Full-blown AI adoption in cyber security, whether we’re ready for it, or not

We have unofficially transitioned from a proof-of-concept phase to aggressive implementation. In fact, 90%  of organiaations are either currently adopting generative AI for security, or are planning to do so, according to research from the Cloud Security Alliance (CSA). The vast majority of IT and security professionals feel that these technologies can improve their skill sets and support their roles, while freeing them up for more rewarding, valuable assignments.

On the flip side, cyber criminals are also making abundant use of this ever-evolving innovation – to the point in which AI-enhanced malware ranks as a top risk for enterprise leaders, according to Gartner. This sets up a modern-day Spy vs. Spy scenario in which the good guys and bad guys battle it out in a technology arms race, with the stakes getting increasingly higher and the precarious potential for unleashed, harmful AI growing more likely.

The term “agentic AI,” for example, loomed large on the minds of many conference attendees. Simply defined, this refers to AI systems that act autonomously to pursue goals and solve problems without constant human guidance or oversight. It is difficult, however, to determine whether the concept signals genuine innovation or just repackaged marketing speak.

For now, security leaders should focus on the users and ask to what extent are they taking part in Shadow AI, and how are they deploying AI applications? In our own research, we’ve found that most generative AI (GenAI) usage in the enterprise (72%) is currently attributed to shadow IT. 

We know that AI left alone will transition swiftly in the direction of any and all forms of usage. It’s already starting to resemble the rapidly expanding universe of cloud adoption of years past. Transforming into this level of AI ubiquity requires deeper questions – and answers – about integration, accountability and governance. Which brings us to our next conference topic point.

Gaps in enterprise AI governance

Too often, AI governance committees are narrowly fixated on privacy and security concerns, rather than broader considerations such as legal liability, licensing exposure, cost and technology overlap rationalisation and appropriate use. As a result, organizations are approving AI tools without conducting full risk evaluations, including intellectual property and third-party risks such as code contributions.

For now, leaders seem to prioritise safe operation using local models, outright blocks, incident response and detection, along with other short-term use cases. But they must shift from this approach to a state of broader, enterprise-focused AI planning that is guided by strategic, organisational goals, and not merely functional execution.

Proliferating insider threats

These threats, of course, are older than cyber security itself. Think of the embezzling finance employee in the 1950s, or the factory worker who surreptitiously slipped company property in his pocket. There was plenty of chatter onsite about the widespread scam in which top tech firms in the US have been tricked into hiring remote IT workers who happen to be North Korean cyber operatives.

This speaks to the need for closer alignment among HR, legal and security teams to detect forged employment documents and eliminate hiring platform vulnerabilities. Unfortunately, there aren’t enough ongoing conversations about these emerging threats, with HR, legal, and security teams more likely to collaborate on compliance requirements and reactive, after-the-fact incident investigations.

Throughout its existence, the RSAC Conference has reflected the present state of cyber security, with impactful trends and challenges conveyed amid the cacophony of booths, presentations, demonstrations and conversations. This most recent conference has proved no exception, especially when it comes to new patterns in AI and insider threats.

That said, a consistent thread has emerged over the years: The need for proactive accountability, guidance and governance.

With this, security leaders won’t entirely mitigate the damaging outcomes of AI or ill-willed insiders. But they’ll take major steps in containing them. Hopefully in a few months, when we arrive at Black Hat, we’ll be talking more about how organizations are now able to more consistently and successfully do that.

James Robinson is chief information security officer at secure access service edge (SASE) and zero-trust specialist Netskope.