“How do you teach people to distrust what they don’t understand?” That question followed me into the glass-and-steel atrium of the Munk School of Global Affairs & Public Policy and set the tone for a year that blurred classroom, lab, and city street. The dilemma — balancing rigorous technical inquiry with the messy realities of policy and practice — became the organizing problem of the academic year. Spending a year at the Munk School revealed how a public-policy institution can become a laboratory for governing fast-moving technologies, and why that work matters now more than ever.
Munk School as a laboratory for governance
Bruce Schneier’s announcement that he would spend the Fall 2025 and Spring 2026 semesters at the Munk School framed a focused experiment: run an AI security reading group, teach a cybersecurity policy course, and collaborate with Citizen Lab, the Law School, and the Schwartz Reisman Institute. Taken together, those activities created a rare chance to observe how a top public-policy school engages directly with high-stakes technology at a moment of accelerating risk.
The Munk School sits at the intersection of public policy and global affairs in one of North America’s most diverse cities. Within that ecosystem, Citizen Lab has built a reputation for mapping surveillance and exposing digital threats against journalists and activists. The Schwartz Reisman Institute adds a cross-campus platform focused on responsible innovation. The Law School brings legal frameworks and policy translation. That mix reflects a modern scholarly trend: pairing technical rigor with policy reach to produce research that matters outside the campus bubble.
What does this look like in practice? Three core activities dominated the year: convening informed debate, training practitioners, and producing evidence. The AI security reading group was a slow, communal effort to parse papers, threat reports, and regulatory proposals. The cybersecurity policy course trained future policymakers to think both technically and ethically, offering scaffolded experiences where students made decisions under realistic constraints. Collaborative projects with Citizen Lab and the Law School produced case-based research that could inform decisions on surveillance, export controls, and vendor accountability.
Why does a year at an institution like Munk matter? AI and cybersecurity are now infrastructure for modern societies. Powerful models and tools diffuse faster than legal frameworks and procurement processes can adapt. Schools like the Munk School become crucial sites for governance design: they host conversations that might otherwise be confined to private-sector echo chambers or isolated academic silos, and they create prototypes for policy and technical controls that can be iterated in public.
Different stakeholders bring different priorities to that space. Technologists prize reproducible research and the freedom to test failure modes that industry may avoid. Policymakers need assessments translated into practicable rules and timelines aligned with legislative cycles. Users want systems that preserve privacy and agency; community-facing research ties technical findings to real-world harms. Adversaries—hostile states, criminals, or unscrupulous firms—exploit gaps between knowledge and regulation, profiting when oversight lags.
Those tensions surfaced repeatedly. Reading-group debates ranged from the limits of formal verification for large models to whether vulnerability disclosure regimes actually protect users. Students in the policy course wrestled with trade-offs between national security secrecy and public-interest transparency. Empirical collaborations with Citizen Lab showed harms are unevenly distributed, often falling hardest on those with the least institutional recourse. These recurring themes underscored a key point: technical solutions and policy frameworks must be developed together, not in isolation.
Concrete lessons emerged from practice. First, interdisciplinarity is itself a discipline: bringing lawyers, engineers, and social scientists together requires building shared vocabularies and methods, not merely assembling diverse bodies. Second, pedagogy matters: teaching cybersecurity policy is not a matter of dropping technical slides into a law class; it requires experiential learning, realistic decision-making scenarios, and careful scaffolding. Third, local context shapes outcomes: Toronto’s multicultural fabric sharpens research questions about digital inclusion, language in datasets, and culturally specific surveillance practices.
Institutional frictions also appeared. Academic calendars and publication cycles often lag the tempo of urgent policy debates. Funding models encourage short-term grant-chasing more than long-term civic engagement. And while public-policy schools can convene influential conversations, they rarely control the levers needed to convert recommendations into enforceable change. In short, a year at the Munk School is catalytic rather than curative: it can change minds and produce prototypes, but it cannot, by itself, realign industry incentives or transform sovereign strategies overnight.
Engaging the broader public is essential. Events, open-source reporting, and public-facing courses make esoteric risks into shared priorities. Citizen Lab’s transparent, accessible investigations into spyware offer a replicable model: research that is methodologically rigorous and directly benefits vulnerable populations. Law-school collaborations can translate findings into model legislation, policy drafts, and legal memos that legislators and regulators can adapt.
Unanswered questions remain. How should researchers responsibly disclose AI vulnerabilities without enabling misuse? What balance between international coordination and national sovereignty is appropriate when addressing cross-border threats or toolmakers? How can institutions scale technical literacy so policymakers worldwide aren’t caught flat-footed? These are not problems that a single academic year will solve, but they are precisely the kinds of questions that a place like the Munk School can surface and iterate on.
If there is a single practical lesson from a year at the Munk School, it is that governance of complex technologies benefits most from iterative, evidence-driven engagement. Quick proclamations and one-off reports won’t substitute for sustained interaction among communities of practice. The real value of embedding in a space where scholarship, law, and civil society intersect is that it turns abstract worry into learnable, testable work.
As the semester ended and the visiting scholar prepared to move on, one clear conclusion remained: institutions like the Munk School can accelerate public understanding and policy innovation, but only with durable investments in faculty time, collaborative infrastructure, and public dissemination. Without those investments, the next generation of threats will find familiar vulnerabilities. The opportunity is to apply the lessons learned — to design policies that are technically informed, legally durable, and socially equitable. Which path will we choose?




