There is a moment in every technological shift when the conversation changes from optimism to consequence. Artificial intelligence has now reached that point in cybersecurity.
For years, enterprise leaders treated cybersecurity as a technical function delegated to infrastructure teams, compliance officers, or external consultants. AI was viewed separately, often as an innovation initiative owned by data teams or product organizations. But this week’s AI After Work (AIAW) Podcast Episode 183 revealed in a compelling discussion with cybersecurity expert and author Åsa Schwarz , those worlds are no longer separate. AI is now fundamentally reshaping both the defensive and offensive sides of cybersecurity, and many organizations are still operating with assumptions built for a completely different era.
Schwarz brings an unusually multidimensional perspective to this conversation. As CEO of Aranya Consulting, board member of Precise Biometrics and Enea, long-time cybersecurity strategist, and acclaimed crime fiction author, she combines technical expertise with an ability to explain systemic risk through storytelling. That combination matters because cybersecurity has become difficult to communicate to executive teams. The threats are abstract, fast-moving, and increasingly invisible until damage has already occurred.
One of the most important observations from the discussion was Schwarz’s definition of cybersecurity itself. Rather than framing it as merely protecting systems from hackers, she described it more pragmatically: cybersecurity is ensuring that a company can continue functioning even when something goes wrong or someone actively tries to compromise it. That distinction is critical. It shifts cybersecurity from a perimeter-defense mindset toward organizational resilience.
This transition is becoming urgent because AI dramatically changes the economics of cyberattacks. Historically, sophisticated attacks required highly specialized expertise. Today, generative AI lowers the skill threshold for attackers while simultaneously increasing the scale and speed of exploitation. Schwarz described a future in which attackers no longer need deep expertise because AI systems can automate discovery, exploitation, and even operational execution.
That is the strategic shift many organizations still underestimate. 
The conversation around AI often focuses on productivity gains, copilots, and workflow automation. Those developments are real and transformative. But the same technologies accelerating enterprise efficiency are also accelerating adversarial capability. Cybersecurity is therefore becoming the first major enterprise function where AI creates simultaneous exponential value and exponential risk.
The implications are profound.
Why AI Changes the Threat Landscape Completely
One of the clearest examples discussed during the episode was the emerging capability of AI systems to identify software vulnerabilities at scale. Schwarz referenced the widely discussed “Mythos” scenario, where highly advanced AI systems were reportedly capable of discovering zero-day vulnerabilities dramatically faster than traditional security research methods.
Whether specific implementations ultimately match the claims is almost secondary to the broader point. The trajectory is already visible. AI models are becoming increasingly capable of code analysis, exploit generation, vulnerability discovery, and automated testing. Security researchers at organizations like Google DeepMind, Microsoft Security, and Anthropic are actively exploring how large language models can improve defensive security operations. At the same time, governments and researchers increasingly warn that these same capabilities can be weaponized.
The danger lies not only in finding vulnerabilities faster, but in automating the entire offensive workflow. Schwarz highlighted an especially concerning evolution: AI systems that not only identify vulnerabilities but also generate working exploits. That dramatically lowers the barrier for cybercriminals. Previously, exploitation required specialized expertise and time. AI compresses both requirements.
This changes the asymmetry between defenders and attackers.
Defenders must secure everything. Attackers only need one successful entry point.
Historically, many organizations survived because attackers targeted the easiest systems first. Legacy infrastructure hidden deep inside organizations often escaped attention simply because exploiting newer, more exposed systems was easier and more profitable. AI changes that calculation. Schwarz made an important point about “security through obscurity” no longer being viable in an AI era.
An AI system does not get tired. It does not lose interest. It does not prioritize only familiar technologies. It can continuously analyze forgotten systems, outdated software, proprietary architectures, and old industrial infrastructure until it discovers exploitable weaknesses.
That is particularly concerning for Europe.
Many European enterprises and public institutions still operate complex legacy environments built over decades. Critical infrastructure sectors including healthcare, transportation, manufacturing, and utilities frequently depend on aging systems that cannot easily be replaced. AI-enabled offensive capabilities expose these environments in entirely new ways.
This is one reason why cybersecurity conversations are increasingly moving from IT departments into boardrooms.
The Failure of Treating Cybersecurity as an IT Problem
One of Schwarz’s strongest arguments during the episode was that organizations fundamentally misunderstand cybersecurity governance. Too many companies still treat cybersecurity as a technical implementation issue rather than a core business capability.
That mindset may have been survivable a decade ago. It is not survivable now.
AI adoption is accelerating across every enterprise function. Marketing teams use AI tools. Developers use AI coding assistants. Finance teams experiment with automation. HR departments deploy AI-driven workflows. Procurement organizations evaluate AI-enabled vendors. In many cases, these decisions occur outside traditional IT oversight.
This creates a fragmented risk landscape where organizations adopt AI faster than they establish governance structures.
Schwarz pointed out that cybersecurity and legal teams are too often brought into innovation projects late in the process, typically after strategic decisions have already been made. By then, business incentives make it difficult to slow deployment, even when risks are identified.
That dynamic mirrors what happened during the early cloud transformation era. Business units adopted cloud platforms because they accelerated delivery and reduced friction. Governance frameworks followed later. AI adoption is moving even faster.
The difference is that AI systems are not merely infrastructure tools. They can make decisions, generate code, process sensitive information, and interact autonomously with enterprise systems.
As Schwarz observed, organizations can no longer rely on cybersecurity teams to simply say “no.” Business pressure ensures innovation will continue regardless. The role of cybersecurity therefore shifts from gatekeeping to enablement.
That requires a completely different organizational posture.
Leading enterprises increasingly integrate cybersecurity directly into product development, procurement, software engineering, and operational governance. Security is becoming a design principle rather than an approval process.
This is where the concept of zero trust becomes strategically important.
Zero Trust Is Becoming a Survival Requirement
Zero trust is often misunderstood as a product category or networking architecture. Schwarz explained it more fundamentally: organizations must design systems under the assumption that breaches will happen.
That mindset changes everything.
Traditional cybersecurity models focused heavily on perimeter defense. If attackers remained outside the corporate network, systems were considered safe. But modern environments no longer have clear perimeters. Employees work remotely. Cloud infrastructure is distributed globally. APIs connect external services continuously. AI agents increasingly interact autonomously with enterprise systems.
In this world, implicit trust becomes dangerous.
Zero trust assumes every access request should be continuously validated, regardless of whether it originates inside or outside the organization. The goal is minimizing blast radius. Even if attackers gain entry, they should not move laterally across systems easily.
That principle matters even more in an AI-driven threat landscape because AI accelerates lateral movement and reconnaissance. Once inside a system, intelligent agents can map infrastructure, identify weak permissions, and escalate privileges faster than human attackers traditionally could.
Schwarz noted that some AI agents are already demonstrating surprising capabilities to gain additional access beyond intended permissions. While many of these experiments remain controlled research scenarios, they signal an important future direction: autonomous systems probing enterprise environments continuously.
This is one reason hyperscale cloud providers continue investing aggressively in behavioral monitoring, anomaly detection, identity management, and AI-assisted threat detection. Organizations like Microsoft Security Copilot and Google Cloud Security AI Workbench are building AI systems designed specifically to help defenders respond faster.
The future increasingly resembles AI defending against AI.
That may sound dramatic, but the logic is straightforward. Human analysts alone cannot process the scale, velocity, and complexity of modern attack surfaces. Defensive automation becomes essential.
Yet Schwarz also raised an important caution: while large cloud providers often offer stronger technical defenses than smaller organizations can build independently, cloud concentration introduces geopolitical and sovereignty risks.
That tension is becoming one of Europe’s defining strategic technology challenges.
Europe’s Growing Strategic Dependency Problem
One of the most thought-provoking moments in the episode came when Schwarz reflected on the concentration of advanced cybersecurity and AI capabilities within American companies.
Europe already lags behind the United States and China in foundational AI infrastructure. The concern now is whether the same dependency patterns will emerge in cybersecurity.
If advanced AI systems capable of discovering vulnerabilities, monitoring threats, and securing infrastructure are controlled primarily by a handful of large technology companies, geopolitical implications follow naturally. Access becomes uneven. Strategic leverage shifts.
This concern extends beyond cybersecurity tools themselves.
Cloud infrastructure, AI compute, semiconductor supply chains, foundation models, developer ecosystems, and security telemetry are increasingly interconnected. The organizations controlling these layers accumulate enormous strategic influence.
European policymakers are becoming more aware of this challenge. The European Union AI Act, increased investment in sovereign cloud initiatives, and expanding cyber resilience regulation all reflect attempts to reduce dependency and improve resilience.
At the same time, Europe faces structural disadvantages. Many European enterprises rely heavily on American hyperscalers because the economics and technical capabilities are difficult to match domestically. That creates a paradox: the most secure technical environments may also increase strategic dependency.
Schwarz framed this issue pragmatically rather than ideologically. Large cloud providers often do offer world-class security capabilities. The question is not whether those platforms are technically competent. The question is what happens when digital infrastructure becomes deeply entangled with geopolitical power structures.
This is likely to become one of the defining enterprise strategy debates of the next decade.
AI Coding Assistants and the Hidden Security Risk
Another emerging concern discussed during the episode involves AI-generated code.
AI coding assistants are rapidly becoming mainstream across software development organizations. GitHub Copilot, Claude, Gemini, and similar systems dramatically improve developer productivity. Enterprises are already reporting measurable gains in coding speed and experimentation capacity.
But productivity and security are not automatically aligned.
Schwarz raised a provocative possibility: what happens if AI models subtly bias generated code in ways that introduce vulnerabilities? Whether intentional or accidental, this risk deserves serious consideration.
AI systems learn from massive training datasets containing both secure and insecure coding patterns. Developers increasingly trust generated outputs without fully reviewing them. If insecure implementation patterns scale through AI-assisted development, organizations could unintentionally industrialize software vulnerabilities.
This challenge is amplified by speed.
AI allows organizations to produce software faster than ever before. But if testing, governance, and security review processes do not evolve equally fast, technical debt and security exposure accumulate rapidly.
Schwarz emphasized the need for organizations to use AI not only for software creation but also for security validation. Defensive AI must become embedded throughout the software lifecycle.
This reflects a broader reality: cybersecurity can no longer function as a downstream audit process. It must operate continuously and automatically alongside development itself.
DevSecOps principles have existed for years, but AI raises the stakes dramatically. Enterprises now need AI-native security operations capable of evaluating code, configurations, permissions, dependencies, and infrastructure continuously.
Organizations that fail to modernize these practices may discover too late that AI accelerated their vulnerabilities faster than their innovation.
The Human Side of Technological Transformation
Another interesting dimensions of the episode was the way Schwarz connected cybersecurity with creativity, storytelling, and human behavior.
Before the conversation shifted deeply into cyber risk, the discussion explored how AI affects writers, translators, and creative professions. Schwarz acknowledged that AI will likely disrupt parts of the writing profession just as it already affects translation work. But she also described a more nuanced future where AI expands creative reach and personalization.
That perspective matters because enterprise AI discussions often become overly technical.
The real impact of AI is not purely technological. It reshapes incentives, workflows, labor structures, communication patterns, and decision-making processes. Cybersecurity is fundamentally about human systems as much as technical systems.
Social engineering remains one of the most successful attack vectors precisely because humans are predictable under pressure. AI makes those attacks more scalable and personalized. Phishing emails become more convincing. Voice impersonation improves. Deepfake attacks become cheaper.
At the same time, AI also enhances defensive education, monitoring, and communication.
Schwarz’s background as a novelist gives her an unusual ability to explain technical complexity through narrative. She observed that cybersecurity is often difficult to communicate because it feels abstract to non-technical leaders. Storytelling therefore becomes a strategic capability.
That insight is increasingly important for executives.
Cybersecurity programs fail when leaders treat them as technical abstractions disconnected from operational risk. Successful organizations translate cyber risk into business continuity, operational resilience, financial exposure, regulatory compliance, and strategic trust.
In other words, cybersecurity leadership increasingly requires communication leadership.
The Coming Period of Instability
A sobering part of the discussion was Schwarz’s prediction that organizations should expect a period of instability as AI capabilities continue advancing.
That assessment aligns with broader industry signals.
The speed of AI adoption currently exceeds the speed of governance maturity across most organizations. Meanwhile, attackers benefit from asymmetry, automation, and rapidly falling operational costs. Critical infrastructure sectors remain exposed through legacy systems and fragmented operational environments.
This creates conditions for increased disruption.
The likely near-term future is not a perfectly autonomous AI security ecosystem where all threats disappear. More realistically, organizations will experience rising volatility while defensive systems gradually adapt.
Some companies will navigate this transition effectively. Others will struggle.
The differentiator will not simply be technology budgets. It will be organizational maturity.
Enterprises that succeed will likely share several characteristics. They will integrate cybersecurity directly into business strategy rather than isolating it within IT. They will modernize identity and access management aggressively. They will reduce implicit trust across infrastructure. They will embed security validation into AI-driven development workflows. They will improve visibility across distributed environments. And critically, they will treat resilience as a strategic capability rather than a compliance exercise.
The organizations that fail will likely continue operating with outdated assumptions about trust, infrastructure, governance, and ownership.
Why This Conversation Matters Beyond Cybersecurity
What made this episode especially compelling was that it ultimately became a conversation about power.
AI is changing who can create, who can attack, who can defend, and who controls infrastructure. Cybersecurity is simply one of the first domains where these power shifts become highly visible.
The broader lesson for enterprise leaders is that AI adoption cannot be separated from governance, resilience, and geopolitical awareness. Every AI deployment changes organizational exposure in some way. Every automation layer creates new dependencies. Every productivity gain potentially introduces new attack surfaces.
This does not mean organizations should slow innovation dramatically. The competitive pressures are too strong for that. But it does mean leadership teams must become far more sophisticated in how they think about risk.
The future of cybersecurity will not be defined solely by firewalls, antivirus systems, or compliance frameworks. It will be defined by how intelligently organizations manage trust in a world where intelligent systems increasingly interact autonomously.
That requires a strategic shift in mindset.
Security is no longer about preventing every incident. It is about designing organizations capable of surviving and adapting continuously under conditions of permanent technological acceleration.
In that sense, Schwarz’s definition of cybersecurity may be the most important takeaway from the entire discussion. Cybersecurity is not merely stopping attackers. It is ensuring the business continues functioning when disruption inevitably occurs.
That is no longer just a technical challenge.
It is becoming one of the central leadership challenges of the AI era.
*This article was enhanced with the help of AI tools, drawing on the podcast transcript and complementary online research. To go deeper into the source material, I encourage you to listen to the full episode and make your own learnings.
Listen to, or watch the entire episode at www.aiawpodcast.com
