Everyone Is a Regulated Industry Now
An employee with no clearance to your PII can now assemble it from data they're each allowed to see — on a laptop, offline. Here's why your access model never saw
I got a chance to participate in a Cisco Live lunch conversation hosted by my friends at the Velocity Room. A K-12 education practitioner raised a concern I hadn’t considered. He discussed how to manage the unavoidable influx of AI-enabled personal computers and control the flow of data from the edge to the cloud.
Not only did I find this a fascinating real-world question, but it also led to a realization: organizations that never had to worry about traditional regulated-industry controls may have to start adopting some of those same controls to prevent the leakage of information to and from unauthorized compartments.
Before AI-enabled devices, traditional data access controls were sufficient to govern the flow of data in non-regulated environments. In regulated environments, we’ve long applied process-level controls down to the device level. We have the tools to implement policy that prevents the installation of OpenClaw, or even Docker, on a workstation.
But what happens when an employee lacking the clearance to access PII can now use AI to create that data from dispersed sources they each have legitimate access to?
Yes, we can place gateways between these users and the foundation models. But what about the employee with a MacBook Pro and 24GB of RAM? They can load Gemma 4 26B and run some pretty serious correlation experiments.
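The gap in the two paragraphs above is that a per-resource access model answers "may this user read source X?" one source at a time, while the risk lives in the join. The following is an added illustration, not code from the original post or from any vendor it mentions: a small toxic-combination check that first evaluates each entitlement alone (the traditional model) and then asks whether the union of a role's sources, linked on shared join keys, exposes a sensitive attribute alongside a direct identifier or enough quasi-identifiers to single someone out. The source catalogue, role names, column classes and the quasi-identifier threshold are all constructed assumptions for the example.

```python
"""Toxic-combination check over data entitlements (added example, constructed data).

Per-source policy says yes to every source below for the roles shown; the
aggregate check finds the pairs that, joined on the user's laptop, would
reconstruct PII no single source was meant to disclose.
"""
from dataclasses import dataclass
from itertools import combinations

# Column classes (assumed taxonomy): direct identifiers, quasi-identifiers
# (identifying in combination), and sensitive attributes we must not link.
DIRECT = "direct"
QUASI = "quasi"
SENSITIVE = "sensitive"


@dataclass
class Source:
    name: str
    join_keys: frozenset   # columns usable to link rows across sources
    columns: dict          # column name -> DIRECT / QUASI / SENSITIVE


# Constructed catalogue: each source is innocuous on its own.
CATALOG = {
    "badge_log": Source("badge_log", frozenset({"employee_id"}),
                        {"employee_id": QUASI, "door": QUASI, "time": QUASI}),
    "hr_directory": Source("hr_directory", frozenset({"employee_id"}),
                           {"employee_id": QUASI, "full_name": DIRECT, "dept": QUASI}),
    "benefits_claims": Source("benefits_claims", frozenset({"employee_id"}),
                              {"employee_id": QUASI, "diagnosis": SENSITIVE}),
    "cafeteria_sales": Source("cafeteria_sales", frozenset(),
                              {"item": QUASI, "amount": QUASI}),
}

# Constructed role -> sources mapping, the traditional per-source policy.
ROLE_ENTITLEMENTS = {
    "facilities_analyst": {"badge_log", "benefits_claims", "cafeteria_sales"},
    "hr_generalist": {"hr_directory", "benefits_claims"},
    "reception": {"hr_directory", "cafeteria_sales"},
}


def per_source_allowed(role, source_name):
    """The traditional check: one source, judged in isolation."""
    return source_name in ROLE_ENTITLEMENTS.get(role, set())


def _connected(sources):
    """True if every source can be reached from every other via shared join keys."""
    sources = list(sources)
    if not sources:
        return False
    seen = {sources[0].name}
    frontier = [sources[0]]
    while frontier:
        cur = frontier.pop()
        for other in sources:
            if other.name not in seen and cur.join_keys & other.join_keys:
                seen.add(other.name)
                frontier.append(other)
    return len(seen) == len(sources)


def combination_exposes_pii(sources, quasi_threshold=3):
    """A linkable set of sources exposes PII when it joins a sensitive attribute
    to a direct identifier, or to at least quasi_threshold quasi-identifiers
    (the threshold is an assumed policy parameter, not a universal constant)."""
    if not _connected(sources):
        return False
    classes = {}
    for s in sources:
        classes.update(s.columns)      # same column name across sources counts once
    has_sensitive = SENSITIVE in classes.values()
    has_direct = DIRECT in classes.values()
    n_quasi = sum(1 for c in classes.values() if c == QUASI)
    return has_sensitive and (has_direct or n_quasi >= quasi_threshold)


def toxic_combinations(role, max_size=3):
    """Minimal sets of a role's entitlements that expose PII in combination,
    although every member passes per_source_allowed on its own."""
    names = sorted(ROLE_ENTITLEMENTS.get(role, set()))
    found = []
    for size in range(2, max_size + 1):
        for combo in combinations(names, size):
            if any(set(f) <= set(combo) for f in found):
                continue               # a strict subset is already flagged
            if combination_exposes_pii([CATALOG[n] for n in combo]):
                found.append(combo)
    return found


if __name__ == "__main__":
    for role in ROLE_ENTITLEMENTS:
        alone = all(per_source_allowed(role, s) for s in ROLE_ENTITLEMENTS[role])
        print(f"{role}: per-source policy passes={alone}, "
              f"toxic combinations={toxic_combinations(role)}")
```

Each flagged pair is a decision point for the defender rather than a verdict: split the role, tokenise or drop the shared join key from one side, or move that join behind the gateway mentioned above so it cannot happen offline on the endpoint. Raising `quasi_threshold` shows how sensitive the result is to that assumed policy parameter.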
This is the security-by-obscurity problem in a new form. We never had to paint the other side of the fence, because no one ever looked. But now it isn’t just external threats that expose us. The curious power user — simply trying to get work done — has eliminated the obscure defense.
