Artificial intelligence is not new to cybersecurity. This sector is one of the first to adopt artificial intelligence. For many years, defensive cybersecurity has relied on machine learning to identify anomalies, detect patterns, and respond to threats with speed and accuracy beyond any human ability. What is new is the speed, scale and accessibility of AI, and the way it is reshaping not only our defenses but the nature of cyber risks themselves.
On April 7, Anthropic shocked industries when it announced that its latest model, Claude Mythos, was too powerful to be released publicly due to its exceptional ability to identify and exploit software vulnerabilities. Instead, the company chose to provide controlled access to select companies, including JPMorgan, Apple, Nvidia, and Google, to bolster their cybersecurity defenses. The move highlights a growing reality that the same systems designed for protection can easily be weaponized.
The uncomfortable truth is that while AI is accelerating both offensive and defensive capabilities, threat actors are proving just as innovative, if not more so. Technology alone will not be able to bridge the capabilities gap. Instead, leadership, talent generation and training need to keep pace with this revolutionary shift in technology.
The new crime: faster, smarter, more personal
For decades, cyberattacks have followed a familiar pattern. Phishing emails were often clumsy, full of grammatical errors, and relatively easy to spot. Think of the infamous “Nigerian Prince” scam. This era is over.
Artificial intelligence has radically changed the precision and economics of cybercrime. It allows bad actors to operate with unprecedented speed and sophistication. Cyberattacks have always been, in part, a numbers game, like trying every door and window in the neighborhood until one opens. AI simply allows attackers to try exponentially more doors at near-light speeds. It also serves as a force multiplier for low-skilled actors, simplifying the creation of malware and phishing campaigns and enabling ransomware-as-a-service business models.
At the same time, cyberattacks have become much more sophisticated. Today’s phishing campaigns are no longer generic; they are highly personal. AI tools extract vast amounts of publicly available data from social media profiles, company websites and professional bios, and use that information to craft messages that convincingly emulate colleagues, family members or trusted organizations. The result is a new class of cyber threats: one that is more frequent, more scalable, and more believable.
Even small details are important. Recently, my husband received what appeared to be a legitimate fraud alert from his bank. Only upon closer inspection did he realize that it used American spelling in a letter from a Canadian bank. This subtle discrepancy was the only evidence that it was a scam. He investigated directly with the bank, and the suspicion was confirmed. But in an environment of increasingly refined deception, these clues are disappearing.
The friction problem
This immediacy points to another problem. Organizations have spent years refining seamless, frictionless digital experiences. We are conditioned to click, agree, and move quickly. But when it comes to cybersecurity, friction is often the safeguard, not the enemy.
Multi-factor authentication, verification prompts, and transaction delays are seen as inconveniences. In reality, they are intentional pauses designed to interrupt automated or impulsive behavior and help users, whether human or machine, verify actions. AI-driven threats exploit exactly what frictionless systems enable: speed without reflection.
As cyber risks evolve, individuals and organizations need to rethink their relationship with convenience. Slowing down, questioning the message, checking the order, and pausing before clicking are some of our most effective defenses.
Skill transformation happens in real time
While much of the conversation around AI in cybersecurity focuses on threats, there is an equally important shift happening within the workforce. AI is rapidly being integrated into daily workflow, changing not only how work is done, but also the skills required to do it.
In the field of cybersecurity, this shift is particularly evident. Tasks that were once the domain of entry-level analysts — such as monitoring alerts, identifying patterns, and triaging incidents — are increasingly being automated by AI-powered tools. On the surface, this is a positive development. It allows organizations to operate more efficiently and frees talent to focus on higher-value work.
But it also raises a critical question: If basic tasks are automated, how can future professionals build the essential skills needed to advance? Does the baseline need to shift? Do we need to maintain any of these skills? The challenge is becoming more pressing as organizations continue to deploy powerful systems such as those capable of identifying vulnerabilities at scale, as highlighted by the Claude Mythos announcement. Cybersecurity offers a particularly clear lens on this challenge. When entire layers of entry-level experience begin to disappear, traditional career paths collapse.
Without intentional intervention, we risk creating a generation of professionals who are fluent in using tools but who lack the basic knowledge to use them critically.
The illusion of intelligence
This challenge is further exacerbated by a growing tendency to overestimate what artificial intelligence actually is. Much has been written about AI hallucinations, but to really understand them, we need to think about how these systems work. Today’s models are powerful, but they are not human. They don’t think the way we think; they identify patterns in the data and predict the most likely sequence of outputs based on what they have seen before.
AI can assist, accelerate and enhance, but it cannot replace human judgement. While AI systems may contain all the data related to a given situation, qualities such as context, empathy, and nuanced understanding remain distinctly human. However, many organizations are deploying AI tools at scale without adequately preparing their workforce to use them critically.
This strongly highlights the issues surrounding the safe and secure use of this technology. AI is not infallible. There are many examples of bias or model skew, as well as intentional prompt manipulation that can lead to unintended outcomes that tend to cause more harm than good. The result is a sharp and urgent gap: we rely on AI more than ever, but we are not necessarily better informed about how to use it safely, securely, and effectively.
A leadership gap in the making
These shifts point to a broader issue that has been part of industry discourse for more than a decade: cybersecurity is not just a technical function. It is a strategic, organizational and human challenge. This requires a kind of leadership that goes beyond simply enhancing technical expertise.
Although technical expertise is important, it is no longer sufficient on its own. Leaders should aim to understand artificial intelligence, systems thinking, data management, human behavior, organizational environments, and organizational change simultaneously. They must be able to ask not just “Can we implement this technology?” but “Should we, and how do we do it safely and responsibly?”
At the same time, they must deal with an overworked workforce. Employees are being introduced to an increasing number of AI tools, often without clear guidance, while also grappling with fears of job displacement. Tool fatigue is real, and without proper support, it can lead to misuse or disengagement.
In many organizations, these leadership capabilities are still emerging. The result is an ever-widening gap between the pace of technological change and the readiness of those charged with leading that change.
Rethinking talent for an AI-driven future
Addressing this gap will require a radical rethink of how talent is developed. First, we must embrace the idea of lifelong learning, not as a slogan but as a necessity. The pace of change in AI and cybersecurity means that static skill sets quickly become outdated. Continuous education, upskilling and reskilling must be integrated into the fabric of organizations.
Second, we need to create new pathways for skills development. If traditional entry-level roles are evolving or disappearing, we must define a new baseline of essential skills and design alternative ways for professionals to gain the experience they need. This should include learning in simulated environments, training or rotation programs or work-integrated learning models that combine theory and practice.
Third, organizations must invest in empowering their employees, not just in deploying tools. This means providing clear policies, guidance, training and governance frameworks that help employees use AI safely, responsibly and effectively.
Finally, cross-sector collaboration is crucial. The challenges posed by AI and current and emerging cyber risks do not fit neatly into any one domain. Partnerships between industry, government and academia will be essential to build the talent pipelines and knowledge ecosystems needed to keep pace with progress.
The way forward
None of this is an argument against artificial intelligence. AI has enormous potential to enhance cybersecurity, improve efficiency, and unleash new capabilities. But, like any powerful tool, its impact depends on how we use it.
The organizations that succeed in this new landscape will not be those that embrace AI the fastest, but those that embrace it most wisely, balancing innovation with control, speed with intent, and automation with human judgment.
Cybersecurity has always been about staying one step ahead of the threat. In the age of artificial intelligence, this step is no longer just technological; it is human. Closing this gap will be critical to maintaining our digital resilience into the future.
Judith Ports is a Senior Director at Rogers Cybersecurity Catalyst, the national center for cybersecurity training, innovation and collaboration at Toronto Metropolitan University.
