C.J. Murphy

The Human Workforce - Podcast Series


From Logins to Espionage: AI, Deepfakes, and Zero Trust

This episode explores how modern espionage has shifted from dramatic break-ins to stealthy identity abuse, where attackers use stolen credentials, AI-assisted reconnaissance, and realistic social engineering to blend in. It also examines how deepfakes, fake meetings, and continuous verification are reshaping trust, while economic espionage quietly drains competitive advantage.


Chapter 1

The invisible operating system of modern espionage

Simon Carver

[warmly] Welcome to the show. A finance team gets what looks like a normal login, a normal employee, a normal workday... and that's the point. Espionage used to feel like an incident, some dramatic breach, a smashed window in the night. Now it looks like Tuesday.

Lachlan Reed

[matter-of-fact] Yeah, and that's the bit that can trip people up. Most leaders still picture a Cold War bloke in a trench coat, passing a folder under a park bench. But modern espionage is less spy movie, more background process. It's continuous, it's industrial, and with AI in the mix, it scales like rabbits in a veggie patch.

Jack Burns

[calm] The word I'd use is systemic. Once advantage can be extracted continuously, espionage stops being an exception to competition. It becomes part of the competitive model itself. Quietly, persistently, and often without any visible threshold being crossed.

Simon Carver

[curious] "Systemic" is the part I want to slow down on. Because if a listener hears that, they might think we're exaggerating. Are we saying every company is under some kind of permanent low-grade intrusion attempt?

Jack Burns

We are saying that the environment behaves that way, yes. Not every firm is being dramatically compromised every hour. But the posture of adversaries has changed. The old model was episodic: choose a target, break in, steal something, leave. The newer model is closer to constant probing, credential theft, identity compromise, reconnaissance, waiting. It runs.

Lachlan Reed

[questioning tone] And that phrase from the research really nails it: we've moved from breaking in... to logging in. That's not just tidy wording. It's the whole game. If I steal your password, your token, your session, whatever gives me your digital face, I don't need to smash the front door. I just stroll through reception with your badge on.

Simon Carver

[pauses] "Your digital face" -- that's gonna stick with me. Because it explains why the old defenses feel a bit, I dunno, museum-piece. Firewalls, perimeter walls, all that. Useful, sure. But if the attacker is wearing your face, the wall isn't the scene anymore.

Lachlan Reed

Exactly. Perimeter security still matters, but it's not the whole barbecue. If the attacker looks legitimate, heaps of traditional controls just wave them through. And AI makes the setup faster. Recon that used to take days or weeks -- mapping who works where, who approves payments, who reports to whom, what language they use -- now happens in minutes.

Jack Burns

[skeptical] That compression of time is the strategic change. People talk about AI as if it merely improves quality. Often the more consequential shift is speed. Faster reconnaissance. Faster tailoring. Faster iteration. An attacker no longer needs proportionally more humans to run proportionally more campaigns. Machine assistance removes friction.

Simon Carver

So when we say "machine speed," we're not being poetic. We mean the old human bottlenecks are thinning out. The phishing email isn't generic anymore. It's written in the style of your manager, sent at the hour your team usually messages, referencing the project you're actually on.

Lachlan Reed

[chuckles] Yeah -- it's not "Dear valued employee" anymore. It's "Hey Simon, just before the 3 p.m. check-in, can you review the revised vendor doc?" That's why people get caught. Not because they're silly. Because the fake now looks annoyingly real.

Jack Burns

And that changes responsibility. If organizations continue defending against yesterday's dramatic break-ins while today's adversary simply authenticates as a trusted user, then the failure is not only technical. It is conceptual. They are modeling the threat incorrectly.

Simon Carver

[reflective] That's the tension, isn't it? A lot of companies still imagine danger as noise -- alarms, malware, visible disruption. But the dangerous version is often silence. No explosion. No smashed glass. Just normal-looking access patterns, normal-looking behavior, and value being extracted underneath the surface.

Lachlan Reed

Spot on. The crook who rattles the windows is yesterday's problem. The one who logs in, blends in, and lets automation do the boring bits? That's today's problem. And if your mental model's still stuck on the old one, well... even a kangaroo could trip over that.

Chapter 2

Trust as the attack surface, and economics as the battlefield

Simon Carver

[softly] The part that unsettles me most isn't even the tooling. It's that the soft underbelly is us. Our voices, our habits, our assumptions about who is real. Trust used to be the grease in the machine. Now it can be the breach path.

Jack Burns

[matter-of-fact] Trust is the most exploitable system organizations have. Social engineering has always mattered, but AI changes the fidelity. Deepfakes, cloned voices, generated faces, synthetic presence in a video call -- these tools convert human confidence into attack infrastructure.

Lachlan Reed

And there was that case -- over $25 million transferred after a finance worker joined a video call where every participant was AI-generated. Twenty-five MILLION. That's not a dodgy email with bad spelling. That's a whole fake room full of fake authority.

Simon Carver

[sharply] A fake room. That's the image. Not one fake CEO voice -- a whole meeting. Which means the old advice, "just be careful what you click," suddenly feels way too small.

Jack Burns

Correct. Because the failure there was not merely someone clicking recklessly. It was an institutional assumption: if I can see colleagues, hear them, and the context seems right, the event is authentic. That assumption is deteriorating. Visibility is no longer verification.

Lachlan Reed

Let me try to say that back in plain English. We used to say, "Don't trust random links." Now it's more like, "Don't automatically trust a face, a voice, or a meeting either." Which is grim, frankly. That's a rough way to run a workplace.

Jack Burns

Almost. I would refine one point. It is not "trust nothing" in the emotional sense. Organizations cannot function that way. It is: design verification so it does not depend on human intuition alone. In other words, Zero Trust is not paranoia. It is a baseline operating discipline.

Simon Carver

[curious] And when you say Zero Trust, you're not doing the buzzword thing. You mean continuous verification -- identity, access, context -- over and over, not just once at the front gate.

Jack Burns

Exactly. Not a slogan. A recognition that trust must be earned repeatedly, not inherited by default.

Lachlan Reed

And this is where it jumps from company headache to national headache. Intellectual property theft isn't just some internal IT drama. The source material puts economic espionage at something like 1 to 3 percent of GDP lost annually. One to three percent! That's not a leak. That's a slow bleed out the side of the boat.

Simon Carver

[pauses] One to three percent of GDP... that's the number that changes the mood of the whole conversation. Because now we're not talking about annoying cyber incidents. We're talking about economic power -- research, designs, methods, advantage -- being siphoned away without a declared war.

Jack Burns

That is the proper frame. Economic warfare without announcement and without spectacle. If years of research can be copied instantly, the theft is not only of assets. It is theft of time. Time invested, time financed, time hoped for. Competitive advantage collapses because the distance between creator and imitator narrows violently.

Lachlan Reed

And then there's the next nasty wrinkle: harvest now, decrypt later. Data stolen today might be unreadable today... but not forever. So if quantum capability improves down the track, that old stolen data can be opened like a tin of peaches.

Simon Carver

[quietly] "Your future breach may already have happened." That's the line, isn't it? Because harvest-now-decrypt-later means the theft date and the damage date aren't the same thing.

Jack Burns

Yes. And that delay distorts governance. Leaders assess risk based on visible harm in the present. But strategic adversaries can extract encrypted material now, hold it, and wait for the economics or physics to change. The absence of immediate pain does not indicate safety.

Lachlan Reed

Which brings us to the awkward finish. If the threat runs through logins, meetings, trust, culture, habits -- all the everyday stuff -- then security can't just live with the IT crew downstairs next to the server rack and stale biscuits. It's gotta be how the whole place behaves.

Simon Carver

[reflective] Yeah. Not security as a department with a ticket queue. Security as a social practice. How you verify. How you escalate. How you challenge a weird request from someone senior. How comfortable people feel saying, "Hang on -- call me back on the known number." That's culture.

Jack Burns

[calm] And that is the uncomfortable question worth leaving open: if the modern attack surface is partly human judgment, partly institutional habit, and partly economic strategy, are organizations prepared to treat security as a cultural discipline rather than a technical service? Because if not, they are defending infrastructure while neglecting behavior.

Lachlan Reed

[dryly] Which is a bit like locking the shed and leaving the keys in the bike, mate.

Simon Carver

[warmly] And maybe that's the real shift: silence doesn't mean safety anymore. Sometimes it just means the system is working -- for someone else.