Thursday, July 9, 2026

Vows, Oversight, and the Blueprint of GRC

Kosher Food for Thought: Vows, Oversight, and the Blueprint of GRC

In the opening of this week’s Torah portion, Parashat Matot, the Torah introduces the intricate laws of Nedarim, vows and oaths. The text explicitly warns, “If a man makes a vow to the Lord... he shall not profane his word; according to all that proceeds from his mouth, he shall do” (Numbers 30:3). However, the Torah immediately pivots to a highly structured framework of oversight. Classical commentaries, including the Rambam (Maimonides), explain that this mechanism exists because individual verbal commitments cannot be left entirely unchecked. Unregulated vows can create severe personal and communal vulnerabilities. The Torah balances individual accountability with a system of absolute governance, risk mitigation, and compliance.  

This dual structure of personal commitment and centralized oversight is the exact operational definition of Governance, Risk, and Compliance (GRC) in corporate technology. In any large enterprise, individual teams are constantly making "digital vows." Developers write code, deploy cloud assets, and establish access permissions to get their jobs done quickly. Left unregulated, this fast-paced environment leads to shadow IT, untracked applications and misconfigured servers set up without corporate approval. Without a strong GRC framework, these unmonitored digital promises create massive gaps in security, leaving the enterprise exposed to massive regulatory fines and devastating data breaches.

The halachic framework of Nedarim teaches us that execution requires constant validation. The head of the household represents the centralized compliance engine; they possess the visibility and authority to review an individual’s declaration, assess its long-term risk to the family unit, and cancel it if it introduces a security flaw. GRC platforms perform the exact same function. They automatically scan an organization’s digital landscape to ensure that every configuration complies with internal security rules and legal mandates, stepping in to revoke unauthorized actions or toxic permissions before they can be exploited.

The enduring lesson of Parashat Matot is that execution without governance is a recipe for failure. Innovation and speed are necessary, but they must be anchored by strict regulatory guardrails. True organizational resilience means building a culture where every developer's digital action is continuously validated against a centralized compliance standard, ensuring that no individual choice can inadvertently compromise the safety of the entire community.

Good Shabbos!

Thursday, July 2, 2026

The Threat of Blurring the Lines

Kosher Food for Thought: The Threat of Blurring the Lines

In this week’s Torah portion, Parashat Pinchas, the Jewish people are getting ready to finally enter the Land of Israel. To prepare for this massive transition, the Torah establishes strict, permanent borders for each of the twelve tribes. We learn this through a famous legal case brought by the daughters of Tzelofchad, which results in a divine law: land cannot be passed from one tribe to another (Numbers 36:7). The great commentator Ramban (Nachmanides) explains that these boundaries were not arbitrary. They were essential for keeping order and ensuring that each tribe maintained its unique identity and territory without causing chaos or mixing things up.

This ancient focus on keeping territories separated mirrors a major cybersecurity issue discovered by tech researchers this past week. Security teams found that a new generation of "AI web browsers," smart tools designed to browse the web, open tabs, and perform tasks for you, are accidentally breaking a foundational security rule called the Same-Origin Policy. Think of this policy as a digital boundary wall: it ensures that what happens on one website stays on that website. It prevents a sketchy site you accidentally clicked on from peeking into your bank account open in another tab. Because these new AI assistants are given broad permission to jump across tabs and gather data for you, they are accidentally tearing down those walls. A malicious website in one tab can trick the AI into stealing sensitive login info from a completely separate, secure tab.

The core lesson here is the danger of trading safety for convenience. In the Torah, the daughters of Tzelofchad are praised for their wisdom because they understood that society functions best when clear boundaries are respected. In the tech world, we often give new tools massive amounts of freedom just because they are helpful. But when we allow an AI assistant to blur the lines between secure and unsecure places, we leave ourselves wide open to a digital break-in.

Pinchas teaches us that boundaries exist for a reason. Whether we are dividing land or browsing the internet, true security means keeping distinct spaces fiercely separated. We must make sure our smart tech gadgets respect digital boundaries, ensuring that convenience never overrides basic safety.

Good Shabbos!

Thursday, June 25, 2026

Trust, Hidden Rules, and Protecting What Matters

Kosher Food for Thought: Trust, Hidden Rules, and Protecting What Matters

In this week’s Torah portion, Chukat-Balak (Numbers 19–25), we encounter one of the Torah’s most mysterious laws: the red heifer. God commands the Israelites to use the ashes of a perfect red cow, mixed with water, to purify people who have come into contact with death. Strangely, the very people preparing this purifying mixture become impure themselves. The Sages call this a chok, a divine decree that goes beyond simple human logic. Rashi explains that nations of the world and even our own impulses mock it because it doesn’t fit neat categories of clean and unclean. Yet it works within God’s system. The portion also shows human efforts to control events, complaints in the desert, or King Balak hiring the prophet Balaam to curse Israel, only for God to turn those plans upside down into blessings. The message is clear: we must act responsibly while accepting that some things are ultimately in God’s hands.

This tension feels very relevant to recent tech headlines. Just weeks ago, reports highlighted how AI tools are speeding up cyberattacks by helping criminals find weaknesses in software faster than before. A notable example involved the company Vercel, whose systems were breached through a third-party AI productivity tool called Context.ai. An employee had given this tool broad access to their work account (via something called OAuth permissions). Attackers used that trust to slip inside and reach sensitive information. The Trump administration’s new Executive Order on AI from early June emphasizes voluntary safety checks for powerful AI models before they are widely released, precisely because these systems can discover and chain vulnerabilities at high speed. 
From a Torah perspective, this mirrors the red heifer’s lesson about limits to human understanding. Rambam (Maimonides) taught that such chukim train us in intellectual humility, we follow divine wisdom even when we can’t fully explain every detail. In the same way, advanced AI systems are like complex “black boxes.” We benefit from them, but we cannot perfectly predict or control their behavior, training data, or side effects. Giving an external AI tool full access to your systems is like assuming something is pure without proper checks. The parsha warns against over-reliance on human cleverness (Balaam’s skills or our own “move fast” tech culture). Instead, it calls for careful boundaries, much like modern security ideas such as “zero-trust” to never fully trust any part of the system, even if it seems safe, and verify everything.

The Haftarah from Micah reinforces the practical takeaway: God does not want empty rituals or power plays. “He has told you, O mortal, what is good… to do justice, to love goodness, and to walk modestly with your God” (Micah 6:8). In our tech-filled world, this means building systems with real accountability, clear records of what AI does, careful limits on permissions, and honest assessment of risks from outside suppliers. We balance diligent effort (hishtadlut) with faith, protecting communities from both physical and digital harm.

Good Shabbos!

Thursday, June 18, 2026

The Fallacy of the Flattened Perimeter

Kosher Food for Thought: The Fallacy of the Flattened Perimeter

In this week’s Torah portion, Parashat Korach, we witness the ultimate challenge to authority and boundaries. Korach launches a rebellion against Moses and Aaron using a populist slogan: “For all the congregation are holy... why then do you lift yourselves up above the assembly?” (Numbers 16:3). Korach argued for a completely flat structure, contesting the necessity of specialized roles, specifically the restricted access rules that allowed only the priests to enter the inner sanctuary. His error was architectural: he conflated the collective value of the people with the operational need for structured boundaries and controlled access.

This ancient push to eliminate boundaries mirrors a massive digital security crisis. Researchers recently uncovered a massive, unsecured database containing over 24 billion plaintext records, usernames, passwords, and service credentials harvested by malicious software. When hackers steal authentication data, they effectively flatten a company's perimeter. By exploiting these stolen credentials, threat actors can bypass standard security gates. They achieve a dangerous realization of Korach's philosophy: a boundaryless landscape where any unverified outsider can instantly claim the identity and administrative privileges of a trusted insider.

The classical commentator Rashi notes that Korach was highly intelligent, yet his judgment was deeply flawed. In the Torah, structural separation is not an exercise in elitism; it is a critical safety measure designed to protect the community. For modern organizations, the lesson of Korach’s rebellion is a definitive warning against the fallacy of a flattened perimeter. In the pursuit of convenience, organizations frequently leave databases misconfigured or fail to restrict internal access. True security dictates that equality of value does not mean uniformity of system access; our digital defenses must maintain strict identity boundaries and require continuous verification to prevent total exposure.

Good Shabbos!

Wednesday, June 10, 2026

The "Free-for-Teacher" Loophole and the Limits of Delegation

Kosher Food for Thought: The "Free-for-Teacher" Loophole and the Limits of Delegation

In this week’s Torah portion, Parashat Sh’lach, we encounter the tragic turning point of the wilderness generation. The narrative begins with a divine concession: “Send for yourself men, that they may spy out the land” (Numbers 13:2). Rashi famously notes the nuance of Shelach Lecha—God is not commanding this reconnaissance; He is permitting it because the people demanded it. Moses, facing a systemic crisis of confidence from the nation, delegates this critical exploratory task to twelve tribal leaders, elites explicitly described as Anashim (men of high standing). By establishing this highly privileged, loosely managed exploratory committee, Moses inadvertently created a profound governance vulnerability. The spies were granted absolute internal network access to the Promised Land, yet they lacked the structural alignment to process what they observed without corrupting the system from within.  

This ancient failure of privileged delegation mirrors a massive, highly sophisticated cybersecurity crisis: the recent ShinyHunters breach of Instructure’s Canvas platform. In that incident, threat actors successfully exfiltrated terabytes of data and defaced portals at major institutions like Harvard and Princeton. The entry point? A feature known as the "Free-for-Teacher" program. This feature was fundamentally designed to bypass rigid institutional verification to foster accessible education. It allowed unverified users to spin up environments, act as administrators, and interact with the platform. Much like Moses allowing a specialized group to access the land under a mandate of trust rather than zero-trust verification, Canvas left a high-privilege access channel open to the public, underestimating how easily that channel could be weaponized by an adversarial payload.  

The deeper halachic and technical breakdown lies in the concept of Shelucho shel adam kemoto—a person's agent is as themselves. When we delegate authority, whether we are appointing a communal representative or writing an API integration that grants a third-party application admin rights, we create an extension of our own perimeter. The mistake in Sh’lach was assuming that because the spies were of high pedigree, their output would naturally align with the core security baseline of the nation (their faith).

In modern technology infrastructure, we routinely make the same mistake. We trust vendors, unvetted open-source libraries, or legacy administrative loopholes simply because they serve a noble or convenient purpose. The lesson of Sh’lach is that unchecked, unverified delegation—even when granted to the most elite "trusted users"—is the ultimate security flaw. True resilience requires that every agent, human or digital, be continuously authenticated, mapped to strict scopes of least privilege, and monitored against an objective operational standard.

Good Shabbos!