Increasingly, organizations are asking whether artificial intelligence (AI) constitutes a new security risk. The short answer is: yes and no.
AI can accelerate processes, analyze large amounts of information, and recognize patterns that take humans more time to discover. What AI generally does not do, however, is create entirely new vulnerabilities in existing software. It primarily exposes more quickly what was already there.
AI as a mirror
This sometimes creates the impression that AI is an entirely new threat that organizations need to defend themselves against. In practice, AI often functions more like a mirror. A mirror that can be confronting when security has not received the attention, time, or resources it required in the past.
Secure software does not suddenly become insecure because of the arrival of AI. Vulnerabilities identified by AI were generally already present and, in many cases, would eventually have been discovered manually. The difference lies mainly in the speed and scale at which these weaknesses can be brought to light.
AI in information security is not new
Within information security, AI has been used for many years, both offensively and defensively. This often involves specialized forms of machine learning and automated analysis systems, not exclusively the current generation of Large Language Models (LLMs).
What has changed in recent years is accessibility. Advanced techniques have become available to a much larger group of users and have also been integrated into an increasing number of security and attack tools. As a result, both attackers and defenders can work more efficiently.
The cost of technical debt
In a sense, offensive AI presents the bill for poorly designed software. This becomes particularly apparent in solutions where compromises have been made under time pressure, security measures have been postponed, or regular maintenance has been neglected for extended periods.
When organizations have historically cut back on development time, code quality, security testing, or maintenance, AI can help expose these existing shortcomings more quickly. Not because AI is the cause of the problem, but because the underlying vulnerabilities were already present.
The defense accelerates as well
The same development also works to the advantage of defenders. AI can be used to analyze source code, identify configuration errors, detect anomalies, and perform security audits more efficiently. As a result, organizations can gain insight into their risks more quickly and on a larger scale, allowing them to take more targeted measures.
The technological acceleration therefore applies to both sides. The attack becomes more efficient, but so does the defense.
The advice does not change
Current developments are, in a sense, comparable to the changes that quantum computing will cause in the future. New technologies undoubtedly bring challenges, but those same technologies will also be used to address those challenges.
There is, however, an important difference. AI cannot expose vulnerabilities that do not exist. Quantum computing, on the other hand, presents a different type of risk because encrypted data that has already been intercepted today may still be decrypted in the future. This is known as the 'harvest now, decrypt later' principle.
For organizations, the fundamental advice therefore remains unchanged: invest in carefully designed software, ensure that custom solutions are developed and maintained properly, minimize attack vectors, and segment systems in such a way that an incident cannot spread uncontrollably.
For most existing systems, AI is not a new security problem. It primarily increases the speed at which existing weaknesses become visible. Ultimately, that is not a reason to fear AI, but rather a reason to critically evaluate the technical decisions that have been made in the past.