AI security doesn’t require a brand-new architecture

The rapid adoption of artificial intelligence has thrown cybersecurity principles into disarray. The direct linking of models to business data, the emergence of thousands of invisible AI agents, and the unstoppable wave of “Shadow AI” are creating blind spots in virtually every IT infrastructure. Yet the situation is far from hopeless. How do you weather this technological storm? And how do we ensure that security, governance, and the exponentially rising costs remain manageable? We discussed this in a roundtable with experts from ManageEngine, Nutanix, Okta, Thales, TrendAI, Veeam, and Zscaler.

In the first article we published following the roundtable discussion, it became clear that AI has a significant impact on security. The shift in the adoption of this technology, in particular, underscores this point once again. In the early days of the generative AI hype, the prevailing sentiment was one of hesitation and a desperate attempt to block its adoption. However, the market is now adopting a more mature approach.

As a result, the focus is also shifting from simply detecting threats to facilitating business operations, without putting the company’s crown jewels on display. Remarkably, the answer to the AI security puzzle does not lie in completely new, magical solutions, but in a radical reassessment of the fundamentals.

Back to the basics

Despite the speed and complexity of AI, several experts at the table warn against reinventing the wheel. After all, the fundamental rules of IT security haven’t changed. Edwin Weijdema of Veeam sees a clear parallel with previous technological shifts. “The security principles remain the same, whether we’re moving to the cloud or embracing AI: least privilege, secure by design,” Weijdema states emphatically. However, he notes that reality is more stubborn. “We’re seeing the same rush with AI as we did back then with the cloud. People are rolling it out without thinking about security or who should have access to what. We’re still in the development phase, where an engineer is asked how many resources he needs, and the answer is invariably, ‘everything you can give me.’ That’s obviously not sustainable from a cost perspective. As AI matures, we’ll see its use become more targeted and efficient. You want to use applications with built-in AI to truly accelerate processes, rather than wasting unlimited resources on random experiments.”

Four men sit around a table in a meeting room with notebooks, glasses, and drinks, while one person speaks and the others listen and take notes.
From left to right: Bart Herps and Albert Kramer

Rob Sanders of Okta also believes that the solution starts with good old-fashioned, solid management, in other words, cyber hygiene. This is especially true for autonomous systems. “We need to go back to basics,” Sanders emphasizes. “Take autonomous AI agents, for example. As with an employee who leaves the company, you must revoke access rights immediately when the agent is no longer in use. Governance surrounding these entities is crucial; deprovisioning prevents a dormant agent from being misused in the future.” According to Sanders, organizations don’t need to panic about a lack of resources. “What’s truly encouraging is that we’re building on a foundation that’s already in place. AI doesn’t operate in a vacuum. It relies on the API economy, modern authentication protocols, network signals, and advanced endpoint detection. The tools are all there. The next step is for us, as security vendors, to further integrate our signals and insights in real time. We can no longer wait for a SIEM or SOC team to analyze a log file.”

Fighting fire with fire

That need for real-time integration brings the conversation to a crucial point: the scale and speed of modern threats. Because attackers are using AI to automatically scan networks and write code, the traditional approach of manual patching and response is a thing of the past. Albert Kramer of Zscaler argues that it’s time to shift our perspective. “I think we’ve been pretty pessimistic about the threats posed by AI so far, but we mustn’t forget that it also gives us a huge advantage,” he clarifies. “We used to receive fifteen vulnerabilities a week; now there are thousands. Manual patching at that pace is simply impossible. We need to rely on AI to detect those same vulnerabilities for us and immediately isolate them from the outside world. This can be done through virtual patching or automated response. If a vulnerability is found in an application tonight, AI can immediately block that connection or minimize access until a permanent patch is available. That’s the shift from reactive to proactive security at machine scale.”

Bart Herps of TrendAI adds that AI is indispensable for seeing the forest for the trees, especially now that employees are generating applications en masse using AI coding tools. “These days, it’s all about the speed at which new things are created. We’re seeing hundreds of new applications added daily at some organizations,” Herps explains. “It’s impossible to check all of that manually anymore. That’s why it’s essential that we use AI to make the entire threat landscape visible. You need insight into all individual risks: a device accessible from the internet, a misconfiguration, or a vulnerable account.” According to him, AI can identify the interrelationships between all these individual vulnerabilities and dynamically adjust the network layer. This shifts the defense toward attack path prediction: rapidly predicting and blocking the path an attacker will take before the chain reaction can even begin.

Three men sit at a conference table with bottles of water, glasses, and a vase of flowers; shelves and a window are visible in the background.
From left to right: Edwin Weijdema, Stephan Wibier, and Praveen Das

Governance at speed

As defense at the network layer becomes automated and accelerated, the policy department cannot fall behind. A common frustration is that innovation teams have to wait weeks for approval from the security board before they can deploy a new AI model into production.

Praveen Das of ManageEngine advocates for a radical acceleration of this process. “Given the tremendous speed of AI, we need to bring governance up to that same pace,” he warns. “Today, we still often see governance treated as a slow, bureaucratic process. You request permission, you wait six weeks, and a committee gets involved with follow-up questions. That no longer works. We need to move toward an infrastructure where policy and ethics are embedded in code, so that governance moves just as quickly as the operation itself.”

Das explains that his company reduces risk internally by making strategic architectural choices. “In addition, we place a strong emphasis on eliminating dependencies. By training our own, specialized language models that focus purely on our IT use cases, we not only eliminate unnecessary risks associated with external parties, but we can also integrate the AI securely and at no cost for our customers.”

The human factor

Even with perfect virtual patches, flawless deprovisioning, and rapid “policy as code,” the human employee remains the most important (and most vulnerable) link. While we’ve spent years training employees not to click on phishing emails, the AI era demands a completely new form of awareness.

Steven Maas of Thales is very firm on this point. “In addition to technology, user education is crucial,” he notes. “Just as we used to train employees to recognize phishing, we now need to train them to interact safely with AI. At Thales, we conduct weekly training sessions on which tools are and aren’t permitted. We also use our own technology to prevent critical business data from becoming visible to just anyone and potentially leaving the company. People will always find ways to circumvent restrictions, so if you don’t provide them with proper guidelines and education, you’re taking major risks. In addition, I expect external integrators and consulting firms to play an increasingly important role. After all, implementing the right frameworks for an SME is completely different from the approach taken by larger companies in sectors such as finance or tech.”

Two people sit at a table, talking during a meeting; notebooks, drinks, and devices lie on the table, and plants stand in the background.
From left to right: Steven Maas and Rob Sanders

The cost of AI

During the conversation, an often-overlooked aspect of AI security is also addressed: the harsh economic reality. Training, fine-tuning, and querying models (inference) require an incredible amount of computing power, and therefore money. The major tech companies initially lured the market with unlimited access, but are now tightening the screws with token-based billing models. Securing AI, therefore, means not only protecting data but also protecting the IT budget.

Stephan Wibier of Nutanix believes that good architecture is the key to both security and affordability. “I’m very optimistic about the future because the AI landscape is being built on top of existing platforms,” he says. “The public cloud and many on-premises infrastructures have a very robust foundation these days. This means we’ve actually already got a significant portion of AI security under control at the platform level. We need to realize that we can’t solve this on our own. No single player has all the answers.”

He adds that companies can significantly reduce costs with smart hybrid models. “We need to manage the costs of AI adoption wisely. With an AI gateway, for example, you can route traffic based on economic considerations. That way, 30 percent of your computations can go to the public cloud, while 70 percent can run on your own, less expensive on-premises hardware. This makes AI not only secure but also affordable.”

Collaboration is the only way forward

The tone toward the end of the roundtable discussion is surprisingly optimistic. The panic phase seems to be slowly coming to an end. Organizations realize they don’t need to reinvent the wheel; they just need to adjust the settings of their existing security solutions.

The common thread in all the proposed solutions? Siloed thinking must be broken down. A modern security challenge involving AI cannot be solved by purchasing a single specific tool. It requires orchestrating network monitoring, identity management, data encryption, and robust governance. Vendors must enable their systems to communicate with one another via standardized protocols, and internal departments, from the CISO to developers and the boardroom, must be able to collaborate in real time.

The resources, from zero-trust architectures to advanced API integrations, are essentially already in place. It is now up to organizations and the industry as a whole to deploy these tools and fight fire with fire. Only then will AI transform from a vulnerability into the ultimate line of defense.