What you'll learn
Identity governance, data governance, third-party risk, and vulnerability management were already persistent failures — AI has turned them into existential ones, and the organizational ambiguity over who actually owns each discipline is the reason they remain unresolved.
Incident response runbooks are not built for machine-speed attacks — threat actors are achieving full account compromise in under eight minutes, and most IR plans still measure their first coordination steps in hours or days.
The CISO's job is shifting from securing the perimeter to building organizational resilience — designing systems that absorb punches and keep operating, not just preventing the punch from landing.
Description
Matt Stamper chairs the FBI InfraGard CISO Cross-Sector Council, representing nearly a thousand CISOs across critical infrastructure. He co-authored the CISO Desk Reference Guide, spent years at Gartner covering incident response architecture, and now runs Executive Advisors Group — advising CISOs on program design, tabletop exercises, and the governance problems that do not go away just because the tooling gets better. This conversation lands at the intersection of four chronic security failures and the AI acceleration that just removed every remaining margin for error.
The argument is not that AI creates new categories of risk. It is that AI compresses the timescales on risks the industry already could not manage. Vulnerability exploitation windows have collapsed from months to hours. Agentic models can daisy-chain low-severity vulnerabilities into custom attack paths no scanner would flag. Runbooks designed for human coordination cannot keep pace when the game is lost in the first sixty seconds. Matt walks through what this means for CISOs trying to communicate risk to boards that still want a single slide, for IR teams whose playbooks do not contemplate agent-on-agent scenarios, and for an industry that needs to stop blaming victims and start building resilience as an engineering discipline.
What we cover
"It's unclear organizationally who is the accountable party." — Why identity, data governance, third-party risk, and vulnerability management remain broken — and why AI just made the ownership question urgent.
"The game's lost in the matter of the first couple of seconds." — How the 555 benchmark and sub-eight-minute account takeovers render human-speed runbooks obsolete.
"I think it's borderline negligence when members of the board say, OK, here's five minutes for security." — Why boards can no longer treat cyber risk as a single-slide topic, and what CISOs owe them in return.
"We've basically just crossed the four-minute mile." — Why Glasswing and Mythos-class models are not the threat — they are the starting gun for everything that follows.
"That luxury doesn't exist anymore." — How daisy-chained low-severity vulnerabilities eliminate the comfort of triaging only criticals and highs.
"Are you comfortable with an agent effectively countering another group of agents?" — The tabletop question most IR programs are not asking yet.
"How do we effectively take a punch and still keep on fighting?" — Why resilience, not prevention, is the operating mandate — and what microservices architecture teaches legacy infrastructure about surviving failure.
"I don't think organizations use key risk indicators as a means to measure where there may be single points of failure." — The gap between claiming five-nines and engineering for it.
Thank you to our Sponsors:
Hampton North is the premier US-based cybersecurity search firm. Start building your security team with Hampton North.
Sysdig is the leader in AI-powered real-time cloud defense; stop watching and start defending.
The conversation
Four failures AI just accelerated
The episode opens on a frame Matt has been building across his advisory work and his InfraGard engagements: four disciplines — identity governance, data governance, third-party risk management, and vulnerability management — that the industry has always struggled with. The argument is not that these are new problems. The argument is that AI removed the last margin of error around each one.
The root cause, in Matt's telling, is governance ambiguity. Who owns vulnerabilities — the CISO, the CTO, infrastructure and operations, the business unit manager responsible for a given application? The same question applies to identities: HR, the line of business, or the security team? When accountability is distributed to the point of being unowned, the discipline degrades. That degradation was tolerable when exploitation timescales were measured in weeks or months. It is not tolerable when the zero-day clock shows weaponized exploits appearing in hours.
Matt frames the Glasswing moment as a watershed — not because the model itself is the final threat, but because it demonstrated the ability to build customized, daisy-chained exploits from low-severity vulnerabilities that most organizations would never prioritize. The implication: triaging only criticals and highs is no longer a defensible position. Vulnerabilities discovered in 2018 and 2019 that were never exploited before are now chainable into novel attack paths. The comfort of "discovered but not exploited" is gone.
The longer-term view is more optimistic. Matt expects the quality of code to improve as AI-driven testing and analysis tighten the release pipeline. But for the near term, his counsel is direct: fasten your seatbelts.
Board communication and the BIA as a bridge
Matt's position on board engagement is blunt: treating cybersecurity as a single-slide, five-minute agenda item is borderline negligence. Boards, like CISOs, need to lean into this moment — educating themselves on the rapidity and scale of the risks their organizations face.
The failure, though, runs both directions. CISOs have historically been too technical in how they describe risk to boards. The fix is not more slides — it is better translation. Matt grounds this in the business impact analysis: a two-page BIA template that maps how the organization derives enterprise value, what threatens that value, and what controls are in place. The BIA becomes the vehicle for converting technical risk into business language. When Conor describes tying his risk program to each of six product lines at his last organization, it is the same principle: meet the business in the language of the business, not the language of the security team.
The through-line: CISOs who communicate in business terms earn the seat. CISOs who communicate in technical terms lose the audience — and the budget that follows.
Incident response at machine speed
This is the section Matt flags as the one that genuinely concerns him. Most incident response programs have not modeled AI-speed attacks into their playbooks. The 555 benchmark — five seconds to detect, five minutes to triage, five minutes to respond — landed as a visceral gut blow when Matt first encountered it, because he has reviewed hundreds of IR plans and playbooks, and most do not contemplate those timescales.
The coordination problem compounds the speed problem. When the first move in a response is to determine whether to operate under legal privilege, find an attorney, and stand up the engagement — that process alone burns minutes the organization no longer has. The old SOAR promise of hands-off-keyboard response was technically available but culturally rejected. Matt's position: organizations will have to revisit that rejection. Agentic defense — trusting automated systems to counter automated attacks — is no longer optional for environments operating at machine speed.
The tabletop question Matt now puts to organizations: are you comfortable with an agent countering a swarm of agents in a response to critical infrastructure? If the answer is no, and the runbook still assumes human coordination in the first five minutes, the plan does not match the threat.
Conor anchors this with Sysdig's research showing threat actors achieving full cloud account compromise in under eight minutes using AI — a timeline no human-speed runbook reaches. The conclusion is not that tabletops are obsolete. It is that they need to model the right scenarios: agent compromise, agent-to-agent communication, spoofed profiles, cascading failures across interconnected services.
From security to resilience
The second half of the conversation pivots from defense to durability. Matt's frame: the CISO's mandate is evolving from risk mitigation to resilience engineering. The question is no longer just "how do we prevent the breach" but "how do we take a punch and keep operating."
He draws the analogy from his AT&T days, where gigabit switch routers carried only 40% capacity so that if the A-side failed, the B-side could absorb the load with headroom to spare. Everything was designed identically — same source code, same IOS — so failover was seamless. Cloud-native companies already build this way: fault tolerance, auto-scaling, container orchestration that isolates failures. The gap is in legacy critical infrastructure — manufacturing, healthcare, operational technology — where these patterns have not been adopted and the blast radius of a single failure can be catastrophic.
Stuart raises the business continuity angle: organizations have gamified disaster scenarios without taking them seriously. Matt agrees, and extends the argument across three concurrent risk categories — technological disruption from AI, geopolitical instability, and climate-driven physical events — all happening simultaneously. The organizations that survive will be the ones that design for continuity of operations across all three vectors, not the ones that treat each as an isolated planning exercise.
The practical counsel: use key risk indicators to identify single points of failure, instrument systems for continuous monitoring, and build recovery automation before the crisis demands it. Resilience is expensive. A single-threaded architecture is cheaper right up until it fails.
The continuous zero-day reality
Conor coins the operational frame that runs through the back half of the episode: continuous zero-day. If you accept that as fact and build accordingly, the second- and third-order effects clarify themselves. Vulnerability management stops being a 30-60-90 cadence and becomes continuous remediation. Mitigation must happen before the vendor ships the patch. Assume breach becomes the baseline, not the edge case.
Matt connects this to the transparency argument for open source. When an organization depends on a closed-source vendor to disclose a vulnerability, the vendor's legal team reviews the disclosure before it ships — adding time to a process where time is the resource the defender no longer has. Open-source communities, by contrast, offer full traceability, full explainability, and a culture of rapid collaborative response. Matt expects the continuous zero-day environment to accelerate adoption of open-source, community-driven tooling over closed-loop proprietary environments.
What CISOs need to change
Matt closes with counsel drawn from his InfraGard work across a thousand CISOs in critical infrastructure. Three shifts:
First, internalize the new timescales. The CIA triad — confidentiality, integrity, availability — remains the frame, but every element now operates on a clock measured in seconds or minutes. IR plans that do not reflect this are plans for a threat environment that no longer exists.
Second, build for autopilot. The analogy is an aircraft: the autopilot makes thousands of micro-adjustments the pilot never sees, and the human intervenes at a few critical decision points. Security operations need to move toward the same model — continuous, automated, probabilistic response with human oversight at defined thresholds.
Third, collaborate without blame. The industry's instinct to blame breached organizations — they should have implemented this control, they should have patched faster — is counterproductive when the real constraint is resources, budget, and organizational priority. Matt's InfraGard chapter in San Diego runs a collaborative model where CISOs share intelligence in real time when incidents hit. His call: scale that model across every sector, and stop treating breach disclosure as an invitation to litigate.
Show notes
Guest — Matt Stamper, CEO and CISO Advisor at Executive Advisors Group; former Gartner Research Director covering incident response; National Chair of the FBI InfraGard CISO Cross-Sector Council (~1,000 CISOs across critical infrastructure); co-author of the CISO Desk Reference Guide and Mastering Third-Party Risk.
Books mentioned — CISO Desk Reference Guide (Matt Stamper, co-author); Mastering Third-Party Risk (Matt Stamper).
Frameworks / models / tools named — CIA triad; Business Impact Analysis (BIA); 555 benchmark (5 seconds detect / 5 minutes triage / 5 minutes respond); Glasswing; Mythos; SOAR; SBOMs and AI BOMs; zero-day clock (Sysdig); FBI InfraGard; Cloud Security Alliance; ISACs (Financial Services, Health, Multi-State).
Other people / shows / resources referenced — Sysdig Threat Research Team (sub-8-minute cloud account compromise; zero-day clock research); Sergey (Sysdig, zero-day clock); Hayim Mazal (Chief AI Security Officer, Gigamon; attacker advantage analysis); Daniel Miessler (Mythos as "Commodore 64" of future capability); Gaudi and Cloud Security Alliance (Glasswing/Mythos response coordination); CISA; National Association of Corporate Directors; Private Directors Association; Unprompted Conference; San Diego CISO Roundtable; Roger Bannister four-minute mile analogy.
Hosted by Conor Sherman and Stuart Mitchell.