Podcast

Alice in Supply Chains - Episode 16

April 22, 2026

Episode description:

In this April 2026 episode of Alice in Supply Chains, Adrian and Alexandre cover three stories that weren't on anyone's 2026 bingo card — and all of which land on the TPRM analyst's desk.

Show notes:

- AI in your third parties. Amazon's recent downtime, linked to engineers being mandated to use AI on production systems, raises a question most TPRM programs aren't equipped to answer: do you even know which of your vendors are using AI, which models, and how much agency those models have over customer data? Alexandre walks through AWS's generative and agentic AI scoping matrix — from no-agency to full autonomy — as a useful framework for architectural follow-up conversations. The pair also push back on Anthropic's "Mythos" vulnerability research claims, arguing the economics don't hold up against cheaper models, or against the real bottleneck: remediation, not discovery.

- The FCC's ban on non-US routers. Adrian and Alexandre argue this is a thinly veiled economic measure dressed up as security policy. If this were really about backdoors, the US would mandate minimum security controls (as it does for medical devices and aviation) rather than country-of-origin rules. Netgear's mysterious exemption, the Salt Typhoon breaches that needed no backdoors, and the collapsed consumer labeling program all get airtime.

- Is your third party a military target? Two AWS regions in Bahrain and the UAE were damaged during the Iran conflict, with one data center indefinitely down. Separately, a pro-Iran group compromised Stryker's Intune tenant and issued wipe commands across managed devices — including employees' BYOD phones. The takeaway: centralized management tools (Intune, MDM, patch management, AD) are high-value targets that TPRM questionnaires rarely probe deeply enough, and kinetic ceasefires don't extend to cyberspace.

Links:

https://www.tenchisecurity.com/en/insights-news/cisa-says-harden-intune-heres-what-that-means-for-your-third-party

https://aws.amazon.com/pt/ai/security/agentic-ai-scoping-matrix/

https://aws.amazon.com/pt/ai/security/generative-ai-scoping-matrix/

https://www.defendersinitiative.com/p/from-this-point-on-it-only-gets-rougher

https://arstechnica.com/tech-policy/2026/04/fcc-exempts-netgear-from-ban-on-foreign-routers-doesnt-explain-why/

https://www.scworld.com/podcast-episode/2673-esw-310-shamim-naqvi-grace-burkard
