By Javvad Malik, Lead CISO Advisor at KnowBe4

There is a specific moment in every security professional’s career when they realise the traditional rulebook hasn’t just been ignored—it’s been torn to pieces. Mine arrived last week while watching a colleague engage in a debate with an AI agent over expense policy, while simultaneously being phished by what was almost certainly another AI posing as IT support.

For decades, the cybersecurity industry has clung to a comfortable, binary premise: humans work inside the walls, threats exist outside, and our job is to keep the two apart. It was a tidy worldview that made for excellent spreadsheets, even if we knew it was fiction.

Then, AI walked into the office without knocking. It’s a reboot of the classic 2010 iPad launch, where executives demanded connection to the corporate network, heralding the age of “Bring Your Own Disaster”.

The Multi-Species Workforce

The most uncomfortable truth facing modern organizations is that they no longer employ just humans.

Your current headcount includes Peter from Accounts Payable, his three AI assistants (two sanctioned, one very much ‘shadow’), a recruitment algorithm, and whatever experimental automation Marketing has hooked up to Slack to bypass a slow internal process.

They are all making decisions. And they are all sharing data.

When Peter’s AI hallucinates a rogue clause into a vendor agreement, or a chatbot leaks PII because a prompt-engineer asked nicely, where does the buck stop? Traditional security loves clean lines—User vs. Admin, Internal vs. External. But we are now operating in a world that has gone full analogue. We have created a workforce that is part human and part silicon, yet the risk remains entirely ours to manage.

The Futility of Punitive Security

Historically, we have managed security like a digital Alcatraz. If a user clicks a phishing link, we chastise them. If they use unapproved software, we discipline them.

But punishing people for being human is like shouting at water for being wet. It provides a few seconds of emotional release for the security team, but it doesn’t change the outcome. You cannot discipline your way to a secure culture, and you certainly cannot punish an AI agent into making safer choices.

So, what happens when your workforce is 60% human, 40% AI, and rising?

Navigating the Shadow AI Explosion

Shadow AI isn’t born from malice; it’s born from friction. Employees use unsanctioned tools because the approved versions are often slow, restrictive, and designed by people who think ‘user-friendly’ as a type of malware.

If your IT ticket for an AI request won’t be resolved until Q3 2027 but the free version of ChatGPT is open in a browser tab right now, the choice for a busy employee is a foregone conclusion.

To manage this hybrid reality, we need to view the workforce as a single, unified, complex adaptive system. Here is the framework for securing the blur:

• Govern the Decision, Not the Entity: We need governance frameworks that apply to the action, regardless of whether the actor is carbon-based or cloud-hosted. If a human isn’t allowed to export customer data to a personal drive, their AI assistant shouldn’t be able to either.
• Design for Invisible Perimeters: Assume you will never have 100% visibility again. Security must shift toward real-time behavioral monitoring and anomaly detection that tracks patterns across both human and machine activity.
• Build Intuitive Culture, Not Just Compliance: You teach a child to cross the road by explaining traffic lights, not by screaming at them every time a car passes. The same applies here. You cannot train culture into an AI model, but you can design systems where humans and AI operate within a framework that makes security intuitive.
• Treat Shadow AI as a Signal: If half your workforce is using unsanctioned AI, that isn’t a compliance failure—it’s a sign your current tools are failing your people.

The question is no longer if your workforce will become a hybrid of human and machine. It already is.

The real question is whether our security models will evolve to meet this reality, or if we will keep building expensive walls around a perimeter that vanished years ago. The workplace has changed; our job is to design security that works with human nature, rather than against it.

Attributed by Osama Alzoubi, Middle East and Africa VP at Phosphorus Cybersecurity

As Saudi Arabia races ahead in digital healthcare transformation, a quieter vulnerability lingers in the background: medical imaging systems that can be found – and sometimes accessed – directly from the public internet. Imaging infrastructure, diagnostic platforms, and hospital information systems are being modernized at speed improving outcomes, accelerating workflows, and bringing advanced clinical capabilities to more communities. But beneath this progress lies a quieter risk that rarely makes headlines: medical imaging systems being exposed on the public internet due to simple configuration errors.

Not a dramatic cyberattack. Not a threat actor breaching a firewall. Just avoidable misconfigurations that leave sensitive patient data reachable by anyone who knows where to look.

Medical imaging systems in Saudi Arabia face a persistent security challenge that differs from dramatic cyberattacks. Patient data exposure often occurs through configuration errors that leave systems accessible on the public internet. These technical oversights represent a significant vulnerability in healthcare’s digital infrastructure.

The Kingdom’s Personal Data Protection Law (PDPL) establishes strict requirements for handling health data. This legislation, modeled after international standards, mandates enhanced protection for medical information and imposes penalties for unauthorized disclosure. Hospitals must implement organizational and technical measures to prevent data exposure.

Radiology departments increasingly use digital platforms for case discussions and second opinions. Without proper configuration, these systems might allow unintended access to patient records. Teleradiology services, which expanded significantly during the pandemic, require secure transmission protocols to protect data during remote consultations.

When we hear about data breaches, we often imagine skilled hackers penetrating security systems. The reality is often simpler and more preventable. “Exposed” typically means a system is reachable from the public internet due to setup choices, not a sophisticated intrusion.

This happens in real-world healthcare settings for straightforward reasons: rushed deployments to meet clinical deadlines, vendor-supplied default configurations that were never changed, remote support access left open for convenience, and legacy systems that were connected to modern networks without proper security reviews.

The scale is significant. Research has identified over 1.2 million reachable devices and systems globally, including MRI scanners, X-ray systems, and related medical infrastructure. These are not theoretical vulnerabilities. They represent actual systems that can be found and accessed from anywhere with an Internet connection.

What gets exposed is more than images

Medical imaging files are not simply pictures. They carry identifiers and metadata that can connect scans directly to real people. Patient names, dates of birth, identification numbers, and clinical details often travel alongside the diagnostic images themselves.

This matters for several reasons. Beyond the obvious privacy violation, exposed patient imaging data creates risks of identity fraud, potential coercion or blackmail, serious reputational damage to healthcare institutions, and erosion of the trust patients place in their medical providers.

Security monitoring platforms have documented cases where exposed systems allowed direct access to both images and patient data—offering a level of detail that should never be open to anyone outside the clinical team.

Why this keeps repeating worldwide

Hospitals everywhere use similar device types and manage comparable data flows. The result is that the same setup mistakes appear repeatedly across different countries and healthcare systems. What starts as one hospital’s misconfiguration becomes everyone’s common failure mode.

The medical devices themselves often come with similar default settings. Imaging servers, picture archiving systems, and diagnostic viewers are deployed in comparable ways. When basic security steps are skipped during installation, the exposure follows a predictable pattern.

Health sector cybersecurity guidance from international authorities emphasizes the need for repeatable baseline controls precisely because these patterns recur. Reducing exposure requires not innovation, but consistent application of known protective measures.

Healthcare organizations face a common vulnerability pattern. A major healthcare provider addressed similar challenges across hundreds of hospitals, discovering that default passwords, vulnerable firmware, and device misconfigurations created entry points that threatened patient care and hospital operations across more than 500,000 connected medical and operational devices.

The Saudi-specific layer: connectivity at cluster scale

Saudi Arabia’s healthcare transformation includes the expansion of health clusters that connect multiple facilities into integrated networks. This approach improves care coordination and resource sharing, but it also means that one weak link can affect multiple sites.

National interoperability initiatives support the sharing of imaging and diagnostic reports across the healthcare system. The Saudi health ministry has established specifications for imaging data exchange through the national health information exchange platform, enabling providers to access patient scans regardless of where they were originally performed.

This connectivity is essential for modern healthcare delivery. It allows specialists to review scans remotely, supports second opinions, and ensures continuity of care when patients move between facilities. However, it also increases the need for consistent configuration rules and security standards across all connected sites.

When imaging systems within a cluster are not uniformly secured, the exposure risk multiplies. A misconfigured system in one facility can potentially provide access to data from across the entire cluster network.

A practical checklist hospitals can act on

Healthcare institutions can take concrete steps to reduce exposure risk. These are not theoretical recommendations but proven measures that address the most common vulnerabilities.

First, create a complete inventory. Every hospital should maintain a current list of what is connected to its network, including imaging devices, storage servers, viewing stations, web portals, and remote access tools. You cannot protect what you do not know exists.

Second, check external exposure. Verify that nothing sensitive is reachable from the public internet. This requires technical scanning from outside the hospital network to identify systems that respond to external queries. Many organizations discover exposures they did not realize existed.

Third, restrict remote access properly. Remote connections for maintenance and support should be tightly controlled, require strong authentication methods, and be removed entirely when no longer needed. Convenience should never override security when patient data is involved.

Fourth, implement safe setup procedures. Develop standard build guides for imaging systems, change all default passwords and settings, clearly document who owns each system, and establish responsibility for applying security patches and updates. Industry experience shows that default credentials remain one of the lowest barriers for attackers seeking entry into healthcare networks.

Fifth, conduct continuous checks. Exposure scanning should happen after any network changes, not just once annually. Healthcare networks evolve constantly, and new vulnerabilities can appear whenever systems are added or reconfigured.

These steps align with guidance from international cybersecurity authorities and health sector regulators, which emphasize reducing exposed services and strengthening baseline controls as priority actions for healthcare organizations.

The governance fix: make secure setup part of how clusters run

Individual hospital efforts are necessary but not sufficient. At the cluster level, governance structures must embed security into standard operations.

This begins with cluster-wide minimum standards for imaging systems and remote access. Every facility within a cluster should follow the same baseline security requirements, ensuring consistent protection regardless of which site a patient visits.

Clear ownership must be established for every system. Someone specific should be responsible for applying patches, approving access requests, and regularly checking for exposure. When accountability is diffuse, critical tasks get overlooked.

Procurement processes offer another leverage point. Purchase agreements should require vendors to provide secure default configurations, enable comprehensive logging capabilities, and commit to supported update cycles for the life of the equipment. Security should be a selection criterion, not an afterthought.

These governance approaches reflect sector framework guidance that encourages structured programs and repeatable controls rather than ad hoc responses to individual incidents.

Saudi Arabia has invested heavily in national cybersecurity frameworks and regulatory oversight across critical sectors, including healthcare. The foundation exists. The next step is ensuring those protections extend fully to the expanding ecosystem of IoT and IoMT devices — where simple configuration gaps can undermine otherwise sophisticated digital progress.

Prevent avoidable incidents

The goal is not perfection. Healthcare systems are complex, and some level of risk will always exist. The goal is removing the easiest path for data exposure: systems sitting openly on the public internet waiting to be found.

In connected healthcare, the quickest wins come from two simple principles: visibility and access control. Know what you have connected, and shut the doors that do not need to be open.

For Saudi Arabia’s health clusters, this represents an achievable objective. The infrastructure investments being made across the Kingdom’s healthcare sector create an opportunity to build security into expansion rather than retrofitting it later.

Medical imaging systems serve an essential clinical purpose. They should not also serve as unintended windows into patient data. With practical steps and consistent governance, hospitals can fix this quiet risk before it becomes a public incident.

In digital healthcare, exposure is rarely a mystery. It is usually a configuration. The question is not whether hospitals can fix it, but whether they will do so before patients pay the price.

By Federico Pienovi, CEO for APAC & MENA at Globant

When technologies go exponential, even experts are caught off guard. Generative AI is one of those inflection points and nowhere is this tension more profound than in healthcare and aging, particularly in the Gulf region where demographic realities are driving unprecedented transformation. In Saudi Arabia, the population over 60 is expected to increase fivefold by mid-century, making longevity no longer just a Western debate but a Middle Eastern economic and social reality where AI moves from optional to existential.

While most organizations struggle to operationalize AI beyond demos, Saudi Arabia and the UAE are building system-level infrastructure that represents the real story. Saudi Arabia is embedding AI throughout its healthcare system through Vision 2030, with the Saudi Genome Program using multi-omics data—genomics, proteomics, metabolomics—and AI to shift from reactive to predictive care, moving beyond isolated diagnostics toward continuous early detection models.

Riyadh recently showcased the world’s first fully robotic heart transplant, CAR-T cell therapy advancements, VR-based medical education, and mobile stroke units with advanced diagnostics, while digital twin technology and precision medicine are becoming standard rather than experimental. These initiatives reflect a national longevity strategy that positions geroscience research and personalized digital twins as core infrastructure, with private-sector innovators like Rewind building AI-powered diagnostics to prevent disease before it emerges.

The UAE has gone even further, treating longevity as a national industry with Abu Dhabi’s Pura Longevity Clinic offering AI-integrated assessments and personalized prevention programs that combine nutrition, sleep, fitness, and mental health services, positioning longevity medicine as mainstream rather than elite. Dubai aims to become the global capital of “well-care”, biohacking, stem-cell therapies, and AI-driven anti-aging, as part of a broader strategy to engineer the “100-year life” through advanced preventive and regenerative medicine.

The UAE now hosts 680 longevity companies and 670 investors across 100 innovation hubs spanning PharmTech, telemedicine, advanced cosmetics, mental health, and wellness, making longevity a full economic sector. The Institute for Healthier Living Abu Dhabi is building a Healthy Longevity Medicine ecosystem with longevity-focused clinical care, innovation hubs, and population health research, while government-level commitment is evident through Abu Dhabi’s Department of Health convening global forums to accelerate personalized healthcare and longevity science.

Beyond the Hype: The Human Element

But here’s the uncomfortable truth: more AI doesn’t automatically mean better health. Like millions of others tracking sleep, monitoring recovery, and measuring stress variability, we risk becoming surrounded by dashboards of health metrics where everything is quantified and notified, yet the more data we collect, the more a critical question emerges—are we actually healthier, or simply more informed about our anxiety?

The healthcare system risks repeating the same mistake enterprises made with digital transformation, adding layers of technology without redesigning the underlying architecture, creating more apps, more portals, more fragmented experiences, with noise disguised as progress.

Harvard Medical School researchers have highlighted how AI can already match or exceed clinicians in specific diagnostic tasks, particularly in imaging and pattern recognition, while MIT’s Jameel Clinic has demonstrated how machine learning models can accelerate drug discovery cycles from years to months, and McKinsey estimates that generative AI could unlock up to $100 billion annually in value across pharma and medical products alone.

Yet the promise of AI in aging is not about adding intelligence everywhere,it’s about reducing friction and elevating judgment through agentic AI systems capable of orchestrating actions autonomously across complex environments, moving healthcare from reactive to anticipatory with adaptive health pathways tailored to biology, behavior, and environment instead of generic wellness advice.

We must be careful because biology is not software, data can be biased, predictions can be misinterpreted, and AI systems trained predominantly on specific datasets may fail in other populations, making governance, explainability, and medical accountability foundational requirements rather than afterthoughts.

The Bigger Picture

From a technology executive’s perspective, the next decade will redefine healthcare economics as systems shift from hospital-centered to prevention-centered models, payment structures evolve toward outcome-based frameworks, and AI doesn’t replace physicians but enables those who leverage it to outperform those who don’t.

The Middle East understands this transformation, with the UAE’s push into genomics and Saudi Arabia’s investments in biotech and digital health reflecting recognition that longevity will shape national competitiveness, where healthy lifespan, not just GDP, will define prosperity.

In these nations where governments are investing heavily in smart hospitals, genomics programs, and national AI strategies, the opportunity is enormous as they position themselves as global hubs for the future of healthspan and aging, demonstrating that AI is moving from experimentation to infrastructure with longevity becoming a national economic and healthcare priority.