Quote for the day:
"The bad news is time flies, The good news is you're the pilot." -- Elizabeth McCormick
Europe’s AI Challenge Runs Deeper Than Regulation
European firms may welcome a lessening of their regulatory burden. But
Europe's problem isn’t merely regulatory drag. There's the structural gulf
between what modern AI development requires and what Europe currently has the
capacity to deliver. The Omnibus, helpful as it may be for legal alignment,
cannot close those gaps. ... Europe has only a handful of companies, such as
Aleph Alpha and Mistral, developing large-scale generative AI models
domestically. Even these firms face steep structural disadvantages. A European
Commission analysis has warned that such companies "require massive investment
to avoid losing the race to U.S. competitors," while acknowledging that
European capital markets "do not meet this need, forcing European firms to
seek funding abroad." The result is a persistent leakage of ownership, control
and strategic direction at precisely the moment scale matters most. ... This
capital asymmetry produces powerful second-order effects. It determines who
can absorb the high costs of large-scale model training, sustain loss-leading
platform expansion and iterate continuously at the frontier of AI development.
Over time, these dynamics create self-reinforcing structural advantages for
capital-rich ecosystems. Advantages compound over time and remain largely
beyond the corrective reach of regulation. These gaps are not regulatory
problems. How to Pivot When Digital Ambitions Crash into Operational Realities
Transformation usually begins with ambition. Leaders imagine a future where
the bank operates more efficiently and interacts with customers the way modern
platforms do. But the more I speak with people running these programs, the
more I see that banks are trying to build the future without fully
understanding the present. They push forward with new digital products,
new interfaces, new journeys, while the actual work happening across branches,
operations centers and back offices remains something of a mystery, even to
the teams responsible for changing it. ... what’s less widely discussed is
that banks do not fail because change is impossible, they do because too much
of the real work remains invisible. Many institutions still rely on
assumptions about how processes run, assumptions based on documentation that
no longer reflects reality. And when a transformation is built on assumptions,
the project begins to drift. What banks need is an honest picture of their
operational baseline. Once leaders see how their organization works today (not
how it was designed years ago and not how it is described in flowcharts) the
conversation changes. Priorities become clearer. Bottlenecks reveal
themselves. Entire categories of work turn out to be more manual than anyone
expected. And what looked like a technology problem often turns out to be a
process problem that has been accumulating for years.Six Lessons Learned Building RAG Systems in Production
Something ships quickly, the demo looks fine, leadership is satisfied. Then
real users start asking real questions. The answers are vague. Sometimes
wrong. Occasionally confident and completely nonsensical. That’s usually the
end of it. Trust disappears fast, and once users decide a system can’t be
trusted, they don’t keep checking back to see if it has improved and will not
give it a second chance. They simply stop using it. In this case, the real
failure is not technical but it’s human one. People will tolerate slow tools
and clunky interfaces. What they won’t tolerate is being misled. When a system
gives you the wrong answer with confidence, it feels deceptive. Recovering
from that, even after months of work, is extremely hard. ... Many teams rush
their RAG development, and to be honest, a simple MVP can be achieved very
quickly if we aren’t focused on performance. But RAG is not a quick prototype;
it’s a huge infrastructure project. The moment you start stressing your system
with real evolving data in production, the weaknesses in your pipeline will
begin to surface. ... When we talk about data preparation, we’re not just
talking about clean data; we’re talking about meaningful context. That brings
us to chunking. Chunking refers to breaking down a source document, perhaps a
PDF or internal document, into smaller chunks before encoding it into vector
form and storing it within a database.Enterprise reactions to cloud and internet outages
Those in the c-suite, not surprisingly, “examined” or “explored” or “assessed”
their companies’ vulnerability to cloud and internet problems after the news.
So what did they find? Are enterprises fleeing the cloud they now see as risky
instead of protective? ... All the enterprises thought the dire comments
they’d read about cloud abandonment were exaggerations, or reflected an
incomplete understanding of the cloud and alternatives to cloud dependence.
And the internet? “What’s our alternative there?” one executive asked me. ...
The enterprise experts pointed out that the network piece of this cake had
special challenges. Its critical to keep the two other layers separated, at
least to ensure that nothing from the user-facing layer could see the resource
layer, which of course would be supporting other applications and, in the case
of the cloud, other companies. It’s also critical in exposing the features of
the cloud to customers. The network layer, of course, includes the Domain Name
Server (DNS) system that converts our familiar URLs to actual IP addresses for
traffic routing; it’s the system that played a key role in the AWS problem,
and as I’ve noted, it’s run by a different team. ... Enterprises don’t see the
notion of a combined team or an overlay, every-layer team, as the solution.
None of the enterprises had a view of what would be needed to fix the
internet, and only a quarter of even the virtualization experts express an
opinion on what the answer is for the cloud. Offering more AI tools can't guarantee better adoption -- so what can?
After multiple years of relentless hype around AI and its promises, it's no
surprise that companies have high expectations for their AI investments. But
the measurable results have left a lot to be desired, with studies repeatedly
showing most organizations aren't seeing the ROI they'd hoped for; in a
Deloitte research report from October, only 10% of 1,854 respondents using
agentic AI said they were realizing significant ROI on that investment,
despite 85% increasing their spend on AI over the last 12 months. ... At face
value, it seems obvious that the IT leadership team should be responsible for
all things AI, since it is a technical product deployed at scale. In practice,
this approach creates unnecessary hurdles to effective adoption, isolating
technical decision-making from daily department workflows. And since many AI
deployments are focused on equipping the workforce with new capabilities,
excluding the human resources department is likely to constrain the effort.
... "If you focus on the tool, it's going to become procedural,"
Weed-Schertzer warned. "'Here's how to log in. This is your account.'" While
technically useful, she added that she sees the biggest rewards coming from
training employees on specific applications and having managers demonstrate
the utility of an AI program for their teams, so that workers have a clear
model from which to work. Seeing the utility is what will prompt long-term
adoption, as opposed to a demo of basic tool functionality.Why Cybersecurity Awareness Month Should Include Personal Privacy
Cybersecurity awareness campaigns tend to focus on email hygiene, secure logins, and network defense. These are key, but the boundary between internal threats and external exposure isn’t clear. An executive’s phone number leaked on a data broker’s site can become the first step in a targeted spear-phishing attack. A social media post about a trip can tip off a burglar. Forward-thinking entities know this. They tie personal privacy to enterprise risk. They integrate privacy checks into executive protection, threat monitoring, and insider-risk programs. Employees’ digital identities are treated as part of the attack surface. ... Removing data from your social profiles is only half the fight. The real struggle lives in data broker databases. These brokers compile, package, and resell personal data (addresses, phone numbers, demographics), feeding dozens of downstream systems. Together, they extend your reach into places you never directly visited. Most individuals never see their names there, never ask for removal, and never know about the pathways. Because every broker has its own rules, opt-outs require patience and effort. One broker demands forms, another wants ID, and a third ignores requests entirely. ... Awareness without action fades. However, when employees internalize privacy practices, they extend protection during their off hours and weekends. That’s when bad actors strike, during perceived downtime.How CIOs can break free from reactive IT
Invisible IT is emerging as a practical way for CIOs to minimize disruption
and improve the performance of the digital workplace. At its simplest, it’s an
approach that prevents many issues from becoming problems in the first place,
reducing the need for users to raise tickets or wait for help. As ecosystems
scale, the gap between what organizations expect and what legacy workflows can
deliver continues to widen. Lenovo’s latest research highlights invisible IT
as a strategic shift toward proactive, personalized support that strengthens
the performance of the digital workplace. ... In a workplace where devices,
applications and services operate across different locations and conditions,
this approach leaves CIOs without the early signals needed to prevent
interruption. Faults often emerge gradually through performance drift or
configuration inconsistencies, but traditional workflows only respond once the
impact is visible to users. ... Invisible IT draws on AI to interpret device
health, behavioral patterns and performance signals across the organization,
giving CIOs earlier awareness of degradation and emerging risks. ... Invisible
IT gives CIOs a clearer path to shaping a digital workplace that strengthens
productivity and resilience by design. By shifting from user-reported issues
to signal-driven insight, CIOs gain earlier visibility into risks and greater
control over how disruptions are managed.AI isn’t one system, and your threat model shouldn’t be either
The right way to partition a modern AI stack for threat modeling is not to treat “AI systems” as a monolithic risk category, we should return to security fundamentals and segment the stack by what the system does, how it is used, the sensitivity of the data it touches, and the impact its failure or breach could have. This distinguishes low risk internal productivity tools from models embedded in mission critical workflows or those representing core intellectual property and ensures AI is evaluated in context rather than by label. ... Threat modeling is a driver of higher quality that extends beyond security, and the best way to convey this to business leaders is through analogies rooted in their own domain. For example, in a car dealership, no one would allow a new salesperson to sign off on an 80 percent discount. The general manager instantly understands why that safeguard exists because it protects revenue, reputation, and operational stability. ... Tool calling patterns are one key area to incorporate into threat modeling. Most modern LLM implementations rely on external tool calls, such as web search or internal MCPs (some server side, and some client side). Unless these are tightly defined and constrained, they can drive the model to behave in unexpected or partially malicious ways. Changes in the frequency, sequence, or parameters of tool calls can indicate misuse, model confusion, or an attempted escalation path.The Convergence Challenge: Architecture, Risk, and the Urgency for Assurance
If there was a single topic that drew the sharpest concern, it was the way
organizations are adopting AI. Hayes described AI as a new threat vector that
many companies have rushed into without architectural planning or governance.
In his view, the industry is creating a new category of debt that may exceed
what already exists in legacy systems. “AI is being adopted haphazardly in
many organizations,” Hayes said. Marketing teams connect tools to mail
systems. Staff paste corporate content into public models. Guardrails are
light or nonexistent. In many cases no one has defined how to test models, how
to check for poisoning, or how to verify that outputs remain reliable over
time. Hayes argued that the field has done a poor job securing software in
general, and is now repeating the same mistakes with AI, only faster. The
difference is that AI systems can act and adapt at a pace human attackers
cannot match. Swanson added that boards and senior leaders still struggle with
their role in major technology shifts. They do not want to manage details, but
they are responsible for strategy and oversight. With AI, as with earlier
changes, many boards have not yet decided how to oversee investments that
fundamentally reshape business operations. Ominski put a fine point on it. “We
are moving into risks we have not fully imagined,” he said. “The pace alone
forces us to rethink how we govern technology.”AI Coding Agents and Domain-Specific Languages: Challenges and Practical Mitigation Strategies
DSLs are deliberately narrow, domain-targeted languages with unique syntax
rules, semantics, and execution models. They often have little representation
in public datasets, evolve quickly, and include concepts that resemble no
mainstream programming language. For these reasons, DSLs expose the
fundamental weaknesses of large language models when used as code generators.
... Many DSLs, especially new ones, lack mature Language Server Protocol (LSP)
support, which provide syntax and error highlighting in the code editor.
Without structured domain data for Copilot to query, the model cannot check
its guesses against a canonical schema. ... Because the problem stems from
missing knowledge and structure, the solution is to supply knowledge and
impose structure. Copilot’s extensibility, particularly Custom Agents,
project-level instruction files, and Model Context Protocol (MCP) make this
possible. ... Structure matters: AI systems chunk documentation for retrieval.
Keep related information proximate – constraints mentioned three paragraphs
after a concept may never appear in the same retrieval context. Each section
should be self-contained with necessary context included. ... AI coding agents
are powerful, but they are pattern-driven tools. DSLs, by definition, lack the
broad pattern exposure that enables LLMs to behave reliably.
