July 7, 2026
Everyone’s bolting Claude onto everything. Nobody’s asking the boring question.
Companies are racing to wire AI assistants into every tool, inbox, and workflow they own. The risk isn’t the model. It’s what they…

By h@shtalk
4 min read
Companies are racing to wire AI assistants into every tool, inbox, and workflow they own. The risk isn't the model. It's what they connected it to.
Every company I talk to right now is doing some version of the same thing: plugging Claude, or whatever model they've standardized on, into Slack, email, ticketing systems, internal docs, CRMs, sometimes production infrastructure — anything that moves. The pitch is obvious and not wrong: an assistant that can read your context and take action across tools genuinely saves time. What's missing from almost every rollout I've seen is someone asking the unglamorous question before the integration ships: what exactly did we just give this thing access to, and what happens if it's tricked into misusing it.
This isn't really about the model
It's worth being precise here, because the instinct is to treat this as "is the AI safe," which is the wrong frame. The model itself isn't the attack surface. The integrations are. A well-built assistant connected to nothing dangerous is, at worst, occasionally wrong in a low-stakes way. The same assistant connected to your email, your calendar, your internal wiki, and a tool that can actually send messages or modify records on your behalf is now a system with real permissions, operating on instructions it reads from text and text, as anyone who's looked at prompt injection knows, isn't a channel you can fully trust just because it showed up in a document instead of a terminal.
This is the part that gets skipped in most rollout conversations: every new integration is a new place where an instruction-shaped piece of content, a malicious email, a poisoned document, a calendar invite with the wrong line buried in the description can reach a system that's now empowered to act on it.
What "added to everything" actually expands
When a company connects an AI assistant to a tool, it's not just adding a feature. It's adding three things at once, and only one of them gets discussed.
Capability — what the assistant can now technically do. This is the part everyone's excited about and the only part most teams evaluate.
Reach — what other systems that capability touches, often transitively. An assistant with read access to a shared drive and write access to a ticketing system can, in combination, do things neither integration was individually designed to allow.
Trust boundary — what untrusted input the assistant is now exposed to as a side effect of having that reach. An assistant that summarizes incoming support tickets is now reading content written by literally anyone who can submit a ticket, and treating that content as something to process, not as something to be suspicious of by default.
Most security review, where it happens at all, focuses entirely on capability, meaning does this feature do what it's supposed to do. Almost nobody is mapping reach and trust boundary with the same rigor, which is exactly backwards, because reach and trust boundary are where the actual incidents come from.
A realistic failure mode, not a hypothetical one
Picture an assistant wired into a support inbox with permission to draft and send replies, plus read access to internal account data so it can personalize responses. A support ticket comes in containing text specifically crafted to look like an internal instruction rather than a customer message , something researchers have already demonstrated working against deployed systems. If the assistant doesn't have a hard boundary between "instructions I should follow" and "content I'm summarizing," that ticket can manipulate it into disclosing account information it had access to, or sending a reply it was never supposed to send. Nobody compromised a server. Nobody stole a password. A customer-facing text box was the entire attack surface, because that's where the assistant's trust boundary actually lived, even though nobody had drawn it that way on a diagram.
Why this is happening anyway
Speed. The competitive pressure to ship AI-powered features is real, and the organizations moving fastest are, almost by definition, the ones spending the least time on the question of what they've actually exposed. This isn't a criticism of the technology, it's the same pattern every fast-moving technology shift produces, where capability outpaces the governance needed to deploy it safely, and the bill comes due later, usually for someone who wasn't in the room when the integration was approved.
What a more honest rollout actually looks like
Before connecting an assistant to anything, map what it can reach, not just what it's meant to do — permissions have a way of compounding across integrations in ways no single team fully owns. Treat any content the assistant processes that originated outside your organization like emails, tickets, documents, scraped pages, as untrusted input, the same way you'd treat unsanitized user input in application code, because functionally, that's what it is. Separate read access from write access wherever the integration allows it, and require explicit confirmation for anything irreversible, the same caution you'd apply to a junior employee with broad access and an eagerness to be helpful.
The part that's still entirely a human decision
No vendor, no model, no amount of safety tuning can tell your organization how much risk is acceptable for a given integration, that's a judgment call specific to what the integration touches and what it would cost you if it went wrong. The companies handling this well aren't the ones with the most cautious assistant. They're the ones who had someone in the room willing to ask "what's the actual blast radius here" before the integration shipped, instead of after something went sideways and everyone reconstructed the access map for the first time during an incident review.
"We added AI to everything" is a roadmap slide. "We mapped what everything can now reach" is the actual security review. Be smart, do the second thing. Or reach out to me if you need a reliable security consultant that will help you do that. My Calendly is open: https://calendly.com/evaincybersec/h-shtalks.