AI, Vulnerability Management & The Future of GRC Engineering

In this episode of the Distilled Security Podcast, we dive into AI-driven vulnerability management, a massive breach hitting 9,000 educational institutions, and the future of GRC engineering, including a live preview of what autonomous compliance agents actually look like in practice. 🔹 AI & Vulnerability Management — Why the next 6–18 months will be a patching crisis, how AI models are accelerating zero-day discovery, the operational reality of back-to-back criticals, surge scenario planning, burnout risk, and Microsoft's M-Dash orchestrated agent approach 🔹 The Canvas/Instructure Breach — 275 million records exposed, finals week disrupted across 9,000 universities, a rumored $10M ransom negotiated by the SaaS provider, the Shiny Hunters connection, and what this means for critical infrastructure concentration risk 🔹 GRC Engineering Meets AI—Deterministic vs. non-deterministic testing explained, why auditors can't rely on AI-generated evidence, autonomous agents with segregation of duties, the Episky 2.0 platform preview, and the emerging role of the "orchestration conductor" in security teams 🥃 Spirit Review: Heaven Hill Grain to Glass (DSP KY-1) ⏱️ Timestamps 00:00 – Intro & Topics Overview 01:27 – AI & The Coming Vulnerability Surge 07:00 – Patching Windows, Burnout & Operational Reality 16:40 – Surge Scenarios, Fix-It Weeks & Recommendations 21:20 – Microsoft M-Dash: Orchestrated Agent Scanning 25:56 – The Canvas/Instructure Breach Breakdown 33:18 – Critical Infrastructure & Third-Party Concentration Risk 47:00 – Black Kite 2026: Third-Party Breach Report 53:11 – Spirit Review: Heaven Hill Grain to Glass 57:07 – BSides Pittsburgh 2025 Update 1:04:01 – GRC Engineering Meets AI 1:19:00 – Deterministic vs. Non-Deterministic Testing Explained 1:25:00 – episki 2.0 Platform Preview 1:47:00 – AI Segregation of Duties & Three Lines of Defense 1:53:00 – The Orchestration Conductor: A New Security Role 2:02:31 – Outro & Wrap-Up 🎙️ Hosts Justin Leapline – @justinleapline Joe Wynn – @wynnjoe Rick Yocum – @rickyocum 📬 Send Us Your Questions! [email protected] 🌐 Connect with Us Website: distilledsecuritypodcast.com X: @DisSecPod Email: [email protected] 👍 Like, comment, and subscribe for monthly security and compliance insights.