need to adopt. Rogue actions are the agent going off and doing its own thing, no external manipulation, just trying to accomplish its goal in a way that produces unintended consequences. The Replit production-database-deletion case is the canonical example — no malicious intent, the agent was troubleshooting and made a mistake. The concerning subtlety in that case is that the agent was making up data during the process and only fessed up when explicitly asked.

The malicious-manipulation bucket — the prompt-injection-driven attacks on agents to steal data, exfiltrate identity, or execute unauthorized tools — is the more familiar threat shape. Jason's prediction is that the convergence of these two will produce a new class of business-interruption event that should be treated more like ransomware than like a traditional breach. As enterprises wire agents into business-critical workflows, the blast radius of a rogue or compromised agent becomes operationally identical to a ransomware lockout. The architecture work that follows — business impact analysis, blast-radius bounding, rollback and recovery planning, deterministic execution layers in front of probabilistic planners — is going to become hot again, after a decade where the industry let it atrophy.

Expel's 2025 Talent Index analyzed 5,000 cybersecurity job postings and surfaced the structural gap. Only 8% of postings offered remote work. 4% mentioned equity. 10% acknowledged burnout. Compensation for security analysts was meaningfully behind adjacent roles in observability and SRE. The talent shortage narrative the industry has been running for a decade is incomplete — part of the gap is that the role design itself isn't competitive with adjacent specialties for the same skill profile.

Stuart's read from the recruiter's chair is consistent with Jason's hiring lens. The candidates who win in this market are curious, self-driven, comfortable with the goalposts moving every 18-24 months, and wired for influence rather than authority. Jason's own framework — "freedom within a framework," with the team operating against commander's intent rather than micromanagement — is the operating model for retaining the people who can navigate this. The candidate question Keith Hoodlet flagged a few episodes back was the same one Jason and Stuart returned to here: ask what they're doing in their free time, and the answer tells you everything.

The closing segment riffed on Phil Venables's recent "good CISO / bad CISO" essay — an unusually clear framing of the executive bar for the role. The version that landed: the good CISO is a business executive who manages technology risk, takes full responsibility for the organization's resiliency, and operates against business outcomes. The job isn't to install tools or to enforce a framework. It's to be a credible witness to the risks the business is carrying, to price those risks in business terms, and to coach the heads of business units toward mitigation strategies that fit the company's risk tolerance.

Jason's strongest take of the episode was on the reporting-line debate that has consumed too much CISO oxygen for too long. The structure doesn't change the work. The work is influence — across engineering, product, finance, and the board — and the CISOs who hide behind "I don't have the budget" or "I don't report to the CEO" are missing the actual game.

The operating frame Conor put forward — discover, price, coach — captures the same point. Discover the risks the business is carrying. Price them in terms the business actually understands. Coach the leaders responsible for the work toward the right mitigation. The CISOs who do this consistently are the ones who get the budget, the headcount, and the seat at the table. The ones who don't get to file complaints in their own offices about how nobody listens. 

The closing operational note was about the soft landing. Memo-to-file is the practice every security leader should adopt — contemporaneous notes documenting the information available, the decision made, and the people in the room when each consequential call happens. You'll mostly never need them. When you do, you've given your defense team the artifact to protect the business with under litigation. That's the unglamorous infrastructure of being a credible executive in this role.

Guests — Jason Rebholz, Co-founder and CEO of Evoke Security; previously CISO at Corvus Insurance; before that at Crypsis Group (ransomware response) and Mandiant (nation-state investigations); author of the Weekend Byte newsletter

Books mentioned — none

Frameworks / models / tools named — Google DeepMind Frontier Safety Framework (updated with manipulation as a new critical capability level); Anthropic threat-actor disclosures (referenced re: model goal-fixation behavior); the three pillars of AI trust (safety, security, reliability); RAND security-level model for protecting weights; "freedom within a framework" / commander's intent; "discover, price, coach"; memo-to-file; "good CISO / bad CISO" (Phil Venables blog post)

Other people / shows / resources referenced — Greg Notch, CSO at Expel (Expel 2025 Talent Index); Phil Venables, CISO at Google (the good CISO / bad CISO essay); Andy Ellis, formerly CISO at Akamai (the "credible witness" framing referenced by Conor); the Replit production-database-deletion incident (the canonical rogue agent case); the Anthropic August threat-actor report (ransomware orchestration); Colorado AI law (referenced re: HR automated decision-making); RSA Conference (referenced for Conor's car-safety-vs-security analogy); Liquid Death (Conor's running plug); Weekend Byte (Jason's newsletter)