Ghosts Across the Thames — A Tale of the Past, Present, and Future of the Human in the Machine Reflections from Infosecurity Europe 2026 — on sovereignty, agentic AI, burnout, and the stubborn human being still sitting at the center of all of it By Marco Ciappelli | On Location at Infosecurity Europe 2026, with Sean Martin July 2026 No time to read? No problem. Let my Artificial Intelligence companion, TAPE3, read it to you — it's got a voice, and a bit of attitude too. 🎙️🤖 Just like me… but with better pronunciation. 🤣 😅 There is a building across the Thames from the Infosecurity press room, a derelict flour mill called Millennium Mills that looks exactly as haunted as it sounds. For three days I kept glancing at it between conversations — broken windows, whole panes gone, a slow architectural decay staring back at a hall full of the anxieties of the digital age. We made a joke, the way you do at the end of a long week, that the ghosts in there might be watching us. Alan Turing, who taught us to ask whether a machine could think at all. Ada Lovelace, who saw what the general-purpose machine could become a full century before it worked and, in almost the same breath, insisted it could originate nothing — the first person to draw the line we are still arguing over. It was raining, the trains were on strike, and a few hundred meters away several thousand people had gathered to argue about the future of the machines those ghosts imagined. I have covered enough of these events to know when a room is telling me something. This one was telling me it had sped up. That was the first thing about the floor, before any single topic: the clock. The story everyone told, in one form or another, was the collapse of time. An intrusion that once took hours to hand off from one criminal crew to the next now does it in seconds, faster than you can decide whether to answer a ringing phone. Attacks are being weaponized in the time it takes to make coffee. Norbert Wiener, who gave us the very word under all the signage — cybernetics, the study of control and communication in the animal and the machine — warned three-quarters of a century ago about handing our decisions to systems faster than we could follow. His ghost would have recognized the floor instantly. And so the defense has to move at that speed too, which forces a question the industry has spent years politely avoiding: if no human can keep pace, what exactly is left for the human to do? The answers filled the booths. Agentic AI, autonomous agents patrolling the network and making decisions on their own. The same agents reframed, a beat later, as the newest insider threat — trusted credentials, no psychology to exploit, no hesitation to catch. Shadow AI, the quiet reality that people across every organization are already using tools nobody sanctioned. E.M. Forster wrote that story in 1909, in "The Machine Stops": a civilization so dependent on a system it no longer understands that when the system falters, no one remembers how to live. Quantum computing described not as a distant weather system but as a theft already in progress, encrypted data harvested today to be opened later. If you only read the signage, you would think the entire human contribution to security had been reduced to signing the purchase order. But I did not spend my week reading signage. And here the mood matters, because moods are data too. My friend Madelein van der Hout (https://youtu.be/uEbnXj4ZWqc), the Forrester analyst who this year joined us as a kind of friendly ghost of her own, beaming in from the Netherlands rather than London, put it more precisely than I could. A few weeks earlier, at RSAC Conference in San Francisco, the drumbeat had been resilience, and the air was thick with everything technology can do, good and bad, sold at full volume. In London the word was sovereignty, and the register was pragmatic, tempered, European — a continent that will, as she said with affection, make a framework out of anything. RSAC is where her blood pumps with enthusiasm. Infosec is where she comes to get grounded in reality. Same industry, two continents, two temperaments. And underneath the London sky, closer than anyone likes, the shadow of hybrid warfare. The reality I went looking for was the human one, and I found it in a series of conversations that had almost nothing to do with the booths. Sarah Armstrong-Smith (https://youtu.be/f5hOOhyZrrE), after nearly thirty years in cyber and crisis leadership, said the thing most people in her position will not say aloud: whatever we are doing is not working. More tools, more money, more people, more AI, and the problem keeps getting worse. She reminded me of a con called the Spanish Prisoner — a letter from a stranger, a fortune promised in exchange for a small advance — that is at least four hundred years old and is, give or take a detail, the email in your spam folder this morning. The tools change. The mark does not. We are robbed through the same prehistoric wiring, a flash of fear, a flicker of greed, a decision made before the slow part of the brain wakes up. Geoff White (https://youtu.be/KMAMfe197Jc), who has read three hundred thousand leaked messages written by a ransomware gang when they thought no one was watching, showed me the other side of that same wiring: criminals who do not see a gang at all. They see a company, with clients and negotiations and, sometimes, a tidy report handed to the victim afterward. The mind rewrites the job description until the extortionist can get out of bed believing he is a businessman. Nothing personal — as an Italian, I did not have to reach far for the reference. We are all narrating ourselves into the people we would prefer to be. The gang simply does it with higher stakes and worse intentions. Lee Clark (https://youtu.be/LyUHROaVawo), who runs threat intelligence for the retail and hospitality sharing group, the RH-ISAC, made the point that the two threats his members report most often need almost no code at all. One is a phone call to a help desk. The other is a fake résumé. People, lying to people, about who they are. And the defense that keeps working is the oldest one we own: the flinch, the hesitation, the small animal instinct that something is off. We keep trying to automate away the part of us that pauses. Lee spends his days proving the pause is the point. Then there was the cost of standing guard, which the event finally named out loud, on stage and on the risk register, not in a wellness pamphlet. Bronwyn Boyle (https://youtu.be/bH2tRghfeBU), a CISO who came to security through classics and philosophy, gave me the sentence I keep turning over: we can talk about vulnerabilities for hours, she said, but we cannot talk about vulnerability when it hits us. She had run herself to the edge of burnout without a word for it, until Peter Coroneos (https://youtu.be/MJ5Za5LAjgs) — who founded the non-profit Cybermindz to treat the mental state of defenders as part of the network's resilience — described the symptoms and she recognized herself in the list. Peter, whose background is in neuroscience before it was in cyber, framed it in a way that could be the mission statement of this entire newsletter. Our brains evolved for threats that arrive and then leave. A predator, a rival, a branch cracking in the dark. The system escalates, you deal with it, and your body gets the all-clear and stands down. A cyberattack sends no all-clear. It is invisible, and it never ends. So the ancient machinery stays switched on, week after week, year after year — an analog brain locked inside a digital siege that never lifts, paying a price nobody designed it to pay. What Cybermindz teaches, a protocol born in trauma therapy for soldiers, is essentially a manual override: a way to tell the body by hand the one thing the old world used to tell it for free, that the danger has passed. Brilliant, and also an admission. We built a place with no all-clear, so now we manufacture the all-clear ourselves. Which left me with Peter's question, and mine: if the system you built needs the people inside it to constantly talk their own nervous systems down from a threat that never ends, is the problem really in them? Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.