Select Page

Every conversation about AI risk eventually reaches the exotic scenarios: model manipulation, adversarial attacks, agents behaving in unintended ways. Real topics. But I keep dragging our conversations back to something far less interesting, because the boring truth is this: AI raises the price of every basic security failure we’ve been tolerating for years.

Most organisations have survived on a hidden subsidy. Attacking at scale used to require human effort. Social engineering meant humans crafting emails, researching targets, working the phones, so attackers rationed their effort and most organisations, statistically, weren’t worth it. That rationing is over. What once needed a team now needs a prompt: persuasive, personalised, well-researched attacks, in bulk, in any voice. Businesses haven’t been secure. They’ve been lucky, and the luck was priced in manual effort that no longer applies.

Against that backdrop, look at the hygiene sheet we’ve all talked about forever. Phishing rates that organisations have quietly accepted at ten per cent, that acceptance now needs to end, and yes, I’d make repeat failure a performance conversation. Leavers and internal movers whose core account gets disabled while dozens of SaaS logins linger for weeks. Suppliers with remote access that bypasses every control we impose on our own people. Lazy integrations, the service account with broad privileges that “we’ll tighten later”, wired straight into core systems. Flat networks. Patching debt. Unclassified documents, and without classification, no tool can apply the right controls, AI included.

Nothing on that list is news. That’s my point. And there’s a compounding factor: as we deploy agents with access to systems and data, every one of those weaknesses is inherited by things that operate at machine speed. Access control stops being an audit finding and becomes the blast radius of your AI program.

The uncomfortable question for boards isn’t “what’s our AI security strategy?” It’s older and plainer: why, after all these years, are the basics still not right, and what does that cost us now that the attackers have agents too?

Get the hygiene right, or pay a price that just went up.