COMMENTARY: The recent lawsuit filed by Elon Musk’s startup xAI against former engineer Xuechen Li is an old tale that takes companies by surprise in the most concerning of ways. When a trusted engineer – not an outside threat – can allegedly download proprietary Grok intellectual property and jump to a competitor, it shows how truly exposed most organizations really are.According to industry reports, insider threats now account for 60% of all data breaches, with the average cost reaching $4.9 million per incident. Yet, most organizations still rely on perimeter-based security strategies designed for an era when employees worked from cubicles and data lived on company servers.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]But we shouldn’t focus on the rogue employee or the profile of the company: this incident shines a bright light on the fundamental mismatch between how we protect data and how work actually happens.We should never ask whether data theft will occur. Instead, we should all accept that it will happen.The big question: can companies adapt defenses before incurring losses?
How data gets exposed
The corporate perimeter disappeared during the pandemic. We let our guard down. But security hasn’t really caught on since then. And that’s why cases like xAI happen.IP lives and flows through dozens of cloud applications, employee devices, and AI tools. Workers can access sensitive data from anywhere: coffee shops, home offices, shared workspaces. And they can do it from personal devices on unsecured networks.The xAI incident bore all the hallmarks of an incident of this nature. It involved:- Sophisticated targeting: Modern threat actors don't steal randomly. They identify intellectual property that could "save competitors billions in R&D"—algorithms, customer data, strategic roadmaps, and trade secrets that represent years of competitive advantage.
- Advanced evasion: According to reports, Li allegedly deleted logs to cover his tracks. Today's insider threat actors understand security controls and actively work to bypass detection, making traditional monitoring systems largely ineffective.
- Legitimate access advantage: Trusted employees have authorized system access, understand data classification, and know approved transfer methods. This makes malicious activity nearly indistinguishable from normal business operations.
How to protect the crown jewels
Attacks will continue to become more sophisticated - especially given AI becoming more effective.That’s why it’s important to have a game plan and take action. Here’s what teams can do regularly to establish standards:- Conduct comprehensive data audits regularly to identify where intellectual property actually resides and who can access it. Many companies discover sensitive information in unexpected locations across their technology environment.
- Deploy real-time DLP monitoring across all data movement channels, including cloud applications, email systems, AI applications and endpoint devices. Comprehensive visibility enables effective protection.
- Establish automated incident response procedures that can immediately contain suspected threats while human analysts investigate.




