Two Things I Couldn't Let Go This Week
I try to write about what's worth saying. This week, two things qualified, and they have nothing to do with each other. I couldn't choose, so you're getting both. Lucky you. Apologies in advance for the whiplash.
---
First. Your patching program is running behind schedule
Verizon released its 2026 Data Breach Investigations Report on May 20. The headline: for the first time in the report's 19-year history, vulnerability exploitation overtook stolen credentials as the most common initial access vector in breaches.
Here's what the data says is driving it: organizations aren't patching fast enough. Of the vulnerabilities on CISA's Known Exploited Vulnerabilities (KEV) list, the ones CISA flags because attackers are actively using them, only 26% had been fully remediated across the roughly 13,000 organizations Verizon surveyed. The year before, that number was 38%. It went backward. Median time to fully patch a vulnerability is now 43 days, up from 32 days the prior year.
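The two numbers above, share of KEV entries fully remediated and median days to fix, are easy to track for your own estate if you join scanner findings against the KEV feed. The script below is an added example, not code from the DBIR or from this post. The feed stand-in uses the real CISA KEV JSON field names (`cveID`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`; the live file is at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), but the catalog entries, the asset findings and the CVE IDs in it are constructed placeholders, not real vulnerabilities. A CVE only counts as fully remediated when every affected asset is fixed, which is the reading that matches the DBIR's "fully remediated" metric.

```python
"""KEV-driven patch backlog check (added example, not from the DBIR).

Joins an inventory of scanner findings against a CISA KEV catalog and
reports: how many KEV CVEs are present, how many are fully remediated,
median days-to-fix, open findings past CISA's due date, and open CVEs
CISA marks as used in ransomware campaigns.
"""
from datetime import date, datetime
from statistics import median

# Constructed stand-in for the CISA KEV feed. Same field names as the real
# feed; the CVE IDs are placeholders, not real CVEs.
KEV_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "dateAdded": "2026-01-10", "dueDate": "2026-01-31",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "dateAdded": "2026-02-14", "dueDate": "2026-03-07",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "dateAdded": "2026-03-01", "dueDate": "2026-03-22",
         "knownRansomwareCampaignUse": "Known"},
    ]
}

# Constructed scanner output: one row per (asset, CVE). 'fixed' is None while open.
FINDINGS = [
    {"asset": "web-01", "cve": "CVE-0000-0001", "first_seen": "2026-01-12", "fixed": "2026-02-20"},
    {"asset": "web-02", "cve": "CVE-0000-0001", "first_seen": "2026-01-12", "fixed": None},
    {"asset": "vpn-01", "cve": "CVE-0000-0002", "first_seen": "2026-02-15", "fixed": "2026-03-01"},
    {"asset": "db-01",  "cve": "CVE-0000-0003", "first_seen": "2026-03-02", "fixed": None},
    {"asset": "db-01",  "cve": "CVE-0000-0999", "first_seen": "2026-01-05", "fixed": "2026-04-01"},  # not in KEV
]

TODAY = date(2026, 5, 20)  # fixed so the example is reproducible offline


def parse(d):
    """Parse the YYYY-MM-DD strings used by both the KEV feed and the findings."""
    return datetime.strptime(d, "%Y-%m-%d").date()


def load_kev(catalog):
    """Index the KEV feed by CVE ID so findings can be joined in O(1)."""
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def kev_report(findings, kev, today):
    """Compute the numbers a patch program should track against KEV."""
    kev_findings = [f for f in findings if f["cve"] in kev]

    # Group per CVE: a CVE is fully remediated only when every asset is fixed.
    by_cve = {}
    for f in kev_findings:
        by_cve.setdefault(f["cve"], []).append(f)
    fully = [c for c, rows in by_cve.items() if all(r["fixed"] for r in rows)]

    # Open findings whose CISA due date has passed, with days overdue.
    overdue = sorted(
        (f["asset"], f["cve"], (today - parse(kev[f["cve"]]["dueDate"])).days)
        for f in kev_findings
        if f["fixed"] is None and parse(kev[f["cve"]]["dueDate"]) < today
    )

    # Open CVEs that CISA flags as used in ransomware campaigns: patch these first.
    ransomware_open = sorted({
        f["cve"] for f in kev_findings
        if f["fixed"] is None and kev[f["cve"]]["knownRansomwareCampaignUse"] == "Known"
    })

    # Days from first detection to fix, over closed KEV findings only.
    days = [(parse(f["fixed"]) - parse(f["first_seen"])).days
            for f in kev_findings if f["fixed"]]

    return {
        "kev_cves_present": len(by_cve),
        "kev_cves_fully_remediated": len(fully),
        "remediation_rate": round(len(fully) / len(by_cve), 2) if by_cve else None,
        "median_days_to_fix": median(days) if days else None,
        "overdue": overdue,
        "open_ransomware_kevs": ransomware_open,
    }


def run_example():
    """Run the report over the constructed data above."""
    return kev_report(FINDINGS, load_kev(KEV_CATALOG), TODAY)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

On the constructed data this reports 3 KEV CVEs present, 1 fully remediated (33%), a median of 26.5 days to fix, two assets past their CISA due date and two open ransomware-linked CVEs. The point of the per-CVE grouping is that `web-01` being patched does not make CVE-0000-0001 remediated while `web-02` is still open; counting per finding instead of per CVE is how a program reports a better number than it has earned.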
The social engineering picture has also shifted. Phishers are having more success via voice and text than email. Pretexting — fabricating a scenario to manipulate someone into handing over access — has become a more common initial path into ransomware attacks. Groups like Lapsus$ and ShinyHunters have built reputations around phone-based social engineering, and there are now off-the-shelf phishing kits built specifically to automate vishing calls at scale. The human element isn't going away. It's just changing channels, because it still works.
Third-party exposure adds to the vulnerability problem. Third-party involvement in breaches jumped 60% year-on-year and now accounts for nearly half of all breaches. Of the third-party organizations with identified MFA gaps, only 23% fully remediated them. Weak passwords and permission misconfigurations take close to eight months to fix, on average. That's a vendor management problem as much as a technical one.
Ransomware grew to 48% of all breaches, up from 44%. But 69% of ransomware victims didn't pay, which is worth noting for organizations still building response plans around the assumption that payment is the likely outcome. The more relevant data point may be this: of the ransomware victims that had a prior credential leak, half had that leak within the 95 days before the attack. Infostealers are feeding initial access brokers, who package and sell credentials so ransomware operators can skip straight to deployment. The credential breach and the ransomware aren't always the same event, and the gap between them is the window you have to detect the first one.
One new category worth flagging: shadow AI. The DBIR found it's now the third most common non-malicious insider action appearing in DLP data — a fourfold increase from the prior year. Employees using AI tools outside sanctioned channels is generating a new class of data exposure that most incident response plans haven't mapped yet.
Hardening authentication and enforcing MFA are still worth doing. The 2026 DBIR doesn't say to stop. It says vulnerability management and third-party oversight are now where the concentrated exposure is. Those two areas haven't gotten the same attention, and the data shows it.
---
Second. Colorado threw out its own AI law before it even took effect!
In May 2024, Colorado became the first state to pass a comprehensive AI law. The Colorado AI Act had real teeth: a duty of care for developers and deployers, risk management programs, impact assessments, protections against algorithmic discrimination, and a requirement to disclose when consumers interacted with non-obvious AI systems. It was supposed to be the national model.
It never took effect.
Industry pressure started immediately after the signing. The legislature considered amendments, then delayed the effective date, first to February 2026 and then to June 2026. In March 2026, Gov. Polis convened a workgroup to draft a replacement. SB 189 was signed into law on May 12.
Gone from the new law: duty of care, risk management programs, impact assessments, the algorithmic discrimination provisions, the non-obvious AI disclosure requirement. What SB 189 gives consumers instead is a disclosure-based framework with limited rights that only activate after an adverse outcome has already occurred.
Here's how the new framework actually works. Deployers must provide a pre-use notice before using covered AI to materially influence a consequential decision. If that decision goes against the consumer, they must receive a post-adverse outcome notice within 30 days — explaining the AI system's role, the categories of data used, and how to request a human review. The human review requirement is real: SB 189 defines it as someone with actual authority to approve, modify, or override the decision who doesn't simply defer to the system output. But consumers only get there after something has already gone wrong.
On enforcement: the Colorado AG has sole authority, with a 60-day cure period required before penalties apply — except for knowing or repeated violations. There's no private right of action. The bill states that twice, which suggests the drafters anticipated someone would try. The right to cure itself sunsets on January 1, 2030.
One thing that did survive the rewrite: liability under Colorado's anti-discrimination laws. Developers and deployers can still be held liable if a covered AI system produces discriminatory outcomes. Contract provisions designed to indemnify one party from responsibility for their own discriminatory AI outputs are void under the new law. That's a meaningful carve-out, and it's one worth making sure your vendor agreements reflect.
The bill passed in the Senate 34-1 and in the House 57-6. Decisively bipartisan.
Whether the original law was workable, or whether SB 189 is better policy, is a genuine debate. Reasonable people land in different places. What I'll say is the pattern is worth watching: Colorado passed an ambitious AI law, couldn't hold it under sustained industry pressure, and replaced it with something significantly narrower before it ever took effect.
And the compliance picture is now more fragmented than before. When the Colorado AI Act passed in 2024, it was the only state-level AI law of its kind. Today there's Texas TRAIGA, California's ADMT regulations, Illinois employment provisions, Connecticut's new AIRT Act — and now a rebuilt Colorado framework, effective January 1, 2027. Every state is doing something slightly different. There's no single model to follow anymore.
Colorado still has what analysts are calling the most far-reaching AI deployer law of any U.S. state. Just not the one it started with.