The point: Deterministic security models are no longer sufficient when AI systems make unforeseen decisions at runtime and interact with APIs and environments in unanticipated ways.
Artificial intelligence differs fundamentally from previous technology shifts: it undermines the foundational assumption on which modern security programmes are based – the predictability of system behaviour. Agentic systems and large language models make decisions at runtime, pushing traditional prevention approaches to their limits.
Traditional cybersecurity was built around the assumption that systems behave predictably: applications behave identically upon repeated execution, infrastructure changes slowly enough to map dependencies and define trust boundaries. Security teams focused on hardening systems before deployment, identifying vulnerabilities and preventing access. Even with cloud migration, familiar security models could be transferred to new infrastructure.
AI systems break this premise fundamentally. Agentic systems make dynamic decisions. Large language models produce different outputs depending on context. AI systems increasingly interact with external tools, APIs and environments in ways that developers cannot always fully anticipate. When systems cease to behave consistently, the traditional prevention approach fails structurally.
A concrete problem arises from accelerated software development. According to a Harvard Business School study, code production increased by 12.4 per cent after the introduction of GitHub Copilot, while time spent on project management fell by almost 25 per cent – a shift that leaves less room for reviews and governance processes. Organisations are moving from hundreds of thousands to millions of lines of generated code per month, while security teams have less time to understand what goes into production.
At the same time, attackers are using AI to reduce manual effort in reconnaissance, exploit chaining and vulnerability validation. Vulnerabilities that long seemed difficult to chain are becoming operationalisable at scale through AI-driven automation. Security-by-obscurity – accepting known vulnerabilities because of high exploitation effort – no longer works.
Prevention remains important, but is insufficient. Security teams must prepare for the reality that risks continuously evolve at runtime: when identities inherit unexpected access paths, APIs change their behaviour, or AI agents interact with systems in ways that no architecture diagram has captured.
Source: www.csoonline.com · Published 18 June 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.