When it comes to breakthroughs, there are usually two sides to the same coin, just like Pandora’s box, and AI is no exception. Artificial intelligence has made its way into our lives, and corporate cybersecurity could not remain unchanged. Both defensive know-how and attack capabilities have changed drastically over the last few years. One thing is certain: AI literacy is becoming a matter of survival. The same technology that can protect an organization can just as easily be used to compromise it. Ultimately, AI is not inherently good or bad; its impact depends entirely on how it is used.
AI has contributed greatly to the evolution of cybersecurity as a field. The ease with which huge amounts of log data can be analysed and threats can be detected in a significantly reduced amount of time is a game changer for security teams. This results in faster responses to incidents and improved recognition of phishing emails and malware, an advantage that did not exist in the past. Furthermore, with AI assistance, vulnerabilities (weaknesses or flaws in a system or process) can be identified and managed early on. On top of that, time is freed up so that professionals can handle other tasks such as strategy development, decision-making, and incident response. All of this can shift an organisation’s approach to threats from reactive to predictive and adaptive.
However, this is only one side of the coin. Threat actors have also benefited greatly from the rise of AI. In the past, so-called hackers were people possessing highly sophisticated technological knowledge. Nowadays, with AI’s assistance, almost anyone with basic computer knowledge can become an offender. The speed and scale at which an attack can be conducted have also changed, making large-scale attacks much faster and much easier. AI can now write malicious code, detect vulnerabilities, and assist in perfecting phishing emails with fewer grammatical errors. It can even track a person’s digital footprint via social media, constructing highly personalised scams. Deepfakes can be created using just seconds of a person’s voice or image, to the point where friends and family believe it is them.
But it’s not only the skills AI gives to attackers; it’s also the misuse of AI by companies themselves. Often enough, personnel are undertrained and may easily expose sensitive information to AI platforms or be manipulated by outside attackers. Even organisations with a more mature cybersecurity profile can invest excessively in state-of-the-art systems and software before they understand or implement the basics. As an example, more than 40,000 vulnerabilities were recorded in 2025, but only 400 of those were ultimately exploited, and just 40 of them were zero-day exploits. This shows that identifying an excessive number of vulnerabilities alone does not necessarily improve security; if anything, it can overwhelm teams and cause them to lose focus. If the foundation of cybersecurity is weak, this is where the problem lies, and AI can only make the issue more visible.
Companies now more than ever need to invest heavily in training their personnel and increasing awareness, while tackling AI literacy at the same time. Excessive use of AI and fear of it can have similarly negative consequences. Before using AI, the cultural mindset of companies needs to shift towards a more proactive cybersecurity approach. Assets need to be recorded with care, access needs to be restricted, dependencies need to be identified, and prioritisation of which vulnerabilities are worth addressing becomes critical.
It is inevitable that stronger regulatory controls are required in the form of a legislative framework around AI. The EU has introduced the world’s first comprehensive legal framework, the AI Act. Along with regulations like NIS2, DORA, and GDPR, these aim to strengthen cybersecurity posture in a more aligned and systemic way. The AI Act divides AI systems into prohibited-risk, high-risk, limited-risk, and minimal-risk categories, where applications such as manipulative AI, social scoring, and certain biometric surveillance practices are prohibited entirely.
With respect to artificial intelligence, the greatest challenge companies face is whether they can build a strong cybersecurity foundation and shift personnel mindset in time, before threat actors catch up and take the reins of this breakthrough. Unavoidably, attackers will always be one step ahead, but whether companies remain a close second or fall behind entirely remains to be seen.



