AI Is Reducing the Margin for Error in Cybersecurity Controls
The conversation around AI in cybersecurity can become distracted by speculation, fear and novelty. For senior security leaders, the more useful question is not whether AI has changed the threat landscape in some abstract way, but how it has changed the operating conditions for security teams that already have complex estates, multiple tools, incomplete inventories and long-standing control gaps.
From my perspective, after around 35 years in cybersecurity across incident response, forensics and vulnerability management, the most important difference today is the speed of attacks. A few years ago, defenders could often think in terms of hours, and in some cases days, when responding to an intrusion. That assumption is no longer safe. The time from initial compromise to lateral movement has compressed significantly, with average breakout times now measured in minutes and the fastest examples measured in seconds.
That does not mean every attacker has suddenly become highly sophisticated. AI is helping relatively modestly skilled attackers operate with far greater capability than ever before. It is making reconnaissance faster, exploitation cheaper, phishing more convincing and lateral movement easier to automate. The fundamentals of good security have not disappeared, but the tolerance for getting those fundamentals wrong has become much smaller.
Why AI Is Reducing the Margin for Error
AI is often discussed as though it is creating an entirely new category of cyber risk from nothing. That is not the most helpful way to view it. In practical terms, AI is accelerating the attack chain against weaknesses that already exist. Unpatched vulnerabilities, exposed management interfaces, weak credentials, incomplete patching, missing endpoint protection, poor configuration and unmanaged assets remain at the centre of most successful attacks.
What is new is that attackers can now find and exploit those weaknesses at a far greater scale. AI can help rapidly build more targeted reconnaissance, identify likely routes into an environment and reduce the time required to turn a known weakness into a working attack path. This is important because many organizations still rely on incident response workflows that were designed for a slower world.
A campaign does not need a novel vulnerability to be damaging. A known exposure, combined with automation, can be enough. We have already seen examples where large numbers of enterprise devices were compromised by targeting exposed management interfaces and weak credentials, rather than by using advanced zero-day techniques. That should focus the attention of CISOs and security leaders because the technology to prevent many of these attacks already exists.
This is why “back to basics” should not be dismissed as an underwhelming response to AI-enabled threats. It is actually a reassuring message, because it means many of the most important improvements are within reach. The issue is not that organizations do not know what good looks like. The issue is that they often do not have reliable, continuously verified evidence that the basics are fully in place across the whole estate.
For example, if an organization has endpoint detection and response deployed on 90% of known devices, that may look positive on a dashboard. The question is what sits outside that number. In addition to the 10% that are known to have missing controls, there is typically another 10% of the estate that is completely invisible. These often include unmanaged endpoints, forgotten servers, cloud workloads, virtual machines, test systems or devices that have quietly fallen out of compliance. Not only are these unsecured, but they are also unmonitored. Attackers do not need the whole estate. They need the weakest reachable part of it.
How AI Is Increasing the Risks of Social Engineering
The same compression of time and tolerance applies to social engineering. Business email compromise is not new, and executive impersonation has been a problem for many years. What has changed is the level of personalisation and critically, the layering of combinations of highly personalized and plausible channels now available to attackers.
AI makes it easier to create phishing messages that match the right tone, context and timing. Public information from LinkedIn, company websites, press releases and social media can be used to craft messages that feel more plausible to the recipient. The result is not simply a better-written phishing email. It is a more convincing interaction that appears to fit the employee’s working reality.
Increasing the threat dramatically is the ability to layer tailored emails with voice cloning and, in some cases, video impersonation. An employee may receive an email that appears to come from a senior finance leader, followed by a phone call that sounds like that same person. That combination can defeat the scepticism that a text-only phishing attempt might not overcome, especially when the request is framed with urgency, authority and business context.
This reinforces the need to think about cyber hygiene as an operational discipline rather than a periodic campaign. If attackers can move quickly and social engineering can be tailored at scale, security teams need continuous visibility into which controls are present, working and correctly configured. A quarterly review or weekly report may identify a problem eventually, but it may not identify it soon enough to matter.
The AI Generated Code Problem
There is another issue that deserves more focus: AI-generated code. Recent research from the University of Naples shows that AI-generated code can contain as much as double the rate of serious vulnerabilities when compared to human-written code.
At the same time, today AI is responsible for generating as much as 90% of new code. For at least the near term, this means we are industrializing the development of new vulnerabilities. When this is coupled with the ability of AI to identify and exploit vulnerabilities, as highlighted by Mythos and Project Glasswing, the result for the foreseeable future could be a bonanza for malicious actors.
Closing the Gap Means Verifying the Whole Estate
The most important question I would encourage CISOs to ask is straightforward: what percentage of the organization’s actual estate is covered by its security tools right now? It is critical that the answer to that question is not a guess, an assumption, or simply the number of assets in a given tool. It is important that this number is validated independently of any measured tool, team, or platform administrator.
The word “actual” is key here. Many organizations have a difference between the estate they think they have and the estate that really exists. In our experience, at least 10% of an organization’s environment is often invisible to the security team. That invisible portion may not appear in the EDR console, the vulnerability management platform or the patching system. However, it is still touching corporate data, connecting to business systems and creating a path for attackers.
This is where many organizations face an architectural challenge. Agent-based tools are essential, but they can only report on what they can see. If an agent is not deployed to a device, that device is invisible to the tool. If the agent is broken, blocked by a firewall, disabled by a user or misconfigured, it may not be able to report its own failure. Agent-based tools cannot reliably grade their own homework.
That is not a criticism of best-of-breed security products. EDR, patching, vulnerability management and other controls all perform valuable roles. The issue is that security leaders need an independent way to verify that those controls are deployed, healthy and configured as expected across every relevant asset.
This requires complete asset intelligence drawn from multiple sources and reconciled continuously. On-premises systems, cloud workloads, servers, remote workstations, physical devices, virtual machines and other assets all need to be visible in one trusted view. That view should automatically and in real-time compare assets and coverage against the organizations desired state, highlight gaps, and in mature organizations automate the remediation.
The goal should not be to settle for 90% coverage and hope the remaining gap is low risk. In the AI-enabled threat environment, the uncovered portion is exactly where attackers will focus. If independent measurement shows that effective coverage is closer to 70% than 90%, then the organization has a material exposure that needs board-level attention.
For senior cybersecurity professionals, the priority is not to chase every new AI-themed concern. It is to verify the foundations with more urgency and more independence than before. Know every asset. Manage every control to full coverage. Verify continuously across platforms. Do not rely only on what individual tools report about themselves.