Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

One recurring theme in my research and writing on agentic AI security has been the distinction between soft guardrails and hard boundaries. As someone who serves on the Distinguished Review Board for the OWASP Agentic Top 10, and who spends every day thinking about how to secure agents across enterprise environments at Zenity, this distinction is not academic. It is potentially the single most important conceptual framework practitioners need to internalize right now.

Scattered Spider–style attacks increasingly target airline loyalty accounts, where stolen credentials can be used to hijack frequent flyer accounts and redeem miles for fraud. Investigations associated with the Scattered Spider ecosystem show how attackers manipulate impersonation campaigns, phishing infrastructure, and account recovery workflows to gain control of customer accounts. For airline security teams, the lesson is not limited to one threat group.

Google Photos is a popular app by Google to store, share, sync, and backup your photos, albums, and keep your memories in the cloud. Like Google Drive and its lack of privacy features, many are wondering whether Google Photos and privacy are possible with a Photos account.

Sure, they would vastly prefer targeting organizations in the opponent’s supply chain (which is why new requirements like CMMC are absolutely crucial), but every organization that is affiliated with or operates in the adversary’s territory becomes a target no matter how large or small.

As organizations manage sensitive data across endpoints, cloud platforms, and a growing number of SaaS applications, having clear visibility into where data lives and how it moves has become increasingly important. For companies operating in highly sensitive and IP driven environments, the ability to understand data access and respond quickly to risk is essential.

The real challenge for MSPs isn’t growth, it’s scaling effectively. As MSPs increase their client base and expand their service portfolios, managing multiple tools, consoles and vendors becomes progressively more complex, impacting operational efficiency and margins. In many cases, this isn’t the result of poor decision-making, but rather the evolution of the business.

Permission creep rarely looks dangerous at first. It starts as a temporary fix, such as granting an admin role to unblock a deployment. Over time, those temporary decisions become permanent standing permissions. The result is an AWS estate littered with high-privilege roles that sit idle for months, expanding your attack surface without anyone actively noticing. It takes organizations an average of 277 days to identify and contain a breach.

Across the Webex link is the 3PAO team sent to pass judgment on your adherence with FedRAMP 20x. Like all auditors, they're diligent, professional, and particularly unnerving when they’re trying to be disarming. It’s the first interview where you explain what the product does.

Matthew Smith is a vCISO and management consultant specializing in cybersecurity risk management and AI. Over the last 15 years, he has authored standards, guidance and best practices with ISO, NIST, and other governing bodies. Smith strives to create actionable resources for organizations seeking to minimize technological risk and increase value to customers.

For SaaS providers, trust is a core part of the offering. Customers rely on software platforms to process data, support business operations, and integrate with wider technology ecosystems. As a result, demonstrating effective security and governance controls using frameworks like SOC 2 has become an increasingly important requirement when selling to enterprise customers. SOC 2 has emerged as one of the most widely recognised frameworks for demonstrating product security assurance.