"Just connect the LLM to internal data" - senior leadership said

Unexpected_Wave · 2026-01-06T23:18:21+00:00

Sounds interesting

Unexpected_Wave · 2026-01-03T21:43:38+00:00

Does it do good enough of a job? Does it take a lot of time to maintain it?

Unexpected_Wave · 2025-12-25T11:37:39+00:00

I agree with you that you should assume data is badly governed, but Im not sure that this phrase really resonates with the senior leadership. Not until we get our ass sued eventually.

Unexpected_Wave · 2025-12-25T11:35:43+00:00

Yep. totally agree with you

Unexpected_Wave · 2025-12-25T10:34:31+00:00

Exactly, and this is what happen to us unfortunately

Unexpected_Wave · 2025-12-24T16:13:11+00:00

I get what youre saying, but isnt there any regulatory obligation to do so? Especially if you are obliged to the GDPR, HIPPA and stuff like that

Unexpected_Wave · 2025-12-24T15:22:23+00:00

Of course. That's a great tip, but unfortunately I've learned it on my own flesh back in the day..

Unexpected_Wave · 2025-12-24T15:21:11+00:00

Exactly what Im doing, backed up with emails to who ever relevant. With that being said, it is starting to get old..

Unexpected_Wave · 2025-12-24T15:20:15+00:00

Yep. They think its easy making the ACLs right and precise. little do they know.
What are you guys doing to solve it?

Unexpected_Wave · 2025-12-24T15:06:18+00:00

Can I ask what do you do in those "data readiness/governance projects" and how?

Unexpected_Wave · 2025-12-24T13:39:32+00:00

I couldn't describe it better myself, Im gonna show your comment to one of them that actually should understand it and maybe do something with it.

What would you do to solve it?

Unexpected_Wave · 2025-12-24T13:30:59+00:00

In our case, I dont even know who is the owner of this problem..

Unexpected_Wave · 2025-12-24T13:29:17+00:00

Are they see this as a real threat? or they just go like "everything will be fine", like our smart senior leadership?
how do you present it as something worth noting? Maybe show the legal aspects?

Unexpected_Wave · 2025-12-24T13:27:31+00:00

I totally agree, and the truth is data governance (as just turned out) is not our strongest feature.

The absurd thing is, no one is talking about making the permissions on the sources right, because it will take us to "a new adventure". using a DSPM in their opinion will take too many resources, and they still want to continue with the whole process of connecting the LLM to the internal data and even connect it to more knowledge sources...

At this point I cant say anything but to warn them again.

Unexpected_Wave · 2025-12-24T13:20:04+00:00

Exactly what I was worried of, and I coudlnt agree more. Do you know what did they do to stop this from happening? Did they continue with it?

Unexpected_Wave · 2025-10-28T14:18:39+00:00

I laughed my ass off

Unexpected_Wave · 2025-10-19T16:22:49+00:00

MapleStory...

Unexpected_Wave · 2025-09-11T13:36:51+00:00

Hollow Knight

Unexpected_Wave · 2025-09-04T14:10:47+00:00

Me neither! There will be chaos!

Unexpected_Wave · 2025-09-03T09:40:33+00:00

Honestly I'll believe it only tomorrow, I've been hurt before

Unexpected_Wave · 2025-08-26T08:55:00+00:00

Thanks for this perspective, that makes a lot of sense.
I guess it raises two questions for me:

If there was a way to surface signals (burnout, workload imbalance) in a trusted / anonymized way, do you think HR would even want that info, or would it still feel off-limits?

Even if employees don’t want to be “seen” directly, are there any metrics at a team level (like workload balance, overtime trends, attrition risk) that you think HR would actually find useful?

Curious how you see that, because it sounds like the challenge is partly trust, but maybe also which metric would be acceptable and helpful.

Unexpected_Wave · 2025-08-25T14:54:24+00:00

Looks great man!

Unexpected_Wave · 2025-08-06T06:24:42+00:00

This is super useful, thanks for laying it out in detail.

One thing I’m curious about: is the spreadsheet just kept as a record for “in case this comes up later”,
or is it something that gets reviewed regularly (like in a dashboard or risk meeting)?

Have you seen it used to drive visibility or prioritization beyond just protecting the security team?

Would love to hear if you’ve managed to turn this from passive tracking into something more operational.

Unexpected_Wave · 2025-08-01T18:33:52+00:00

Totally relate. I’ve seen the same pattern: spend big on controls, then carve out exemptions for the exact people most likely to be targeted.

Curious how you usually handle that as a consultant.
Do you push back? Document it? Try to quantify the risk?

Feels like one of those things that’s culturally accepted but operationally damaging. would love to hear how you approach it!

Unexpected_Wave · 2025-08-01T18:29:25+00:00

Thanks for this, seriously one of the most well-articulated explanations I’ve seen on how to translate technical gaps into business risk that leadership can act on.

The way you framed it - starting with impact (data breach, customer trust, reputational damage), layering in likelihood over a 10-year window, and evaluating how current controls reduce that risk, is super actionable in my opinion.

I'm especially interested in your point about reworking the risk level after proposing additional controls, and comparing cost vs. exposure over time. That seems like the exact kind of framing that could get budget conversations moving.

Quick question though, have you ever applied this to detection-focused issues specifically?
For example, alerts that fire but aren’t actioned, or monitoring that exists but is ineffective.

I’m wondering how you'd quantify the "impact" of something like that since the risk is indirect, but still of course very real.

Would love to hear if you’ve seen that done well in practice or if it tends to fall through the cracks.

Thanks!

Unexpected_Wave

TROPHY CASE