Brent Agar, VP Strategic Partnerships, SentryBay
I spend a lot of time speaking with Federal and Healthcare security leaders. One concern keeps surfacing. Security programs are strong at preventing compromise, yet they leave a gap during authenticated sessions.
Once a user logs in, microphones and cameras are often accessible by default. That design choice made sense years ago. It does not reflect today’s threat landscape.
Modern collaboration platforms expand the attack surface
In modern collaboration environments, microphones and cameras must remain available to support tools such as Slack, Microsoft Teams, Zoom, and telehealth platforms. This persistent availability improves productivity, but it also expands the attack surface during authenticated sessions.
Telehealth, clinical dictation, and AI assisted collaboration have normalized constant audio and video access. These capabilities are now embedded in clinical workflows, government operations, and enterprise collaboration.
This applies equally to internal collaboration platforms such as Slack and Microsoft Teams. These tools are foundational for modern communication. The issue is not the platform itself. The risk lies in the broader endpoint reality. When microphones and cameras remain accessible during active sessions, unauthorized processes may attempt to access them as well.
At the same time, adversaries are using artificial intelligence to generate convincing impersonations, including deepfake videos and voice cloning.
If we are serious about preventing deepfake videos, we must start with the devices and collaboration platforms that make them possible.
Why deepfake videos are now an enterprise security problem
Deepfake videos and voice cloning moved from novelty to weapon. They enable impersonation, fraud, and extortion at scale.
The FBI has warned about the escalating use of AI tools in phishing and social engineering. The warning also calls out voice and video cloning scams. It highlights how realism drives deception and financial loss.
When microphones and cameras remain open, attackers do not need to break encryption. They can capture the raw material instead. They can record a voice sample. They can capture video frames. Then they can reuse that content to produce deepfake videos and voice clones.
This risk hits Federal and Healthcare especially hard. Conversations include protected health information. Video includes patient identity cues. Audio includes verbal consent and clinical detail. In many workflows, users cannot avoid these tools.
So, we need a control that works during the session.
Deepfake videos thrive on audio and video capture techniques
Attackers already know where the highest value data lives. It lives in the interface. It lives in what users see, type, say, and share.
MITRE ATT and CK tracks how adversaries collect data from endpoints. It explicitly documents audio capture and video capture techniques. Audio Capture is T1123. Video Capture is T1125.
Those techniques map to real outcomes. Covert recording. Unauthorized eavesdropping. Content reuse for impersonation. Fraud built on trust.
This is why I see deepfake videos as a prevention problem, not a detection problem.
The gamechanger for deepfake videos on IGEL is policy driven control
That brings me to what we just delivered for IGEL customers.
Armored Client for IGEL already protects against keylogging and screen capture threats on the endpoint. IGEL announced its availability through the IGEL App Portal and IGEL Ready validation.
Now we have added two new capabilities that matter immediately:
- Policy driven microphone protection.
- Policy driven camera protection.
These capabilities change the default security posture for audio and video:
- Camera and microphone are blocked by default.
- Only explicitly approved applications can access them.
- The policy enforces control at the endpoint user interface and input output layer.
- The control holds even after login.
That last point matters most. Many tools check posture at access time. They do not control devices throughout the session. Deepfake videos and voice cloning happen inside the session. So, the protection must live there too.
How this stops deepfake videos and voice cloning at the source
Most deepfake videos require source material. Most voice clones need clean samples. The easiest source is your endpoint audio and video devices:
- If malware can access the microphone, it can harvest voice prints.
- If malware can access the camera, it can harvest facial motion and imagery.
- If an insider can record quietly, they can build a dataset over time.
Blocking the device by default breaks that chain.
Allow listing only approved applications reduces the attack surface further. It also limits abuse from unauthorized tools. Even if a user installs a rogue app, policy denies access.
This is why I call it a gamechanger. It shifts control from user intent to enforced policy. It helps stop the production of deepfake videos and voice clones, because it restricts the capture path.
Why Federal and Healthcare teams care right now
In Federal environments, trust and provenance matter. Deepfake videos can mimic leadership. Voice cloning can imitate authority. Both can trigger operational disruption.
In Healthcare, privacy and compliance drive everything. Audio and video can expose patient data quickly. A single covert recording can create lasting harm.
Security teams cannot accept a world where microphones and cameras stay open by default. They need governance that survives the authenticated state.
Armored Client for IGEL fits as a natural prevention add on. It requires no operating system changes. It avoids architectural disruption. It also complements existing endpoint controls.
What happens next
Microphone and camera protection is live for IGEL OS today. It will roll into Microsoft AVD and Windows 365 very soon.
My message to security leaders is simple:
- If you want to reduce deepfake videos risk, secure the interface.
- If you want to reduce voice cloning risk, control the microphone.
- If you want to reduce covert recording risk, govern the camera.
We built these features because the threat changed. The controls had to change too.
If you are standardised on IGEL, you now have a practical way to shut down a fast-growing risk category, without redesigning your environment.
Deepfake videos will not disappear. But we can make them far harder to produce inside enterprise sessions.
About the Author
Brent Agar is Vice President of Strategic Partnerships at SentryBay, where he works closely with global technology partners, federal agencies, and healthcare organizations to strengthen endpoint security strategies. He focuses on advancing prevention led security at the user interface layer, helping organizations address emerging risks such as AI powered malware, voice cloning, and deepfake videos. Brent brings extensive experience in channel leadership and cybersecurity partnerships, aligning innovation with real world enterprise security needs.
