




























Cybersecurity failures now happen beyond the OSI stack. Faulty governance, the human factor, and AI tools create new attack surfaces.
After seven years working across cybersecurity, cloud infrastructure, and Zero Trust architecture, Jayal Yadav explains how we got here and what organizations still get wrong.
“The original seven layers of the OSI model still matter. But today, the biggest risks sit beyond them.”
Those risks live in what Jayal frames as two overlooked attack surfaces beyond the traditional OSI model: human behavior as Layer 8, and AI interfaces as Layer 9. Jayal further explains both.
“People joke about layer 8 being the human layer,” says Jayal. “But Verizon’s 2024 DBIR found that 68% of breaches involved a non-malicious human element.” That’s a part people keep underestimating: there’s almost always a human operator in the loop.
Everything from phishing to social engineering, credential misuse, misconfiguration, and faulty decisions is rooted in human behavior.
Jayal gave an example of a founder whose business collapsed after a breach.
He had some terms and conditions issues with his cloud vendor. He hosted customer data, backups, and infrastructure with that same provider.
There was no risk assessment, no governance, no exit strategy. When things failed, they couldn’t recover.
That experience reshaped how Jayal thinks about modern security risk. In his own words: “The freedom to leave a vendor is now part of security.”
Regarding AI usage, Jayal says the human factor is also key to success or failure.
“We all talk about AI slop,” he says. “But AI slop isn’t an AI problem. It’s a human problem.”
Jayal explains that AI simply mirrors the quality, clarity, and intent of human input.
If people outsource both their work and their chaos to AI, they just automate more chaos.
The right way to use AI is to treat it like a verification layer, not a replacement for judgment.
I check outputs against research, cybersecurity principles, science, and market signals before sharing anything publicly.
Jayal also shows why context matters more than most people realize. Context details can help or confuse AI and humans alike.
We operate through context, memory, and identity. You communicate differently with colleagues than with family. AI reflects that same behavior.
Not offering enough context data in your prompt might have a negative impact on the outcome.
Bad workflows can turn worse with AI.
Many companies onboard new AI tools simply because they are shiny new objects. Even when their current processes work, they pile on more tools, increase complexity, and end up in chaos.
One of Jayal’s strongest warnings is against rushing into AI automation before checking and understanding existing workflows.
He advises evaluating daily processes and overall operations before translating them into AI, whether through automation or hybrid models.
Before automating anything, make sure the manual process actually works.
Automating a faulty workflow will generate chaos.
Jayal says governance is now the defining factor in cybersecurity resilience. He warns against treating compliance like a checklist.
This box is checked and that box is checked, but there is no actual governance behind it. Cybersecurity starts with real governance, not compliance theater.
Jayal remembers working with an organization that suffered a breach despite having certifications and compliance requirements in place.
The MSP identified and communicated the risks. So did the internal IT team. Yet, leadership delayed action because they didn’t want the cost.
Then the breach happened.
Certifications and compliance requirements were in place, but proper governance was lacking. Although the risks had already been identified by both the IT team and the MSP, decision lag left the company exposed.
That was a clear layer 8 issue. However, it was not the leadership that took responsibility.
The operator became a scapegoat. Accountability without authority is a massive issue across the industry.
With Layer 9 (AI), human-error risks are becoming even harder to control.
Jayal highlights that “we’re already seeing cases where AI systems are manipulated into actions like issuing massive refunds. These kinds of social engineering attacks will increasingly target public-facing AI connected to company infrastructure.”
The solution is stronger governance.
He adds that organizations are moving too fast when adopting AI tools and shares a real-life example.
The story is about a founder who connected an AI meeting summarizer to his entire Google Workspace.
He just signed in to that AI summarizer tool and clicked ‘approved’ in just 6 minutes. He had no AI policy for it. He had no governance around it. No risk assessment.
The problem in that case wasn’t the tool itself, but how Layers 8 and 9 intertwined.
The MSP secured layers one to seven. But when you open a completely new gate into AI, that’s layer 9.
In many cases, that new AI access path sits outside the scope of a traditional MSP contract.
Jayal understands why parts of the industry resist changing the OSI model.
Some people built the systems we still rely on today. That deserves respect.
But he believes security frameworks must evolve alongside technology.
“This isn’t about replacing the old system,” Jayal explains. “It’s about updating security to reflect where the real risks exist now.”
That is the thread Jayal is now developing through his work on verification architecture: how organizations prove what happens between human intent, AI output, and business action.
Adam is the Cybersecurity Advisor at Heimdal. With over 15 years in law enforcement, where he served as a Detective Sergeant leading Covert Operations and Cyber Crime teams, Adam transitioned to cybersecurity in 2016. Known for simplifying complex topics, Adam leverages his investigative and communication experience to engage leaders and end users alike, driving stronger cyber resilience.