Shadow AI: When Everyone Becomes a Data Leak Waiting to Happen
Leadership and Workforce
Shadow IT kept CIOs up at night for decades. Shadow AI rewrote the rules. The old threat required someone who knew how to code. The new one requires someone with a browser and a deadline. Data leaves your organization through thousands of well-meaning employees who have no idea they sent protected health information, trade secrets, or personnel records to a third-party model nobody evaluated.
In this session, cybersecurity leader Aaron Warner draws on patterns from mid-market healthcare, manufacturing, higher education, and financial services to reframe how you should think about AI adoption risk and opportunity.
You will explore:
- Why Shadow AI spreads virally. A single useful prompt shared in Slack creates fifty unmonitored data leakage points overnight. Traditional Shadow IT never moved this fast.
- The hidden regulatory exposure you are carrying right now. OpenAI’s privacy policy allows submitted content to train models unless users opt out. A federal court ordered indefinite retention of all ChatGPT logs as part of the New York Times lawsuit.
- How vendors are compounding the problem without your knowledge. AI features show up inside HRIS, ERP, CRM, and email platforms with no security team involvement.
- Why prohibition backfires every time. Locking down AI access guarantees workarounds with even less visibility, accelerating the exact risks you are trying to prevent.
- A strategic framework for engagement over suppression. Practical approaches to policy, training, and compliant AI alternatives that let your organization capture productivity gains without sacrificing security or regulatory standing.
This session is for anyone responsible for deploying or supporting the deployment of AI, as well as business leaders looking to understand the new sources of risk from Shadow AI and how to take advantage of the technology without putting the firm at risk.
Key Takeaways
- Shadow AI is already inside your organization. Unlike traditional Shadow IT, no technical skill is required. Shared prompts spread it across departments fast. Your exposure is almost certainly larger than you think.
- Prohibition accelerates risk. Blanket bans push AI usage underground with zero visibility, creating more data leakage points, not fewer. Engagement-based policies paired with compliant alternatives are the only sustainable path forward.
- The regulatory ground is shifting under you. Court-ordered data retention, evolving vendor privacy policies, and AI features silently embedded in your existing platforms mean yesterday's compliance posture is already outdated.
Transcript from Summit:
Session Transcript
Okay, so, you know, I was driving up here thinking about, like, "The Shadow knows." That certainly dates me more than a little. But in this particular case, it's applicable. So I don't know how I got it titled, like, whatever, how to make people feel terrible about IT. That's really not the point of this presentation. I think Shadow AI is very interesting, both as a former renegade IT guy that didn't follow rules, I still don't follow rules very well. And as a CIO in biotech with some very sensitive instrumentation and some really high-end intellectual property and a lot of really heavy dependence on uptime, it's a curious trade-off. Shadow IT and your classical IT. The crazy part is that often in shadow IT, your best ideas came from that group of renegade pain in the *** employees who didn't do things the way they were supposed to. So you have a hell of a quandary here, right? Like, what do I do with the best and brightest in my organization that refuses to follow rules? And how do I get them to help me to do what I need to do and harness that capability rather than just telling them no until they quit and go somewhere else? Shadow AI is that on steroids. And it's coming from all different directions. So I think it's a fascinating kind of intractable problem right now. It's a very today kind of thing. Me, yeah, I was the guy dumb enough to drag that thing up here last year. I was thinking about that coming up earlier today with Doug and both of us had like our laptops. Like this is a much smarter approach to doing a conference. The reason I included him is that he is reasonably smart. He's integrated into ElevenLabs. It's actually Vlad Tempish. So if you have a conversation with him, he's actually really kind of unpleasant. He's rude to my daughter. Jaw moves and the whole 9 yards. So I like AI for vibe coding and Claude Code and that kind of thing. In cybersecurity work, obviously, it's really changed how we do what we do. And frankly, why we do what we do.
This is some stuff about ProCircular. We do offense and defense and that sort of thing. Incident response is usually when I'm on the phone with the bureau. Hey, we have this bad guy and they look this way or that way. What are you seeing? That's a pretty common conversation with those folks. So, we do cybersecurity, and it gives us an interesting view into this sort of artificial intelligence world. The fastest growing security risk is definitely not an attacker. It's something your own people are doing to be helpful. And I think that's a really important part of this. IT directors, CIOs, anybody in a decision-making capability tend to view users as **** ants, or a pain, or something that you just have to keep track of. It's easy to lose track of the fact that those are the sources of most of the innovation in the organization. And again, I'll come back to it. Typically, a lot of your larger pain in the *** employees are the ones who are able to contribute the most. So what do your people do? This is really what we see in the real world. There are many, many presentations on how to properly implement Microsoft stack, the Copilot stack. There's plenty of guidance, or some of it at least, in enterprise things like Claude. But for the time being, like today, this is a total train wreck. And what we're seeing in organizations is people pasting whatever the hell they want into GPT, AI browsers that nobody, browser extensions that nobody's approved, automated no-code tools, you see all that sort of thing. Everything on the left, how about this? How about by show of hands, how many of you are guilty of 1 or all of those things on the left? Yeah, yeah, right. Kind of defines this. It's part of how you end up at this conference. The other interesting piece of this, and this wasn't happening back in shadow IT days, is that a lot of these features are turning on, whether you like it or not. Things inside of your CRM have become very, very smart.
Things inside of your HRIS have become very smart. Anybody who's using QuickBooks, you can pop QuickBooks open and take a really good look at, geez, your cash flow looks good this quarter, you should do that. That's all AI. And often it's not something you opted into. It happens inside of the application. So no matter how tight your controls are, around whatever is happening on the left here, no matter how badly you try to put the screws to employees, all of these other things are going to continue to happen. Here's some interesting IBM data. Something like 97% of AI related breaches lacked proper AI access controls. I don't know what proper access controls look like. I think I need to go call Pella. It sounds like he's doing some fascinating things in that perspective. But again, you know, what's that one? I just, I always think about the edge case. What's that one really brilliant guy in manufacturing who has a copy of Claude Code? Like, what's that dude up to? That guy in shadow AI world has the resources that somebody in shadow IT 20 years ago would have been like 30 people gone rogue. Now it's one guy, a really great piece of software to build the thing that they need to get that out the door this week. Best of intentions, right? Other interesting piece of this, and we're seeing this from a cybersecurity perspective, phishing volume, voice phishing, audio. We've seen a few of those. In fact, I was on the phone last week because, here's a little tip, DPRK, our friends in North Korea, are really busy trying to get jobs here in Iowa. Have had three of them in the last month. Person A interviews for the job. Person B, person A applies for the job. Person B interviews for the job. Person C shows up. Person C is not person A or B. Meanwhile, Pella, I'll pick on him, thought they were hiring one person. There are three folks involved. One of them is the guy you do not want in your organization. That is a North Korean spy. I'll go off on this a little bit.
In one particular case, they hired an individual as an IT help desk person. Think about that for a moment. Like if you've got a bad guy in your computer system, what kind of keys does a help desk have to have to do their job, right? That's tough. Even worse than that, another one was a development position. Like they write all the core code for this organization, it's a manufacturer. That's another place you really don't want a bad guy hanging out. We caught one of them by photo. We did get him to show up for a Team meeting, and we got a picture and worked with the people who do those things, and it's that guy. In the other case, we tracked it down. He forgot to turn his VPN on, and they showed up in Lahore, Pakistan. People make mistakes, even hackers. So anyway, that's the sort of weird thing, the weird world that I live in. And AI is making cybersecurity attacks much easier, much deeper, and more vibrant. They are all about customer delight. They have figured that **** out. And the number of attacks that you can implement is sort of limitless, dependent upon how much time you have to design. So these attacks are becoming as real as anything anybody has really sent you. Full disclosure, I fell for one last week. You might know, Elaine Shen is a woman who works at a really large law firm in Hong Kong. And I got an email from her saying, hey, we really like your practice. We love to work with you, cybersecurity firm. This is a, she's like a heavy hitter in our industry. Emailed her back, Elaine, thank you so much for taking interest in ProCircular and so on and so forth. And then I get an email from our DCO group like 2 minutes later, like, hey boss, that's not Elaine. That's this other thing. It wasn't easy to catch, but I fell for it. And I do this stuff for a living. Imagine what my grandparents are up to, right? So it's a perfect example of this kind of AI attack. They knew that I was a CEO. They knew that I owned a cybersecurity company.
They knew that I did, and they mentioned very specifically what's called panel work within the insurance industry to do incident response. How the hell it figured that out? I don't know. There are many people in our company that couldn't have written that email. Somebody out there did. And they did it with AI. And then I got another one from another legal scholar from a different law firm the following week. Same bad guys for sure. But it's just fascinating how well they can design these things and how quickly they can implement them. So I don't have all good news to share. Sorry. A. Three vectors. You got your employees who are pasting things and copying P&Ls and design documents from customers and all sorts of things into this hole that is AI. You have some vendor embedded AI. I mentioned that your CRM and HR systems are full of it now. Where those data go is a question for each one of those vendors and very likely a different answer from each one of those vendors. EC2 is not an acceptable answer, and it's rarely going to be that straightforward. And autonomous agents, and this is a thing that you're hearing more and more often here at the conference where we've had a conversation with HR about how to register agents as employees, because in some cases, we're going to need to track them. There is some in cybersecurity, there are some jurisdictional or geographic topics related to like, when a bad thing happens, you have to let people know in a certain geographic area. Where we locate some of this stuff can affect how some of that law reads. It's going to get awesome. Send your kids to law school and have them specialize in AI. They will be busy forever. And then you can go borrow their boat or something. So where does it hurt most? This isn't going to surprise anybody in this room. Healthcare, that's the obvious one. Here's a question. Why do hackers steal healthcare records? We all know they do it, right? Why? I'll go one step further.
Why is a healthcare record, PHI, worth 300 bucks for one account and a credit card is worth, if it's fresh, maybe 10, if it's old, maybe $2.00? Why the differential? What are they doing with the healthcare record? Anyone? Doug's not allowed to play. He actually quite literally wrote the book on the subject. Yeah, there's a lot of Medicare fraud. The other thing that we'll see is opioid crisis is a big part of this. People will go take your identity, register you at five or six shady pharmacies, get your 150 opioid OxyContin delivered, and then they go sell those in suburbia for about 100 bucks a pill. If you're hooked and you don't know where to call to get heroin, you'll spend whatever. And that is not lost on the bad guys. So part of the reason your medical records are so valuable is that you can get that one record and turn it into, in less than a week, thousands of dollars. So that's part of the reason healthcare is hit so hard. Financial services, I mean, that's the age old, why do you steal from banks? That's where the money is. And manufacturing, I think the manufacturing one is a little bit distinct perhaps from these other two in the case, I come from high speed, high transactional volume manufacturing, uptime is the thing. That is the lever that bad guys use against you in any situation they can. They know you have to ship and they know it's very, very expensive when people are standing around staring at each other. So manufacturing, it tends to be a temporal lever that they use to cause trouble. And I should mention this, and Doug's talk has quite a bit more on the legal aspects of this than mine, but the I'll generalize it this way. When governments get nervous about a thing, which is usually because their constituents are complaining about it, or they don't have a good answer for the question, they create legislation. Part of the problem with legislation, yes, that's cynical, but it's also true.
I'm the author of like 3 bills, so I got to see all this firsthand. The legislation, particularly that legislation around technology, is almost immediately outdated when it's passed. There are, if you look through Iowa Code, all kinds of stuff that was a sort of response to the social media MySpace revolution, right? Those laws don't just evaporate after they've been passed. They hang around and they... AI legislation is being discussed in every state in the union, including this one. It is, I am not involved with Technology Association of Iowa or the legislative committee, so this is not the thoughts or opinions of that organization. It's a train wreck. It's, yeah, it's a, yeah, there are very smart people who I trust involved in trying to shape that legislation, and it is still a galactic train wreck. And the problem is it's legislators trying to frame in a thing that is changing every day and that they don't understand. And it's probably, I don't know what end they're trying to seek. Good luck controlling it, right? So these are the places where a lot of this shadow AI really affects you the most. Your talk in earlier today, your keynote, mentioned a lot of the places in manufacturing where both the conflict of innovation and renegade sort of meet with one another. I think this is a really fascinating place where that happens. Three stories. You got to have your horror stories in this line of work, right? This is my story. This is a true story. Halloween sucked last year. I spent 2 1/2 years writing software to get my robots running. And the punchline here is that on Halloween night, I was using Visual Studio with Claude Code integrated and a whole bunch of MCP connections, and it like choked, just died. My code was solid, passes all the Git import, all the functional things work. Yeah, my design tool doesn't work, and then one thing broke. You find out very quickly where that dependency is, especially when you have trick-or-treaters waiting at your front door.
You're like, *** **** it, why can't I get this running? I spent the whole night swearing at my computer instead of watching my cool animatronics talk to kids and say fun stuff. So I had not worked out that that dependency, you develop a really, really intense dependency on the tool or tool set that you're using. It used to be your dependency was on the people in the project itself or the technology that you're trying to deploy, Microsoft ERP or what have you. In this particular case, it's the tools you're using to build the tools is where you've moved the risk and they're... delicate. MCP is delicate. Authentication is delicate. All integration of Claude Code into Visual Studio is delicate. So in some ways, we've kind of replaced the nice, safe world of C and Visual Studio in sort of a well-understood approach to computer software development with, who knows? It generates major risk. And because of that, that is just me complaining. I had to sit and watch trick-or-treaters be disappointed. Here's an actual case. Drift sells a chat bot that integrates into SFDC. It holds really long OAuth tokens. They tagged Sales Ops GitHub, moved into AWS, and walked out with all of the active customer tokens, and they used those customer tokens to log directly into Salesforce. That's just because that chat bot sort of slopped those tokens over. That's one. Asana, MCP, everybody, somebody, anyone familiar with MCP in here? Generally speaking, MCP is kind of a cool new method of connecting up dissimilar systems, in this particular case, chat bots. It is a mixed blessing from a security perspective. It tends to be set up as like you get everything or you get nothing unless you're working in his environment. I'd love to see how that's set up. But MCP is a method of sharing data between systems. They set up an MCP, which everybody is doing, by the way, setting up an outbound MCP connection so you can plug Claude into it, so you can ask whatever questions, right?
A bit of a problem, caused cross-tenant access, and customers could just query pretty much everything about any customer. That is a bad thing. I used to work in biotech, and let me tell you that Dow was very interested in what their competitors were doing. And if their competitors had figured out that Dow had access to the work I was doing at Integrated DNA, that would have been a very, very bad thing. Pfizer versus Wyeth, or take your pick, right? Customer A shouldn't be able to see customer B's data. Bad day. Slack. So they added a, this is kind of funny. They added a paragraph to their privacy policy saying, by the way, we analyze customer messages, content, and files to develop AI. They probably threw that in on like a Tuesday, and I'm sure that everybody took careful care to read through their EULA and accepted that. Every workspace was defaulted, was opted in by default, and the opt-out was an email with a specific subject line. Nine months they sat and consumed pretty much everybody, everybody's conversations in Slack on a number of topics, I'm sure. So when this breaks, this breaks big. And the data that are shared or made accessible aren't always, we talk a lot about like, well, what happens when you drop your data into the cloud, it's someone else's computer, or into GPT and that's someone else's computer. That's really not what we're talking about here. We're talking about the vendors that you're using, allowing outside people to view your data. This isn't even, Slack probably didn't mind this very much. I doubt they have reversed it, unless their lawyers had an opinion on it. They probably still have those graph tables laid around somewhere. Because it would be super useful to know what people talk about on Slack. So when these things break, they tend to break big. What do they have in common? AI integrations, cross-tenancy, and cross-tenancy for anybody who's built those sorts of structures is very difficult to get right on a good day.
Cross-tenancy leaks are becoming a huge category here. And default-on AI changes, which is kind of how they get you to buy the product. They turn it on, they get you hooked on it, and then you need the $10 a month, whatever, subscription. Those default-on changes, in addition to being a fiscal risk, also have some security implications as well, particularly when they're in the hands of employees. Here's a shadow IT example. I worked in a place that had a gene synthesis, so very cutting edge. We built whole genes for clients. Think like environmental sciences, think cancer cures and that sort of stuff. I found out, I was the CIO, I found out the hard way they were using this new piece of software called Trello. Anybody use Trello? Yeah, they had the whole frigging everything we were ever going to do in synthetic biology, which was very proprietary, right there in Trello. And by the way, it was the free sub. Shadow IT. That was, however, another example, those pain in the *** employees went from a $4 million loss to a $35 million gain, a 60% net in three years when they got their **** together. So those renegades, those pain, they were a complete pain. They also revolutionized how the company did what it does. So, good with the bad. What is the market doing about any of this? Paul was very upset with me for not submitting this presentation, like, I don't know, three months ago or something. I submitted it last night at midnight, mostly because Microsoft was releasing some new things. And there are a bunch of new changes. It's the nature of the industry, right? Some of this is in the last day. Data lineage - oops, did I miss? Oh, I'm sorry. So these are really the four different approaches. You can think of them as, rather than four different approaches, four different layers of security as it applies to how to secure and monitor agents within your environment. This is a very moving target.
Like I said, Microsoft just released their version of this into production like last night. So super, super new stuff. Data lineage is about tracking where the data came from. It is also, I don't like that description. It's also more about tracking data where it exists as opposed to, no matter where it exists, so data in transit as opposed to data. Your data needs to know who it belongs to and where it belongs. That data lineage component is a really important part of building a security program around this. It also makes the assumption that you know what data you have and who owns it. Nobody does that. Data governance is very hard to do, to do right. But if you can take a swing on it, data lineage is one of the methods of keeping track of the things that are happening within the organization. Endpoint discovery, you guys are used to EDR. You put little guys out that listen and tell you what people, what applications people are running. AISPM and runtime is sort of the inspection approach. It is not DLP. It's a little different than data loss prevention, classic data loss prevention, in that it tends to be integrated. There are a couple of ways to do this, but it tends to be integrated into the prompts themselves. The other big thing that a lot of these make the assumption of is VPN. If you have clients or if you have employees with VPNs inside, they can skip right over the top of a lot of this. And identity and gateways. I'll tell you the thing that keeps me up at night most about AI, the thing I think bad thoughts about more often than not is identity. I don't know how to do identity. And I work for a company where it's very, very important. I mentioned that Wyeth doesn't need to see Pfizer's stuff. In my world, this customer does not need to see the recipe for how to hack that customer. That would be good not to share. In order to separate those things, I have to know very well that that person is who they say they are, and this person is who they say they are.
That is undiscovered country on the information superhighway, and it is made far more complex by AI where you can fake it. Identity, identity, then maybe that'll be my next talk. Yes, sir. I mentioned it, so I mentioned VPN, is it a good safeguard to have? That's a good question. In this context, what I'm talking about is somebody inside of an organization hiding what they're up to with a VPN. Some IT shops will detect that, some won't. But if you have employees who are using VPNs internally inside of the environment, they can skip over some of the protections that you have in place to inspect their traffic. That's really what I was referring to here. VPNs in general, big fan. Big fan, although it's becoming increasingly difficult not to look like a spam bot. My ProtonMail gets me kicked off of a lot of stuff, or Proton VPN. Three new releases, all within the last 30 days. It's actually like the last three days. Prompt Security, SentinelOne bought Prompt Security, is a fantastic tool. It allows you to take a look into real-time prompt injection so you can catch people who are trying to do bad things while they're doing it. SentinelOne also has the benefit of many, many years of XDR and EDR and all of the data that they have collected on threat intelligence. The same applies to CrowdStrike as well. So their models are pretty vertically trained to do just this one thing. SentinelOne only sells security. Microsoft, they sell a couple of other things. Toasters. Agent 365, that released yesterday. I have not played with it yet. I'd love to talk to anybody who got to play with it in pre-release, because I didn't fiddle around with it. My guess, and that's because I'm old and... definitely stubborn. Microsoft tends to release a product and then let us figure out how the hell it works. Microsoft Service Center is like my favorite CIO's example of that. Here's a cool piece of software we can sell you that you can use to run your entire organization. Now configure it.
Just like your organization. It's like, dude, you were supposed to do that. Why did I pay you $100,000? Microsoft is good at giving software out to the world that has functionality that you get to figure out how to use. I'm not holding my breath for that. The biggest advantage that this has right now, as far as I can tell, is that it's Microsoft. That's like their whole sales pitch. Well, it's good. Well, why is it good? Well, because it's Microsoft and it integrates into the Microsoft stack. Cool. Why else is it good? Well, your whole system is a Microsoft stack. It's like, yeah, that's awesome too. I know that. Why is it better than Prompt? Well, we're integrated directly into your Exchange Server and Office 365. So, like... Thanks. CrowdStrike has another set of really fascinating tools to sort of approach this. You can expect this to be the thing that everybody announces every quarter. There will be updates on this. If for no other reason than probably the first step in getting your arms around this problem is to figure out how bad it is in your organization. Any one of those tools might give you some insight there. Certainly better insight than you have by sending an email saying, hey, is anybody using Claude Code? A, the guy using Claude Code doesn't reply to that email. Oh, and you see this? This is brand new to E7. Apparently this is like 3 months old. I just found this last night. I'm like, oh ****. I didn't find the air fryer. I think it's one of those. But there is like everything under the sun in this package and it's only $99 per user per month. If it included Adobe Creative Suite, I might pay it. But yeah, so E7 is the new AI-ified version of the really expensive E5 license. Open your checkbooks. So if you're just starting, Purview labels in Agent, you're already paying for that. That's one way to try that out to make sure that you can sort of detect where people reside within the organization.
If you have CrowdStrike or SentinelOne, that Shadow AI module, I think that it is still reasonably pre-release-ish, but you can beg them into, thank you, into giving them a look. Give me a call if you'd like to see it, because it's cool stuff. If you build AI applications in-house, SPM platforms, I'm going to recommend kind of a different approach to that. And if you're starting from zero, endpoint discovery. And I would tell you that just to protect your organization. If you don't have endpoint out there anyway, you should. Um... The whole ecosystem, there's no shortage of new entrants in this, and there will continue to be. This is going to be a, watching people use AI is going to be an important and popular part of what we do. And this was going to be my sort of punchline. Build a culture and not a cage. So I work with, I don't even know how many CIOs in my capacity in cybersecurity. Some of them care about culture, others less so, but they tend to be awfully prescriptive and skeptical of what their employees get up to. I would argue that you get a lot further by being open about the risks. You want people to understand why. Not don't do this, but why don't you do this? Or why would this be a problem? Sharing examples, telling the examples like that SalesLoft story so that people have a concrete example of why any of this stuff matters, because that guy in shipping doesn't care unless you can give them something to really think about. Make the safe path the easiest path. So find a tool or a tool set and give it a budget. I got in big trouble with, well, I know this is more #4, train your people to protect the firm, not to fear breaking the rules. Think 1000 people making very cool custom DNA things and a lot of them very sharp and able to use technology. Our IT department, we owned, this will date me, 2 million lines of Delphi code, which is object-based Pascal. Go Delphi.
We had this huge system up and running, and we started to notice that people were writing things against it. And we would see these queries run against production, like, wow, what are you doing here? The IT team's response, particularly the DBAs, and I'm sorry if there are DBAs or whatever that is today in the room, freaked out, wanted to shut everybody off always because they're DBAs and that's kind of their thing. Instead, I threw a conference. It got me in big trouble with the development team. I'm like, you guys, we're going to show them how to use production, and how to query customer, and how to query order, and how to get access to all of these systems, and you're going to tell them how. Because we want to bring these people into the fold. If you can show them, instead of don't do it, show them how to do it right. You're bringing these folks to the organization. You're helping us to build and contribute. And frankly, those renegades that take the time to go cause trouble like that, they're not doing it just because they're a pain in the ***. They want to help. So let's harness that. This is no different. And those renegades' tools are so much better than they used to be. Bring them into the fold. Train them to protect the firm. Show them how to do it right. Treat AI procurement like security review. Invite the security folks into the things that you're buying to make sure that they have an opinion. I would argue as well, as a security guy, please mention to them their job is not just to say no. Because they'll just do that. You know, I have an outcome and the outcome needs to outweigh the security implications of that. That would be a good thing to work through. But inviting those folks to the conversation at least gets them involved in the purchasing so that they can't say, well, this department, they don't even pay attention to me because, you know, I wasn't even invited to that decision. So I rolled out this tool. Shadow AI O.
I'm not saying shadow AI is a bad thing at all. I think it's one of the most promising parts of companies growing in the future. It gives people a force multiplier technology that they've never had before. You just have to treat them like humans and treat them like contributors rather than a problem within the organization. Yeah, except that it's being used and help people to use it right.
So that's what I got. I don't know how I am on minutes left. So if we have any questions that we want to take. Oh, I'm headed way. Thank you for being patient.
Thank you for the presentation. You talked about the pain in the *** renegades. I am that pain in the *** renegade.
You go, man.
What tips may you have for approaching, like I have many problems with the IT department, trying to figure out how to best interact so we can push innovation within the company. You seem to have a lot of experience with that. I would love to get your point.
I'll tell you the, I'll give you the formal answer and then I'll give you the crafty answer. The formal answer is that you probably need to go find whatever change control, how large is the organization?
Big, you're at Craig.
Okay, yeah, there'll be some group that decides on changes and so forth. I wouldn't go to the CIO. That woman or man's job is going to be to create and follow policy maybe more than foster innovation. I would go find somebody in development, somebody who's writing software in the organization and get to be BFFs with that person, so that then they can go up through their chain of command and say, hey, I've got this really smart guy over here who's writing stuff. Let's bring him into the fold. If you take that sort of bottom-up approach, most organizations, I would guess you'll have better luck than if you went to find, unless you're a Pella, you should go talk to them. Talk to this guy. I'm so impressed with that presentation. Yeah, that would be that would be my the other thing.
Executives like tangible examples showing like this is, I wouldn't talk a lot about architecture. I probably were transformers or how you've got here. I would talk more about outcomes. Consider the audience. That's always the case. What is the person you're talking to care about? Speak to that. A little social engineering goes a long way in getting a budget justified. It's a good question.
Other questions? Oh, wait. Oh, you're going to make me earn my keep today. This is good.
So I tested a new software that just implemented a new AI feature to it. How would you go approaching putting governance on some of that stuff? Because it's built in. It's not like I can shut it off, but I can say you should shut it off until you're confident to use it.
Sure.
Is that more of a governance rule in your head or? How do you approach it from a security risk?
I think it, ideally, the purchasing process would have included a review, or is this one of those like it just turned?
It just got implemented in the newer version of the software. If you're looking for an example, Revit 2027.
I'll give you 2 answers. than one, if it's one that gives you concern from a security perspective, and as much as I love quantitative approaches to things, if it's a qualitative thing, if it makes you feel not right, go call the security group and tell them, and I would treat it just as if you had found something bad I'm doing betting and testing right now. Yeah, there's a process that they will tend to have kind of down for evaluating an existing risk. Yes. If you point them at that, the downside to that is that you've maybe raised an emergency flag that, I mean, it may not be a thing, but you're using those very expensive emergency result. But I think the longer term question is to have something similar to what was described at Pella, which is a real governance program that includes that sort of reporting mechanism.
Yeah, and I'm going through that right now, making sure like my governance rules adhere to certain aspects of the AI assistant that I found work and then some that do not, I say, don't do that.
Yeah, I have not seen what I guess I would call like an ideal example. I think we're still figuring a lot of it out.
Thank you.
Yeah, yeah.