Friday, January 23, 2026

When Algorithms Shape Reality: How AI and Social Media Are Rewiring How We Think

 


Last November, Adam Aleksic delivered a five-minute TED talk that landed harder than presentations three times its length. His premise is deceptively simple: the AI tools and platforms we use daily aren't showing us reality—they're showing us a filtered, amplified, distorted version of it. And we're absorbing that distortion without realizing it.

I've been sitting with this one for a while. As someone who lives at the intersection of technology strategy and organizational transformation, I recognize the pattern Aleksic describes. I've seen it play out in enterprise systems, in user behavior, in the subtle ways digital tools reshape the humans who use them.

The Language We're Learning Isn't Ours

Here's the detail that stopped me cold.

ChatGPT uses the word "delve" at rates far exceeding normal English usage. The likely explanation? OpenAI outsourced portions of its training process to workers in Nigeria, where "delve" appears more frequently in everyday speech. A minor linguistic quirk from a specific population was reinforced during training and is now reflected among hundreds of millions of users worldwide.

But it doesn't stop there. Multiple studies have found that since ChatGPT's release, people everywhere—not just users—have started saying "delve" more often in spontaneous conversation. We're unconsciously absorbing the AI's patterns and mirroring them back.

As Aleksic puts it: "We're subconsciously confusing the AI version of language with actual language. But that means that the real thing is, ironically, getting closer to the machine version of the thing."

Read that again. The real is conforming to the artificial.

The Feedback Loop No One Asked For

This isn't just about vocabulary. Aleksic points to Spotify's "hyperpop" genre as a case study in algorithmic reality creation.

The term didn't exist in our cultural vocabulary until Spotify's algorithm identified a cluster of similar listeners. Once the platform created a playlist and gave the phenomenon a label, it became more real. Musicians started producing hyperpop. Listeners began identifying with or against it. The algorithm continued to push, and the cluster expanded. What started as an algorithmic observation became a cultural movement.

The same pattern drives viral trends—matcha, Labubu toys (the world is going crazy), and Dubai chocolate (I see them everywhere from Costco to World Market). An algorithm identifies latent interest, amplifies it among similar users, and, suddenly, businesses and influencers create content around what may have been an artificially inflated trend. We lose the ability to distinguish between organic cultural shifts and manufactured momentum.

The Uncomfortable Question

Aleksic doesn't shy away from the deeper implications.

"Evidence suggests that ChatGPT is more conservative when speaking the Farsi language, likely because the limited training texts in Iran reflect the more conservative political climate in the region."

If AI systems inherit the biases of their training data—and they do—what happens when millions interact with those systems daily? What range of thoughts do we stop considering because the algorithm never surfaced them? What possibilities get filtered out before we ever encounter them?

Elon Musk regularly modifies Grok's responses when he disagrees with them, then uses X to amplify his own content. Aleksic asks the obvious question: Are millions of Grok and X users being subtly conditioned to align with Musk's ideology?

These platforms aren't neutral. Everything in your feed or your chatbot response has been filtered through layers of optimization—what's good for the platform, what makes money, and what conforms to the platform's necessarily incomplete model of who you are.

Thinking About Thinking

Twenty-two years in global technology leadership has taught me something about systems: they shape behavior far more than we acknowledge. The tools we build eventually build us. The interfaces we design become the cognitive architecture through which users experience their work, their relationships, their world.

What Aleksic describes is that phenomenon at civilizational scale.

"TikTok has a limited idea of who you are as a user," he notes, "and there's no way that matches up with your complex desires as a human being."

And yet we scroll. We engage. We absorb. We mirror back.

The Only Defense

Aleksic's antidote is persistent self-interrogation:

Why am I seeing this? Why am I saying this? Why am I thinking this? Why is the platform rewarding this?

Simple questions. Difficult discipline.

"If you're talking more like ChatGPT," Aleksic concludes, "you're probably thinking more like ChatGPT as well, or TikTok or Spotify. If you don't ask yourself these questions, their version of reality is going to become your version of reality."

There's something almost spiritual in that warning. The ancient disciplines of self-examination—examine yourselves to see whether you are in the faith—take on new urgency when the voices shaping our inner dialogue aren't human at all.

The question isn't whether these tools are useful. They are. The question is whether we're using them—or being used by them.

Stay awake. Stay questioning. Stay real.

Friday, January 16, 2026

Decoding the Attack Vector: Entry Points in the Digital Build

 

Attack Vectors and Attack Surfaces

In the world of physical security, you don’t just worry about "theft"; you worry about the unlocked window, the side door with the faulty latch, or the delivery driver who isn't who they say they are. In cybersecurity, these specific pathways are our Attack Vectors.

An attack vector is simply the "how" and the "where" an adversary gains unauthorized access to your network. While the Attack Surface is the sum total of your exposure, the Vectors are the individual paths leading into the heart of the system.

The Common Vulnerabilities (The "Leaky Pipes")

Identifying attack vectors is the first step in hardening your infrastructure. Here are the primary culprits we see in the field:

  • Social Engineering & Phishing: This is the "human exploit." Instead of hacking the code, attackers hack the person. Whether it’s a credential-stealing link or a deceptive PDF attachment, this remains the #1 entry point for ransomware.

  • Account Takeovers (ATO): This happens when identity management fails. Stolen session cookies, brute-forced passwords, or credentials bought on the dark web allow attackers to walk through the front door as a "trusted" user.

  • The Insider Threat: Whether malicious (the disgruntled admin) or accidental (the dev who leaves an S3 bucket open), the threat from within is often the hardest to mitigate because the "vector" is already inside the perimeter.

  • Vulnerability Exploits (The Unpatched Flaw): Software isn't perfect. Bugs in code are like faulty locks. If you’re running software with unpatched vulnerabilities, "Zero-Day" flaws included, you’ve essentially left a master key under the welcome mat.

  • Infrastructure Misconfigurations: Open ports are the digital equivalent of leaving the garage door open. If a port isn't serving a specific business function, it should be closed. Period.

  • Browser & Application Compromise: Because we live in a "Cloud-First" world, the browser is the new endpoint. Malicious scripts (XSS) or "poisoned" third-party apps can turn a standard web session into a bridge for malware.
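The "Infrastructure Misconfigurations" rule above (every open port needs a business function) can be checked mechanically. The following is an added example, not code from the original post: it compares listening sockets against an allowlist. The `ss` output, the allowlist entries and the owners are constructed for illustration.

```python
# Constructed sample in the format of `ss -H -tln` output (not from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 100 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::]:3306 [::]:*
"""

# Hypothetical allowlist: port -> documented business function.
ALLOWLIST = {
    22: "SSH administration (ops team)",
    443: "Public HTTPS front end (web team)",
    5432: "PostgreSQL for the app, loopback only",
}
LOOPBACK_ONLY = {5432}  # justified only when bound to localhost

def parse_listeners(ss_output):
    """Return (address, port) for each LISTEN line; handles IPv4 and [IPv6]."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        listeners.append((addr.strip("[]"), int(port)))
    return listeners

def is_loopback(addr):
    return addr.startswith("127.") or addr == "::1"

def audit(ss_output, allowlist=ALLOWLIST, loopback_only=LOOPBACK_ONLY):
    """Flag listeners with no business function or wider exposure than justified."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port not in allowlist:
            findings.append((port, addr, "no documented business function: close it"))
        elif port in loopback_only and not is_loopback(addr):
            findings.append((port, addr, "justified for loopback only, bound externally"))
    return findings

if __name__ == "__main__":
    for port, addr, reason in audit(SAMPLE_SS):
        print(f"{addr}:{port}  {reason}")
```

On a real host, feed `audit()` the output of `ss -H -tln` and keep the allowlist in version control so every exception has a named owner.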

Hardening the Perimeter: Practical Mitigation

You cannot eliminate every vector—the only 100% secure system is one that is turned off and buried in concrete. However, you can make the "cost of entry" too high for most attackers.

  1. Identity as the New Perimeter: Use MFA and session monitoring to kill the effectiveness of stolen credentials.

  2. Aggressive Patching: Automate your updates. A vulnerability is only a vector if it remains unpatched.

  3. Browser Isolation: Treat the public internet as "untrusted" by default. Executing code in a containerized environment keeps the mess off your local network.

  4. SASE (Secure Access Service Edge): As we move away from the traditional office, SASE integrates networking and security into a single cloud-native stack, closing the gap between the user and the app.

The Bottom Line

Think of your security posture like a building's blueprint. You can't remove every door, but you can ensure every door has a deadbolt, a camera, and a guard. By systematically identifying and closing off attack vectors, you shrink your Attack Surface and force the adversary to look for an easier target elsewhere.

Friday, January 9, 2026

Five Things You Should Know About IT Risk Assessment

 


Every organization faces data security threats. Hackers get smarter, attacks become more common, and security budgets stay tight. You can't protect everything equally, so you need to identify your biggest weaknesses and address them first.

That's what IT risk assessment does. It helps you identify, assess, and prioritize data security risks so you can focus your time and budget where they matter most.

Here are five things worth knowing about it.

At the higher education institute where I work, we created a thoughtful exercise using a simple Excel spreadsheet to outline every area or department that meets twice a year to self-evaluate their risks and the likelihood of impact. If you are interested, take a look at the sample sheet that you can download for your organization to

1. Risk assessment tells you where to focus your security efforts

Risk assessment and risk management sound similar, but they're different. Risk management is about controlling specific problems. Risk assessment is the bigger picture work of understanding all the threats you face, both inside and outside your organization.

Think of it this way: risk assessment helps you see the full map of dangers. Risk management is what you do about each one.

A good risk assessment might reveal misconfigured user permissions, forgotten active accounts, or admin rights that have grown out of control. Once you know about these problems, you can fix them before someone exploits them.

2. Many regulations require it

If your organization must comply with regulations such as HIPAA or GDPR, you likely need to conduct risk assessments. These regulations don't tell you exactly how to protect your systems, but they do require you to have security controls in place and be able to prove it.

Skipping risk assessment doesn't just leave you vulnerable to attacks. It can also lead to failed audits and expensive fines.

3. Frameworks make it easier to get started

You don't have to invent your own approach. Several well-tested frameworks exist that tell you what to look at, who should be involved, how to analyze what you find, and what to document.

Three popular options are OCTAVE (created by Carnegie Mellon University), NIST SP 800-30, and ISO/IEC 27001:2013. Pick one that fits your organization's size and needs, then adapt it as necessary.

All of these frameworks expect you to document your process. This creates a paper trail showing you're taking security seriously.

4. You have to keep doing it

Risk assessment isn't something you do once and forget about. Your IT environment changes constantly. New software gets installed, employees come and go, and attackers find new tricks.

A risk assessment from two years ago won't catch the inactive account someone forgot to disable last month or the permissions that have gradually gotten out of hand.

Make risk assessment a regular habit, not a one-time project.

5. The process has three basic steps

Risk assessment breaks down into three parts:

Find the risks. Look for weaknesses in your systems. Users may have more access than they need, your password policies may be too weak, or old accounts may still be active.

Estimate how likely each risk is. Not every weakness will actually cause a problem. Consider how probable it is that someone could exploit each vulnerability you found.

Decide what to tackle first. Combine likelihood with potential damage. A risk that's both likely and would cause severe harm warrants immediate attention. Something unlikely and minor can wait.
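The three steps above, applied to a spreadsheet-style register like the one described earlier, as an added example (not the author's sheet or code): each row is scored as likelihood times impact, ranked, and flagged when its last review is older than the twice-a-year cadence. The rows, the 1 to 5 scale and the tier thresholds are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample register; departments, risks and dates are made up.
# likelihood and impact are self-rated from 1 (low) to 5 (high).
SAMPLE_REGISTER = """\
department,risk,likelihood,impact,last_assessed
Registrar,Former staff accounts still active,4,4,2025-11-03
Finance,Shared admin password on payment portal,3,5,2025-02-14
Library,Public kiosk missing OS patches,4,2,2025-10-20
Facilities,Weak password policy on badge system,2,3,2025-12-01
Athletics,Excess file-share permissions for interns,1,2,2025-09-15
"""

REVIEW_INTERVAL_DAYS = 183  # "twice a year"

def tier(score):
    """Map a 1-25 score onto a priority tier (thresholds are an assumption)."""
    if score >= 15:
        return "fix now"
    if score >= 8:
        return "plan"
    return "monitor"

def prioritize(register_csv, today):
    """Return rows sorted by score (impact breaks ties), with tier and stale flag."""
    rows = []
    for r in csv.DictReader(io.StringIO(register_csv)):
        likelihood, impact = int(r["likelihood"]), int(r["impact"])
        if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
            raise ValueError(f"rating out of range for {r['risk']!r}")
        score = likelihood * impact
        age = (today - date.fromisoformat(r["last_assessed"])).days
        rows.append({
            "department": r["department"], "risk": r["risk"],
            "score": score, "impact": impact, "tier": tier(score),
            "stale": age > REVIEW_INTERVAL_DAYS,
        })
    rows.sort(key=lambda x: (x["score"], x["impact"]), reverse=True)
    return rows

if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER, date(2026, 1, 9)):
        flag = "  (re-assess: overdue)" if row["stale"] else ""
        print(f"{row['score']:>2} {row['tier']:<8} {row['department']}: {row['risk']}{flag}")
```

A stale row is a finding in its own right: its score reflects the environment as it was at the last review, not as it is now.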

The Bottom Line

Threats don't stand still, and neither should your security planning. Regular risk assessment keeps your defenses aligned with current risks rather than yesterday's problems.

If your last assessment is collecting dust, your security strategy needs an update too.