C.J. Murphy

The Human Workforce - Podcast Series


The Ghost in the Org Chart

How agentic AI, deepfake voices, and insider-style behavior are turning everyday approvals and urgent messages into security risks. The hosts explore why organizational trust is now part of the attack surface—and how persuasion can slip past controls built for intrusion.


Chapter 1

The Org Chart Has a Ghost

Simon Carver

[warmly] Welcome to the show. Picture this: you get a Teams message from your CFO, same wording, same urgency, same little verbal habits... and by the time anyone realizes it was never your CFO, the decision has already moved. If that idea gives you a tiny chill, good -- because today’s quick take is called The Ghost in the Org Chart, and it’s really about how modern organizations are being shaped by actors no one can fully see, trace, or control. And hey, before we go further, if you like sharp conversations about work, AI, and what happens to humans in the middle of all that, please like, share, and subscribe. I’m Simon Carver, I’m here with Lachlan Reed and our guest host Jack Burns.

Lachlan Reed

[thoughtful] G’day. And yeah, the “ghost” bit sounds spooky, but this isn’t horror-movie stuff. It’s pretty plain, really -- agentic AI means software that doesn’t just wait to be asked, it ACTS. Then you mix that with insider-threat behavior -- stolen access, abused trust, someone looking legit on the inside -- and suddenly the org chart’s got an extra seat at the table. Only it’s invisible, and it works faster than the poor bugger trying to approve invoices before lunch.

Jack Burns

[calm] That distinction matters. People still hear “AI risk” and imagine a machine replacing a job. That is not the immediate problem here. The immediate problem is a system that can impersonate, adapt, and move through an organization using the very pathways built for efficiency: chat, email, approvals, delegated access, executive urgency. In other words, the weakness is not merely the network. It is organizational trust.

Simon Carver

[curious] Jack, when you say “organizational trust,” I want to pin that down. Because people hear firewall, endpoint, permissions -- they can picture those. But trust as infrastructure... that’s slipperier. What does that actually mean at work on a Tuesday morning?

Jack Burns

[matter-of-fact] It means attackers no longer need to batter down the front door if they can borrow a badge. A rushed employee approves a request because it appears to come from a manager. A finance lead acts on urgency because the tone matches the CEO. A new contractor is given slightly more access than necessary because nobody wants to slow the project down. Those are not technical failures first. They are cognition failures under pressure, amplified by convincing signals.

Lachlan Reed

[responds quickly] The “borrow a badge” line -- that’s the bit people remember. Because old-school security thinking was all moat-and-castle. Build a wall, watch the gate, job done. But now, mate, the attacker’s not climbing the wall. They’re waving from INSIDE the ute. “Hey, I’m with ops, can you just open the back?” And everyone’s busy, so they do.

Simon Carver

[reflective] And there’s something extra unsettling here. It’s not just a rogue employee anymore. It’s not even just a hacker using stolen credentials. It can be this blended thing -- machine-generated messages, copied tone, semi-autonomous action, a little human guidance maybe, maybe not. So the “ghost” is really the absence of a clean line between person, software, and intent.

Jack Burns

[skeptical] Precisely. And old instincts fail because they were built around visible events. Login failed. Malware detected. Suspicious attachment. But if the message is well-written, the voice sounds right, the timing makes sense, and the request fits existing workflow, then the event does not appear anomalous to the human target. It appears normal. That is why so many organizations are overconfident. Their controls are calibrated for intrusion, not persuasion.

Lachlan Reed

[chuckles] Intrusion versus persuasion -- that’s a ripper distinction. One feels like a crowbar. The other feels like someone asking for the keys. And honestly, humans are pretty decent at spotting a crowbar. We’re much worse when the ask sounds reasonable and we’re three coffees deep, six tabs open, and the dog’s barking in the background. I’ve done dumber things trying to order bike parts from my shed.

Simon Carver

[laughs softly] Right -- this is not about people being stupid. It’s about people being busy, social, trusting, and a little tired. Which is... the modern workplace. So if listeners are hearing this and thinking, “Hang on, are you saying every org now has a kind of invisible actor embedded in it?” -- Lachlan, is that too dramatic?

Lachlan Reed

[questioning tone] Maybe a touch dramatic, but not wrong. I’d say every org now has the CONDITIONS for that invisible actor. If your company runs on chat threads, shared docs, fast approvals, and “just get it done” culture, then yeah, you’ve built a lovely little racetrack. Agentic systems and insider behavior don’t need to smash anything. They just need to blend in better than a human can verify in real time.

Jack Burns

[softly] And once we accept that, governance changes. You are no longer asking, “How do we stop outsiders?” You are asking, “How do we verify action inside the system when appearance itself can be fabricated?” That is a more serious question.

Chapter 2

When the Invisible Gets a Seat at the Table

Simon Carver

[warmly] Let’s make this concrete. Somebody listening right now works in finance, HR, legal, product -- whatever. Their day is full of normal little trust transactions. A voice note from a boss. A message that says “can you send that file?” A quick approval before a meeting. Lachlan, what changes when deepfake voice calls and AI-written messages start copying the leadership patterns people already know?

Lachlan Reed

[analytical] The ordinary stuff becomes slippery. That’s the kicker. It used to be easier to spot a dodgy message because it looked dodgy -- weird grammar, odd timing, clunky tone. Now imagine a voice call that sounds like your CFO, same cadence, same pet phrases, same urgency. Or a message that mirrors how your leadership team actually writes: short sentences, no greeting, “Need this now.” You’re not being tricked by something cartoonish. You’re being tricked by something that fits the furniture.

Jack Burns

[calm] “Fits the furniture” is exactly right. Deception works best when it demands the least cognitive friction. The human brain uses shortcuts -- habit, familiarity, authority cues. Under pressure, those shortcuts become dominant. Fatigue narrows judgment. Ambition invites compliance -- people want to be seen as responsive. Routine lowers suspicion. So the true battle is not between attacker and firewall. It is between engineered signals and a tired human nervous system.

Simon Carver

[questioning tone] The phrase “tired human nervous system” is going to stick with me. Because that’s not abstract. That’s 4:47 p.m., twelve Slack pings, one kid pickup, and somebody senior asking for something “urgent.” Are you basically saying the workday itself is now part of the attack surface?

Jack Burns

[matter-of-fact] Yes. The conditions of work are part of security. Pace, overload, ambiguity, status pressure -- all of it. An organization can have excellent tools and still be fragile if its people are constantly pushed into reactive decision-making. Under those conditions, trust becomes programmable.

Lachlan Reed

[interrupts] “Trust becomes programmable” -- oof. That’s the one. Because if I know your boss writes in all lowercase and sends one-line messages, and I can mimic that at scale, then I don’t need some Hollywood-grade con. I just need a believable nudge. It’s like nicking a gate because someone left it half open. Not glamorous. Very effective.

Simon Carver

[reflective] And that changes the emotional feel of security too. It’s no longer only “protect against bad outsiders.” It becomes “build a workplace where people can pause.” Where somebody can say, “This feels off,” without being treated like they’re slowing everyone down.

Jack Burns

[precise] Which brings us to the practical side. First, zero trust -- and I mean the operational version, not the slogan. No implicit trust based on title, device, or channel alone. A request for money, access, or sensitive data should require verification that does not depend on the same compromised channel. Second, behavioral monitoring. Permissions tell you what a person may do. Behavior tells you what is unusual in context. That difference is critical. Third, culture. If reporting odd behavior is punished, mocked, or treated as incompetence, people will remain silent precisely when they should speak.

Lachlan Reed

[curious] Let me play that back in normal-human language. Zero trust means “don’t just trust the badge.” Behavioral monitoring means “watch for weird patterns, not just who’s on the list.” And culture means “don’t roast the person who flags the strange invoice or the odd call.” Is that fair?

Jack Burns

[short pause] Fair, yes -- though I would sharpen one part. Behavioral monitoring is not merely watching for weirdness. It is watching at machine speed, because the pattern may only be visible across many small actions. A human sees one request. A system may see twenty linked anomalies.

Simon Carver

[gently] That machine-speed point matters. One odd request might seem harmless. Twenty linked anomalies across identities, systems, and timing... that’s a different picture entirely. And it also means employees shouldn’t carry the whole burden alone. They need support, not just annual awareness training and a cheerful PDF.

Lachlan Reed

[laughs] Ah yes, the sacred annual PDF. “Congrats, you clicked through security.” Done and dusted. [pauses] But seriously, this is where leaders get found out. If someone flags a weird voice call that sounded like the CFO, and the response is eye-rolling or blame, you’ve just trained the whole company to keep quiet next time. That’s how the ghost keeps a desk.

Jack Burns

[reflective] Leadership reveals itself in incident response. Not in policy language. If vigilance is rewarded, people participate in defense. If embarrassment follows reporting, the organization blinds itself. That is the deeper governance issue here.

Simon Carver

[warmly] That feels like the right place to land it. The ghost in the org chart isn’t magic. It’s what shows up when speed outruns oversight, when trust is easy to mimic, and when culture tells people to stay quiet instead of speak up.

Lachlan Reed

[easygoing] Keep your eyes open, check the weird stuff, and don’t assume a familiar voice means a safe one. Bit of healthy suspicion never hurt anyone, eh?

Jack Burns

[calm] Suspicion, yes -- but disciplined suspicion. Not paranoia. Verification.

Simon Carver

[warm close] Nicely said. Thanks, Lachlan. Thanks, Jack. And thanks to you for listening. If you liked this quick take, subscribe, share it with someone on your team, and we’ll see you next time on The Human Workforce Podcast.