I've been working in tech since the late 90s. This is the biggest and most sudden change in company behavior I've ever seen. The only thing that comes close was the web 1.0 world in the 90s where everything suddenly became websites.
That creates tons of risks and opportunities. Good and bad. Maybe a great time to start a security company. But maybe a terrible time to be a small time web app developer when your clients can get 'good enough' in minutes for dollars on their own.
Your comments read like reddit clickbait. How many of these executives/senior/coffee bean/whatever ppl do you even know and why are you the one enlightening them with claude cowork? "Every X i know" sounds like a large sample size. Make ridiculous claims by prefixing "every X i know".
I feel so angry at this linkedin speak. so infuriating. Hate that we've accepted these ppl without any pushback.
I say this as someone who deals with sales/CRO/CFO functions quite regularly, I have to tell everyone that uploading contracts to Claude and/or ChatGPT does not hold confidentiality because files are not covered under enterprise ZDRs. [0] [1]
It comes down to 'everyone else is doing it' without an understanding of why, then past that, the what of how that applies to the specific business to find the unique value of AI to an organization that does not touch external networks.
Please give your GC the links below, let them look over your contracts and obligations to ensure you aren't exposing risk for no real reason other than saving a couple seconds for something that a SDR/BDR level employee could do.
[0] https://code.claude.com/docs/en/zero-data-retention#what-zdr...
[1] https://developers.openai.com/api/docs/guides/your-data#zero...
It’s an interesting time.
where do you see this going/any interesting theories?
If it's so obvious that everyone is doing it then you don't need "every executive i know takes a shit".
Every interaction is now laced with ulterior motives like op trying to pitch himself as ai expert to sell his courses or whatever. He is apparently going around blowing executives' minds with claude cowork. So ridiculous.
With all due respect, I have no idea what you are talking about. I'm saying that I've observed friends and associates (who are executives, because I'm old and work in business) pick up and adopt a specific tool at rates faster than any other tool I can think of, which seems interesting to me. Do with that information whatever you want. It's just an anecdote from a random person on the internet. I'm sorry that this observation makes you angry.
I'm not selling or pitching you (or anyone else) anything. I haven't taught any programming courses since the 2010s (pre-ChatGPT).
> Every executive/leader I've shown Claude Cowork
now you are saying you were merely "observing" ?
Wait, you exposed people to a technology, taught them how to use it, then you are not going to own the implications of that action without teaching them about the risks or telling them how they need to ensure they don't shoot themselves in the face or violate their duty of care?
Do you understand what you are saying and the implications of that in the real world relative to the insurance contracts that they have?
Your company is associated with HIPAA, you should have a much higher standard than this.
For big corps - this is different. But modulo HIPAA - this is why they are gung ho about binding arbitration - they are trying to match velocity to some degree - and mostly failing…
From what I have seen - most executives would rather shut down the business and quit than accept the possibility of personal liability - and just avoid the regions of the world in which they do have it.
I think this is where we have the issue in my tone and approach to my comments. My response was based off of the OP stating that the people who they were introducing were 'executives/leaders' and not 'friends', which has a very different connotation when it comes to information security, liability, responsibility, accountability, and ownership. It was only in their response to my question about risk ownership that they described the persons as friends.
If they had said 'friends' from the very beginning, instead of 'executive/leader' I would not have had the reaction that I did. The reason why I brought up HIPAA was because of 'executive/leader', since the idea of duty of care extends to leadership within any organization, especially those who are involved with healthcare, which they know based off of their company.
>"I’m a CFO and network regularly with other executives, board members who also are board members at other companies, investors, people who see a combined large population of companies"
The call to HIPAA wasn't about PII, it was about knowledge around standards and regulations such as HIPAA when it comes to application/information/network security is just baked in. Which is why the passivity around the statement made no sense given the risks/obligations/liability associated with vibe coding applications at the executive level, which someone whose company deals with HIPAA should understand and appreciate.
Never have I said that, and please quote me word-for-word otherwise, what I said applied to "every executive/leader at my place of business who does nothing except work with PII data all day", that is a windmill you created yourself.
You can keep tilting at the windmill.
[0] https://news.ycombinator.com/threads?id=Ucalegon#48133230
But I appreciate you trying to police the expression of my deeply held beliefs, but, like, nope!
If you care about data privacy, especially your own protected health information, that sentence should give you a lot of comfort.
In a HIPAA environment, people who are sufficiently trained on how to develop regulated software securely are called "software engineers".
In my opinion, agents will replace the majority of the rest of businesses before they are good enough at agentic engineering to be able to autonomously develop software that safely and reliably can manage PHI without a single mistake.
It goes without saying: never trust your PHI to any company who is vibe coding in production.
'Adding value' is a very interesting statement and way to judge the worth of something. Adding value to who? And if that value add also causes massive harms, how do we reconcile that? So you build a brand new app which does all of the things that all of your total addressable market wants, but it also exposes all of the IP of your existing clients, does that mean you will be able to achieve that TAM?
Corp IT does not exist in a vacuum. Understanding the why of that isn't a 'you should just accept this' but more 'how can we make this better and avoid mistakes already made by others'. I will always point to aviation and 'bold text is written in blood' as a great model to understand all of this not as a blocker but, instead, as a building block.
In general, safe businesses can only exist with government support or government prohibition of all other businesses globally - and that is a very hard bar to clear.
In a properly structured organization, of which there are many and who are required by regulations and/or best practices, senior executives tend to have need/role-based access to information, just like everyone else in the organization. So they may have access to strategic business information, but not patient records or payroll. They may have access to planning data, but not the financial records of individuals or clients. Etc. etc.
Smaller or newer orgs may not have this compartmentalization, but in general I think the principle holds true for orgs over a certain number of folks in size.
Generally, when it comes to 'privileged' information within an executive's inbox it is business information or trust relationships and not specific PII/PHI of a user. It was me being terrible at trying to impart that even the most benign-seeming access may have major consequences even if it is not a total compromise of everything given the massive scope of 'what could happen' with executives vibe coding applications, like something managing their inbox past their EA, or something trivial seeming.
These are 'proper' (sometimes) access controls, but can still be abused. Not from email...but you get the idea.
Compliance is due to the legal obligations thanks to local regulations and obligations that are defined through contracts with 3rd parties.
Saying 'found the Microsoft person' expresses a lack of understanding of the domain.
This is how IT acts in my enterprise orgs. There is absolutely a need for compliance and governance but unfortunately the people in these roles are typically not technically minded and have low incentives to innovate so you get these folks only really arguing for their jobs.
Do you think the MSFT sales person, or anyone who has the financial incentive to innovate, doesn't want you to innovate? They want you on Azure and O365 regardless, they don't care.
Hell, Microsoft will give you 150k [0] of credits to do so.
But keep talking as if you have some magical, unique, special insight that escapes contracts and the law, compared to the people who, sadly, have to deal with reality.
Risk is always nonzero but you can already today get pretty comfortable with most of these orgs with some customization in the contracts.
We are talking about vibe coded applications by executives and the risks that are associated with that, nothing within a DPA covers that. Please, be my guest, link an Anthropic DPA which includes indemnity for damages associated with the code produced.
Again, you keep showing your lack of understanding of the domain in some really fundamental ways which shows that you haven't negotiated B2B contracts nor have you held a position of responsibility where you hold liability.
But keep responding because this feels more like therapy for you, and your feelings about people like me, rather than the realities of the exposure that come from vibe coded applications for executives.
Each entity and group have to consider the risks. I don’t think anything you’re trying to point at though is really useful for the discussion at hand. There is absolutely a use case for Claude code/cowork/codex and related tools to be used by non-technical folks. There is also a lot of figuring out in each of these groups. Unfortunately IT in most orgs in what I have seen have ignored the art of what’s possible for the last 3 years and now that we have hit this inflection point are scrambling to catch up but sadly the incentives are usually not aligned so they are really only incentivized to not take any risks.
You went further than "a joke."
You continued making aggressive, non-substantive remarks that were out of line.[0]
#1 > you have no idea about the details.
#2 > i don’t think you have a grasp what’s going on around you.
#3 > What is your deal about contract law? It’s not some mystical thing.
You wasted everyone's time.
There are significant reasons why an organization would not want to use Cowork, because it does not fall under Anthropic's ZDR [0], which is a huge issue for... anyone dealing with anything sensitive.
What I think this comes down to is that you value velocity regardless of whatever the costs. We will get to see how that solves itself, there are going to be a lot of billable hours that are going to figure that out.
But none of this means that you have any idea what you are talking about nor do you understand why individuals or organizations act the way that they do.
You are free to do it better. Please do.
[0] https://code.claude.com/docs/en/zero-data-retention#what-zdr...
I am sorry you feel this way, it does not change the facts of what's being discussed, it's just that you disagree and you lacked the initial courage or intellectual capabilities to express that constructively, so you had to obfuscate through providing nothing of value to the discussion via low value comments. I get that YOU don't think something, but just because YOU feel something doesn't make it valid, grounded in reason, or should be listened to.
Have a great rest of your day and weekend!
But you are totally free to build a company where there is no oppressive corporate IT, where there is always an incentive to innovate and grow, you can build that future.
The reason why that will not happen might be contained within the first ten words of the first sentence of my first paragraph, but you can prove me wrong. Let me be your motivation! Your dream should be your reality!
Not sure why you keep thinking I have anything to prove to you. My point stands. The governance and risk are a very valuable discussion and it's going to change between industry and the trust level of each group.
Unfortunately most IT is short sighted and trying to play catchup. We had 3 years of thinking about how these tools are going to impact the workplace and are now rushing to catch up while also being insistent that Copilot is a worthwhile alternative. I generally disagree with that. I am not advocating that IT is oppressive but that unfortunately most IT leaders are not technical and it shows.
My point has been consistent. You jumped to specific conclusions from a 30-second post that adds little to the parent discussion.
IMHO,
1. Dismissing attorney client privilege is reckless
2. and the vast majority of users aren't aware of what "customization in the contracts" is needed to enable autonomous agents or if it's already contractually allowed.
This is still a fair question:
> Do you, and those executives, own the risks associated with that practice? Are those risks actually indemnified?