China has issued draft regulatory measures for public comment addressing AI systems designed for human-like and emotional interaction.
The proposal emphasizes lifecycle responsibility, algorithm governance, data security, personal information protection, and mitigation of psychological risks.
From an information security perspective, this reflects growing attention to how AI design, data handling, and user interaction intersect with digital safety.
What implications could this have for global AI governance standards?
Engage in the discussion and follow @technadu for factual InfoSec and AI policy updates.
#InfoSec #AIGovernance #DataProtection #ResponsibleAI #CyberPolicy #TechNadu
📘 My new #book via @springernature_ct out!
Datafied Democracies & #AI #Economics Unplugged
Now sharing the #TableOfContents on @ssrn
⬇️🔗 https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5611311
Buy the #book:
🔗 https://link.springer.com/book/10.1007/978-3-032-11888-2
Controllable AI: Lớp hợp lệ tại thời gian chạy cho quản trị AI
Không phải AI xác suất, đây là một cổng kiểm soát thực thi để cho phép/từ chối hành động của AI dựa trên sự kiện và trách nhiệm. Con người giữ quyền phủ quyết cuối, đặc biệt trong lĩnh vực nhạy cảm như y tế/tài chính. Cần thiết để biến quản trị từ lý thuyết thành thực tế.
#ControllableAI #AIGovernance #AIEthics #AIRegulation #AI_có_thể_kiểm_soát #Quản_trị_AI #Đạo_đức_AI #AnToànAI
🛠️ KI-Engagement oder nur Show? Virales Organigramm zeigt: Strategie-Rollen boomen, operative Teams stagnieren.
👉 Meine Einschätzung: Übertrieben, aber mit Tendenz. Mehr Mitarbeitende müssen KI aktiv nutzen nur so entstehen skalierbare Lösungen.
(Picture Credits to Eduardo Ordax, 09.12.2025, via LinkedIn, "The real reason AI is failing inside companies (and nobody wants to say it) ..."; Social Media-Bearbeitung: Confias AI Solutions)
Privacy First, Security Always: The Only Sane Default
“Privacy first, security always” is either a real principle or it is marketing wallpaper.
People can smell the difference now. Not because everyone became a cryptography nerd overnight, but because the consequences turned personal. Accounts get drained. Identities get cloned. A harmless preference turns into a predictive profile. Then a company calls it “personalization” and expects gratitude.
I keep coming back to a simple line: if a system cannot respect boundaries, it does not deserve trust.
The quiet theft is not the breach. It is the business model
Security failures arrive with sirens. Privacy failures arrive with a checkbox.
Teams hide the most invasive defaults behind consent banners, vague policies, and settings buried three menus deep. That is why privacy first has to be architectural. If your product needs intimate data to function, the relationship starts compromised and every debate becomes about permission instead of necessity.
A practical test helps.
Picture your product landing on the desk of a skeptical customer who has already been burned. They ask one question: “Why do you need this data?”
A hand-wavy answer like “we might use it later” reveals the truth. You are not building a service. You are building a warehouse.
Privacy first means you design so the system does not need to know everything about someone in order to work.
Security always is not paranoia. It is respect for entropy
Security is not a feature you bolt on. Security is the discipline you practice.
Most compromises are not clever or dramatic. Routine mistakes create them: misconfigurations, over-permissioned accounts, leaked secrets, and unpatched dependencies.
Permissions sprawl until nobody can map them. Teams ship misconfigurations. Secrets leak because nobody rotates them. Dependencies drag risk into your product like barnacles. Backups fail the one day you need them. Logs exist but never tell a story.
Security always means you assume failure will happen and you engineer the impact down to something survivable.
That mindset can sound pessimistic. In reality, it respects entropy. Systems decay, incentives shift, and people make mistakes. Entropy does not care about your roadmap.
The practical blueprint: collect less, separate, prove
I like frameworks when they sharpen thinking and do not become religious scrolls. The simplest operating model I trust looks like this.
1) Collect less
Collect only what you can defend in one sentence to a skeptical user. Not to your lawyer. To your user.
Reduce identity where you can. Prefer short-lived identifiers over permanent ones. Process locally whenever it makes sense.
A privacy-first system does not brag about protecting your data. It quietly replies, “we never stored it.”
2) Separate what you must store
Treat data like it can explode, because it can.
Separate identifiers, content, metadata, and billing. Force access through clear boundaries. Encrypt sensitive fields at rest. Keep administrative power narrow and observable.
Isolation is also cultural. Engineers should not casually browse production data. A company that must “look inside” to operate has built a fragile machine.
3) Prove what you did
Logging is not glamorous. Auditability is not optional.
Teams earn trust when they can show what happened, who accessed what, and why. If you cannot prove access, you do not control access.
This is where “security always” stops being a vibe and becomes engineering.
Where AI changes the stakes
AI increases the temptation to repurpose data. More data looks like more capability.
That logic has a shadow.
Once the data exists, incentives attack it from every angle. Governments demand it. Attackers leak it. Brokers sell it. Lawyers subpoena it. Insiders misuse it. Product teams pull it into models because it feels convenient.
The old scandal playbook that turned personal information into political influence taught a brutal lesson. People do not hate being measured. People hate being manipulated.
Privacy first, security always refuses to build manipulation pipelines by accident.
The surveillance trade is a false bargain
Leaders keep offering societies the same deal: give up a little privacy for a little security.
The pitch sounds reasonable until you watch the pattern. Privacy leaves first. The promised security rarely arrives.
Real security looks boring in practice. Patching, least privilege, planning for failure, and building systems that do not collapse when one component breaks define it.
Mass surveillance does not deliver security. It delivers power.
That matters if you care about liberal values, because agency needs a private interior. People who feel watched do not explore ideas. They perform. When performance replaces honesty, innovation dies quietly.
What “privacy first, security always” looks like in real products
It looks like choices that feel slightly harder in the short term and far cheaper in the long term.
Open source helps here, not as ideology, but as visibility. Opaque systems force trust to become faith. Visible systems let trust return to engineering.
Shift: trust is becoming a business strategy again
For years, growth came easiest to the companies that treated people as data sources. That era is wearing out, because distrust is becoming expensive.
Customers ask better questions now. Teams tire of cleaning up preventable incidents. Regulators tighten expectations around data usage, especially when AI enters the picture. Investors learn that “move fast” turns expensive when you pay for the mess.
The economics stay simple: trust costs less to build early than to buy back later.
A line I like has stuck with me.
“You don’t need to drive the car to influence the journey. Speak clearly, and the driver might begin to listen. Place a sign on the roadside, and someone behind you will see it. Offer a compass, and you guide even without steering.”
Privacy first, security always is one of those signposts.
A society that shrugs at surveillance becomes a society that cannot breathe. A company that shrugs at security becomes a company that cannot be trusted. The two failures reinforce each other.
“Privacy first, security always” is the design stance that says: we do not need to own people to serve them.
Build systems that deserve users.
Call to action
If you build products, pick one system this week and run a simple trust audit.
Ask:
If you find a gap, fix one thing. Small repairs compound.
If this resonates, share the post with someone who ships software, and leave a comment with the hardest privacy or security tradeoff you are facing right now. I read them and I will reply.
Key Takeaways
🇰🇷 #ArtificialIntelligence #AIGovernance
https://apnews.com/article/south-korea-label-ai-ads-deepfake-6df668ae93489da7d448c66e53905bbb
South Korea will require advertisers to label their ads made with artificial intelligence technologies from next year as it seeks to curb a surge of deceptive promotions featuring fabricated experts or deep-faked celebrities endorsing food or pharmaceutical products on social media. Following a policy meeting chaired by Prime Minister Kim Min-seok on Wednesday, officials said they will ramp up screening and removal of problematic AI-generated ads and impose punitive fines, citing growing risks to consumers, especially older people who struggle to tell whether content is AI-made.
📝 Search Engines and Artificial Intelligence: Between Technological Transformation and Emerging Risks
Artificial intelligence is redefining how we search for information online. From Google's AI Overviews to agentic browsers, the implications for security, privacy, and European regulation require an...
🔗 https://www.nicfab.eu/en/posts/ai-search-engines/
#AIGovernance #AIOverviews #AgenticAI #AIAct #ArtificialIntelligence
Artificial intelligence is redefining how we search for information online. From Google's AI Overviews to agentic browsers, the implications for security, privacy, and European regulation require an integrated governance approach.
IT Insights
TechNadu
ICalzada
DevTo VN Bot
Jan Schmidt-Prüfer
Michael N. Kingsnorth
Renatomancer
Nicola Fabiano