Cloud Security Office Hours Banner

Friday, May 29, 2026 - Meeting Recap

AI's impact on cybersecurity, Microsoft Red Sun zero-day, HSBC password controversy

- AI guardrails, token-cost reality, and Microsoft's MSRC zero-day feud

Quick recap. The 175th session dug into how enterprises are actually governing AI use - MDM controls, proxies, and AI gateways to enforce acceptable-use policies - and the widening gap between promised and real token costs as newer models get less token-efficient. Neil closed with Microsoft's handling of an anonymous researcher publishing zero-days, and the group weighed how the MSRC has shifted from deep technical expertise toward crisis communications.

2026-05AIGovernanceVulnerabilitiesIndustry News
Show 3 discussion topics

AI governance and guardrails

Participants compared approaches to keeping employees inside acceptable-use boundaries for AI: mobile device management (MDM) controls, network proxies, and AI-specific gateways that restrict which models and data can be reached. Matt argued that containing both user access and agent actions matters. The group distinguished unintentional bypasses - an employee working around a control to fix a technical problem - from intentional ones, which warrant a disciplinary response rather than a purely technical fix.

The real cost of AI tokens

Jay noted that effective enforcement of AI usage really needs a central purchasing function and mature HR controls that smaller companies lack. The group observed that current token limits still sit below actual costs, even as recent changes cut available tokens, and that newer models such as Opus 4.7 and 4.8 are less token-efficient, pushing costs up. The takeaway: performance metrics can accidentally reward token-maxing rather than meaningful output.

Microsoft, MSRC, and the zero-day researcher

Neil walked through the public feud between Microsoft and an anonymous researcher releasing zero-days, including a BitLocker bypass. He argued Microsoft's response has been inadequate and that the Microsoft Security Response Center (MSRC) has drifted from deep technical expertise toward being primarily a crisis-communications team - a regression in how it engages security researchers compared with years past.

↑ All meeting recaps