I T Audit Labs

05/26/2026

An executive at Pocket OS handed an AI agent access to their codebase to review some code. Within nine seconds, it had deleted their primary database.

When confronted, the AI acknowledged it was wrong. Said it was "too hasty." Extremely polite, and completely beside the point. They lost their most recent client data and reservation records with nothing to recover from.

The lesson isn't that AI is dangerous. The lesson is that agentic AI carries an identity the moment you give it access to your systems. It should be provisioned, scoped, and audited like any other person with privileged credentials, because the blast radius when something goes wrong is eerily similar.

This is the kind of real-world incident we've been unpacking on The Audit. We're going live more frequently now, with guests like Bill Harris who bring serious technical and strategic perspective to the conversations that security and IT leaders are actually having.

If you want analysis that treats you like a professional instead of a headline reader, come find us. 🎙️

05/25/2026

Today is a good day to log off.

Memorial Day is a reminder that freedom isn't abstract. It was earned by people who gave up something real.

We hope you're spending this one with people who matter. Outside. Unplugged. Present.

The work will be here tomorrow.

Grateful for the sacrifices that made days like today possible. 🇺🇸

IT Audit Labs

05/21/2026

Samuel Cala wrote something worth saving this week. It's not a doom piece. It's a roadmap.

The professionals who survive market corrections aren't the ones who used the tools the loudest. They're the ones who built depth in what the tools can't replace: the ability to evaluate AI critically, govern it appropriately, and answer the hard questions when something goes wrong.

Prompt engineering is becoming the new spreadsheet skill. Useful. Expected. Not a differentiator.

What's durable? The intersection of AI fluency and serious discipline. Security. Audit. Governance. Compliance.

Most organizations are adopting AI faster than they can govern it. That gap is either a liability or an opportunity, depending on which side of it you're standing on.

Read the full blog here: https://itauditlabs.com/when-the-ai-bubble-deflates-what-survives/

05/20/2026

Jen Lotze delivers high-impact tips on email security and beyond on the SipCyber Podcast.

Today's tip: Anytime a request comes in involving money, passwords, sensitive data, or an unusual favor, pause and verify it through a separate channel. Not a reply to the same email. A known phone number, a Slack message, a quick call. Something outside the thread that triggered the request.

It sounds straightforward. But it runs directly against how most people are wired to work. We're busy, we trust the names we recognize, and we respond to urgency. Business email compromise succeeds because it doesn't rely on malware or sophisticated exploits. It relies on a convincing email and a moment of trust.

New episode of SipCyber every Wednesday. 🎙️

05/19/2026

The average employee receives 120 to 125 emails a day. For a company with 100 to 250 people, that's 12,000 to 30,000 emails hitting inboxes every single day. Volume varies by department and industry, but that range is the reality for most mid-sized organizations.

Now consider this: if just 1% are slipping past your security stack, that's 120 to 300 potentially malicious emails landing every single day.

We put that to the test in a real customer environment. 1,789 emails reviewed. They already had Microsoft. They already had a third-party email security tool running alongside it.

18 phishing emails slipped past both.

One arrived live, during the review session itself. Not a historical finding. Not a lab scenario. Active, in real time, while we were watching.

And phishing wasn't even the whole story. A single Excel file containing what appeared to be SSNs and driver's license numbers was being shared externally via an anonymous link. No alert. No visibility. Just a quiet misconfiguration doing damage in the background.

This is the gap. Two layers of email security, and still no clear picture of what's getting through.

14+1 changes that – learn more here: https://itauditlabs.com/email-security/

05/13/2026

05/12/2026

The goal isn't more security alerts. It's fewer interventions.

Eric Brown, Managing Director at IT Audit Labs, breaks down what it actually means to be accountable for outcomes in cybersecurity.

Join us for stimulating discussions every other week on The Audit - Cybersecurity Podcast. 🎙

05/11/2026

On a recent episode of The Audit, Cameron Birkland made something clear: Your built-in email security was designed to be a baseline. Not a ceiling.

Whether you're running Microsoft 365 or Google Workspace, most organizations have an email blind spot. They just don't know it until it shows up in the wrong inbox.

Check Point Harmony runs alongside your existing setup, scanning in the background and surfacing the threats that slipped through. Real messages. Flagged with exactly why they were dangerous.

The gap is there whether you're on M365 or Google. Harmony finds it before someone else does.

Find out more here 👉 https://itauditlabs.com/harmony-complete/

05/08/2026

A threat group took down Canvas during finals week.

30 million students. 8,000 institutions. The entry point was a free-tier account that most security teams would never audit.

There were two waves. An early warning was issued. Instructure patched and moved on.

Then the ransom notes showed up on school homepages.

Read the full blog where we broke down exactly what happened, why it escalated, and the four things any security leader can do right now to avoid being in the same position.

https://itauditlabs.com/shinyhunters-canvas-lms-breach/