Secured by Galah Cyber with Cole Cornford

By: Galah Cyber

Secured is the podcast for software security enthusiasts. Host Cole Cornford sits down with Australia's top software security experts to uncover their unconventional career paths and the challenges they faced along the way. Listen in as they share their insights on the diverse approaches to AppSec, company by company, and how each organisation's security needs are distinct and require personalised solutions. Gain insider access to the masterminds behind some of Australia's most successful software security teams on Secured by Galah Cyber.

This podcast uses the following third-party services for analysis:

Podtrac - https://analytics.podtrac.com/privacy-policy-gdrp
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/

Copyright 2026 Galah Cyber

Economics, Career Success, Politics & Government

Episodes
  • What the ISM AI Update Actually Means for Cyber Teams
    Apr 1 2026
    Episode Summary

    The ISM has been updated again, and this time AI is front and centre. In this episode of Secured, Cole Cornford is joined by returning guest Toby Amodio, Practice Lead at Fujitsu Cybersecurity Services, for another instalment of Policy Wonks and Gronks, cutting through the vendor noise to talk about what the March 2026 update actually means in practice.

    They explore where AI is genuinely delivering value for cyber professionals, from automating compliance mapping and vendor assessments to streamlining pen test reporting and SOC triage. But they are equally candid about the risks: the erosion of foundational skills as junior roles get outsourced to AI, the creeping fatigue of reviewing outputs at scale, and the danger of skipping straight to full automation without the expertise to validate what the machine is doing.

    The conversation also tackles bigger-picture concerns unique to Australia: sovereign AI capability, the risk of a brain drain to the US, and whether a small country can afford to decentralise its AI infrastructure. Toby closes with a sharp reminder for government CISOs: AI is just another system, and how people use it matters far more than the certifications attached to it.

    Timestamps

    00:00 Episode Trailer

    01:01 Chainguard ad

    01:28 Intro and the March 2026 ISM update

    03:00 AI hype vs real world utility

    05:00 Governance and compliance use cases

    08:00 Vendor assessments and knowledge base automation

    11:00 Skill erosion and the junior roles question

    14:00 AI in pen testing: reporting, scoping and customer experience

    17:30 The maturity model for AI adoption

    21:00 Vibe coding, slop assurance and fatigue at scale

    25:00 Agents watching agents and the bot vs bot future

    28:30 Australian AI sovereignty and the brain drain risk

    32:00 Top tip for government CISOs on AI risk

    35:00 Shadow AI and DNS log visibility

    37:00 Closing remarks

    🐙 Secured is grateful to be sponsored and supported by Chainguard.

    Chainguard is the trusted source for open source. Get hardened, secure, production-ready builds so your team can ship faster, stay compliant, and reduce risk. Download your free CVE Reduction Assessment at https://dayone.fm/chainguard

    Secured is part of Day One. Day One helps founders and startup operators make better business decisions more often.

    To learn more, join our newsletter to be notified of new First Cheque episodes and upcoming shows.



    34 m
  • (Replay Ep) Leading Change in Cybersecurity: Tara Whitehead’s Approach to Security Engagement
    Mar 25 2026
    Episode Summary

    Tara Whitehead is Security Engagement Manager at MYOB. Prior to becoming a cybersecurity specialist, Tara had an eclectic career, including working in advertising and international relations. In this episode Tara chats with Cole about how her non-technical background has in many ways been an asset working in security, leading change management in large enterprises, the importance of great communication skills, and plenty more.

    Timestamps

    7:15 - Tara's first days in AppSec

    10:00 - How to influence people

    12:30 - Why we should dial back on the doomsday conversation

    14:10 - Find your change champions

    21:30 - Is a non-technical background help or hindrance?

    23:30 - Communication and influencing key skills

    26:00 - Communicating with execs

    28:20 - Rapid fire questions

    36 m
  • AI in AppSec: Hype, Layoffs and What's Actually Real
    Mar 4 2026
    Episode Summary

    Artificial intelligence is dominating headlines in cybersecurity, but how much of it holds up under scrutiny? In this solo episode of Secured, Cole Cornford, founder and CEO of Galah Cyber, shares his unfiltered take on three of the biggest AI narratives making waves in the AppSec space right now.

    Cole breaks down the Claude Code security announcement and why the market reaction dramatically overstated its real-world impact, arguing that the most meaningful security vulnerabilities have never been the ones static analysis tools can easily catch. He then examines Aikido's continuous penetration testing proposition, raising serious questions around noise, cost, resilience, and whether most organisations are even architected to support it.

    Finally, Cole tackles the AI job displacement narrative head-on, making the case that most high-profile tech layoffs are less about AI capability and more about mismanaged businesses using automation as convenient cover for decisions driven by poor performance and investor pressure.

    Timestamps

    00:00 – Intro & Cole's hot take on AI hype

    01:30 – Claude Code Security: what it is and why markets overreacted

    03:30 – Why meaningful vulnerabilities need context, not static analysis

    05:30 – Autofix, token waste, and who's actually using Claude Code

    08:00 – Aikido Infinite: the continuous pen testing promise

    10:00 – Cost, resilience, and noise concerns with Aikido

    12:49 – The AI jobs narrative: Cole's verdict

    14:30 – WiseTech, Block, and the smokescreen theory

    16:00 – Jobs shift, not job loss

    17:03 – Closing thoughts and solo format feedback

    19 m