The coming years will be some of the most interesting in cybersecurity history.
Two trends are on a collision course:
Attackers are adopting AI to find and exploit vulnerabilities at a speed and scale we have not seen before.
Meanwhile, many companies are racing to deploy AI in their products and systems, often without taking the time to understand what running AI securely actually requires, or what is realistically possible to secure today.
And there is a bitter irony in the middle of it. While most companies are still trying to figure out practical use cases for AI and how to actually make money with it, cybercriminals have already found theirs. They are highly motivated, well organized, and improving their hacking tools every single day. You don’t get attacked because you were targeted, but because you were easy.
What worries me is not the technology. It is what sits underneath it.
Most people, even inside the industry, cannot imagine how bad the real state of the IT ecosystem is right now. Unpatched systems everywhere. Legacy platforms nobody maintains. Vulnerability management reduced to a checkbox. People who were never trained for the threats they face.
And this is not limited to one corner of the market. It runs through the entire ecosystem: software vendors, software developers, MSP and MSSP service providers, cloud service providers, security product vendors, and companies across every industry that have seen security as a cost instead of a foundation.
Even security companies do not properly test their own products before shipping them. Service providers do not do everything they could to secure the services their customers depend on. Many do not even have enough people to maintain their systems properly, because headcount was always the first thing to cut. And many engineers were never trained for the systems and threats they are responsible for, because training people is a continuous cost, and continuous costs are exactly what this management style eliminates first.
And here is the part that should make everyone in this industry uncomfortable. Many of the vulnerabilities that AI tools will “discover” in the coming years are not new at all. They are already known. Security researchers reported them to software vendors years ago. Developers inside those companies have known about them all along, but they never got permission to spend time fixing them, because developing new features was always the priority and maintaining old ones never was. System administrators reported vulnerabilities internally, again and again, but never got the resources to fix them, because management saw money as the goal and maintenance as a cost standing in its way.
So when an AI powered attack lands, in many cases it will not exploit something nobody saw coming. It will exploit something that has been sitting in a backlog, a ticket queue, or an ignored email for years.
And here is the important part: none of this happened by accident.
These were deliberate management decisions. For decades, the primary goal has been maximizing shareholder value, not the quality of products and services, and certainly not the proper maintenance of legacy systems.
Underneath it all sits a fundamental mismatch in mindset. Business runs on short term goals and short term gains. Security is a long term investment, the kind that pays off by nothing happening. So the default strategies became simple:
“When it happens, we will deal with it.”
“Nobody will ever find out anyway.”
And the most honest one of all: “By the time this comes out, I will have already moved on to a higher position.”
All three relied on the same quiet assumption: that there would be time.
That time is gone.
AI powered attackers will stress test all of those decisions at once. Organizations that invested in real security culture will adapt. Organizations that invested in the appearance of security will be exposed, along with the gap between what they promised customers and what they actually delivered.
The vulnerabilities were always the symptom. The decisions behind them were the disease.
The question for every leader right now: which side of that line is your organization on?