Tabletop Exercises for AI-Era Communications Incidents

Look, I’m getting asked about "tabletop exercises for AI-era communications incidents" pretty much every week now. The usual question isn't about specific tools; it's more like, "Brandon, what does 'secure enough' even look like anymore?" This piece is for the security lead, the ops director, or that chief of staff who needs something solid to drop into their Monday morning meeting. No sales pitch, no abstract waffle, just straight talk.

Why Tabletop Exercises for AI-Era Communications Incidents Matters Now

Honestly, when folks talk about tabletop exercises for AI-era comms incidents, they usually start in the wrong place. They jump straight to tech, but really, you gotta start with the workflow. The truly interesting question isn't which fancy gadget to buy. It’s about figuring out which decisions a single incoming interaction can trigger without a second set of eyes on it.

Contact Center Resilience? That used to be a quarterly line item, something you’d dust off a few times a year. Now? It’s daily operational grind. The reasons aren't new: attacker tools are cheap as dirt, we've got more communication channels than ever before, and regulators are finally getting serious. The companies that sat around waiting for someone to tell them what to do are about a year behind the ones who just got to work. And the gap? It’s widening. Generative AI tools are making credible impersonations basically free, which just pours gas on that fire.

If you peek at the search traffic in this space, the real tell isn't the big headlines about breaches. It's the uptick in really specific, long-tail queries coming from inside companies - things like "tabletop policy template" or "tabletop verification workflow." That’s where the work is happening. That's what execs are quietly trying to sort out.

The Threat Pattern in Practice

When my team and I dig into that workflow question with a security or operations crew, the answers usually stretch way broader than anyone expected. Think password resets. Address changes. Refund approvals. Service dispatches. Wire confirmations. Every single one of these has a workflow that, at some point, assumes a single input channel is trustworthy. And that assumption? That’s the first thing that crumbles under a serious attack.

Out in the field, this pattern almost always pops up first in workflows that were originally designed for customer convenience. You know, recovery flows, manager overrides, night-shift intake processes - anything built to keep things trucking when the usual channels get jammed up. Adversaries study those paths just like auditors do, but they get there first. The biggest sign of a successful attack isn't how slick the hacker's tools are. It's how little friction they hit once they're already inside your workflow.

What Effective Defense Looks Like

The fix here? It’s not glamorous. We’re talking about second-channel confirmations for sensitive actions, putting rate limits on those actions, and getting explicit policies in place that let your front-line staff hit the brakes without worrying about getting chewed out for it. The trickier part is getting the rest of the business to buy into those changes. That’s why we frame this as an executive discussion, not just a tech problem.

My team's shorthand with clients is "raise the cost." Really good controls aren't about promising to stop every single attempt. They're about making a successful attack so expensive, in terms of time and effort, that the bad guys just move on to an easier target. It’s the same basic logic behind every other security program out there, and it works here too, as long as you apply it consistently instead of treating it like a one-off project.

Practical Next Steps for Your Team

Vercon's approach to all this is laid out over on our Threat Frameworks page. Most of our work with clients kicks off there, so it's a good place to start.

If you only take one bit of advice from me today, make it this: do the absolute smallest review you can. Write down every action a single inbound interaction can authorize in your most sensitive workflow. Then, go down that list and ask yourself if each one would survive a determined impersonation attempt. Most teams walk out of that exercise with a short, prioritized list of changes that pay for themselves within a quarter, and you won’t have to buy a single new piece of software.

What We Are Watching Next

Over the next couple of quarters, I predict that assessing tabletop risk will move more and more out of just the security team’s lap and into operations, legal, and customer experience departments. That’s actually a good thing. It’s something to plan for now, before you’re forced to react to it. We’ll keep sharing our field notes right here as this whole situation develops.