AI will have a dramatic impact on how cyber work gets done. Many organizations are still trying to sort fact from fiction regarding the various promises of AI-enabled cyber tools, let alone create a vision for how they will leverage the emerging digital cyber workforce. What’s more, cyber organizations are racing to keep pace with the rapid adoption of AI across the environments they are trying to protect.

First, CISOs are contending with a perception that AI is an easy button for efficiency and staff reduction, while the truth is, the use of AI is complex and must be thought out carefully. AI requires pristine data, a control framework, proper governance, a robust infrastructure, seamless integrations with existing systems, and a skilled workforce. It needs to be piloted and tested extensively. This rigor can make it difficult to meet the expectations of executives who want to see the technology deployed quickly.

Second, there is a plethora of product companies making bold claims about their AI capabilities, and it can be challenging and time consuming to navigate this overwhelming vendor landscape. Making choices can be arduous, especially when many products have multi-year life cycles.

There is also the cultural aspect. CISOs are dependent upon a willing and skilled workforce to deploy AI. These skills are in short supply, and few professionals have extensive AI experience. Additionally, some cyber professionals may be wary of the use of AI.

Finally, in highly regulated environments, vigorous control procedures can slow adoption. Regulators will likely want to understand the full scale of agentic deployment, including what access and entitlements each agent has.

The adversary is getting more powerful and efficient through the use of AI. First and foremost, AI is exceptional at data mining.

Hackers can leverage AI to:

• Quickly identify vulnerabilities, misconfigurations, and other weaknesses to map out the best paths of attack.
• Create more convincing and tailored phishing campaigns.
• Perform automated source code analysis for weaknesses in public repositories.
• Generate novel exploits that avoid the known signatures of existing detection systems.

Essentially, AI multiplies the army of attackers that are already in the crime business.

To combat this army of attackers, you need a strong digital cyber workforce to amplify your threat management capability. There are several promising use cases for AI in cyber. What I described in terms of using AI as an attack tool can also be used for good. For example, we have created agents that automate vulnerability and penetration testing. There is also some momentum in reducing the menial and manual tasks of level 1 security operations center (SOC) analysts. Further, AI-enabled controls assessments and controls monitoring are on the horizon. However, there are many issues that need to be addressed in order to get this right. Data and training accuracy are fundamental, as is proper governance.

One of the most pressing issues for cyber organizations is helping their respective companies move safely and securely to AI adoption. We call this cyber for AI. Most companies’ business models require the sharing of data. Given the sensitivity of data, AI will need to be conscious of the underpinnings of data entitlements, security restraints, and compliance implications. This will be especially difficult if the cyber function has not provided its organization with a framework for AI deployment that includes all of the requisite controls and governance.