AI has evolved from a tool to an autonomous decision-maker, reshaping the landscape of cybersecurity … More
Artificial intelligence has quickly grown from a capability to an architecture. As models evolve from backend add-ons to the central engine of modern applications, security leaders are facing a new kind of battlefield. The objective not simply about protecting data or infrastructure—it’s about securing the intelligence itself.
In this new approach, AI models don’t just inform decisions—they are decision-makers. They interpret, respond, and sometimes act autonomously. That shift demands a fundamental rethink of how we define risk, build trust, and defend digital systems.
From Logic to Learning: The Architecture Has Changed
Historically, enterprise software was built in layers: infrastructure, data, logic, and presentation. Now, there’s a new layer in the stack—the model layer. It’s dynamic, probabilistic, and increasingly integral to how applications function.
Jeetu Patel, EVP and GM of security and collaboration at Cisco, described this transformation to me in a recent conversation: “We are trying to build extremely predictable enterprise applications on a layer of the stack which is inherently unpredictable.”
That unpredictability is not a flaw—it’s a feature of large language models and generative AI. But it complicates traditional security assumptions. Models don’t always produce the same output from the same input. Their behavior can shift with new data, fine-tuning, or environmental cues. And that volatility makes them harder to defend.
AI Is the New Attack Surface
As AI becomes more central to application workflows, it also becomes a more attractive target. Attackers are already exploiting vulnerabilities through prompt injection, jailbreaks, and system prompt extraction. And with models being trained, shared, and fine-tuned at record speed, security controls struggle to keep up.
Patel pointed out that most enterprises take six to nine months to validate a model, but models themselves may only be relevant for three to six months. The math doesn’t work.
More models also means more inconsistency—each with different safety thresholds, behaviors, and guardrails. This patchwork of protections creates gaps. The only way forward, Patel argued, is “a common substrate for security and safety across all models, all agents, all applications, all clouds.”
Runtime Guardrails and Machine-Speed Validation
Given the speed and sophistication of modern threats, legacy QA methods aren’t enough. Patel emphasized that red teaming must evolve into something automated and algorithmic. Security needs to shift from periodic assessments to continuous behavioral validation.
He described one such approach as “the game of 1,000 questions”—an automated interrogation method that probes a model’s responses for signs of compromise. This kind of adaptive red teaming reveals how models might be tricked into unsafe behavior through indirect or deceptive prompts. “We literally jailbroke DeepSeek 100% of the time with the top 50 benchmark prompts,” he noted, “while OpenAI only broke 26% of the time.”
That kind of differential risk highlights the need for a standard, cross-model framework for runtime enforcement. Models can’t be treated as black boxes—they must be monitored, validated, and guided in real time.
Agentic AI: When Models Act on Their Own
The risk doesn’t stop at outputs. With the rise of agentic AI—where models autonomously complete tasks, call APIs, and interact with other agents—the complexity multiplies. Security must now account for autonomous systems that make decisions, communicate, and execute code without human intervention.
Patel warns that inter-agent communication creates new threat vectors, as models pass data and instructions between themselves. Without oversight, these interactions could amplify vulnerabilities or obscure malicious activity.
This trend is accelerating. By next year, we could see widespread deployment of agents that complete multi-step workflows with minimal human input. Securing these systems will require a blend of visibility, behavioral heuristics, and real-time enforcement—at a scale the industry has never attempted before.
“As AI gets smarter and more independent, the stakes for keeping it secure get much higher. We have to change how we think about risks and act faster than before,” cautioned Russell Fishman, senior director, global head of solutions product management for AI and modern workloads at NetApp. “This includes giving close attention to data provenance—ensuring we have visibility into, security of, and confidence in the data used to fine-tune and re-train models, as well as the information driving real-time inference. By tracking and securing this entire ‘chain of trust,’ we can minimize the risks tied to suboptimal agent responses and protect against increasingly sophisticated attack vectors.”
A Case for Shared Infrastructure and Open Collaboration
Patel warns that if every model, platform, and enterprise rolls out its own unique security framework, we’re heading toward chaos. What’s needed is a shared infrastructure—a neutral, interoperable foundation for AI security that spans clouds, vendors, and models.
Recognizing this, Cisco announced the launch of Foundation AI at RSAC 2025—a significant step towards democratizing AI security.
Foundation AI is presented as the first open-source reasoning model specifically designed to enhance security applications. By making this model openly available, Cisco aims to foster a community-driven approach to securing AI systems, encouraging collaboration across the industry to address the complex challenges posed by AI integration.
The introduction of Foundation AI represents a broader industry trend towards open collaboration in AI security. By contributing to the open-source community, Cisco is not only addressing the immediate security concerns associated with AI but also setting a precedent for other organizations to follow suit in fostering transparency and collective problem-solving in the AI era.
The Human Factor: Judgment Still Matters
Despite AI’s power, it doesn’t replace human intuition. Patel emphasized that even advanced models struggle to replicate instinct, nuance, and non-verbal reasoning. “Most of the things you and I engage on,” he said, “have some level of data—but then a lot of judgment.”
The best systems will be those that augment human expertise, not replace it. We still need people to ask the right questions, interpret the right signals, and make the right calls—especially when AI’s recommendations veer into gray areas.
Much like using GPS in a city you already know, humans must retain the ability to validate, override, and refine machine-generated suggestions. AI should be a co-pilot, not an autopilot.
Reimagining Trust in the Age of Intelligence
As organizations embed intelligence deeper into their systems, they must also embed trust. That means building models that are accountable. It means validating behavior continuously, not just at release. And it means working together—across companies, disciplines, and platforms—to ensure that AI enhances security without becoming its own liability.
Fishman summed up, “Real-time monitoring, smarter guardrails, and cross-industry collaboration—with transparency at every step—are essential to building trust in AI and safeguarding our digital world.”
AI is already transforming the cybersecurity landscape. The question is whether we can secure that transformation in time. The intelligence layer is here. It’s powerful. And it’s vulnerable.
Now is the moment to reimagine what security looks like when intelligence is everywhere.
