feat: Add AI Mythos counter-narrative; rewrite ai-sovereignty-framework
move-fast-and-fix-things.md: 'The AI Distraction' section. Multiplier principle, CIS IG1 sequencing, client redirect script.
antifragile-manifest.md: Pillar sequencing note (Pillar 4 after 1-3).
consultant-field-guide.md: Mistake #11 + AOC->PULSAR rename.
ai-sovereignty-framework.md: Full rewrite with regulatory framing, sovereignty spectrum, updated objections, CQRE product examples.

Co-Authored-By: Tom Kracmar <tom+claude@cat6.cz>
@@ -151,6 +151,65 @@ When you walk into a client environment, bring these assumptions:
|
||||
|
||||
---
|
||||
|
||||
## The AI Distraction
|
||||
|
||||
There is a recurring pattern in security consulting: a client opens with "we want AI-powered threat detection" or "can AI help us with our security posture?" and the instinct — especially from vendors — is to say yes and start selling.
|
||||
|
||||
The correct response is to ask: *"Do your domain admins have MFA enforced?"*
|
||||
|
||||
We call this pattern the **AI Mythos**: the belief that intelligence-layer tooling is the primary answer to security problems. It is not. AI is a multiplier. A multiplier applied to an absent foundation produces nothing. An AI-powered SOC that generates alerts from a network with no MFA, no patching cadence, and no tested backups is generating expensive noise about a patient who already has a terminal condition.
|
||||
|
||||
### The Multiplier Principle
|
||||
|
||||
Security capabilities stack in layers. Each layer requires the layer below it to function.
|
||||
|
||||
```
|
||||
Foundation → Identity hygiene, endpoint coverage, patching, tested backups, basic logging
|
||||
Signal → Logging turned on, SIEM ingesting the right sources, alerts with owners
|
||||
Intelligence → Detection engineering, threat hunting, AI-assisted analysis
|
||||
```
|
||||
|
||||
AI lives at layer three. Organisations that have not completed layer one do not benefit from layer three — they buy something that has nothing to amplify.
|
||||
|
||||
**The test**: Ask "what would have stopped this breach?" For the overwhelming majority of incidents — credential theft, ransomware, insider threat, misconfiguration exploitation — the answer is a layer-one control: MFA, patched systems, least-privilege accounts, a working backup. Not AI detection. Not an AI SOC. Not AI-powered SIEM correlation.
|
||||
|
||||
The CIS Controls make this explicit. IG1 — 56 safeguards covering basic inventory, secure configuration, data protection, account management, patching, and backup — is the minimum viable security posture. Every organisation should complete IG1 before spending money on anything above it. AI-powered security tools are not IG1 controls. They are IG3 multipliers applied to an IG1 foundation.
|
||||
|
||||
### What to Do When a Client Leads with AI
|
||||
|
||||
The client who opens with AI is not wrong to want it. They are wrong about sequencing. Your job is to redirect without dismissing.
|
||||
|
||||
**The redirect**:
|
||||
|
||||
> *"AI security tools are most valuable when you have a strong signal to amplify. The fastest path to benefiting from AI is making sure the basics are right first — because AI on a broken foundation is just expensive noise. Let's start with the Brownhat Diagnostic, find your kill chain, and close the gaps that AI can't compensate for. Then you'll actually get value from the AI layer on top."*
|
||||
|
||||
This reframes AI as a reward for good hygiene, not a substitute for it. It respects the client's interest in AI while directing the budget where it produces real risk reduction.
|
||||
|
||||
### The Sequencing Rule
|
||||
|
||||
The antifragile pillars are not equally weighted at the start of an engagement. They are sequenced:
|
||||
|
||||
1. **Structural Decoupling** (Pillar 1) and **Optionality Preservation** (Pillar 2) are foundations — you establish these first by mapping and removing dangerous dependencies.
|
||||
2. **Stress-to-Signal Conversion** (Pillar 3) requires having something to instrument — logging, monitoring, telemetry. This is layer two.
|
||||
3. **Sovereign Intelligence** (Pillar 4) — AI sovereignty, local models, owned cognitive infrastructure — presupposes that you have a foundation worth protecting and a signal worth amplifying. It is not the starting point.
|
||||
4. **Asymmetric Payoff Design** (Pillar 5) is the lens applied throughout — concentrate effort where failure is existential.
|
||||
|
||||
A client excited about Pillar 4 who has not addressed Pillar 1 is building a sophisticated roof on a house with no walls.
|
||||
|
||||
### What "Move Fast" Means Here
|
||||
|
||||
Moving fast does not mean buying AI tools quickly. It means closing the kill chain quickly — with unglamorous, proven controls that stop breaches:
|
||||
|
||||
- Enforce MFA on every account. Today.
|
||||
- Patch internet-facing systems. This week.
|
||||
- Verify that backups restore. This month.
|
||||
- Remove stale privileged accounts. In week one.
|
||||
- Turn on logging where it is off. Before anything else.
|
||||
|
||||
These are not interesting. They are not cutting-edge. They are the interventions that would have prevented most of the incidents in the headlines. The AI tools that make headlines did not prevent those incidents.
|
||||
|
||||
---
|
||||
|
||||
## Contrast With "Move Fast and Break Things"
|
||||
|
||||
The Silicon Valley mantra was an excuse for externalizing harm. "Move fast and fix things" is its responsible successor:
|
||||
|
||||
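Review bot: The layer model places logging in two layers at once, and the ordering guidance built on it disagrees with itself. In the Multiplier Principle block, Foundation lists "basic logging" while Signal lists "Logging turned on"; the Sequencing Rule then assigns "logging, monitoring, telemetry" to layer two, after Pillars 1 and 2, yet the "Move Fast" list says "Turn on logging where it is off. Before anything else." beside "Enforce MFA on every account. Today." A consultant following this page cannot tell whether enabling logs is a layer-one task or waits for layer two. Suggest keeping log enablement in Foundation only, restricting Signal to SIEM ingestion and alerts with owners, and rewording item 2 of the Sequencing Rule so Pillar 3 depends on logs that already exist rather than on turning them on. Two smaller points in the same hunk: the CIS paragraph states "IG1 — 56 safeguards" without naming the CIS Controls version, and the safeguard count is version-specific, so pin the version next to the number; and the Sequencing Rule is a numbered list whose item 4 (Pillar 5) is described as "the lens applied throughout", which is not a step in a sequence, so move it out of the numbering or mark it as cross-cutting.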