hacker news shipped a piece this week - '2026: the year of ai-assisted attacks'. it's the headline every ciso in my inbox forwarded. the panic narrative isn't wrong. it's just expensive to respond to after the fact. the price ladder of an ai breach before-the-breach: $997 audit, 4 hours, procurement-ready report during-the-breach: $50k-$300k incident response retainer + counsel after-the-breach: regulatory fines (gdpr is 4% of global revenue), class action, reputational damage the difference between rung 1 and rung 3 is whether you had a log and a policy when the incident started. what the audit covers that the panic narrative misses the headlines focus on offensive ai - phishing kits, deepfake call centers, autonomous lateral movement. the real exposure for most companies is defensive - their own agents, deployed without governance, doing things their security team doesn't see. the attacker doesn't need a state-sponsored deepfake.…