AI systems have very different behaviors, use cases, and scope than much of the computing infrastructure we’ve seen in the past. The biggest difference is how much more flexible and contextual AI is compared with classic computing systems. This means many of the tool sets that have been developed and perfected for traditional security are not nearly as effective when applied to AI systems—and even less so when applied to emerging frameworks like agentic systems.

In classic computing, data and compute were siloed, so you could use traditional cybersecurity techniques to separate what’s attacking data from what’s attacking infrastructure. But in AI systems, the data and the computer are combined, so attacking one often means attacking both.

The emerging AI use cases and the complexity of the threat surface require rethinking what it means to secure computing systems. AI systems have become so good at merging in with standard traffic and looking like human information that many traditional detection strategies fail.

There’s a lot of excitement about going beyond language to vision, audio, and other multimodal systems. People engage with audio or video much more than [they do with] text, so they believe things more readily. The risk to stakeholders and to computing system infrastructure grows because of the broader modality set and this ability to engage with different modes.

On the ecosystem front, something very interesting is happening. We’ve seen two main buckets of companies. They’re [taking] highly complementary but different approaches. First, there are classic cybersecurity companies adding on AI—both in the security-for-AI space and the AI-for-security space. They’ve been investing in AI to help solve classic security issues, but most interestingly, they’re adding security-for-AI capabilities like data sanitation, guardrails, and AI firewalls against prompt injections and other agentic deployment issues.

The other bucket is native AI folks tackling security for AI. It’s a fascinating contrast. The approaches look different when you’re starting from security and asking how to scaffold to handle AI threats versus starting from native AI infrastructure, where you’ve built these systems, understand them deeply, understand their vulnerabilities, and exploit that knowledge to think about security infrastructure.

I believe AI-native approaches are likely much more effective for security-for-AI applications. Native AI companies have a special sauce because they understand the systems much better and can be much more targeted than traditional security companies.

My experience and broad frame of reference is that risks and capabilities tend to go along with each other quite closely. The more the system can do, the more we give it access and agency, and the more we have new kinds of security surfaces to cover. So, if you want to see where risks are going, look at where capability is going—what people are trying to do with it, what use cases people are excited about, and where future investment is going.

With AI, the excitement about [the] technology leads us to ignore security and safety issues, focus on capabilities, and then realize we left a gap. We should take another look and figure out what security risks might arise. Then we should treat security and safety as model capabilities as well.