AI is not going to make security obsolete. It is going to make it more important.

"Professional soldiers are predictable; the world is full of dangerous amateurs."

-- Murphy's Laws of Combat Operations

Anthropic's recent security incident is a striking example of exactly this. Even one of the most sophisticated AI companies in the world, with some of the brightest minds in tech, was not immune to an unauthorised access incident. Not because their technology failed, but because the threat landscape doesn't care how advanced your stack is.

The fundamentals don't go away

The faster AI evolves, the more we seem to forget the security fundamentals. Two things caught my eye recently that illustrate this well.

Power grids remain a soft target. The electricity sector is a growing area of cyber-risk, and the infrastructure underpinning it was not designed with the current threat landscape in mind. Critical systems that were air-gapped by design are increasingly networked, and the attack surface keeps widening.

Then there's bitsquatting. Researchers documented this attack vector over a decade ago: attackers register domain names that differ from legitimate ones by a single bit flip, exploiting random hardware errors caused by cosmic rays or memory faults. Not a sophisticated exploit. Not an AI-powered zero-day. A single bit. And it still works.

These are not fringe concerns. They are a reminder that attackers are not waiting for the technology to catch up. They are using whatever is already there.
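
A defensive check for the bitsquatting case described above, added here as an illustration and not taken from the original post: it enumerates the valid one-bit neighbours of a domain you own and flags them in a list of observed DNS names. The function names and the sample names built around example.com are constructed for this example, and observed names are assumed to be already reduced to their registrable domain.

```python
import string

# Characters allowed in a DNS label (letters, digits, hyphen); names are case-insensitive.
LDH = set(string.ascii_lowercase + string.digits + "-")


def bitsquat_variants(domain: str) -> set[str]:
    """Return every valid hostname that differs from `domain` by exactly one flipped bit."""
    name = domain.lower()
    variants = set()
    for i, ch in enumerate(name):
        if ch == ".":
            continue  # flips to or from a dot change the label structure; not covered here
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit)).lower()
            if flipped == ch or flipped not in LDH:
                continue  # case-only change, or a byte that cannot appear in a hostname
            candidate = name[:i] + flipped + name[i + 1:]
            labels = candidate.split(".")
            # A label may not start or end with a hyphen.
            if all(not l.startswith("-") and not l.endswith("-") for l in labels):
                variants.add(candidate)
    return variants


def flag_bitsquats(observed: list[str], protected: list[str]) -> list[tuple[str, str]]:
    """Pair each observed name with the protected domain it is one bit away from."""
    lookup = {v: p for p in protected for v in bitsquat_variants(p)}
    return [(n, lookup[n.lower()]) for n in observed if n.lower() in lookup]


# Constructed sample: names as they might appear in a resolver log.
SAMPLE_OBSERVED = [
    "example.com",   # the legitimate name
    "dxample.com",   # 'e' (0x65) -> 'd' (0x64): one bit
    "exanple.com",   # 'm' (0x6d) -> 'n' (0x6e): two bits, an ordinary typo
    "exaeple.com",   # 'm' (0x6d) -> 'e' (0x65): one bit
]

if __name__ == "__main__":
    for seen, owner in flag_bitsquats(SAMPLE_OBSERVED, ["example.com"]):
        print(f"{seen} is one bit away from {owner}")
```

Names returned by `flag_bitsquats` are candidates for defensive registration or for an alert rule on outbound DNS.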

The attack surface with AI is wider than we think

The "dangerous amateurs" Murphy warned about now have access to tools that even professionals could not have imagined a decade ago. AI lowers the cost of reconnaissance, of generating convincing phishing content, of finding exploitable patterns in large datasets, of automating attacks that previously required significant skill to execute.

At the same time, AI systems themselves introduce new categories of risk: prompt injection, model inversion, data exfiltration through inference, supply chain attacks on training data. These are not theoretical. They are happening in production systems today.

The attack surface has not shrunk because AI is involved. It has grown.

Security is not a problem AI will solve for us

There is a version of the future where people assume AI will handle security the way it handles spam filtering or anomaly detection: you deploy a model, it watches the traffic, problems get caught automatically. That framing is dangerous.

AI can assist with detection. It can help triage alerts, correlate signals across large datasets, surface anomalies faster than a human analyst could. These are real and useful capabilities. But they do not replace the underlying discipline of designing systems that are hard to compromise in the first place. They do not replace access controls, least-privilege principles, patch management, incident response planning, or any of the other fundamentals that were important before AI and remain important now.

The Anthropic incident is a useful reminder precisely because Anthropic is not a naive organisation. They think carefully about safety and security. They have smart people and real processes. And they still had an incident. Not because they were negligent, but because this is hard, and the adversarial pressure is constant.

The lesson is not "even the best companies get breached, so why bother." The lesson is the opposite: if this is hard for the most capable organisations, the fundamentals matter even more for everyone else.

Security is not a problem AI will solve for us. It is a problem we must solve for AI.