HalcyonFT Quarterly Newsletter - Q2 2026 - Updates and Recommendations
Halfway through the year, the pace of change in AI and security has not let up. This quarter we focus on one theme: adopting AI quickly without giving up control. Below you will find where the real risks sit, what changed in the tools your teams use every day, including a frontier model that was released and then suspended within days, and an update on our own certifications.
In this issue:
AI Security and Governance: Enabling AI Adoption Without Sacrificing Control
Artificial intelligence is now embedded throughout the workforce. Employees use AI assistants to work faster, SaaS vendors are adding AI features to the platforms you already run, and autonomous agents are beginning to act directly on business systems. The opportunity is substantial, and so is the responsibility: as AI moves into core workflows, security, governance, and compliance must move with it.
We view AI security as an extension of your existing security architecture, not a separate product to buy. The principles that protect your firm today, including identity management, access control, monitoring, endpoint security, and data protection, remain the foundation. Our approach focuses on 4 areas:
Visibility: knowing where AI is in use, including browser tools, SaaS features, extensions, and emerging agents.
Detection: identifying the risks that matter, such as sensitive-data exposure, unauthorized AI activity, and prompt-based attacks.
Response: applying controls that alert, block, or contain unsafe interactions before they affect the business.
Governance: setting the policies, permissions, and oversight that keep AI use aligned with your requirements.
Most of our clients already hold controls that neutralize much of this risk and continue to defend against AI-enabled phishing, social engineering, and credential theft. New tools are emerging too: enterprise AI Detection and Response platforms now offer visibility into prompts, responses, agent actions, and data flows. These remain early in their maturity, and we are evaluating them while prioritizing the practical controls that address today's risks.
The objective is not to slow AI down. It is to set clear guardrails so your firm can adopt it safely and with confidence.
What this means for you: if your teams are already using AI tools, you have an exposure surface worth mapping. We can run a short AI-use and governance review to show you where AI is in play across your firm and which guardrails to set first.
Our Take on Development and Vibe Coding
AI has changed how software gets built. The latest coding assistants can produce a working application in minutes, giving rise to what many now call vibe coding: describing the outcome you want and letting an AI generate most or all of the code to achieve it.
Our view is direct. For speed, experimentation, and innovation, vibe coding is excellent. It lets firms prototype ideas in hours and empowers technical and non-technical staff alike to build solutions that once required a dedicated development team. What AI has changed is the workflow, not the responsibility. Faster code does not remove the need for security review, documentation, and operational ownership. In fact, AI makes it easy to deploy software that no one fully understands.
That is where the risk lives. A business user can stand up an AI-generated application and still be unable to explain how it authenticates users, protects data, or handles vulnerabilities. The result is an unmanaged production system operating outside normal oversight. We treat ungoverned vibe coding as a red flag. The problem is not the use of AI; it is putting systems into production that bypass governance.
At HalcyonFT, our development governance framework requires AI-generated code to clear heightened scrutiny: documented ownership, adversarial AI review, security validation, and formal production approval. Our engineers stay fully accountable for the code they deploy, however it was produced.
What this means for you: the winners will not be the firms that generate the most code. They will be the firms that pair AI speed with clear ownership, approved platforms, and IT oversight. We can help you put a lightweight governance model in place before shadow applications take root.
The AI Toolkit: What Changed This Quarter
The major AI platforms shipped meaningful updates this quarter. Here is what matters for your firm, and what we suggest you do about it.
OpenAI. GPT-5.5 remains the everyday frontier model, memory capacity has expanded for Plus and Pro users, and a new Lockdown Mode limits external access to reduce data-exfiltration risk from prompt-injection attacks. For regulated teams, Lockdown Mode is worth enabling on any account that touches sensitive data. Note the pattern repeating: on June 27, OpenAI released its next family, GPT-5.6, as a government-restricted limited preview to a small group of approved partners rather than a broad launch, the same access constraint now applied to Anthropic's frontier models. For your planning, treat the generally available models as your working set and assume the newest releases may arrive gated.
Microsoft 365 Copilot. The headline this quarter is Copilot Cowork, which reached general availability worldwide on June 16. Unlike the chat-style Copilot you already know, Cowork takes on long-running, multi-step tasks and returns a finished result rather than a draft, grounded in your Microsoft 365 data and powered by Anthropic's Claude. At general availability it also gained a partner-plugin ecosystem, several pieces of which are relevant to financial firms, including Harvey, LSEG, Moody's, Morningstar, and S&P Global Energy, letting Cowork pull from those sources inside a task. Claude Opus 4.8 is selectable as a model for complex, multi-step work. Note that these agent actions are billed on a consumption basis, so each action an agent performs carries a usage charge on top of the per-user Copilot license, which you should factor into your budgeting.
Claude in Microsoft Office. Anthropic now offers its own Claude add-ins across the Office suite. This quarter it released Claude for Word and opened Claude for Outlook in public beta, joining the existing Excel and PowerPoint add-ins, so Claude can carry a single ongoing conversation across your emails, documents, spreadsheets, and slides. These add-ins are separate from the Copilot integration above, so confirm they fit your approved-tools and data-governance policies before enabling them.
Anthropic (Claude). The quarter's most striking development: Anthropic released Claude Fable 5 on June 9, its most capable model made available for general use, then disabled it worldwide on June 12 to comply with a US government export-control directive. The directive also covered Mythos 5, the same underlying model with certain safeguards lifted for vetted cyber-defense partners, and it restricted access for any foreign national, which in effect required Anthropic to disable both models for every customer. The trigger was a claimed model-bypass technique that Anthropic disputes as narrow, already known, and present in rival models. After two weeks of negotiation, the government on June 26 cleared Anthropic to restore Mythos 5 to a limited set of vetted US organizations that operate and defend critical infrastructure; Fable 5 remains offline for general use, and its return is still under negotiation. Every other Claude model keeps running, and Anthropic points customers to Claude Opus 4.8 as the fallback. Restriction is not the same as containment: within days of the Fable 5 suspension, an open-weight Chinese model, Zhipu AI's GLM-5.2, was reported to match the restricted Mythos on specific vulnerability-finding benchmarks while being freely downloadable worldwide.
The throughline. Every new agent is a new identity with access to your data, and, as the Fable 5 suspension shows, model availability is itself now a variable. Treat agent permissions the way you treat employee access, with named identities, least privilege, logging, and periodic review. The practical lesson for your firm is resilience over reliance, governing access and keeping a fallback, because the capability itself is not going away.
Bottom line: the tools are getting genuinely useful, and the firms that benefit are the ones that turn them on deliberately, with guardrails and a fallback plan, rather than letting adoption happen by accident. We can help you decide which to enable, how to govern them, and how to stay resilient when a model becomes unavailable.
Compliance Update: SOC 2 Type II Complete, ISO 27001 Next
At HalcyonFT, maintaining the industry's highest security controls is not a milestone we chase; it is our standard. Having completed our SOC 2 Type II recertification in Q1, we have turned to our ISO 27001 recertification audit, scheduled for Q3.
ISO 27001 is the internationally recognized standard for information security management. It gives you verified assurance that your data is protected through a comprehensive, risk-based framework spanning the people, processes, and technology that safeguard sensitive information across our organization.
Why this matters for you: as an SEC-registered adviser, broker-dealer, or fund manager, you are expected to conduct due diligence on your service providers. Our independent certifications give you documented, third-party evidence that HalcyonFT meets that standard, which directly supports your own vendor-oversight and regulatory obligations. Copies of our SOC 2 Type II and ISO 27001 reports are available on request through your HalcyonFT team.
HalcyonFT Named a 2026 Fortune Best Workplace in the Bay Area
We are proud to share that HalcyonFT has been named to the 2026 Fortune Best Workplaces in the Bay Area list by Fortune Media and Great Place To Work. The list is based entirely on employee feedback and recognizes firms that build high-trust cultures where people feel valued, supported, and empowered to do their best work.
We believe great client outcomes begin with great people, and this recognition reflects our continued investment in culture, professional development, and collaboration. It also reinforces our commitment to attracting and keeping top talent in one of the most competitive technology markets in the world. This award follows several years of Great Place To Work recognition, and it is a milestone we carry into the partner experience we deliver to you.
Read the full announcement in our press release.
Final Thoughts
The pattern this quarter is consistent: AI is creating real advantage and real exposure at the same time, and the firms that win will govern it rather than fear it. Whether your next step is an AI governance review, a closer look at agent permissions, or a plan for model continuity, we are ready to help.
We’re here to help.
Please contact your HalcyonFT team for more on any item above. To go deeper, ask us to schedule your mid-year AI governance review.
— Your HalcyonFT Team
{ HALCYONFT UPDATES }
More Insights
{ CONTACT }