by Gigi Agassini and Shawn Ford
Between late December 2025 and mid-February 2026, a single operator used Anthropic’s Claude Code and OpenAI’s GPT-4.1 to breach nine Mexican government organizations and exfiltrate hundreds of millions of citizen records. According to an April 2026 technical report from Israeli security vendor, Gambit Security, the operator logged 1,088 prompts that produced 5,317 AI-executed commands across 34 sessions on live victim infrastructure, with roughly 75% of remote command execution generated and run by Claude Code. A custom 17,550-line Python tool piped harvested server data through OpenAI’s API to produce 2,597 structured intelligence reports across 305 internal servers.
The detail that matters most is not in the statistics. Claude refused or resisted some of the operator’s requests. He defeated those refusals by framing the work as authorized bug bounty research. The model behaved as designed. What collapsed was the human judgement that should have been watching how the model was being used.
Human oversight is not a control surface bolted onto an AI system. It is a discipline of judgement built around it. Most organizations have not built that discipline.
The oversight gap
On May 7, 2026, EU lawmakers extended the high-risk AI Act deadline from August 2, 2026, to December 2, 2027, because harmonized standards and human oversight guidance are not ready. Read that for what it is. The architects of the most prescriptive AI framework on earth cannot operationalize oversight on the schedule they set themselves. The extension is not relief. It is a warning that your organization is operating inside that gap right now.
The market data lines up. A February 2026 Dark Reading reader poll put agentic AI at the top of the 2026 attack vector list with 48% of votes. A March 2026 vendor survey from Arkose Labs, conducted in February among 300 enterprise leaders, reported that 97% expect a material AI-agent-driven incident within twelve months, while only 6% of security budgets cover the risk. Vendor-published numbers deserve a healthy filter, but the direction of travel is consistent across independent reporting: the threat has been named, the defense has not been funded. This Mexico case is what that gap looks like in practice.
Judgement is what makes oversight real
Article 14 of the EU AI Act requires that human oversight be assigned to a natural person with competence, training, authority, and the necessary support. Most organizations have given someone the title and skipped the rest.
Sol Rashidi has a useful frame for this. “Outsource your tasks. Never outsource your thinking.” The same logic applies to defenders. You can outsource alert triage, log correlation, and pattern recognition to AI. You cannot outsource the call about whether a refusal pattern from a model means the system is working or the system is being manipulated. In this Mexico case, every Claude refusal was automated oversight functioning as designed. What broke was the human judgement that should have caught the framing the operator was using to talk past those refusals.
This is where the IIA’s Three Lines Model earns its keep. First line owns the AI use. Second line monitors, advises, and challenges. Third line provides independent assurance. Without that scaffolding, AI oversight is one person with a title, one judgement call away from a 5,317-command campaign running below the detection window.
Governance is what makes judgement defensible
Agile governance, in the sense Brian Allen develops in his work on cyber risk management programs, is governance that lets enterprises respond to risk decisions made by the right people, at the right time, for the right reasons. NIST IR 8286 and its companion series (refreshed December 2025) provide the scaffolding to integrate AI risk decisions into the broader enterprise risk portfolio the board already owns.
The artifact of good governance is not the policy document. It is the evidence trail. AI use inventory. Acceptable use enforced with auditable logs. Decision records for high-impact deployments. Training records. Escalation paths. Tabletop exercises that include AI-assisted attack scenarios. Without that scaffolding, every oversight decision is an opinion. With it, oversight decisions become defensible facts.
Which brings us to the part of this conversation we cannot have without a lawyer in the room.
Liability follows the evidence
The exposure begins with the deployers. Under Article 26 of the EU AI Act, organizations using high-risk AI systems carry obligations of their own, separate from anything providers passes down by contract. They must operate the system according to the provider’s instructions, assign human oversight to people with real competence, training, and authority, monitor performance against those instructions, and keep automatically generated logs for at least six months unless other law provides otherwise.
The revised Product Liability Directive (EU) 2024/2853, which member states must transpose by December 9, 2026, brings software and AI systems within the EU’s no-fault product-liability regime: a defective AI product or service that causes covered harm can draw an economic operator into a claim without proof of negligence. Canadian organizations face a converging structure: breach-reporting and recordkeeping duties under PIPEDA and Quebec’s Law 25, plus negligence principles argued by reference to monitoring, governance, and documentation.
It turns on evidence, no matter if it is statutory compliance, breach response, or negligence, reasonable care is shown through logs, decision records, test results, and escalation trails, not after-the-fact claims. For SEC registrants, those records support the materiality determination that starts the four-business-day clock under Item 1.05, a window AI-accelerated attacks compress, while Item 106 puts cybersecurity governance, including material AI controls, on the annual record. A breached company may itself be a victim; regulators, plaintiffs, and auditors scrutinize whether its safeguards and response were reasonable, and whether it can prove it. Documented oversight is the evidentiary basis of defensibility.
Closing thoughts
The attacker in the Mexico case did not use anything mysterious. The CVEs were patchable. The credentials were rotatable. The lateral movement was containable through segmentation. Standard hygiene, executed by people with authority and judgement, would have stopped most of it. What was new was speed: AI compressing the gap between reconnaissance and exfiltration below standard detection and response windows.
The extension to December 2027 is runway, not relief. The organizations that use it to build oversight as a discipline (a person, with authority, supported by evidence, exercising judgement, inside a governance structure that can defend its decisions) will be defensible when the deadlines bite. The ones that wait will be next year’s case study.
Gigi Agassini, CPP, is a senior security and risk advisor based in Montréal, Canada.
Shawn Ford is a Partner at Ceiba Law, where he leads incident response and crisis management, and based in Toronto, Canada.
References
- Gambit Security. A Single Operator, Two AI Platforms, Nine Government Agencies: The Full Technical Report. April 10, 2026.
- Council of the EU. Artificial Intelligence: Council and Parliament agree to simplify and streamline rules.Press release, May 7, 2026.
- European Parliament and Council. Regulation (EU) 2024/1689 (EU AI Act), Article 14 (Human oversight). Official Journal of the European Union, 2024.
- European Parliament and Council. Regulation (EU) 2024/1689 (EU AI Act), Article 26 (Obligations of deployers of high-risk AI systems). Official Journal of the European Union, 2024.
- European Parliament and Council. Directive (EU) 2024/2853 on liability for defective products (revised Product Liability Directive). Official Journal of the European Union, 2024. Member-state transposition due December 9, 2026
- U.S. Securities and Exchange Commission. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Form 8-K Item 1.05; Regulation S-K Item 106). Final rule and press release, July 26, 2023.
- Dark Reading. 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child. Reader poll and analysis, February 2026.
- Arkose Labs. 2026 Agentic AI Security Report, March 2026. (Vendor-published survey of 300 enterprise leaders.)
- Rashidi, Sol. LinkedIn post on intellectual atrophy and AI (“Outsource your tasks. Never outsource your thinking.”), 2026.
- Institute of Internal Auditors. The IIA’s Three Lines Model: An update of the Three Lines of Defense, 2020.
- Allen, Brian. Building a Cyber Risk Management Program.
- National Institute of Standards and Technology. NIST IR 8286r1: Integrating Cybersecurity and Enterprise Risk Management (ERM). December 2025. (Companion reports IR 8286A, B, C, and D in the same series, all refreshed December 2025.)
- NIST. Cybersecurity Framework (CSF) 2.0, Govern function. 2024.
- ISO/IEC 42001:2023, Information technology — Artificial intelligence — Management system.
