The same renaissance, the other way
I’m going to open with the line I closed Part 1 with, because it’s the load-bearing premise of everything that follows.
Same technology. Same force multiplier. Same exponential curve. Used by people who don’t think like us.
The defender’s renaissance I described in Part 1 is the same renaissance the adversary just got. Cheaper, faster, with fewer procurement controls in the way. The fourteen-year-old in Bucharest with a stolen credit card and a Telegram channel has access to the same model family the Fortune 500 CISO does. The model doesn’t care which one of them is asking. It writes the same code at the same quality for both.
The honest version of the AI cybersecurity story has to hold both ideas at the same time. The case I made in Part 1 is real and the work is shipping. The case I’m going to make in Part 2 is also real, also shipping, and considerably more uncomfortable.
I’m not going to write Terminator. I’m not going to write extinction. I’m not going to write the article where the robot overlords enslave us and the only solution is to unplug everything and move to a cabin. That article gets clicks and changes nothing. The honest concerns are smaller, harder to dismiss, and they’re already showing up in incident reports.
Let’s go.
The adversary’s force multiplier
Start with the most obvious failure mode and work outward.
Every productivity gain a defender unlocks with AI is a productivity gain an attacker also unlocked, usually two quarters earlier. AI doesn’t pick sides. It’s a sharper knife. Both ends of the knife cut.
Phishing at scale, with the seams gone. The classic phishing email of 2020 was full of tells. Bad grammar, awkward phrasing, generic salutation, slightly wrong logo, a sense-of-urgency line that any trained user could spot. The 2020 model was cast a wide net, accept a low conversion rate, hope someone is having a bad day. That model is dead. The 2026 phishing email is personalized to the target, written in the exact register of the person it’s impersonating, references actual recent activity scraped from LinkedIn or the target’s last six conference talks, and includes a context-aware call-to-action that survives a careful second read. The conversion rate jumped. Internal phishing simulations that used to catch fifteen percent of users now catch forty percent of users, and the new forty percent includes people who would have spotted the 2020 version in their sleep.
Voice cloning and the CFO scam. A 25 million dollar deepfake video call took down a finance department at a multinational in 2024. The “CFO” was a clone built from public speaking footage. The “team meeting” had multiple deepfakes. The wire instructions went out the door before anyone in the meeting realized the only real person on the call was the victim. That was 2024. The tooling that made that attack possible used to require a PhD in signal processing. Now it ships as an API. The next CFO scam is not going to take a multinational to pull off. It’s going to take a determined fraud team and a free weekend.
Vibe-coded malware. Peter Schawacker calls the new generation of builders “vibe builders” and he means it as a compliment to the defenders. The same skill stack works on the attacker side. A junior threat actor with a sharp model can now write polymorphic dropper code, evade common EDR signatures, customize the payload for a specific target environment, and ship it in a week. The work that used to require a senior reverse engineer and a custom toolkit can be assembled by someone with no formal training and access to a model. The MITRE ATT&CK matrix didn’t get worse. The cost of operating across it got cheaper for the people who shouldn’t have access to it.
Autonomous reconnaissance. The slowest part of any sophisticated attack used to be the recon phase. Identifying the target, mapping the surface, finding the seam, picking the access vector. AI eats this phase for breakfast. An autonomous recon agent can crawl an exposed surface, correlate it with public breach data, identify the most likely social-engineering vector for each employee, and generate the personalized attack plan, in the time it used to take a human red-teamer to write the introduction to their engagement report.
I’m not going to give you the numbers on this because the numbers are an estimate and the actual numbers are worse than the estimate. The point is the attacker’s clock got faster. The defender has to either match the clock or lose.
The trust collapse
Phishing and voice cloning are the loud version of a quieter, more important problem. We are losing the ability to know what’s real.
The economic infrastructure of the last hundred years was built on a few small but load-bearing trust assumptions. The person on the phone is the person they say they are. The video of the executive is the executive. The signature on the contract is the signature. The press release was written by a human at the named company. The supplier’s certificate was issued by someone who verified the supplier’s identity.
All of those assumptions are eroding at once.
The CFO call I mentioned above is one example. Synthetic press releases manipulating stock prices is another. AI-generated court filings with fabricated case citations have already shown up in real litigation. The dating app you’re using is full of synthetic profiles that the platform can’t reliably detect. The reviews on the product you’re about to buy are getting harder to verify. The “customer support” agent on the website might be a model, might be a human, might be a model pretending to be a specific human.
The implications go further than fraud. Consider:
Internal trust. Your SOC analyst pulls up a summary of an incident the model wrote overnight. The summary references a specific log entry. The log entry doesn’t exist. The model hallucinated it. The analyst doesn’t check because the rest of the summary looks right, and now the post-incident report has a fabricated fact in it that propagates upward through three layers of decision-making before anyone notices. This is happening already. The volume of AI-generated content inside enterprises is outrunning the volume of human review, and the failure mode is fabricated facts being treated as ground truth because they were inside a document that looked credible.
Supply-chain trust. The vendor whose model you’re using has a model whose model the underlying foundation model was trained on, by a company you don’t have contractual privity with, on data that included your competitors’ proprietary documents. Three layers of trust separation, and any one of them can compromise the whole stack. We don’t have the tooling to map this yet. SolarWinds was a wake-up call about software supply chains. We are about to get the AI-supply-chain version of SolarWinds, and the blast radius is going to be larger because more of the enterprise stack passes through fewer model providers.
Public trust. Elections, scientific consensus, news. The mechanism that used to separate “this is established” from “somebody on the internet is saying it” depended on human gatekeepers who could be held to account. The gatekeepers are losing the race against synthetic content. I’m not going to make a political prediction here, but I will say that the next decade of cybersecurity is going to bleed into the next decade of civic infrastructure in ways the field has not historically dealt with. Defenders will be asked to defend not just systems but trust itself.
This is the part of the AI conversation that doesn’t get enough airtime because it is unsolvable as a technical problem. The technical problem is hard. The trust problem is fundamental. You can’t watermark your way out of it. You can’t blockchain your way out of it. You can mitigate, you can layer defenses, you can build out verification protocols, but the underlying problem (cheap, abundant, convincing synthetic content) is not going back into the bottle.
Jobs. Not extinction, but disruption
I want to handle the jobs question carefully because the discourse on it is bad in both directions.
The doom version says AI is going to make humans obsolete and the only thing left for us is universal basic income and pottery class. That’s not what’s happening. The boom version says AI will create more jobs than it eliminates and everything will be fine. That’s also not what’s happening, at least not in the timeframe the affected people care about.
What’s actually happening is two things at once.
The work is changing, fast. A SOC analyst job description in 2022 said triage alerts, perform initial investigation, escalate to tier 2 when threshold met. The 2026 version says supervise an AI agent that handles triage, perform initial investigation on edge cases the agent escalated, do post-mortem analysis on the agent’s quality. Different job. Different skill stack. The 2022 analyst either retrained into the 2026 role or got squeezed out by candidates who never had to do the old version of the work.
This is fine if you’re senior. The senior analyst’s job got more interesting and the pay went up. It is brutal if you’re junior, because the entry-level rung of the ladder is the one that AI ate first. The job that used to be the apprenticeship for tomorrow’s senior is now an AI workflow with a human supervisor. The training pipeline collapsed.
The implication is that the cyber industry in 2031 is going to have a shortage of senior leaders, and the shortage is going to be measured in missing operator experience, not missing certs. The seniors of 2031 are the juniors of 2026 who learned the work hands-on before the work changed. The ones who came in after the change are going to know how to run the agent. They are not going to know what to do when the agent is wrong, because they never had to do the work the agent took over.
I do not have a clean answer for this. Peter Schawacker said don’t chase the money, chase the work you’d do anyway. That’s the individual-level answer. The industry-level answer needs to be a deliberate investment in keeping a junior pipeline alive even when the AI agent is faster, because in ten years we are going to need people who remember how to do the work the AI now does. Some firms will figure this out. Most won’t.
Some roles are going away. Permanently. I’ll name them so we’re not being coy. Tier-one help desk. Junior SOC analyst (the traditional version). Junior pen tester (the rote part of the work). Compliance evidence-collection analyst. Junior threat researcher. Junior detection engineer. The people who hold these jobs today will retrain, get promoted, or get displaced. The job titles will exist on paper for years after the function has moved into the agent stack. Some of those people are going to land well. Some are not.
The honest take is that this is happening to every white-collar profession at once, and cybersecurity is not unique. What is unique to cybersecurity is that the field has a permanent talent shortage and the people getting displaced are still desperately needed somewhere in the stack. The challenge is helping them move from the place the AI took to the place the AI hasn’t reached yet. That’s a real challenge. Most enterprises are going to do it badly.
War and statecraft
I’m going to be brief here because the topic deserves a longer treatment than this article can give and because the people writing about it inside the defense and intelligence community are doing it more thoroughly than I can.
But two points have to be made.
One: cyber warfare is already AI warfare. It hasn’t been announced. There hasn’t been a press release. The major state actors have been operationalizing AI-driven offensive cyber capabilities since at least 2022, and the gap between human-driven and AI-driven operations is now measured in orders of magnitude. The 24-hour attack cycle used to be a tight timeline. It is now closer to a 24-minute attack cycle for some classes of operation. The defender’s clock has to match this or the defender loses.
The implication for the United States, for NATO, for any aligned democracy, is that defensive AI capability is no longer optional. It is a strategic asset on par with the SBIRS satellite constellation or the carrier strike groups. We are funding it like it is optional. That is going to look stupid in retrospect.
Two: autonomous weapons are not Terminator. They are loitering munitions making target-acquisition decisions. They are autonomous swarms coordinating across denied airspace. They are AI-driven targeting systems that pick which person in the convoy is the leader. None of this requires general intelligence. It requires narrow ML systems making narrow decisions, fielded in volume.
This already exists. The Ukraine war has accelerated it by five to seven years. The constraints around using these systems are still mostly diplomatic and political, not technical. The technical capability is here. The norms have not caught up. They may not catch up before the next major conflict, which means we are about to find out how AI-augmented warfare actually plays out in real time. I do not love that timeline.
Cybersecurity is downstream of all of this. The systems being targeted in the next conflict include critical infrastructure. The OT environments your colleagues are defending today are on the target list. This is not paranoia. This is the working assumption every serious OT cybersecurity practitioner has been operating on for two years.
Business risks we’re sleepwalking into
Outside the warfighting domain, the business-side risks are the ones I want most enterprise leaders to think about right now.
Loss of institutional knowledge. Every enterprise has tribal knowledge that lives in twenty long-tenured employees and is documented nowhere. The AI agent that summarizes the documentation does not have access to the tribal knowledge. When those twenty employees retire, get squeezed out, or leave for a competitor, the AI is going to summarize the documented version of how the system works, and the operators of 2030 will treat that summary as ground truth, and the parts of the system that only ran because Frank in plant maintenance knew to whack the third relay with a screwdriver every Tuesday will fail in ways nobody can diagnose. We need to be capturing tribal knowledge now, urgently, before the cohort that holds it is gone. I do not see most enterprises doing this. I see them buying AI tools and assuming the documented surface is the full surface.
Compliance as a black box. Ken Foster’s whole framing on the show is that compliance has to be a business enabler, not theater. AI can make it an enabler at speed. AI can also make it a black box. The auditor asks why a specific control passed in the test, and the answer is the model said so. That answer doesn’t fly with a serious auditor in 2026. It is going to fly less by 2028. Regulators are starting to require explainability for any AI used in compliance decisions, and the enterprises that bolted compliance evidence generation onto a model with no audit trail are going to learn this the hard way.
Vendor lock to a small number of model providers. There are, depending on how you count, somewhere between three and seven serious foundation-model providers in 2026. The infrastructure on which a meaningful fraction of the entire enterprise AI stack depends concentrates to those few. Pricing changes, terms-of-service changes, geopolitical accessibility (China cutting off API access, the EU regulating differently, the US adding export controls) can each disrupt the dependent enterprises in ways the procurement contracts mostly do not anticipate. The CISO who didn’t think about model-provider concentration risk is going to think about it later, under worse conditions, when something disrupts the access.
IP leakage. Clark Liu spent half our episode talking about ring-fencing public LLMs because the public LLMs train on the data fed into them, and the data the average enterprise user feeds into them includes proprietary documents, trade secrets, customer data, and the contents of internal incident reports. The settings to opt out of this exist for the enterprise tiers. The default for the consumer tier is we train on your inputs. Half the workforce is using the consumer tier. The IP that walks out the door this way is the IP that decades of investment built, and once it is in a training corpus you do not get it back.
The boards I’ve been in front of in 2026 are about evenly split between we banned the consumer tier and we don’t know what our employees are using. The second group is bleeding IP and doesn’t know it.
The ���we use AI for everything” trap. Some workflows benefit from AI. Some workflows do not. The pressure on every executive in 2026 is to be seen using AI for everything, regardless of whether it makes the workflow better. The result is a class of organizations adding AI to processes where it slows things down, adds noise, increases error rates, and consumes budget that would have been better spent elsewhere. Vendor pitches encourage it. Boards encourage it. The honest answer (this workflow doesn’t need AI) is hard to give in a meeting where everyone is signaling that AI is the future. Some of the AI rollouts of 2025 and 2026 are going to be unwound quietly in 2027 because they didn’t actually help, and the lesson will be expensive.
OT-specific dangers
The OT side has its own list of failure modes that the IT-side conversation misses.
The LLM giving an operator the wrong setpoint. A controls engineer asks a model what the right gas pressure is for a process step. The model gives an answer that’s plausible, well-formatted, and wrong by ten percent. The operator follows it. The process either fails safe, in which case the loss is downtime, or it fails unsafe, in which case the loss is property, environment, or life. The model didn’t lie. It hallucinated within the confidence bands its training data supported. The operator didn’t know to check because the answer looked right and the operator’s pattern recognition was calibrated for human-written advice, not AI-written advice. This is the OT incident profile we are going to spend the next five years learning to mitigate. It is not theoretical. Two near-misses I am aware of have already happened. They have not been publicly reported. They are coming.
AI-generated as-built docs that diverge from reality. I praised this workflow in Part 1 as the highest-leverage AI win in OT. The risk is that the AI generates documentation that the operators trust more than the physical equipment, because the AI version is cleaner, better-formatted, and arrives faster. The drift between the documented system and the actual system is then no longer a drift between Frank’s memory and the as-built. It is a drift between the AI’s confident summary and the actual physical state of the plant. That is a worse failure mode because the AI’s summary feels authoritative. Mitigations are: ground-truth audits, physical inspection cycles, and a deliberate culture of distrust between the AI documentation and the operators’ eyes on the equipment. Most plants will not do this and they will get bitten.
Predictive maintenance models with poisoned data. The model only knows what it was trained on. If a supplier’s failure data is biased (and it usually is, because suppliers do not love sharing failure data), the model will under-call the failure rate of that supplier’s equipment. The plant will get a false sense of security on the asset that is most likely to fail. The first time this happens at scale, the supplier whose data biased the model will face a lawsuit, and the lawsuit will set the precedent for how the industry treats AI-driven maintenance decisions for the next decade. Get ready for that case.
Self-doc workflows as attacker recon. The AI workflow that documents the plant in detail is the same workflow an attacker dreams of when planning an OT campaign. If the documentation is accessible to anyone outside the engineering team (it usually is), and if the AI is generating complete documentation (it usually is), then the attacker who gains a foothold has just been handed the operator’s playbook in machine-readable form. The defender has to think about what the AI is exposing to the next stage of an intrusion, not just what it is helping with in the current workflow.
These are not edge cases. They are the new operating conditions for OT cybersecurity, and we are early in figuring out how to manage them.
The velocity problem
There is one structural concern that I think the manifesto under-weights and that needs its own section.
Marc Andreessen writes that any deceleration of AI will cost lives, and he is making a serious argument. The argument is that AI’s positive use cases (medical, scientific, productivity) save more lives in expected value than its negative use cases destroy. If you decelerate to avoid the negative, you delay the positive, and the delay has a body count.
I take the argument seriously. I think it’s roughly right about the long-run average. I also think the argument has a subtle error, which is that it conflates deceleration (slowing down) with deliberation (thinking before acting).
You can accelerate AI adoption while still deliberating about how to deploy it responsibly. You can deploy AI in cybersecurity while building the governance layer that catches the failure modes I described in this article. You can move fast on the tooling and still be careful about the trust architecture.
The Peter Schawacker framing on the show was exactly right. GRC has to accelerate AI adoption, not brake it. GRC done well speeds the adoption up by making the safe path the default path. GRC done badly is the brake Andreessen warns against. The choice is not between adopting fast and adopting carefully. It is between adopting carefully-and-fast versus adopting fast-and-recklessly, and the second one is what we are mostly doing in 2026.
The cost of fast-and-reckless is paid by the customers, the employees, and the society that has to live with the failure modes we shipped at speed. That is the deceleration argument inverted. We are decelerating the careful adoption while we accelerate the reckless adoption. The body count of that combination is going to be ugly.
What to think about now
I’ll close with what I want every leader reading this to think about this week, not later this year.
Build an AI threat model for your organization. Not the generic vendor version. The version specific to your business, your data, your employees, your adversaries. What can the attacker do with AI against you that they couldn’t have done in 2022? Where are you exposed in a way that an attacker with AI exploits before you can close? What are your most plausible “near miss” scenarios? Write them down. Walk them through with your team. Update quarterly.
Rebuild your identity and access management for the agent era. Ken Foster has been talking about this for two years and the field is finally catching up. Identity is no longer a human problem. You have AI agents that take actions on behalf of users, that need credentials, that get phished, that have to be deprovisioned, that have to be audited. The IAM stack you built for humans does not handle this gracefully. The IAM stack you build for the next five years has to handle agents as first-class principals. If your IAM team is not in the loop on AI deployments, fix that.
Extend the mutual-distrust pattern to AI agents. Clark Liu talked about the dual-firewall era in OT and the mutual-distrust pattern between IT and OT firewalls run by different teams. The same logic applies to AI agents. You should not trust the agent the way you trust the senior engineer. You should not let the agent take actions that a senior engineer would only take with peer review. You should not let the agent operate in domains where its failure mode is invisible. Build the distrust into the architecture, not into a policy that nobody reads.
Govern training-data sovereignty. Every model your enterprise touches has a training-data origin, a usage policy, and a leakage profile. Know all three for every model you let employees use. Block the ones that train on your inputs by default. Allow the enterprise-tier accounts that don’t. Make this a procurement requirement, not a security suggestion.
Plan for vendor concentration. Identify your model-provider dependencies. Have a backup. Run periodic tabletop exercises on what do we do if our primary model provider has a 24-hour outage, gets sanctioned, doubles their pricing, changes their terms? If your business runs on one model, you have the same single point of failure you would have had if your business ran on one cloud provider in 2016. Don’t.
Invest in the junior pipeline. I do not have a clean policy answer here, but every CISO has a small policy answer. Keep a few junior roles where the AI does not do the work. Force the juniors to do the work the old way for a while, even when the AI could have done it faster. This is expensive. It is also the only way you have senior operators in 2031 who actually know what the AI is supposed to be doing.
Capture tribal knowledge while the people who hold it are still here. Hire someone whose job is to extract it. Pay them well. Sit them next to the longest-tenured engineers. Have them generate the documentation that the AI will eventually summarize, but make sure the documentation is complete before the AI gets it, because if the documentation is incomplete the AI’s summary is going to be confidently wrong forever.
Build a deepfake response playbook. Specifically. The wire-fraud version. The press-release version. The CFO call version. The HR-impersonation version. Run the tabletop. Drill the team. Find out which of your verification protocols actually work against synthetic media. Most don’t.
The honest closing
Part 1 of this series is true. AI is a generational gift to defenders, to operators, to the people doing this work. The wins are concrete and they are already shipping.
Part 2 is also true. The same gift is a weapon the wrong way around. The trust collapse is real. The career disruption is happening. The OT failure modes are coming. The state-level conflict is already escalating. The business risks are being underweighted.
Holding both at the same time is the job. The techno-optimist case is the right one as a default posture. The cautionary case is the right one as the work we have to do alongside the optimism.
The defenders who win the next decade are going to be the ones who lean into the optimism and take the caution seriously. Not one or the other. Both, every day, with discipline.
Don’t sit it out. Don’t go all-in without thinking. Get in, think hard, deploy carefully, govern aggressively, and keep an eye on the parts you can’t easily see.
The future is going to be exactly as good or as bad as we make it.
Let’s go make it good.
Aaron Crow is the host of PrOTect IT All, a podcast on cybersecurity, OT, and the people doing the work. Recent episodes referenced: EP107 with Peter Schawacker, EP106 with Clark Liu, EP105 with Ken Foster. Read Part 1: The Promise if you missed it. Connect on LinkedIn.