Most OT security writing comes from vendors. Here are five lessons from someone who's actually deployed it — including the four nobody warns you about.

Two weeks ago Anthropic announced Claude Mythos , an AI model so powerful at finding software vulnerabilities that releasing it publicly would be reckless. They restricted it to twelve trusted partners. A Discord group walked through the door in 24 hours. Here's what happened, and what nobody is saying about it.

Every AI vendor in 2026 has a slide that says they offer 'agent governance.' Very few of those slides mean the same thing. Here are the four questions that separate real governance from a dashboard.

Lovable, the Swedish vibe-coding platform valued at $6.6 billion, spent 48 days sitting on a flaw that exposed thousands of users' source code, credentials, and chat histories. Their response made things worse. But the deeper question is who owns security when an AI platform builds your software; is the one every business leader needs to answer.

Anthropic judged Claude Mythos Preview too dangerous to release publicly. It has already found thousands of zero-day vulnerabilities, including a flaw in OpenBSD that sat undiscovered for 27 years, at a cost of under fifty dollars per run. The tech giants are getting a defensive head start. SMBs who were barely hanging on will fall further behind.

Business owners who are somewhere between excited and anxious about AI agents. The conversation follows a pattern. They tell me about a workflow they've automated. Ten minutes later we've uncovered an access path nobody knew existed. This isn't carelessness. It's governance that hasn't caught up.