Beyond the AI Hype: What Security Leaders Are Actually Experiencing
In a recent closed-door roundtable, senior security leaders from professional sports, financial services, healthcare, SaaS, and the public sector gathered to discuss a timely question: where is AI genuinely improving cyber defense, and where is it falling short?
The discussion quickly moved past surface-level enthusiasm. The consensus was clear. AI is everywhere, but its impact is uneven. In some areas it is accelerating defensive capability. In others it is increasing complexity, risk, and operational workload.
AI Is Both Force Multiplier and Threat Multiplier
Several leaders described being deeply invested in AI-driven tooling across detection, analytics, vulnerability management, and orchestration. AI is embedded in SIEM platforms, endpoint detection tools, and log analytics engines. It helps accelerate investigations, surface correlations faster, and automate portions of incident response playbooks. At the same time, attackers are leveraging AI just as aggressively.
One of the most immediate impacts has been in phishing and social engineering. Email attacks are more polished, linguistically accurate, and contextually convincing. The traditional indicators that once helped employees spot malicious emails, such as poor grammar or awkward phrasing, are disappearing.
Interestingly, user behavior metrics are shifting. Organizations are seeing higher volumes of suspicious email reports from employees. People are more cautious. However, the ratio of true positives to false positives has not meaningfully improved. Security teams are handling more volume without a proportional increase in confirmed threats. AI is increasing noise as much as it is increasing risk.
In this environment, defensive teams are forced to deploy more AI-driven analysis simply to maintain parity. This reinforces the fact that AI is no longer optional; it is required just to keep pace.
Yet even here, the benefits are largely reactive. Most AI-assisted workflows still trigger after an alert has fired or suspicious activity has been identified. Playbooks may be accelerated, but the incident has already occurred. The group acknowledged that much of cyber defense remains response driven, with AI enhancing speed rather than fundamentally shifting prevention models. Many organizations are now reinforcing detection investments with proactive controls such as application allowlisting, least privilege enforcement, and broader zero trust security models to reduce execution risk before alerts are ever triggered.
Where AI Is Not Delivering, Yet
Despite its ubiquity, participants pointed to clear gaps. One example was firewall rule management. Over years of incremental changes, rule sets become bloated, redundant, and difficult to rationalize. Leaders expressed interest in AI systems capable of parsing complex rule structures, identifying unsafe or unnecessary rules, and autonomously recommending cleaner architectures across heterogeneous environments.
Supply chain visibility and third-party risk form another area where leaders expected AI to help more than it currently does.
70% of companies depend on vendors, cloud platforms, third-party and in-house APIs, and open source libraries. Understanding the risk in such an ecosystem is not easy for companies to manage. The work runs from inventory management to third-party supply chain assessments, and all of it provides point-in-time learning. The lifecycle of a component, from initiation through usage to disposal, is not clear. AI can help with this ecosystem and provide a transparent view of risk across different platforms and components.
In reality, most third-party risk platforms still operate the same way they have for years. Questionnaires, document reviews, and manual scoring remain the core workflow. AI is sometimes used to summarize responses or assist with analysis, but it has not yet solved the harder problem of understanding how external dependencies intersect with real architecture. As a result, teams still spend a lot of time stitching together incomplete information to understand supply chain exposure.
While some tools provide partial analysis, fully autonomous, context-aware optimization remains aspirational. This is an area where leaders see potential but have not yet seen maturity.
Hiring processes represent another growing challenge. AI-generated deepfake videos and voice manipulation are introducing new risks into recruiting workflows. Organizations are training HR teams and business leaders to recognize impersonation attempts during interviews. Here, AI is amplifying adversarial creativity faster than defensive tooling has adapted.
Privacy and data protection surfaced as a nuanced topic. Governance, risk, and compliance platforms are beginning to embed AI to help map controls to frameworks and surface evidence for audits. That capability is helpful from a documentation perspective.
However, the harder problem is operational. Locating personal data across unstructured repositories, supporting right-to-be-forgotten requests, and interpreting ambiguous regulatory language remain complex. Some organizations are leveraging AI-enhanced data discovery and classification tools, particularly within modern data loss prevention platforms. These systems can analyze content contextually rather than relying solely on static patterns.
Even so, gray areas persist. Regulations such as GDPR and emerging global privacy laws require interpretation, not just technical enforcement. AI can assist in surfacing relevant data, but accountability and judgment still rest with human leaders.
The discussion also highlighted a cultural reality. Whether in law offices, financial institutions, or creative organizations, business users often prioritize productivity over security controls. AI-powered data classification and filtering can block unauthorized uploads or external sharing, but friction remains. Security leaders must balance enforcement with enablement.
The Strategic Takeaway for CISOs
The roundtable underscored a central takeaway for security leaders: AI should not be treated as a standalone strategy. It functions as a force multiplier within existing security and risk frameworks. In practice, AI accelerates detection and response workflows while also increasing the sophistication and scale of adversary activity. It expands the volume and velocity of signals that security teams must analyze, placing greater demands on triage, correlation, and decision-making processes. At the same time, rapid employee adoption of AI tools introduces added governance and oversight challenges, particularly when policy development and control frameworks lag behind implementation. Guidance from agencies such as CISA on AI risk management continues to evolve as organizations navigate this balance.
Security leaders are increasingly focused on defensive AI embedded within core operational platforms such as SIEM, XDR, and vulnerability management systems. They are prioritizing orchestration, faster hunting, and improved log analytics. At the same time, they are wrestling with AI-driven social engineering, recruiting fraud, and data leakage risks.
There was no claim that AI is transforming security overnight. Instead, the tone was pragmatic. AI helps. It accelerates. It enhances pattern recognition. But it does not eliminate the need for disciplined architecture, strong user training, or well-tested incident response processes.
For CISOs evaluating their own programs, the message is clear. Invest in AI where it strengthens core detection and response capabilities. Anticipate that adversaries are doing the same. Do not expect AI to resolve structural challenges such as firewall hygiene or regulatory ambiguity without significant human oversight.
AI is becoming foundational to modern security operations. The organizations that succeed will be those that treat it as an integrated capability within a broader strategy, not as a replacement for leadership, governance, or operational rigor.