Necessary, costly, sometimes strategic, but rarely considered as a structuring subject of competitiveness or organization, cybersecurity is still perceived by many managers as a relatively peripheral protection function.
In the age of artificial intelligence, however, this reading is becoming largely obsolete. AI is gradually transforming cybersecurity into a permanent operational discipline, with direct implications for governance, operations, technology investments and the very ability of businesses to operate in a digital environment that has become much more unstable.
We must understand that generative models are no longer just used to produce code or automate workflows. They are now capable of analyzing entire infrastructures, identifying vulnerabilities and reconstructing attack chains at a speed inaccessible to human teams.
The change is less technological than economic. For a long time, security operated at a relatively human pace. Vulnerabilities were discovered gradually, and IT teams still had time to patch and correct systems, while a significant portion of the world’s technical debt ultimately remained “manageable” because it remained difficult to map or exploit.
AI abruptly changes this equation. If a model becomes capable of writing code in the majority of cases, it becomes mechanically capable of identifying bad code, architectural errors, or vulnerable dependencies with likely greater efficiency.
For businesses, this means that all the technical debt accumulated over twenty years suddenly becomes more exploitable and much more urgent to address. But this debt is massive. Behind modern interfaces there are still historical infrastructures, aging ERPs, complex middleware, fragmented open source layers and business software sometimes developed more than fifteen years ago. A significant portion of the global economy still operates on architectures designed before the cloud explosion, before generative AI and sometimes even before modern cybersecurity standards.
According to various sector estimates, more than 70% of the critical infrastructures of large companies still partially rely on legacy systems or hybrid architectures that are difficult to modernize. In the banking sector, some core systems still operate on technologies developed more than thirty years ago. Same situation in industry, health or public administrations, where a significant part of digital infrastructures are based on historical software layers interconnected to recent cloud services.
This fragmentation creates massive attack surfaces. The Log4Shell episode in 2021 had already illustrated this systemic dependence: a simple open source Java library present in millions of systems had forced companies and administrations around the world to launch emergency correction operations for several months.
With AI, this type of vulnerability could now be detected, mapped and exploited at an even greater speed. The first figures from Anthropic’s work already give an idea of this acceleration. As part of its “Glasswing” research project, the company says its Mythos Preview model has identified more than 10,000 critical or high-risk vulnerabilities in widely used open source software, including more than 6,200 considered critical or severe. Cloudflare indicates for its part that it has detected nearly 2,000 bugs using the system, including around 400 critical or high-risk vulnerabilities.
Anthropic explains above all that the main problem is no longer the discovery of flaws, but the human capacity to check them and correct them quickly enough. According to several researchers involved in the project, more than 99% of the vulnerabilities detected still remain unpatched. One of the most telling examples even involves AI’s discovery of a 27-year-old vulnerability in OpenBSD.
Until now, the main obstacle has been the cost of modernization. Now the real problem has become the pace of exposure. Vulnerabilities that would have taken a decade to identify can now be discovered in just a few months. Technology governance can therefore no longer reduce cybersecurity to a simple compliance exercise. It must now approach it as an issue of operational continuity and organizational resilience.
Because the real subject is not simply the discovery of vulnerabilities, but the capacity of companies to absorb the pace of necessary corrections.
Thus, an IT team used to managing a few fixes per week could tomorrow have to deploy several hundred. Behind this phrase lies probably one of the biggest operational challenges of the coming years, and most organizations are not designed to scale at this pace.
This involves a much deeper transformation than simply purchasing additional cybersecurity tools. Companies will have to operate as adaptive systems capable of constantly detecting, correcting and reconfiguring their own infrastructures. In other words, general management will have to start considering their information systems as living infrastructures.
The subject becomes even more critical with the generalization of agentic architectures, because at the very moment when companies are trying to secure their historical infrastructures, they are massively deploying new autonomous systems whose governance standards still remain largely immature.
Moreover, no company really knows how many models or agents are already active in its infrastructures. Organizations download open source models, connect agents to MCP servers, open access to their CRMs, their document databases or their internal workflows, often without a stabilized security architecture.
Anthropic also showed that advanced models become capable of identifying software vulnerabilities, manipulating development environments or executing complex chains of actions through different connected tools. In several security benchmarks published in recent months, researchers observed that some models significantly improved their performance when they had persistent access to tools, endpoints or cloud environments.
This rise in agentic systems is also beginning to produce new risk surfaces on a very large scale. Security researchers recently identified a critical vulnerability in the Model Context Protocol (MCP) developed by Anthropic, considered one of the emerging standards for connecting AI models and external tools. According to OX Security, the flaw could potentially affect more than 150 million software downloads and up to 200,000 exposed servers.
In several demonstrations, researchers succeeded in executing code remotely via attack chains combining prompt injection, agentic tools and connected infrastructures. This type of incident shows that the new risks linked to AI no longer concern only the models themselves, but all the orchestration architectures which now allow agents to interact with critical systems.
The phenomenon is strongly reminiscent of the beginnings of the cloud and shadow IT in the early 2010s. Except that here, the objects deployed are no longer simple passive software. They are systems capable of acting, executing tasks, making decisions and sometimes interacting autonomously with critical environments.
For CEOs, this situation creates an important paradigm shift. For a long time, digital performance was mainly based on the ability of companies to quickly deploy new tools. Tomorrow, performance will probably depend more on their ability to govern autonomous systems that have become extremely complex.
This opens a new industrial battle around AI gateways, agentic governance, model observability, real-time supervision systems, kill switch architectures and platforms capable of mapping agents and AI flows deployed in organizations.
Cybersecurity is thus becoming much more than a defensive layer and is gradually transforming into an autonomous business management infrastructure.
The most relevant historical parallel is probably not that of software, but that of critical infrastructure. As businesses rely on autonomous systems that can interact with each other, digital resilience will become a topic comparable to managing an energy grid, logistics infrastructure, or complex industrial system.
AI therefore does not only transform products or professions. It transforms the very rhythm of how organizations operate.
And in this new economy, the companies that survive will likely not be those that have simply adopted the most AI tools, but those able to operate in an environment where vulnerabilities, patches and technological reorganizations become permanent. The question is therefore no longer just one of technological adoption, but of the capacity of organizations to absorb an unprecedented level of operational instability without slowing down their execution.
