Have you ever been caught off guard by an unexpected question, comment, or remark in a social, academic, or business setting? Chances are, you have—and you probably wished you had more time to craft a thoughtful, appropriate, or clever reply. Instead of having the chance to plan your response, you were forced to react on the spot. Unsurprisingly, the outcome is rarely ideal.
Looking at this from a broader perspective, there’s a valuable security lesson to be learned. Security teams are far more effective at protecting their organizations when they can act strategically rather than simply reacting to events as they unfold. In the realm of application security, this means involving security experts and integrating security practices much earlier in the software development process.
In recent years, most security professionals have been closely following the AI hype cycle. The rapid rise of AI has introduced many unresolved questions around governance, risk, and compliance. While security professionals have been thinking about these issues carefully and strategically, they’ve been puzzled by the fact that, despite all the buzz around AI, its operational impact on their daily work has been minimal.
Recently, one explanation for this has become apparent. As is all too common in the security field, security has often been treated as an afterthought. While there are exceptions, in many organizations, security teams were kept out of the loop by application owners, development teams, and others who were experimenting with AI use cases. Not surprisingly, when some of these AI experiments proved valuable, organizations began deploying them into production. This trend has accelerated in recent months, and once again, security teams have frequently been left out of the conversation.
As mentioned earlier, being caught off guard is far from ideal. Yet, unfortunately, it seems to be a recurring reality for those of us in the security profession. Given this, how can security teams prepare for the possibility of being blindsided by AI applications that suddenly move into production and urgently need to be secured?
While there are likely many strategies, here are several that I’ve found particularly helpful for organizations:
- Data-driven discussions: Most security teams don’t have as strong a relationship with application owners and development teams as they’d like. They also recognize that strengthening these relationships is a critical step toward involving security earlier in the software development lifecycle. That said, building these relationships isn’t straightforward. While there are many ways to tackle this challenge, using real data to drive conversations can be highly effective. Approaching application owners and development teams with abstract risk concepts and generic threat information won’t inspire action. Instead, try presenting them with concrete figures around potential financial losses, damage to brand reputation, or other risks, along with specific vulnerability data, sensitive data exposures, or other threats. This approach is far more likely to spark productive discussions that can strengthen these important relationships. This, in turn, can help security teams get involved in the development of AI applications much earlier, which obviously makes securing those applications much easier.
- Agility: It’s no secret that today’s enterprise environments are far more complex than they once were. The on-premises world was relatively simple compared to today’s hybrid and multi-cloud landscape. While this evolution has brought many benefits—most notably the ability to bring features and improvements to market much faster—it has also created a host of security challenges. These include enforcing security policies, implementing preventive and detective controls, investigating incidents, and responding to and mitigating threats, among others. All of these factors make securing AI applications that catch us off guard significantly more difficult. Security agility is the key here—security teams, unfortunately, need to prepare themselves to operate effectively in this kind of environment. Simplifying complexity becomes an essential capability when it comes to defending AI applications.
- Operational workflow: If the security operations workflow is robust and mature, it becomes much easier to integrate new data, events, alerts, and other information from AI applications. As you might expect, this greatly enhances the security team’s ability to quickly incorporate AI applications and their associated data into the operational workflow. It may require some effort and resources to ensure the security operations workflow is ready for the AI era, but the investment is well worth it. It’s another way security organizations can prepare for AI applications being suddenly thrust upon them.
- Future-proofing: With all the hype, excitement, and fear surrounding AI, it’s worth remembering that while AI applications have some AI-specific components, large portions of these applications are built on top of existing application and API technology stacks. Because of this, much of the security needed to properly protect AI applications already exists within current application and API security frameworks. What we need to do is ensure these frameworks are future-proofed as much as possible. If we do this well, we’ll simply be able to activate or integrate new AI-specific security measures that our existing security layers don’t cover. That’s essential—starting from scratch and building AI security from the ground up takes far too long, especially when we find ourselves in a reactive position.
- Proactivity: When it comes to our teeth, our health, and our bodies, being proactive and maintaining good hygiene is far easier and more effective than being reactive when a problem arises. The same principle applies to securing our applications. Good security hygiene is essential, and a key part of this hygiene is continuous scanning of application security, API security, and AI security layers. This allows us to identify and address risks, vulnerabilities, sensitive data exposures, and other issues before they escalate into serious problems. When a strong and mature proactive security hygiene routine is already in place, it’s much easier to integrate new, rapidly emerging AI applications into that routine. This is another important strategy to help security teams handle AI applications being thrust upon them with little warning.
- Contextual awareness: Earlier, I mentioned that the AI layer requires unique security capabilities beyond what we already have at the application and API layers. In addition to continuously and proactively identifying security issues, we must also be prepared to detect and respond to runtime security issues. Doing so requires a significant degree of contextual awareness. This demands specialized technological capabilities that can parse, analyze, and understand the AI layer in context, and use that understanding to identify attacks, abuse, fraud, DDoS, and other threats in near real-time. This contextual awareness is critically important for security teams as they find themselves confronted with AI applications on short notice. Without it, they lack essential resources needed to defend against attacks at the AI layer.
Security teams are almost certain to be blindsided by AI applications transitioning from the experimentation phase into production. While this state of affairs is far from ideal, security organizations can take a number of important strategic steps to improve their readiness and significantly enhance their ability to respond quickly, flexibly, and effectively.



