<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Spoiledlunch</title><link>https://33bf27a7.spoiledlunch.pages.dev/</link><description>Nerdy Stuff. Tech Talk. Zero Freshness. Analysis and commentary on GRC, security, and AI.</description><generator>Hugo 0.160.1</generator><language>en-us</language><lastBuildDate>Thu, 02 Jul 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://33bf27a7.spoiledlunch.pages.dev/topics/ai/" rel="self" type="application/rss+xml"/><item><title>CubeSpace CW0057 Reaction Wheel</title><link>https://33bf27a7.spoiledlunch.pages.dev/news/2026-07-02-cubespace-cw0057-reaction-wheel/</link><pubDate>Thu, 02 Jul 2026 12:00:00 +0000</pubDate><guid>https://33bf27a7.spoiledlunch.pages.dev/news/2026-07-02-cubespace-cw0057-reaction-wheel/</guid><description>News Brief • July 2, 2026 | Topics: AI | Summary: Successful exploitation of this vulnerability could allow an attacker to upload arbitrary malicious firmware to the device. …</description><content:encoded>&lt;![CDATA[<p><strong>Summary:</strong> Successful exploitation of this vulnerability could allow an attacker to upload arbitrary malicious firmware to the device.</p><p><strong>Why it matters:</strong> This matters if it changes how teams think about model governance, safety work, monitoring, or regulatory exposure around deployed AI systems.</p><p><strong>What to watch:</strong> Watch for follow-on technical guidance, deployment constraints, evaluation details, or signs that the announcement changes actual production practice rather than just policy language.</p><p><strong>Source:</strong><a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-183-02">[Critical Advisories] CISA Cybersecurity Advisories</a></p>
]]></content:encoded><author>Spoiledlunch</author><category>AI</category><category>ai</category><category>user-state-com-google-reading-list</category><category>user-label-spoiledlunch-news</category><category>user-state-org-freshrss-main</category><category>critical-advisories-cisa-cybersecurity-advisories</category></item><item><title>FTC and DOJ Issue Fiscal Year 2025 Hart-Scott-Rodino Annual Report</title><link>https://33bf27a7.spoiledlunch.pages.dev/news/2026-07-02-ftc-and-doj-issue-fiscal-year-2025-hart-scott-rodino-annual-report/</link><pubDate>Thu, 02 Jul 2026 12:00:00 +0000</pubDate><guid>https://33bf27a7.spoiledlunch.pages.dev/news/2026-07-02-ftc-and-doj-issue-fiscal-year-2025-hart-scott-rodino-annual-report/</guid><description>News Brief • July 2, 2026 | Topics: AI | Summary: The Federal Trade Commission and the Department of Justice’s (DOJ) Antitrust Division released their 48th Annual Hart-Scott-Rodino (HSR) …</description><content:encoded>&lt;![CDATA[<p><strong>Summary:</strong> The Federal Trade Commission and the Department of Justice’s (DOJ) Antitrust Division released their 48th Annual Hart-Scott-Rodino (HSR) Report.</p><p><strong>Why it matters:</strong> This matters if it changes how teams think about model governance, safety work, monitoring, or regulatory exposure around deployed AI systems.</p><p><strong>What to watch:</strong> Watch for follow-on technical guidance, deployment constraints, evaluation details, or signs that the announcement changes actual production practice rather than just policy language.</p><p><strong>Source:</strong><a href="https://www.ftc.gov/news-events/news/press-releases/2026/07/ftc-doj-issue-fiscal-year-2025-hart-scott-rodino-annual-report">[Executive Risk] FTC Competition Press Releases</a></p>
]]></content:encoded><author>Spoiledlunch</author><category>AI</category><category>ai</category><category>user-state-com-google-reading-list</category><category>user-label-spoiledlunch-news</category><category>user-state-org-freshrss-main</category><category>executive-risk-ftc-competition-press-releases</category></item><item><title>FTC Approves Final Order Against Publishing.com, Settling Allegations It Misled Consumers</title><link>https://33bf27a7.spoiledlunch.pages.dev/news/2026-07-02-ftc-approves-final-order-against-publishing-com-settling-allegations-it-misled-consumers/</link><pubDate>Thu, 02 Jul 2026 12:00:00 +0000</pubDate><guid>https://33bf27a7.spoiledlunch.pages.dev/news/2026-07-02-ftc-approves-final-order-against-publishing-com-settling-allegations-it-misled-consumers/</guid><description>News Brief • July 2, 2026 | Topics: AI | Summary: The Federal Trade Commission finalized an order with Publishing.com LLC and its two principals, settling allegations that they misled …</description><content:encoded>&lt;![CDATA[<p><strong>Summary:</strong> The Federal Trade Commission finalized an order with Publishing.com LLC and its two principals, settling allegations that they misled consumers about how much money consumers were likely to earn using their self-publishing products. Under the order finalized by the Commission, Publishing.com and its principals, CEO Christian Mikkelsen and Chief &hellip;</p><p><strong>Why it matters:</strong> This matters if it changes how teams think about model governance, safety work, monitoring, or regulatory exposure around deployed AI systems.</p><p><strong>What to watch:</strong> Watch for follow-on technical guidance, deployment constraints, evaluation details, or signs that the announcement changes actual production practice rather than just policy language.</p><p><strong>Source:</strong><a 
href="https://www.ftc.gov/news-events/news/press-releases/2026/07/ftc-approves-final-order-against-publishingcom-settling-allegations-it-misled-consumers">[Executive Risk] FTC Consumer Protection Press Releases</a></p>
]]></content:encoded><author>Spoiledlunch</author><category>AI</category><category>ai</category><category>user-state-com-google-reading-list</category><category>user-label-spoiledlunch-news</category><category>user-state-org-freshrss-main</category><category>executive-risk-ftc-consumer-protection-press-releases</category></item><item><title>Gardyn IoT Hub</title><link>https://33bf27a7.spoiledlunch.pages.dev/news/2026-07-02-gardyn-iot-hub/</link><pubDate>Thu, 02 Jul 2026 12:00:00 +0000</pubDate><guid>https://33bf27a7.spoiledlunch.pages.dev/news/2026-07-02-gardyn-iot-hub/</guid><description>News Brief • July 2, 2026 | Topics: AI | Summary: Successful exploitation of these vulnerabilities could allow unauthenticated users to access and control IoT Hub managed …</description><content:encoded>&lt;![CDATA[<p><strong>Summary:</strong> Successful exploitation of these vulnerabilities could allow unauthenticated users to access and control IoT Hub managed devices.</p><p><strong>Why it matters:</strong> This matters if it changes how teams think about model governance, safety work, monitoring, or regulatory exposure around deployed AI systems.</p><p><strong>What to watch:</strong> Watch for follow-on technical guidance, deployment constraints, evaluation details, or signs that the announcement changes actual production practice rather than just policy language.</p><p><strong>Source:</strong><a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-183-03">[Critical Advisories] CISA Cybersecurity Advisories</a></p>
]]></content:encoded><author>Spoiledlunch</author><category>AI</category><category>ai</category><category>user-state-com-google-reading-list</category><category>user-label-spoiledlunch-news</category><category>user-state-org-freshrss-main</category><category>critical-advisories-cisa-cybersecurity-advisories</category></item><item><title>ST Engineering iDirect iQ-Series Terminals</title><link>https://33bf27a7.spoiledlunch.pages.dev/news/2026-07-02-st-engineering-idirect-iq-series-terminals/</link><pubDate>Thu, 02 Jul 2026 12:00:00 +0000</pubDate><guid>https://33bf27a7.spoiledlunch.pages.dev/news/2026-07-02-st-engineering-idirect-iq-series-terminals/</guid><description>News Brief • July 2, 2026 | Topics: AI | Summary: Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access to device information …</description><content:encoded>&lt;![CDATA[<p><strong>Summary:</strong> Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access to device information or cause a denial-of-service condition.</p><p><strong>Why it matters:</strong> This matters if it changes how teams think about model governance, safety work, monitoring, or regulatory exposure around deployed AI systems.</p><p><strong>What to watch:</strong> Watch for follow-on technical guidance, deployment constraints, evaluation details, or signs that the announcement changes actual production practice rather than just policy language.</p><p><strong>Source:</strong><a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-183-01">[Critical Advisories] CISA Cybersecurity Advisories</a></p>
]]></content:encoded><author>Spoiledlunch</author><category>AI</category><category>ai</category><category>user-state-com-google-reading-list</category><category>user-label-spoiledlunch-news</category><category>user-state-org-freshrss-main</category><category>critical-advisories-cisa-cybersecurity-advisories</category></item><item><title>Travel App Hopper to Pay $35 Million to Settle FTC Allegations It Charged Fees Without Consent and Deceived ...</title><link>https://33bf27a7.spoiledlunch.pages.dev/news/2026-07-02-travel-app-hopper-to-pay-35-million-to-settle-ftc-allegations-it-charged-fees-without-consent-and-deceived/</link><pubDate>Thu, 02 Jul 2026 12:00:00 +0000</pubDate><guid>https://33bf27a7.spoiledlunch.pages.dev/news/2026-07-02-travel-app-hopper-to-pay-35-million-to-settle-ftc-allegations-it-charged-fees-without-consent-and-deceived/</guid><description>News Brief • July 2, 2026 | Topics: AI | Summary: The companies that operate the Hopper travel apps have agreed to pay $35 million and will be prohibited from deceiving consumers about fees …</description><content:encoded>&lt;![CDATA[<p><strong>Summary:</strong> The companies that operate the Hopper travel apps have agreed to pay $35 million and will be prohibited from deceiving consumers about fees to settle the Federal Trade Commission’s allegations that they unfairly charged consumers hidden fees and misrepresented the total prices consumers would pay and the benefits &hellip;</p><p><strong>Why it matters:</strong> This matters if it changes how teams think about model governance, safety work, monitoring, or regulatory exposure around deployed AI systems.</p><p><strong>What to watch:</strong> Watch for follow-on technical guidance, deployment constraints, evaluation details, or signs that the announcement changes actual production practice rather than just policy language.</p><p><strong>Source:</strong><a 
href="https://www.ftc.gov/news-events/news/press-releases/2026/07/travel-app-hopper-pay-35-million-settle-ftc-allegations-it-charged-fees-without-consent-deceived">[Executive Risk] FTC Consumer Protection Press Releases</a></p>
]]></content:encoded><author>Spoiledlunch</author><category>AI</category><category>ai</category><category>user-state-com-google-reading-list</category><category>user-label-spoiledlunch-news</category><category>user-state-org-freshrss-main</category><category>executive-risk-ftc-consumer-protection-press-releases</category></item><item><title>SEC Publishes Updated Market Statistics, Highlighting Increase in IPOs and Proceeds Raised</title><link>https://33bf27a7.spoiledlunch.pages.dev/news/2026-07-01-sec-publishes-updated-market-statistics-highlighting-increase-in-ipos-and-proceeds-raised/</link><pubDate>Wed, 01 Jul 2026 12:47:58 +0000</pubDate><guid>https://33bf27a7.spoiledlunch.pages.dev/news/2026-07-01-sec-publishes-updated-market-statistics-highlighting-increase-in-ipos-and-proceeds-raised/</guid><description>News Brief • July 1, 2026 | Topics: AI | Summary: The Securities and Exchange Commission’s Division of Economic and Risk Analysis (DERA) published updated statistics and data visualizations …</description><content:encoded>&lt;![CDATA[<p><strong>Summary:</strong> The Securities and Exchange Commission’s Division of Economic and Risk Analysis (DERA) published updated statistics and data visualizations covering key segments of the U.S.</p><p><strong>Why it matters:</strong> This matters if it changes how teams think about model governance, safety work, monitoring, or regulatory exposure around deployed AI systems.</p><p><strong>What to watch:</strong> Watch for follow-on technical guidance, deployment constraints, evaluation details, or signs that the announcement changes actual production practice rather than just policy language.</p><p><strong>Source:</strong><a href="https://www.sec.gov/newsroom/press-releases/2026-61-sec-publishes-updated-market-statistics-highlighting-increase-ipos-proceeds-raised">[Executive Risk] SEC Press Releases</a></p>
]]></content:encoded><author>Spoiledlunch</author><category>AI</category><category>ai</category><category>user-state-com-google-reading-list</category><category>user-label-spoiledlunch-news</category><category>user-state-org-freshrss-main</category><category>executive-risk-sec-press-releases</category></item><item><title>CISA Adds One Known Exploited Vulnerability to Catalog</title><link>https://33bf27a7.spoiledlunch.pages.dev/news/2026-07-01-cisa-adds-one-known-exploited-vulnerability-to-catalog/</link><pubDate>Wed, 01 Jul 2026 12:00:00 +0000</pubDate><guid>https://33bf27a7.spoiledlunch.pages.dev/news/2026-07-01-cisa-adds-one-known-exploited-vulnerability-to-catalog/</guid><description>News Brief • July 1, 2026 | Topics: AI | Summary: CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
Why it …</description><content:encoded>&lt;![CDATA[<p><strong>Summary:</strong> CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.</p><p><strong>Why it matters:</strong> This matters if it changes how teams think about model governance, safety work, monitoring, or regulatory exposure around deployed AI systems.</p><p><strong>What to watch:</strong> Watch for follow-on technical guidance, deployment constraints, evaluation details, or signs that the announcement changes actual production practice rather than just policy language.</p><p><strong>Source:</strong><a href="https://www.cisa.gov/news-events/alerts/2026/07/01/cisa-adds-one-known-exploited-vulnerability-catalog">[Critical Advisories] CISA Cybersecurity Advisories</a></p>
]]></content:encoded><author>Spoiledlunch</author><category>AI</category><category>ai</category><category>user-state-com-google-reading-list</category><category>user-label-spoiledlunch-news</category><category>user-state-org-freshrss-main</category><category>critical-advisories-cisa-cybersecurity-advisories</category></item><item><title>CISA Announces New Advisory Council to Strengthen Partnerships and Secure Critical Infrastructure</title><link>https://33bf27a7.spoiledlunch.pages.dev/news/2026-07-01-cisa-announces-new-advisory-council-to-strengthen-partnerships-and-secure-critical-infrastructure/</link><pubDate>Wed, 01 Jul 2026 12:00:00 +0000</pubDate><guid>https://33bf27a7.spoiledlunch.pages.dev/news/2026-07-01-cisa-announces-new-advisory-council-to-strengthen-partnerships-and-secure-critical-infrastructure/</guid><description>News Brief • July 1, 2026 | Topics: AI | Summary: CISA Announces New Advisory Council to Strengthen Partnerships and Secure Critical Infrastructure
Why it matters: This matters if it changes …</description><content:encoded>&lt;![CDATA[<p><strong>Summary:</strong> CISA Announces New Advisory Council to Strengthen Partnerships and Secure Critical Infrastructure</p><p><strong>Why it matters:</strong> This matters if it changes how teams think about model governance, safety work, monitoring, or regulatory exposure around deployed AI systems.</p><p><strong>What to watch:</strong> Watch for follow-on technical guidance, deployment constraints, evaluation details, or signs that the announcement changes actual production practice rather than just policy language.</p><p><strong>Source:</strong><a href="https://www.cisa.gov/news-events/news/cisa-announces-new-advisory-council-strengthen-partnerships-and-secure-critical-infrastructure">[Critical Advisories] CISA News</a></p>
]]></content:encoded><author>Spoiledlunch</author><category>AI</category><category>ai</category><category>user-state-com-google-reading-list</category><category>user-label-spoiledlunch-news</category><category>user-state-org-freshrss-main</category><category>critical-advisories-cisa-news</category></item><item><title>EDPB and AMLA to develop Joint Guidelines on partnerships for information sharing</title><link>https://33bf27a7.spoiledlunch.pages.dev/news/2026-07-01-edpb-and-amla-to-develop-joint-guidelines-on-partnerships-for-information-sharing/</link><pubDate>Wed, 01 Jul 2026 12:00:00 +0000</pubDate><guid>https://33bf27a7.spoiledlunch.pages.dev/news/2026-07-01-edpb-and-amla-to-develop-joint-guidelines-on-partnerships-for-information-sharing/</guid><description>News Brief • July 1, 2026 | Topics: AI | Summary: Brussels/Frankfurt, 1 July – The EDPB and the Anti-Money Laundering Authority (AMLA) are working together to bring greater clarity to a …</description><content:encoded>&lt;![CDATA[<p><strong>Summary:</strong> Brussels/Frankfurt, 1 July – The EDPB and the Anti-Money Laundering Authority (AMLA) are working together to bring greater clarity to a question of growing importance for industry and authorities alike: how to share information to fight financial crime while protecting personal data. Why information sharing matters: The fight against financial &hellip;</p><p><strong>Why it matters:</strong> This matters if it changes how teams think about model governance, safety work, monitoring, or regulatory exposure around deployed AI systems.</p><p><strong>What to watch:</strong> Watch for follow-on technical guidance, deployment constraints, evaluation details, or signs that the announcement changes actual production practice rather than just policy language.</p><p><strong>Source:</strong><a href="https://www.edpb.europa.eu/news/edpb-and-amla-to-develop-joint-guidelines-on-partnerships-for-information-sharing_en">EDPB News</a></p>
]]></content:encoded><author>Spoiledlunch</author><category>AI</category><category>ai</category><category>user-state-com-google-reading-list</category><category>user-label-spoiledlunch-news</category><category>user-state-org-freshrss-main</category><category>edpb-news</category></item><item><title>FTC Seeks Public Comment on Policy Statement Addressing AI Accuracy</title><link>https://33bf27a7.spoiledlunch.pages.dev/news/2026-07-01-ftc-seeks-public-comment-on-policy-statement-addressing-ai-accuracy/</link><pubDate>Wed, 01 Jul 2026 12:00:00 +0000</pubDate><guid>https://33bf27a7.spoiledlunch.pages.dev/news/2026-07-01-ftc-seeks-public-comment-on-policy-statement-addressing-ai-accuracy/</guid><description>News Brief • July 1, 2026 | Topics: AI | Summary: The Federal Trade Commission is seeking public comment on a proposed policy statement addressing concerns that AI companies may be …</description><content:encoded>&lt;![CDATA[<p><strong>Summary:</strong> The Federal Trade Commission is seeking public comment on a proposed policy statement addressing concerns that AI companies may be manipulating the behavior of their AI systems contrary to reasonable consumer expectations for objectivity and accuracy. As the proposed policy statement explains, the FTC Act prohibits businesses from engaging &hellip;</p><p><strong>Why it matters:</strong> This matters if it changes how teams think about model governance, safety work, monitoring, or regulatory exposure around deployed AI systems.</p><p><strong>What to watch:</strong> Watch for follow-on technical guidance, deployment constraints, evaluation details, or signs that the announcement changes actual production practice rather than just policy language.</p><p><strong>Source:</strong><a href="https://www.ftc.gov/news-events/news/press-releases/2026/07/ftc-seeks-public-comment-policy-statement-addressing-ai-accuracy">[Executive Risk] FTC Consumer Protection Press Releases</a></p>
]]></content:encoded><author>Spoiledlunch</author><category>AI</category><category>ai</category><category>user-state-com-google-reading-list</category><category>user-label-spoiledlunch-news</category><category>user-state-org-freshrss-main</category><category>executive-risk-ftc-consumer-protection-press-releases</category></item><item><title>SEC Seeks Public Comment on Novel Exchange-Traded Funds</title><link>https://33bf27a7.spoiledlunch.pages.dev/news/2026-06-30-sec-seeks-public-comment-on-novel-exchange-traded-funds/</link><pubDate>Tue, 30 Jun 2026 14:15:05 +0000</pubDate><guid>https://33bf27a7.spoiledlunch.pages.dev/news/2026-06-30-sec-seeks-public-comment-on-novel-exchange-traded-funds/</guid><description>News Brief • June 30, 2026 | Topics: AI | Summary: The Securities and Exchange Commission today issued a request for public comment on exchange-traded funds (ETFs) seeking to invest in …</description><content:encoded>&lt;![CDATA[<p><strong>Summary:</strong> The Securities and Exchange Commission today issued a request for public comment on exchange-traded funds (ETFs) seeking to invest in innovative asset classes or engage in novel investment strategies.</p><p><strong>Why it matters:</strong> This matters if it changes how teams think about model governance, safety work, monitoring, or regulatory exposure around deployed AI systems.</p><p><strong>What to watch:</strong> Watch for follow-on technical guidance, deployment constraints, evaluation details, or signs that the announcement changes actual production practice rather than just policy language.</p><p><strong>Source:</strong><a href="https://www.sec.gov/newsroom/press-releases/2026-60-sec-seeks-public-comment-novel-exchange-traded-funds">[Executive Risk] SEC Press Releases</a></p>
]]></content:encoded><author>Spoiledlunch</author><category>AI</category><category>ai</category><category>user-state-com-google-reading-list</category><category>user-label-spoiledlunch-news</category><category>user-state-org-freshrss-main</category><category>executive-risk-sec-press-releases</category></item><item><title>AI Usage Discovery Is the New Shadow IT Problem</title><link>https://33bf27a7.spoiledlunch.pages.dev/articles/2026-05-01-why-ai-usage-discovery-is-becoming-the-new-shadow-it-problem/</link><pubDate>Tue, 30 Jun 2026 09:00:00 -0400</pubDate><guid>https://33bf27a7.spoiledlunch.pages.dev/articles/2026-05-01-why-ai-usage-discovery-is-becoming-the-new-shadow-it-problem/</guid><description>Article • June 30, 2026 • 4 min read | Topics: AI, GRC | For years, shadow IT meant unsanctioned SaaS, unmanaged devices, and business teams adopting systems faster than central governance could track them.
Now the same pattern is happening again through …</description><content:encoded>&lt;![CDATA[<p>For years, shadow IT meant unsanctioned SaaS, unmanaged devices, and business teams adopting systems faster than central governance could track them.</p><p>Now the same pattern is happening again through AI.</p><p>Employees use public chat tools for work tasks. Teams wire AI features into workflows through vendor platforms. Product groups buy embedded AI capabilities that legal, security, and compliance only discover later. Internal tools call external models through lightweight integrations nobody formally registered because the work felt too small to justify process.</p><p>This is not a future problem. It is already normal enterprise behavior.</p><p>That is why AI usage discovery is becoming the new shadow IT problem.</p><h2 id="ai-adoption-is-easier-to-hide-than-traditional-software-adoption">AI adoption is easier to hide than traditional software adoption</h2><p>Old shadow IT often left visible traces. Someone bought a tool. A domain appeared. A contract existed. A login pattern changed. A device showed up.</p><p>AI usage can be much lighter weight and therefore easier to miss.</p><p>A team might:</p><ul><li>paste internal data into a public AI interface</li><li>turn on an AI assistant inside an existing SaaS platform</li><li>build a low-code workflow that calls a model API</li><li>use browser extensions or productivity plugins with AI features</li><li>start relying on embedded generation or classification without any standalone procurement signal</li></ul><p>Each decision may feel small. 
Collectively they create a new layer of operational dependence and data movement that many organizations are only partially able to see.</p><h2 id="governance-cannot-work-on-systems-it-does-not-know-exist">Governance cannot work on systems it does not know exist</h2><p>This should sound familiar because it is the same failure pattern seen in other domains.</p><p>You cannot review what you have not discovered.</p><p>You cannot assign ownership to a workflow nobody declared.</p><p>You cannot assess data handling, vendor posture, prompt risk, retrieval behavior, or model dependency if the use case entered production through convenience and stayed there through habit.</p><p>That is why <a href="/articles/2026-05-02-why-enterprises-keep-confusing-ai-access-control-with-ai-governance/">AI access control is not the same thing as AI governance</a>. Restricting tool access does not help much if the actual workflows and dependencies were never discovered in the first place.</p><p>Many organizations are already trying to govern AI with intake forms, review committees, and policy language while lacking a credible inventory of where AI is actually being used. That is not a small gap. It means the formal governance program is operating on a curated subset of reality.</p><h2 id="the-real-issue-is-not-forbidden-use-it-is-invisible-dependence">The real issue is not forbidden use. It is invisible dependence.</h2><p>Some AI governance conversations are still stuck on prohibition: how do we stop people from using unsanctioned tools?</p><p>That matters, but it is not the whole problem.</p><p>The deeper issue is invisible dependence. Workflows start leaning on AI outputs before anyone has decided whether the use is important enough to govern differently. Internal expectations change. Customer responses get shaped by generated text. Analysts rely on model summaries. Support teams trust AI-assisted search. 
The organization acquires hidden dependencies before it acquires visibility.</p><p>That is exactly what made shadow IT hard the first time. The technology was not just present. It became useful before governance arrived.</p><h2 id="discovery-has-to-include-platforms-vendors-and-workflows">Discovery has to include platforms, vendors, and workflows</h2><p>AI usage discovery is also harder than traditional software inventory because &ldquo;the AI system&rdquo; is often not a single product.</p><p>It may be:</p><ul><li>a feature inside a major SaaS platform</li><li>a vendor workflow powered by a hidden foundation model</li><li>a prompt layer inside an internal application</li><li>an API dependency attached to a business automation</li><li>a retrieval system grounded in internal documents</li></ul><p>If the discovery model only looks for direct model contracts, it will miss a large share of the real exposure.</p><p>This is really the AI version of the older inventory failure described in <a href="/articles/2026-05-01-why-asset-inventory-is-still-the-most-embarrassing-security-problem-in-large-organizations/">why asset inventory remains so embarrassing in large organizations</a>: the systems of record feel mature right up until someone asks what is actually in use.</p><p>This is why AI governance inventories need to look more like a combination of software inventory, third-party risk mapping, and workflow discovery. 
They have to ask not just which models are approved, but where AI-mediated behavior is now influencing decisions, content, support, or operations.</p><h2 id="what-serious-discovery-looks-like">What serious discovery looks like</h2><p>A better AI discovery program usually combines several questions:</p><ul><li>where are public AI tools being accessed from managed environments?</li><li>which enterprise SaaS platforms have enabled AI features?</li><li>which internal systems call model APIs directly or through vendors?</li><li>where is internal or customer data being routed into AI-assisted workflows?</li><li>which business processes now depend on AI output, even informally?</li></ul><p>This is not about building a perfect inventory on day one. It is about admitting that AI governance without usage discovery is mostly ceremonial.</p><h2 id="bottom-line">Bottom Line</h2><p>AI usage discovery is becoming the new shadow IT problem because adoption is diffuse, low-friction, and increasingly embedded inside tools the enterprise already trusts.</p><p>The organizations that handle this well will not be the ones with the prettiest policy documents. They will be the ones that can actually see where AI is being used, what data and workflows it touches, and which dependencies have formed before those dependencies become governance surprises.</p>
]]></content:encoded><author>Spoiledlunch</author><category>AI</category><category>GRC</category><category>shadow ai</category><category>ai governance</category><category>usage discovery</category><category>inventory</category></item><item><title>Frangoteam FUXA SCADA/HMI</title><link>https://33bf27a7.spoiledlunch.pages.dev/news/2026-06-30-frangoteam-fuxa-scada-hmi/</link><pubDate>Tue, 30 Jun 2026 12:00:00 +0000</pubDate><guid>https://33bf27a7.spoiledlunch.pages.dev/news/2026-06-30-frangoteam-fuxa-scada-hmi/</guid><description>News Brief • June 30, 2026 | Topics: AI | Summary: Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to enumerate all user accounts …</description><content:encoded>&lt;![CDATA[<p><strong>Summary:</strong> Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to enumerate all user accounts and role assignments on a FUXA SCADA/HMI instance.</p><p><strong>Why it matters:</strong> This matters if it changes how teams think about model governance, safety work, monitoring, or regulatory exposure around deployed AI systems.</p><p><strong>What to watch:</strong> Watch for follow-on technical guidance, deployment constraints, evaluation details, or signs that the announcement changes actual production practice rather than just policy language.</p><p><strong>Source:</strong><a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-02">[Critical Advisories] CISA Cybersecurity Advisories</a></p>
]]></content:encoded><author>Spoiledlunch</author><category>AI</category><category>ai</category><category>user-state-com-google-reading-list</category><category>user-label-spoiledlunch-news</category><category>user-state-org-freshrss-main</category><category>critical-advisories-cisa-cybersecurity-advisories</category></item><item><title>FTC Requires Amazon to Pay $2.25 Million to Resolve Charges It Knowingly Violated the Fair Credit Reporting ...</title><link>https://33bf27a7.spoiledlunch.pages.dev/news/2026-06-30-ftc-requires-amazon-to-pay-2-25-million-to-resolve-charges-it-knowingly-violated-the-fair-credit-reporting/</link><pubDate>Tue, 30 Jun 2026 12:00:00 +0000</pubDate><guid>https://33bf27a7.spoiledlunch.pages.dev/news/2026-06-30-ftc-requires-amazon-to-pay-2-25-million-to-resolve-charges-it-knowingly-violated-the-fair-credit-reporting/</guid><description>News Brief • June 30, 2026 | Topics: AI | Summary: Amazon will pay $2.25 million in civil penalties to settle Federal Trade Commission allegations that the online retail giant knowingly …</description><content:encoded>&lt;![CDATA[<p><strong>Summary:</strong> Amazon will pay $2.25 million in civil penalties to settle Federal Trade Commission allegations that the online retail giant knowingly violated the Fair Credit Reporting Act (FCRA) by refusing to provide transaction records to consumers whose personal information was used by identity thieves to commit fraud. The complaint, filed &hellip;</p><p><strong>Why it matters:</strong> This matters if it changes how teams think about model governance, safety work, monitoring, or regulatory exposure around deployed AI systems.</p><p><strong>What to watch:</strong> Watch for follow-on technical guidance, deployment constraints, evaluation details, or signs that the announcement changes actual production practice rather than just policy language.</p><p><strong>Source:</strong><a 
href="https://www.ftc.gov/news-events/news/press-releases/2026/06/ftc-requires-amazon-pay-225-million-resolve-charges-it-knowingly-violated-fair-credit-reporting-act">[Executive Risk] FTC Consumer Protection Press Releases</a></p>
]]></content:encoded><author>Spoiledlunch</author><category>AI</category><category>ai</category><category>user-state-com-google-reading-list</category><category>user-label-spoiledlunch-news</category><category>user-state-org-freshrss-main</category><category>executive-risk-ftc-consumer-protection-press-releases</category></item><item><title>Mitsubishi Electric MELSOFT Update Manager SW1DND-UDM-M</title><link>https://33bf27a7.spoiledlunch.pages.dev/news/2026-06-30-mitsubishi-electric-melsoft-update-manager-sw1dnd-udm-m/</link><pubDate>Tue, 30 Jun 2026 12:00:00 +0000</pubDate><guid>https://33bf27a7.spoiledlunch.pages.dev/news/2026-06-30-mitsubishi-electric-melsoft-update-manager-sw1dnd-udm-m/</guid><description>News Brief • June 30, 2026 | Topics: AI | Summary: Successful exploitation of these vulnerabilities could allow a local attacker to tamper with or destroy information in the …</description><content:encoded>&lt;![CDATA[<p><strong>Summary:</strong> Successful exploitation of these vulnerabilities could allow a local attacker to tamper with or destroy information in the affected product, cause a denial-of-service condition in the affected product, or execute arbitrary code when a specially crafted archive file is decompressed by the 7-Zip component included &hellip;</p><p><strong>Why it matters:</strong> This matters if it changes how teams think about model governance, safety work, monitoring, or regulatory exposure around deployed AI systems.</p><p><strong>What to watch:</strong> Watch for follow-on technical guidance, deployment constraints, evaluation details, or signs that the announcement changes actual production practice rather than just policy language.</p><p><strong>Source:</strong><a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-01">[Critical Advisories] CISA Cybersecurity Advisories</a></p>
]]></content:encoded><author>Spoiledlunch</author><category>AI</category><category>ai</category><category>user-state-com-google-reading-list</category><category>user-label-spoiledlunch-news</category><category>user-state-org-freshrss-main</category><category>critical-advisories-cisa-cybersecurity-advisories</category></item><item><title>OFFIS DCMTK Toolkit</title><link>https://33bf27a7.spoiledlunch.pages.dev/news/2026-06-30-offis-dcmtk-toolkit/</link><pubDate>Tue, 30 Jun 2026 12:00:00 +0000</pubDate><guid>https://33bf27a7.spoiledlunch.pages.dev/news/2026-06-30-offis-dcmtk-toolkit/</guid><description>News Brief • June 30, 2026 | Topics: AI | Summary: Successful exploitation of these vulnerabilities could allow an attacker to write files, access unauthorized information, …</description><content:encoded>&lt;![CDATA[<p><strong>Summary:</strong> Successful exploitation of these vulnerabilities could allow an attacker to write files, access unauthorized information, exhaust memory, or crash affected DCMTK client or server processes.</p><p><strong>Why it matters:</strong> This matters if it changes how teams think about model governance, safety work, monitoring, or regulatory exposure around deployed AI systems.</p><p><strong>What to watch:</strong> Watch for follow-on technical guidance, deployment constraints, evaluation details, or signs that the announcement changes actual production practice rather than just policy language.</p><p><strong>Source:</strong><a href="https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-181-01">[Critical Advisories] CISA Cybersecurity Advisories</a></p>
]]></content:encoded><author>Spoiledlunch</author><category>AI</category><category>ai</category><category>user-state-com-google-reading-list</category><category>user-label-spoiledlunch-news</category><category>user-state-org-freshrss-main</category><category>critical-advisories-cisa-cybersecurity-advisories</category></item><item><title>Schneider Electric EasyLogic T150 and Saitel DP RTU</title><link>https://33bf27a7.spoiledlunch.pages.dev/news/2026-06-30-schneider-electric-easylogic-t150-and-saitel-dp-rtu/</link><pubDate>Tue, 30 Jun 2026 12:00:00 +0000</pubDate><guid>https://33bf27a7.spoiledlunch.pages.dev/news/2026-06-30-schneider-electric-easylogic-t150-and-saitel-dp-rtu/</guid><description>News Brief • June 30, 2026 | Topics: AI | Summary: Successful exploitation of these vulnerabilities can allow an attacker to cause unauthorized access and exposure of …</description><content:encoded>&lt;![CDATA[<p><strong>Summary:</strong> Successful exploitation of these vulnerabilities can allow an attacker to cause unauthorized access and exposure of sensitive information when the unauthenticated attacker accesses credentials stored within firmware or system files.</p><p><strong>Why it matters:</strong> This matters if it changes how teams think about model governance, safety work, monitoring, or regulatory exposure around deployed AI systems.</p><p><strong>What to watch:</strong> Watch for follow-on technical guidance, deployment constraints, evaluation details, or signs that the announcement changes actual production practice rather than just policy language.</p><p><strong>Source:</strong><a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-04">[Critical Advisories] CISA Cybersecurity Advisories</a></p>
]]></content:encoded><author>Spoiledlunch</author><category>AI</category><category>ai</category><category>user-state-com-google-reading-list</category><category>user-label-spoiledlunch-news</category><category>user-state-org-freshrss-main</category><category>critical-advisories-cisa-cybersecurity-advisories</category></item><item><title>Schneider Electric EcoStruxure IT Data Center Expert</title><link>https://33bf27a7.spoiledlunch.pages.dev/news/2026-06-30-schneider-electric-ecostruxure-it-data-center-expert/</link><pubDate>Tue, 30 Jun 2026 12:00:00 +0000</pubDate><guid>https://33bf27a7.spoiledlunch.pages.dev/news/2026-06-30-schneider-electric-ecostruxure-it-data-center-expert/</guid><description>News Brief • June 30, 2026 | Topics: AI | Summary: Schneider Electric is aware of a vulnerability in its EcoStruxure™ IT Data Center Expert.
Why it matters: This matters if …</description><content:encoded>&lt;![CDATA[<p><strong>Summary:</strong> Schneider Electric is aware of a vulnerability in its EcoStruxure™ IT Data Center Expert.</p><p><strong>Why it matters:</strong> This matters if it changes how teams think about model governance, safety work, monitoring, or regulatory exposure around deployed AI systems.</p><p><strong>What to watch:</strong> Watch for follow-on technical guidance, deployment constraints, evaluation details, or signs that the announcement changes actual production practice rather than just policy language.</p><p><strong>Source:</strong><a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-03">[Critical Advisories] CISA Cybersecurity Advisories</a></p>
]]></content:encoded><author>Spoiledlunch</author><category>AI</category><category>ai</category><category>user-state-com-google-reading-list</category><category>user-label-spoiledlunch-news</category><category>user-state-org-freshrss-main</category><category>critical-advisories-cisa-cybersecurity-advisories</category></item><item><title>StoneFly Storage Concentrator</title><link>https://33bf27a7.spoiledlunch.pages.dev/news/2026-06-30-stonefly-storage-concentrator/</link><pubDate>Tue, 30 Jun 2026 12:00:00 +0000</pubDate><guid>https://33bf27a7.spoiledlunch.pages.dev/news/2026-06-30-stonefly-storage-concentrator/</guid><description>News Brief • June 30, 2026 | Topics: AI | Summary: Successful exploitation of these vulnerabilities could allow attackers to gain broad unauthorized access, execute arbitrary …</description><content:encoded>&lt;![CDATA[<p><strong>Summary:</strong> Successful exploitation of these vulnerabilities could allow attackers to gain broad unauthorized access, execute arbitrary commands with root privileges, steal sensitive data, and perform actions on behalf of legitimate users across interconnected systems.</p><p><strong>Why it matters:</strong> This matters if it changes how teams think about model governance, safety work, monitoring, or regulatory exposure around deployed AI systems.</p><p><strong>What to watch:</strong> Watch for follow-on technical guidance, deployment constraints, evaluation details, or signs that the announcement changes actual production practice rather than just policy language.</p><p><strong>Source:</strong><a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-06">[Critical Advisories] CISA Cybersecurity Advisories</a></p>
]]></content:encoded><author>Spoiledlunch</author><category>AI</category><category>ai</category><category>user-state-com-google-reading-list</category><category>user-label-spoiledlunch-news</category><category>user-state-org-freshrss-main</category><category>critical-advisories-cisa-cybersecurity-advisories</category></item></channel></rss>