18 April 2026 · By Kristina Agustin · Published on Coastie AI · 9 min read

Steer deliberately into disruption, what an AI security landmark means for a Coast business

When a single AI model quietly uncovers thousands of unknown security flaws, including one that had been hiding inside trusted software for 27 years, the question for a small business in Erina, Gosford or Woy Woy is not whether to panic. It is how to navigate it deliberately.

I help Central Coast businesses adopt AI calmly. Calm, in my mind, does not mean waiting for the storm to pass. It means staying clear-headed under pressure, reading the conditions as they actually are, and steering deliberately into the disruption rather than away from it.

This month, Anthropic previewed its most capable model to date, internally codenamed Mythos. The model autonomously identified thousands of previously unknown security vulnerabilities across every major operating system and every major web browser. One of those vulnerabilities had been sitting undetected inside a widely trusted, security-hardened system for twenty-seven years.

Access was restricted to a small group of partner organisations working on defensive cybersecurity. In the same week, the US Federal Reserve Chair and the US Treasury Secretary convened the heads of the major American banks to discuss what this model means for the financial system. That is not a regular Tuesday in the AI news cycle.

For a Coast business owner, the natural reaction is to read a headline like that and put it firmly in the "not my problem" pile. I want to make a careful case for why it is, and what to actually do about it this month.

The dual-use problem, in plain English

In cybersecurity there is a long-standing principle called dual-use risk. The tool that defends a system is the same tool that can be used to attack it. A model capable of finding twenty-seven-year-old security flaws inside hardened software is, by definition, also a model capable of finding fresh holes in the software your business runs on every day.

Researchers have been clear on this for years. AI removes the old trade-off between the scale of an attack and how effective it is. What used to require a well-resourced team can now be attempted by a single person with the right toolkit. The defender, meanwhile, has to guard every surface continuously, including the surfaces they have not yet identified.

Your Coast business handles a lot of those surfaces without thinking about it. Customer details. Quoting history. Invoicing data. Staff records. Bank logins inside Xero or MYOB. Client documents inside Microsoft 365 or Google Workspace. A photo of a driver licence on someone's phone. None of that feels like "cybersecurity infrastructure". All of it is.

The honest question is not "are we a target?". It is "if we were breached this week, what data belongs to other people, and who would we have to tell?".

Invisible AI adoption is the bigger story

The more uncomfortable part of this is not the headline model. It is what is already happening quietly inside the tools your team uses every day.

McKinsey research has found that employees are roughly three times more likely to be using generative AI at work than their leaders think they are. Most of that adoption is invisible. It is not a deliberate decision. It is a feature that turned up in an Adobe Acrobat update, a Copilot toggle that switched on inside Microsoft 365, a "Help me write" button inside Gmail, an AI summary that started appearing on top of the team's Slack threads.

If nobody reviewed the terms of that update, the business may already be processing client documents, contracts and crew details through AI systems that no one made a conscious decision to use. That is what invisible adoption looks like in practice. It arrives inside tools you already trust, through updates you did not fully read, enabling AI capabilities you did not specifically choose.

Your supply chain widens this further. Every vendor and platform you connect to is another door. The more integrated your stack becomes, the bigger the surface area you are responsible for. If you have procured a tool from a third party, their vulnerabilities become yours.

Every technical decision is also an ethical one

When you decide which app gets to read your client emails, that is a security control. It is also a governance decision about other people's data.

When you decide whether to tell a customer that something has gone wrong, that is a legal question. It is also an act of accountability to the person who trusted you with their information.

These are the same question, asked two ways. Treating them as one, instead of two separate compliance exercises, is what makes the decisions simpler. It also makes the accountability cleaner: it lands with you.

The relevant external standard here is contextual integrity, a concept from the legal scholar Helen Nissenbaum. The idea is simple. Data should only flow in ways that are consistent with the context in which it was given. A customer who hands you their licence to verify a quote did not consent to that licence being summarised by an AI tool that retains it for model training. A staff member who fills in a safety form did not consent to that form being used to evaluate their performance.

The useful question to sit with: are the AI tools we use today operating within the norms of the conversation in which our data was originally collected?

What to actually do this month

For a Coast business, I do not think the answer is a giant cybersecurity programme. It is a short, structured conversation, and a small number of practical decisions that come out of it. Six questions are enough to get started.

  1. What AI tools are being used in our business right now, with or without formal approval, and what data are they touching? Include the tools you already pay for. Microsoft 365 Copilot. Gmail's smart features. Acrobat AI. Canva Magic. Notion AI. ChatGPT or Claude logins your staff opened on their own.
  2. If we manage data on behalf of clients, is there a single AI policy that says how we handle that data across every job? If not, each staff member is quietly setting their own.
  3. Which platforms and vendors touch our data, and what AI features have been turned on inside those agreements? Read the updates that came through this year. Many will surprise you.
  4. If we were breached today, whose data would be exposed, and across how many jurisdictions would we have to notify? From 10 December 2026, Australian privacy law tightens significantly. Mapping this is not optional.
  5. Do our vendor agreements say what happens to our data if a vendor is acquired, restructures, or is breached themselves? Most are silent. Close that gap before extending any AI tool further into your operations.
  6. Have the people whose data we hold been told how AI tools handle it? Update your privacy notice, client terms and staff agreements to reflect what is actually happening, not what was happening when the policy was last written.

The sea state has changed

The maritime industry has a phrase for the moment the conditions change underneath you and the chart you were navigating from stops being accurate. The sea state has changed.

It has changed for AI security. Governance that waits for a crisis to define it arrives too late, and the crisis is no longer hypothetical. Calm digital navigation, for a Coast business, means making a small number of deliberate decisions this quarter, before the headline model becomes the headline incident.

Our Blueprint runs these six questions across your operation in a single workshop. If you want a hand getting started, the Find your AI quick wins email is the place to start.


This article adapts an earlier piece originally published under Kristina's international maritime brand, Southern Sky AI, for Central Coast businesses.