By Matt Holland, Director of Cyber & AI Security, Kainos
The cybersecurity stack most organisations operate today was sized for a slower opponent. That opponent has been replaced. The question for technology leaders is whether their cadence has changed with it.
Most of the security stack operating in enterprises today was designed around yesterday’s problem. Strategies signed off last year, tooling acquired the year before, playbooks honed over a decade: all of it assumes a human attacker working human hours, opposed by a human analyst clicking through a human queue. That picture held up for a long time. Most investment, most org charts and most governance cycles still rest on it. Somewhere between the spring of 2025 and the disclosure of the Mythos model the following year, however, the picture became one of several worth defending against, and arguably the least urgent of them.
The shift is best understood through three properties that the frontier AI labs have now put their names to in writing. Artificial intelligence has become faster than the controls built to constrain it, more competent than most of the attackers organisations have priced into their threat models, and more widely available than any offensive capability in the history of the profession. Faster, more competent, more widely available. Each word carries an obligation. Together they describe a different threat environment.
Take speed first. In February 2026, Sysdig’s Threat Research Team published a forensic account of an AI-assisted cloud intrusion in which an attacker moved from initial access to AWS administrative privileges in under ten minutes, traversing nineteen distinct identity principals on the way. Sergej Epp’s “Zero Day Clock”, once measured in weeks, now reads in hours. Patch processes that run on a daily review cycle, and security operations centres changing configurations weekly, sit outside the relevant window. By the time the ticket reaches triage, the attacker has finished and left.
Take competence next. Rob Joyce, former director of the United States National Security Agency’s Cybersecurity Directorate, used the keynote stage at last year’s RSA Conference to advise defenders against worrying about AI exploit developers. Twelve months on, he returned to the same stage to say he had changed his mind. The April 2025 Hack The Box capture-the-flag contest tells the same story: the leading AI team captured nineteen of twenty flags and finished twentieth out of 403 entries, ahead of 383 human teams. Forget the comfortable narrative about a script kiddie armed with a chatbot. What the frontier models now deliver is elite-tier exploit development, commoditised, and available by the hour.
Take availability last, because availability changes the math entirely. The defending profession has always faced a small number of brilliant attackers and a long tail of opportunists. AI flattens that distribution. The same capability now sits in every browser tab. Writing in March 2026, the veteran vulnerability researcher Thomas Ptáček observed that the craft of finding security flaws had been “cooked”: pointing an agent at a source tree and typing find me zero days simply works, and the new price of elite attention has fallen to epsilon. The Cloud Security Alliance’s AI Vulnerability Storm report, co-authored by Jen Easterly, Bruce Schneier, Chris Inglis, Phil Venables and others, formalises the same view. Five of its thirteen named risks carry a critical rating, and the cybersecurity risk model on which most boards still rely is itself classified as outdated.
What stays, what shifts
The existing defensive playbook still matters, in some ways more than ever before. Strong authentication, segmentation, fast patching, identity and privilege management remain the foundations of every credible security programme, and Phil Venables is right that under AI-driven attack these foundations move from sound to existential. What changes is the cadence at which they have to run, and the arrival of a new asset class on the corporate estate: the autonomous agent, an asset class the legacy controls predate. Five concrete priorities follow, and they should be addressed in order.
The first priority is non-human identity. Recent industry data places the ratio of machine identities to human identities in the average enterprise at between 82-to-1 and 144-to-1, growing roughly forty-four per cent year on year. Around five per cent of cloud machine identities carry full administrative privilege, and some sixty-two per cent sit dormant, inactive for ninety days or more while still retaining their access. Drop an autonomous agent into that environment and the attack surface stops resembling a perimeter and starts resembling a cloud. The first move for any organisation is to inventory every non-human identity, name the human owner of each one, and retire what fails the justification test. Enumeration precedes defence.
The second priority is to retire the language of human-in-the-loop in favour of bounded autonomy. A tired analyst clicking approve on the seventeenth alert of a shift functions as a rubber stamp with a person attached, and threat actors know it. Bounded autonomy works the other way around. For each agent, a small set of pre-authorised action classes runs at machine speed; everything else stops by default. The principle, formalised in the new OWASP Top 10 for Agentic Applications under the heading “least agency”, is that autonomy is a feature an agent earns, one action class at a time.
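A default-deny gate of the kind this paragraph describes, as an added example that is not from the article or from OWASP. The agent name, action classes, target names and the per-minute bound are assumptions made up for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Grant:
    """One pre-authorised action class and the bounds it must stay inside."""
    action_class: str
    max_per_minute: int          # assumed bound, not from the article
    allowed_targets: frozenset   # assumed bound, not from the article

@dataclass
class AgentPolicy:
    agent_id: str
    grants: dict = field(default_factory=dict)   # action_class -> Grant
    recent: dict = field(default_factory=dict)   # action_class -> timestamps

    def earn(self, grant: Grant) -> None:
        """Autonomy is added one action class at a time, never wholesale."""
        self.grants[grant.action_class] = grant

    def decide(self, action_class: str, target: str, now: float) -> str:
        grant = self.grants.get(action_class)
        if grant is None:
            return "STOP:unlisted-action-class"   # everything else stops by default
        if target not in grant.allowed_targets:
            return "STOP:target-out-of-bounds"
        # Keep only calls from the last 60 seconds, then apply the rate bound.
        window = [t for t in self.recent.get(action_class, []) if now - t < 60]
        self.recent[action_class] = window
        if len(window) >= grant.max_per_minute:
            return "STOP:rate-bound-exceeded"
        window.append(now)
        return "RUN"

def demo() -> list:
    policy = AgentPolicy("triage-agent")          # hypothetical agent
    policy.earn(Grant("isolate_host", 2, frozenset({"lab-vlan"})))
    requests = [                                  # constructed requests
        ("isolate_host", "lab-vlan", 0.0),
        ("isolate_host", "lab-vlan", 1.0),
        ("isolate_host", "lab-vlan", 2.0),        # third call inside one minute
        ("isolate_host", "prod-vlan", 3.0),       # granted class, wrong target
        ("rotate_iam_key", "lab-vlan", 4.0),      # class never granted
        ("isolate_host", "lab-vlan", 61.5),       # earlier calls have aged out
    ]
    return [policy.decide(*r) for r in requests]

if __name__ == "__main__":
    print("\n".join(demo()))
```
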
The third priority is revocability. A useful diagnostic is the sixty-second test: pick any agent in production and ask whether, on discovery of its compromise, access can be revoked inside a minute across every system it touches. Most organisations fail at the first attempt. Long-lived API keys, cached OAuth grants, credentials scattered through downstream systems, and a central kill switch still on next quarter’s roadmap: these are the recurring patterns. The CSA report is direct on this point. The agent harness, meaning its prompts, tool definitions and retrieval pipelines, is where the most consequential failures occur, ahead of the model itself.
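One way to score the sixty-second test for a single agent, as an added example rather than a method from the article or the CSA report. It assumes each credential stops working at whichever comes first, a revoke taking effect or natural expiry; the inventory, system names and timings are constructed.

```python
import math
from dataclasses import dataclass
from typing import Optional

@dataclass
class Credential:
    system: str
    kind: str
    revoke_latency_s: Optional[float]  # seconds for a revoke to take effect; None = no revoke path
    expires_in_s: Optional[float]      # remaining lifetime; None = never expires

def exposure_s(cred: Credential) -> float:
    """How long the credential keeps working after compromise is discovered."""
    ways_out = [v for v in (cred.revoke_latency_s, cred.expires_in_s) if v is not None]
    return min(ways_out) if ways_out else math.inf

def sixty_second_test(creds, limit_s: float = 60.0) -> dict:
    """The agent passes only if every credential dies inside the limit."""
    windows = {f"{c.system}/{c.kind}": exposure_s(c) for c in creds}
    failing = sorted(name for name, w in windows.items() if w > limit_s)
    return {"pass": not failing,
            "worst_window_s": max(windows.values(), default=0.0),
            "failing": failing}

# Constructed inventory for a hypothetical agent, before and after remediation.
BEFORE = [
    Credential("cloud", "role-session", revoke_latency_s=5, expires_in_s=3600),
    # Cached grant validated downstream: nothing central can pull it back.
    Credential("crm", "cached-oauth-grant", revoke_latency_s=None, expires_in_s=3600),
    # Long-lived key with neither expiry nor a revoke path.
    Credential("warehouse", "api-key", revoke_latency_s=None, expires_in_s=None),
]
AFTER = [
    Credential("cloud", "role-session", revoke_latency_s=5, expires_in_s=3600),
    Credential("crm", "brokered-token", revoke_latency_s=None, expires_in_s=45),
    Credential("warehouse", "brokered-token", revoke_latency_s=10, expires_in_s=900),
]

if __name__ == "__main__":
    print(sixty_second_test(BEFORE))
    print(sixty_second_test(AFTER))
```
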
The fourth priority is detection tuned for agentic behaviour. Conventional SIEMs were built to recognise a human pretending to be a process. The new problem runs the other way: a process behaving like a malicious human. Agentic attacks have a fingerprint, including constant authentication, tool-call sequences inconsistent with declared purpose, and cross-agent communication outside the expected graph. That fingerprint stands out clearly to a defender configured to look for it, and slips past one configured for last decade’s attacks.
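The three signals named above, run over a handful of events, as an added example that is not taken from the article or from any SIEM product. The event format, agent names, tool registry, expected graph and the five-auths-per-minute threshold for "constant authentication" are all assumptions.

```python
from collections import defaultdict

DECLARED_TOOLS = {  # assumed registry: what each agent says it is for
    "helpdesk-bot": {"search_kb", "create_ticket"},
    "invoice-bot": {"read_invoice", "post_ledger"},
}
EXPECTED_EDGES = {("helpdesk-bot", "invoice-bot")}  # assumed agent-to-agent graph
AUTH_LIMIT, WINDOW_S = 5, 60                        # assumed "constant auth" threshold

EVENTS = [  # constructed sample: (seconds, agent, kind, detail)
    (0, "helpdesk-bot", "auth", "idp"), (5, "helpdesk-bot", "tool", "search_kb"),
    (9, "helpdesk-bot", "msg", "invoice-bot"), (10, "invoice-bot", "auth", "idp"),
    (12, "invoice-bot", "tool", "read_invoice"),
    (14, "invoice-bot", "tool", "list_iam_roles"),
    (15, "invoice-bot", "auth", "idp"), (20, "invoice-bot", "auth", "idp"),
    (25, "invoice-bot", "auth", "idp"), (30, "invoice-bot", "auth", "idp"),
    (40, "invoice-bot", "msg", "helpdesk-bot"),
]

def auth_burst(times, limit=AUTH_LIMIT, window=WINDOW_S):
    """True if any sliding window of `window` seconds holds >= `limit` auths."""
    times, lo = sorted(times), 0
    for hi, t in enumerate(times):
        while t - times[lo] >= window:
            lo += 1
        if hi - lo + 1 >= limit:
            return True
    return False

def detect(events):
    """Return {agent: sorted signal names} for agents showing any signal."""
    auths, findings = defaultdict(list), defaultdict(set)
    for ts, agent, kind, detail in events:
        if kind == "auth":
            auths[agent].append(ts)
        elif kind == "tool" and detail not in DECLARED_TOOLS.get(agent, set()):
            findings[agent].add(f"tool-outside-purpose:{detail}")
        elif kind == "msg" and (agent, detail) not in EXPECTED_EDGES:
            findings[agent].add(f"unexpected-edge:{detail}")
    for agent, times in auths.items():
        if auth_burst(times):
            findings[agent].add("constant-auth")
    return {agent: sorted(sigs) for agent, sigs in findings.items()}

if __name__ == "__main__":
    for agent, signals in detect(EVENTS).items():
        print(agent, signals)
```
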
The fifth priority is to treat artificial intelligence as a procurement category in its own right. Every model provider, every agent framework, every plugin and Model Context Protocol server has joined the corporate attack surface, and the OWASP Agentic Top 10 identifies supply chain compromise as a top-five risk precisely because agents fetch and execute components at runtime. An annual SOC 2 review falls short of the bar this category requires. Procurement needs a baseline questionnaire on training and red-teaming, contractual rights to audit and revoke, exit clauses that work in days rather than quarters, and an internal review body with the authority to refuse.
The cadence question
Every priority on this list can be purchased today. All five are achievable inside ninety days. Delivery at scale remains rare. Cadence, more than sophistication, defines the current threat landscape. Closing the gap between that cadence and the one our organisations were designed for is the work for the year ahead. Boards, regulators and insurers are already reading the new authority. The question they will ask next has moved on from the adequacy of the controls. They will ask whether the controls were ever sized for the right opponent.
