CODITO SUNDAY
3 minutes to stay a week ahead
Edition #07 · Sunday, 7 June 2026 · 3 min read
|
Pierre
Managing Director of Codito Ergo Sum
|
|
Hello everyone,
Grab your coffee, settle in: three minutes to stay a week ahead.
This week, OpenAI opened privileged access to GPT-5.5-Cyber for governments, verified companies and European Union institutions — including the EU AI Office. A few days earlier, Anthropic expanded its Project Glasswing program to power grids, healthcare and telecoms. The signal is clear: AI is moving into critical infrastructure, and cybersecurity is becoming a fully-fledged component of any enterprise AI project. For an SME, this raises three concrete questions — which we detail below, and which we tackled first-hand this week during a first AI Partnership diagnostic with one of our clients.
|
|
|
|
Part 01 · 📊 Market Analysis
|
|
|
OpenAI opens GPT-5.5-Cyber to Europe: AI becomes a matter of defense, not just productivity
The facts: This week, OpenAI announced that its new GPT-5.5-Cyber model — a variant of its flagship dedicated to cybersecurity use cases — would be made available to a limited number of European partners: governments, verified cybersecurity teams, vetted companies, and EU institutions including the EU AI Office. A few days earlier, Anthropic expanded its Project Glasswing program, built on Claude Mythos, to new critical sectors: power grids, water distribution, hospitals, telecom operators, hardware manufacturers. Two announcements, two labs, one and the same movement: frontier AI is now settling into the digital defense of infrastructure.
The Codito analysis: For two years, the enterprise AI narrative played out almost exclusively around productivity: saving time, automating tasks, boosting output. What these announcements mark is a change of register. AI is also becoming — and perhaps above all — a technology of protection, able to detect an intrusion, map vulnerabilities, write patches. And what gets deployed first among critical-infrastructure operators always trickles down, six to twelve months later, into the wider economy. For SME leaders, that means two very concrete things: cybersecurity can no longer be considered separately from AI, and the first vendors offering "cyber-specialized models" at accessible prices are arriving this year.
What it means for you: The trap would be to wait, telling yourself these announcements only concern large corporations. The reality is the opposite: every AI deployment in your organization changes your exposure surface. And until you have asked the right cybersecurity framing questions — where your data lives, who can paste what into a chatbot, whether your agentic solutions can even run inside your security perimeter — you are buying risk without knowing it. The good news: these three questions fit into a half-day conversation.
|
The number of the week
Two major cyber-AI announcements in seven days. GPT-5.5-Cyber for the EU from OpenAI, and the expansion of Anthropic's Project Glasswing to energy, water, healthcare and telecoms. As a reminder, Anthropic filed its S-1 on 1st June and revealed a revenue run-rate that went from 10 to 47 billion dollars in twelve months: the capital funding this acceleration is now in place. Deployments are about to multiply.
|
|
|
|
|
Part 02 · 🎯 Codito Expertise
|
|
|
Cybersecurity and AI: the three questions to ask before any project
The arrival of "cyber-specialized" models makes assessing your exposure urgent. But for an SME, the question is not "which cyber-AI model should we buy?" — it is: "can my organization use AI without becoming a sieve?"
Three questions structure this assessment. None of them is technical in the sense of requiring a CISO — all of them can be handled at leadership level.
1. Where does your data live when AI processes it?
If you use Claude, ChatGPT or Gemini in their consumer versions, every prompt — and therefore every piece of confidential content pasted into it — is sent to foreign servers, usually American. The Enterprise versions of these tools, by contrast, isolate your data, contractually guarantee it will not be reused for training, and allow auditing. For particularly sensitive organizations, sovereign solutions (Mistral, OVHcloud) or open models hosted locally complete the picture. The question is not taboo: it is mandatory before the slightest POC.
2. Who in your company can copy-paste sensitive content into a chatbot?
Shadow AI is statistically present in any organization with more than a dozen employees. Without a clear framework, your sales team summarizes their CRM, your HR analyzes CVs, your executives review contracts — all in personal versions, from private accounts, outside any traceability. The best defense is never prohibition (which breeds workarounds) but the triad usage charter + designated point person + enterprise tool made available. Employees do not bypass a tool they already have at hand and that works as well as the personal version.
3. Are your agentic solutions compatible with your security perimeter?
Corporate firewall, mandatory VPN, secure browser, filtering proxy: these layers are essential — and they often block agentic tools by default. Before signing the slightest POC, check that the tool you are considering can physically run in your environment. Without this check, you risk investing in a solution that nobody in-house will actually be able to use. And this check is also an excellent test of your vendor's maturity: those who have never heard of your security stack are probably not ready for a real French SME.
|
"Before choosing a model, look at what the organization can actually absorb."
|
Cybersecurity is no longer a separate track from AI — it is the very condition of its existence in business. Cyber-specialized models like GPT-5.5-Cyber or Claude Mythos will accelerate the wake-up call. But for an SME, the stakes remain practical: ask these three questions before signing anything.
Discover the Codito AI Partnership
|
|
|
|
Part 03 · 🎬 Inside Codito
|
|
Behind the scenes: what the first AI Partnership diagnostic at GAEA revealed
To close this edition, a fresh look behind the scenes — one that ties directly back to the two previous sections.
This week, I kicked off the Codito AI Partnership with a new client: GAEA. A 12-month program, with one objective: integrating AI into their operational processes, starting with their quote production. From the very first diagnostic session, on Thursday 5 June, the five-axis grid delivered on its promise — a clear starting point, and a well-defined playing field.
Four frictions across four of the five axes
- Process. Quote production currently relies on manually copying standard elements from a previous document into a new one. Specialist time spent on transcription, not on business value.
- Data. No structured database of items, services and standard wording. Every quote starts from a previous one, by hand. The direct consequence: no AI has reliable material to work with until that database exists. This is exactly the weak link identified in the previous edition.
- Tools. The management software in place is an industry-specific tool whose connectivity (API, interoperability) still needs validating before any AI agent deployment. This check conditions everything that follows.
- Governance & cybersecurity. GAEA operates behind a firewall, a VPN and a secure browser. Before the slightest agentic integration, we had to plan a compatibility-check step against that perimeter — exactly the questions raised in part 2.
The strategic decision
Rather than attacking all four fronts in parallel — the classic temptation, and the one that bogs down most projects — we made a joint decision: 100% of the effort concentrated on a single use case, quote automation, until it is fully validated. Once the technology is proven on that case, we extend. Not before. This discipline of scope is what separates the AI deployments that succeed from those that get stuck in generalization.
|
The most telling detail: the first action was not technical.
What kicked off the session was not the choice of a model or a tool. It was a verification — checking the compatibility between the AI solutions under consideration and the company's security perimeter. Before choosing an AI, look at what the organization can actually absorb. Everything else flows from there.
|
|
|
|
|
|
Thank you for reading this far. If you take away just one thing this week: AI does not need your entire information system to create value, but it does need the part it will touch — clean, documented, secured. Mapping that part precisely is what we do every month in the Codito AI Partnership.
See you next Sunday, — Pierre
|
|
|
|
|
|
|
Pierre
Managing Director of Codito Ergo Sum
|
|