Heimdal

Cybersecurity failures now happen beyond the OSI stack. Faulty governance, the human factor, and AI tools create new attack surfaces.

After seven years working across cybersecurity, cloud infrastructure, and Zero Trust architecture, Jayal Yadav explains how we got here and what organizations still get wrong.

“The original seven layers of the OSI model still matter. But today, the biggest risks sit beyond them.”

Those risks live in two overlooked attack surfaces: human behavior (Layer 8) and AI interfaces (Layer 9). Jayal explains both.

Layer 8: Human behavior is part of the attack surface

“People joke about layer 8 being the human layer,” says Jayal. “But around 68% of breaches happen because there’s always a human operator in the loop.”

Everything from phishing to social engineering, credential misuse, misconfiguration, and faulty decisions is rooted in human behavior.

Jayal gave an example of a founder whose business collapsed after a breach.

He had some terms-and-conditions issues with his cloud vendor. He hosted customer data, backups, and infrastructure with that same provider.
There was no risk assessment, no governance, no exit strategy. When things failed, they couldn’t recover.

That experience reshaped how Jayal thinks about modern security risk. In his own words: “The freedom to leave a vendor is now part of security.”

It’s not AI that creates chaos. AI just scales it

Regarding AI usage, Jayal says the human factor is also key to success or failure.

“We all talk about AI slop,” he says. “But AI slop isn’t an AI problem. It’s a human problem.”

Jayal explains that AI simply mirrors the quality, clarity, and intent of human input.

If people outsource both their work and their chaos to AI, they just automate more chaos.

The right way to use AI is to treat it like a verification layer, not a replacement for judgment.

“I check outputs against research, cybersecurity principles, science, and market signals before sharing anything publicly.”

Jayal also shows why context matters more than most people realize. Context details can help or confuse AI and humans alike.

We operate through context, memory, and identity. You communicate differently with colleagues than with family. AI reflects that same behavior.

Not offering enough context data in your prompt might have a negative impact on the outcome.

Know your workflows before adopting AI automation

Bad workflows can turn worse with AI.

Many companies onboard new AI tools simply because they are shiny new objects. Even when their current processes work, they pile on more tools, increase complexity, and end up in chaos.

One of Jayal’s strongest warnings is against rushing into AI automation before checking and understanding existing workflows.

He advises evaluating daily processes and overall operations before translating them into AI, whether through automation or hybrid models.

Before automating anything, make sure the manual process actually works.

Automating a faulty workflow will generate chaos.

Governance – Also a layer 8 issue

Jayal says governance is now the defining factor in cybersecurity resilience. He warns against treating compliance like a checklist.

This box is checked and that box is checked, but there is no actual governance behind it. Cybersecurity starts with real governance, not compliance theater.

Jayal remembers working with an organization that suffered a breach despite having certifications and compliance requirements in place.

The MSP identified and communicated the risks. So did the internal IT team. Yet, leadership delayed action because they didn’t want the cost.

Then the breach happened.

Certifications and compliance requirements were in place, but proper governance was lacking. Although the risks had already been identified by both the IT team and the MSP, decision lag left the company exposed.

That was a clear layer 8 issue. However, it was not the leadership that took responsibility.

The operator became a scapegoat. Accountability without authority is a massive issue across the industry.

Layer 9: AI has opened a new attack gate

With Layer 9, the AI layer, human-error risks are becoming even harder to control.

Jayal highlights:

“We’re already seeing cases where AI systems are manipulated into actions like issuing massive refunds. These kinds of social engineering attacks will increasingly target public-facing AI connected to company infrastructure.”

The solution is stronger governance.

He adds that organizations are moving too fast when adopting AI tools and shares a real-life example.

The story is about a founder who connected an AI meeting summarizer to his entire Google Workspace.

He just signed in to that AI summarizer tool and clicked ‘approved’ in just 6 minutes. He had no AI policy for it. He had no governance around it. No risk assessment.

The problem in that case wasn’t the tool itself, but how Layers 8 and 9 intertwined.

The MSP secured layers one to seven. But when you open a completely new gate into AI, that’s layer 9.

Of course, an MSP’s contract doesn’t cover that.

Updating security for the AI era

Jayal understands why parts of the industry resist changing the OSI model.

“Some people built the systems we still rely on today. That deserves respect.” But he believes security frameworks must evolve alongside technology.

“This isn’t about replacing the old system,” Jayal explains. “It’s about updating security to reflect where the real risks exist now.”

And increasingly, those risks involve humans, governance, and AI.

Author Profile

Adam is the Cybersecurity Advisor at Heimdal. With over 15 years in law enforcement, where he served as a Detective Sergeant leading Covert Operations and Cyber Crime teams, Adam transitioned to cybersecurity in 2016. Known for simplifying complex topics, Adam leverages his investigative and communication experience to engage leaders and end users alike, driving stronger cyber resilience.
