In this episode of the Distilled Security Podcast, we break down three converging forces reshaping how organizations manage AI risk — and what you need to do about it now.

🔹 BIPA + AI Notetakers — A class action lawsuit exposes unauthorized biometric data collection, why a single Illinois meeting participant creates liability, the Shopify wiretapping dismissal, and the steps you should take today to audit your AI tools
🔹 GRC Engineering Meets AI — Real AI compliance tools vs. vaporware, using LLMs for policy drafting and control mapping, the hallucination accountability problem, building AI guardrails as code, and the NIST RFI on AI Agent Security (comments due March 9, 2026)
🔹 ISO 42001 Deep Dive — The first AI Management System standard, how it differs from ISO 27001, AI Impact Assessments vs. traditional risk assessments, stakeholder engagement requirements, and why certification is becoming essential for EU AI Act compliance

🥃 Spirit Review: Redbreast 12 Cask Strength
https://www.redbreastwhiskey.com/en-us/whiskey-collections/redbreast-cask-strength-whiskey/

⏱️ Timestamps

0:00 Intro & Episode Overview
2:04 BIPA & AI Notetakers
25:08 GRC Engineering Meets AI
1:07:15 🥃 Spirit Review: Redbreast 12 Cask Strength (Irish Whiskey)
1:11:17 ISO 42001
1:49:30 Outro & wrap-up

🎙️ Hosts
Justin Leapline – @justinleapline
Joe Wynn – @wynnjoe
Rick Yocum – @rickyocum

🌐 Connect with Us
Website: distilledsecuritypodcast.com
X: @DisSecPod
Email: hello@distilledsecuritypodcast.com

👍 Like, comment, and subscribe for weekly security and compliance insights.

In the first episode of 2026, the Distilled Security team kicks off the year with a practical discussion on security priorities, key compliance dates to watch in 2026, and why misleading the government on cybersecurity compliance can have serious consequences.

The conversation focuses on simplifying security programs, returning to core fundamentals, and learning from real-world enforcement and regulatory cases. The episode closes with a holiday pour and a preview of format changes coming next.

⏱️ Timestamps

• 0:00 Intro & episode overview
• 0:33 2026 security resolutions: simplify & back to basics
• 5:45 “Science projects”: removing emotion from decisions
• 8:36 Justin’s goals: family, travel, business & AI workflows
• 17:52 EOS + Atomic Habits workbook (goal planning)
• 23:54 Key compliance dates to watch in 2026
• 31:45 California privacy updates & risk assessments (CCPA)
• 35:39 EU AI Act + NIS2 enforcement ramp-up
• 42:48 Drink break: High West “A Midwinter Night’s Dram.”
• 45:04 Don’t mislead the feds: FedRAMP, SolarWinds, CMMC—wrap-up to 1:20:12

🎙️ Hosts

• Justin Leapline – @justinleapline
• Joe Wynn – @wynnjoe
• Rick Yocum – @rickyocum

🌐 Connect with Us

• Website: distilledsecuritypodcast.com
• X: @DisSecPod
• Email: hello@distilledsecuritypodcast.com

🥃 Drink of the episode: High West A Midwinter Night’s Dram

In this episode, we break down a major Cloudflare outage, explore how a nation-state used AI agents to automate a cyberattack, and discuss the growing risks around MCP integrations. We also highlight why GRC Engineering is becoming essential to modern security programs and wrap up with key regulatory updates, including CMMC changes affecting thousands of contractors.

Topics covered:
• Cloudflare outage impact and root cause
• Nation-state attack using AI agents to automate intrusion steps
• MCP (Model Context Protocol): power, risks, and examples
• Why GRC Engineering is the future of compliance and automation
• Updates on GDPR, ISO 27701, California AB 5866, and SEC rules
• CMMC assessor shortages and what organizations must prepare for

Spirit of the Episode
• Knob Creek 21-Year Limited Release – rich caramel notes, heavy char, smooth for 100 proof

Timestamps

• 0:02- Cloudflare Outage Stories & Global Impact
• 3:07- Root Cause, Not a Cyberattack & Third-Party Risk Reality
• 10:38 - China Uses Anthropic’s Claude + MCP for Automated Cyberattacks
• 14:17 - Full AI Attack Lifecycle Explained
• 27:18 - MCP: The API for AI & Its Security Risks
• 44:05 - Bourbon Break: Knob Creek 21-Year Review
• 50:02 - GRC Engineering Deep Dive: Automation & Controls-as-Code
• 1:24:13 - Regulatory Roundup: GDPR, ISO 27701, California AB 566, SEC SP
• 1:44:27 - CMMC 2.0 Crisis: Auditor Shortages & DoD Contract Impact
• 2:11:20 - Closing Thoughts & Episode Wrap-Up

Hosts

• Justin Leapline – @justinleapline
• Joe Wynn – @wynnjoe
• Rick Yocum – @rickyocum

Connect with Us

• Website: distilledsecuritypodcast.com
• X: @DisSecPod
• Email: hello@distilledsecuritypodcast.com