Authorized to Destroy
The most dangerous hacker is the one on the payroll.
For the last twenty years, we have focused on building digital walls. We set up strong passwords, used special login codes (MFA), and secured our phones. We looked at our outer walls and thought we were safe.
We were wrong.
While we were busy locking the front door, we gave the keys to the people inside. In 2026, the biggest risk to your company isn’t a hacker in a dark hoodie breaking through a firewall. It is a hardworking engineer copying code into ChatGPT to finish a project on time.
We spent billions securing our devices, but we forgot to secure the humans. Here is why the old way of doing things is broken and what you need to do now.
The Cost of Cutting Corners
For years, we treated “Insider Threat” like a movie. We looked for the secret spy or the angry employee trying to hurt the company. But the data shows this is rarely the case.
According to the 2025 Fortinet Insider Risk Report, 62% of incidents are caused by simple mistakes or stolen passwords. Only about 16% are actual bad guys acting on purpose.
The problem is usually a negligent super-user or a tired employee trying to cut corners. But these mistakes are expensive. The Ponemon Institute’s 2025 figures show the average cost of these accidents is $17.4 million per company. If it takes you more than 90 days to fix it, the cost goes up to $18.7 million.
Why Old Security Tools Don’t Work
If you are still using old “Data Loss Prevention” (DLP) tools, you are fighting a modern war with outdated weapons.
Old tools look for content, such as a file that has the word “Confidential” in it. They fail because they don’t look at context. A perfect example is the case of Linwei Ding, a Google software engineer who allegedly stole over 500 secret files.
How did he do it? He didn’t just email the files. He copied code into Apple Notes, turned the notes into PDFs, and then uploaded them to his personal Google Drive. The old security tools didn’t stop him because “uploading a PDF” looked like normal behavior.
The lesson is simple: You can’t just block specific words. You must watch behavior. Instead of just blocking a file, you need to ask: “Why is Clark from Engineering uploading 5 gigabytes of data at 3:00 AM on a Sunday?”
The Rise of the Robot
As if people weren’t hard enough to manage, IT leaders in 2026 have a new problem: insiders that aren’t even human.
We are seeing the rise of “Agentic AI”: smart AI bots that can do tasks and move data without a human clicking “approve”. Palo Alto Networks calls this the biggest risk of 2026.
These bots are like “superusers.” If a hacker tricks one of these bots, they don’t just get a laptop; they get a system that can silently steal your customer database in seconds. You now need to track your AI bots just like you track your employees.
The Regulators Are Watching: New Directives You Cannot Ignore
For years, “Insider Risk” was a suggestion. As of late 2025, it is a mandate.
The White House: The “AI & Quantum” Executive Order (June 2025)
The biggest shift in policy since EO 14028.
The Directive: On June 6, 2025, the Administration released Executive Order 14306 (amending previous orders).
What does it mean? It explicitly targets AI-enabled software vulnerabilities. It directs agencies to prioritize investments in network visibility and security controls, specifically around how AI is used in defense. If your developers are using unauthorized AI tools to write code, that is now a federal concern.
CISA & NITTF: The “Maturity” Mandate (2026)
The National Insider Threat Task Force (NITTF) and CISA have changed the scoreboard. They don’t care if you have a policy document anymore; they care about maturity.
The Shift: In 2026, Insider Threat programs are evaluated on a Maturity Framework.
The New Standard: You can no longer silo this in “Security.” The new guidance pushes for a “Mature” level where behavioral analytics (Risk Scoring) replaces manual log reviews.
Why it matters: Programs at Level 1 (Ad Hoc) cost $24.6 million annually to run due to inefficiencies, while Level 5 (Optimized) programs cost only $10.6 million.
DoD: The “Continuous Vetting” Strategy (2025-2030)
The Defense Counterintelligence and Security Agency (DCSA) released its 2025-2030 Strategic Plan in March 2025.
The Goal: They are integrating “Personnel Security” directly with “Insider Threat” missions.
The Tech: They are moving to a “Continuous Vetting” model. They aren’t just checking your background once every 5 years; they are checking it constantly.
The Solution: Watch Behavior, Not Just Files
We need to stop using the phrase “Trust but Verify.” In 2026, the new standard is Adaptive Trust.
You cannot treat the front desk receptionist the same way you treat a lead engineer/Super Admin with full access to your systems. Security needs to move to tools that look at intent.
This means:
The “Resignation” Protocol: When an employee puts in their two-week notice, the risk is high. You must check what they downloaded recently. Tesla, for example, focuses on data theft in the 30 days before an employee quits.
Context Matters: If the time of day, job role, or amount of data doesn’t match what the user normally does, stop the action.
Watch the Prompts: Old tools looked at files; modern tools need to look at prompts to see what users are asking AI to do.
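To make the first two points concrete, here is a small scoring sketch, added as an illustration and not taken from any vendor's product. The baselines, role weights, threshold, the user "dana" and all sample events are constructed assumptions; the 30-day look-back mirrors the resignation window mentioned above.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed baselines: past daily upload volume (MB) and usual working hours per user.
BASELINE = {
    "clark": {"role": "engineering", "daily_mb": [40, 55, 35, 60, 50], "hours": range(8, 19)},
    "dana": {"role": "front_desk", "daily_mb": [2, 3, 1, 4, 2], "hours": range(9, 18)},
}
ROLE_WEIGHT = {"engineering": 1.5, "front_desk": 1.0}  # assumption: more access, more weight
BLOCK_AT = 75  # assumed threshold, tune against your own data

def score(event):
    """Score one upload event against the user's own baseline; return (score, reasons)."""
    base = BASELINE[event["user"]]
    points, reasons = 0, []
    mu = mean(base["daily_mb"])
    sigma = pstdev(base["daily_mb"]) or 1.0  # avoid divide-by-zero on a flat history
    if (event["mb"] - mu) / sigma > 3:
        points += 50
        reasons.append("volume far above user's normal")
    ts = event["ts"]
    if ts.hour not in base["hours"] or ts.weekday() >= 5:
        points += 25
        reasons.append("outside user's normal hours")
    return points * ROLE_WEIGHT[base["role"]], reasons

def decide(event):
    """Stop the action when the context does not match the user's normal behavior."""
    return "block" if score(event)[0] >= BLOCK_AT else "allow"

def resignation_review(user, notice_date, events, days=30):
    """On notice, list the user's anomalous uploads in the preceding window."""
    start = notice_date - timedelta(days=days)
    return [e for e in events
            if e["user"] == user and start <= e["ts"] <= notice_date and score(e)[1]]

# Constructed sample events.
EVENTS = [
    {"user": "clark", "ts": datetime(2026, 3, 15, 3, 0), "mb": 5000},  # Sunday 03:00
    {"user": "clark", "ts": datetime(2026, 3, 10, 14, 0), "mb": 45},   # Tuesday afternoon
    {"user": "dana", "ts": datetime(2026, 3, 11, 10, 0), "mb": 3},     # Wednesday morning
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["user"], e["ts"], e["mb"], decide(e), score(e)[1])
    print(resignation_review("clark", datetime(2026, 3, 20), EVENTS))
```

Because the role weight multiplies the score, the same volume spike during working hours blocks the engineer but only raises the receptionist's score, which is the difference in treatment the Adaptive Trust idea calls for.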
We spent decades locking the front door. It is time we started watching what is happening in the living room.




