IT Brief Canada - Technology news for CIOs & IT decision-makers
Canada
AI does not invent cyber risk, it accelerates it

AI does not invent cyber risk, it accelerates it

Wed, 1st Jul 2026 (Today)
Morey J. Haber
MOREY J. HABER Chief Security Officer BeyondTrust

The latest warning from the Five Eyes intelligence alliance should not be interpreted as routine government advisory. It should be considered a strong acknowledgement that the pace of cybersecurity conflicts has fundamentally changed, and organisations no longer have years to defend against artificial intelligence driven attack vectors. They may only have weeks and some cases, days.

For cybersecurity professionals, this should not come as a surprise. Threat actors have always been early adopters of automation and filtering targets from noise. From phishing kits to ransomware as a service, cybercrime syndicates consistently embrace technologies that reduce cost, improve obfuscation, increase scale, and improve success rates. Artificial intelligence simply represents the next evolution of that business model and AI enabled malicious tools.

However, the greatest misconception surrounding AI originated cyber-attacks is that they will be fundamentally different from today's threats. In reality, they will exploit the same old weaknesses that defenders have struggled with for decades:

  • Unpatched vulnerabilities that can be exploited at scale with AI
  • Stolen credentials with excessive privileges that are phished via techniques like social engineering 
  • Exposed systems that are misconfigured or running vulnerable default 
  • Stolen credentials
  • Shadow IT, unsupported infrastructure, or end of life assets that have are vulnerable due to incomplete management and monitoring.

With these attack vectors in mind, AI merely compresses the timeline between discovery and exploitation while increasing the number of targets an adversary can pursue simultaneously using automation.

That is why the Five Eyes recommendation to strengthen foundational cybersecurity practices is so important. These recommendations include:

  • Secure by design for all development activities. Security should be an active part of all new and in process development initiatives.
  • Security updates and patching service level agreements (SLA) need to decrease to hours and days, not weeks and months, to accommodate the rapid exploitation techniques available with AI.
  • The overall reduction of attack surfaces needs to be prioritised based on risk and exposure based on real world threats.
  • Organisations should eliminate legacy systems and end of life technology that represents a liability and has poor mitigation controls such as segmentation.
  • Implementing identity security controls for human, non-human, and artificial intelligence to ensure a compromised identity does not lead to a game over event. 

While these recommendations are often postponed in favour of the latest security product or fashionable technology, they should be reprioritised first to meet the challenges of offensive AI. Why? Because history repeatedly demonstrates that threat actors succeed because organisations neglect the basics and revisiting the basics and doing them exceptionally well is crucial defending against these threats. 

Out of this list however, identity security deserves particular attention in this new threat landscape and is the latest defensible strategy all organisations should embrace. AI powered threat actors will not magically bypass every defense. Instead, they will identify the easiest path to privilege access. Every over permissioned account, dormant administrator credential, shared password, and unmanaged service identity becomes a shortcut for automated exploitation. Least privilege is no longer simply a compliance objective and it is becoming one of the few scalable mechanisms capable of limiting AI accelerated lateral movement. After all, it is much easier for a threat actor to simply login, verse hack in.

Equally concerning is the shrinking window for defenders to respond. Security teams traditionally relied upon human analysts to review alerts, investigate anomalies, and determine whether activity represented malicious behaviour. AI changes that equation. A threat actor operating autonomously can enumerate environments, generate exploits, adapt techniques, and pivot across networks in seconds rather than hours. Human only security operations centres (SOCs) will notably struggle to keep pace with this acceleration.

Fortunately, the solution is not to reject AI but to embrace it responsibly as a defensive solution. The same technologies that automate reconnaissance can automate vulnerability management and the same reasoning engines that generate attack paths can identify toxic privilege combinations before a threat actor discovers them. AI can assist with threat hunting, code analysis, anomaly detection, and incident response, enabling defenders to operate at machine speed rather than human speed as a counter response.

This creates an interesting paradox. Organisations uncomfortable with deploying AI internally may inadvertently handicap themselves against adversaries who have no ethical reservations about using it against you. Choosing not to adopt defensive AI does not prevent offensive AI from appearing at the front door.

Boards of directors should also pay attention to the language in the Five Eyes statement. Cybersecurity is no longer portrayed as merely an IT issue but as a core business responsibility. That distinction matters because operational resilience, shareholder confidence, regulatory obligations, and brand reputation increasingly depend on an organisation's ability to withstand cyber-attacks rather than simply prevent them. Breaches will occur and the competitive advantage belongs to organisations that contain and recover from them quickly verses becoming a victim and the front page of tomorrow's newspaper

The conversation should therefore move beyond whether AI is dangerous. Every transformative technology carries inherent risk. The more relevant question is whether organisations are adapting quickly enough to manage that risk, and too many security programs still operate according to annual or quarterly planning cycles. Defenders need to adapt to these timeline changes

The Five Eyes warning should serve as a catalyst for executive action rather than anxiety. Organisations should ensure that they are inventorying critical assets, remove unnecessary exposure, patch aggressively, eliminate standing privileges, modernise identity governance and security, exercise incident response plans, and, most importantly, leverage AI to strengthen defence before threat actors leverage it more effectively against you.

AI did not create new cybersecurity weaknesses. It simply exposes them faster, exploits them sooner, and scales them farther than ever before. The organisations that thrive in this new era will not necessarily be those with the largest security budgets, but those disciplined enough to master the fundamentals while intelligently augmenting them with automation and artificial intelligence in defence.