AI Cyber Threats and Cybersecurity: An Evolving Landscape
Artificial intelligence is reshaping the digital landscape, and therefore cybersecurity. Everyday scams are now good enough to fool seasoned professionals. AI cyber threats are causing huge changes to both defensive and offensive security. Today’s threats look very different than they did even a few years ago. And it’s forcing everyone to rethink what it means to be safe.
See Past, Present and Future of AI Agents with Chris Kirschke for a complete transcript of the Easy Prey podcast episode.
Chris Kirschke is the field CISO at Tuskira. A field CISO is essentially a Chief Information Security Officer whose role is more about building relationships and connecting than securing the company itself. Chris supports multiple teams within Tuskira. He supports the sales team with CISO-level questions and helping customers build strategies around leveraging the Tuskira platform. He supports the marketing team by doing outreach and going to events. And he supports the product team by keeping an eye on what the market is doing, what customers are asking for, and what features they should add to their platform.
Chris ended up in the field somewhat by accident. In 1997, he was a bartender in Washington DC, and his roommate was a biochemist who decided to get out of that field and into IT. A lot of his customers at the bar were also in IT, and they told him it was a good idea. So he bought an e-machine and Windows NT 4.0. A week later, he was a Microsoft Certified Professional. He didn’t really know anything beyond how to install and uninstall NT on an e-machine, but at the time, that was the big thing. He went to a job fair, got a job with the Patent and Trademark Office, and never looked back.
The Sophistication of AI-Powered Scams
Chris has encountered plenty of fraud, scams, and cybersecurity incidents through his career. But a recent one really demonstrates the power of AI cyber threats to the average person. A few months ago, he was bored on Facebook and saw an interesting ad. He clicked it, went to the website, and bought the product. Not twenty minutes later, he saw a post from the vendor saying there were AI deepfakes imitating them on Facebook. He realized then that he’d fallen for a fake ad.
It was especially frustrating because he’d paid through PayPal, but when he filed a report, they said it looked like a legitimate vendor. He even provided the post from the real vendor explaining what happened and that it was an imitation. But PayPal still said it looked like a legitimate checkout process.
Chris is pretty good at being careful. But AI can make it look almost identical. He looked at all the usual things to check for legitimacy, and he never saw a warning sign. The AI imitation was just that good. It was the first time in about two decades Chris had gotten caught. He prides himself in being careful. But he still fell for it this time. If experts can’t get it right, people who don’t live and breathe this stuff will find it that much harder to figure it out.
AI is the Next Frontier of Information Security
There are four stages of evolution in information security (InfoSec). First there was the web. Then HTTP showed up, everything was on the internet, and we had to build web application firewalls. Next was mobile, and mobile device management became a thing. Then there was cloud, where all your data was in someone else’s data center. Security pros had to adopt the web, support mobile, and test in the cloud because their company was doing it. They ended up always behind and reactive.
From the get-go, [InfoSec teams] end up having to play catch-up.
Chris Kirschke
With the cloud, the concern was that you could upload a file and the InfoSec team didn’t necessarily know where it was going. Now with AI, models are also training on those files. It’s easier to find a needle in a haystack than to get a specific piece of training set data out of an AI model, so data leaking isn’t a huge risk. But that concern did make people pay attention right away.
One company had an interesting experience when they first launched Copilot AI for Office 365. It used the standard SharePoint permission model, which often isn’t up to date. Once Copilot was on, people could get answers to things like who got a bonus and if the company was planning layoffs. The business world is saying that AI is going to revolutionize how we work and make us more productive. But it also means we have to rethink how security works to account for AI cyber threats. We have an opportunity to be proactive instead of reactive.
[AI] is going to revolutionize the enterprise and how people work. Well, it forced us to ask the question, how’s it going to revolutionize how security works?
Chris Kirschke
How AI is Changing Cybersecurity
AI doesn’t just boost cyber threats and attacks. It can also help with cybersecurity. Penetration testing is important, but the test results are stale after a few days or the next update. But AI can do ongoing monitoring and constantly get data that keeps it relevant.
They also make monitoring and managing cybersecurity easier. These days, AI can do more than just talk to you – it can take actions on its own. Chris isn’t a developer, and when he was an engineer, he struggled with scripts. But AI agents allow you to use low-code platforms to connect systems, build business process workflows, and orchestrate the agents. It’s game-changing. You can operate your entire world out of a single console. It’s also going to make breaking in much harder without a base level of skill from the start.
AI Agents Introduce Risk
An agent by definition is something that acts on behalf of someone else. Chris has had a few interesting conversations about AI responsibility lately. One was with an HR person who wanted to fire someone for work their AI agent did. They argued that if this employee did something malicious or against policy, they would get fired, and because this employee’s AI assumed their identity and role, they should be held responsible for that. On the other extreme, a CISO at a different company said they would never fire anyone for what their AI agent did because they want their employees to experiment.
These are very different responses, and Chris doesn’t think either extreme is reasonable. Both are scary in their own way – that you will always be held personally responsible for something the system does, or that no one will be held accountable if a poorly-managed AI becomes a cyber threat.

The nice thing is that the security industry does try to solve big issues in the community. There’s always going to be venture capitalists and entrepreneurs trying to solve problems for us and sell us something to do it. But also look at the open source community. Engineers are building solutions and publishing them. It’s phenomenal to watch.
Are Commercial AI Agents Safe?
For the average person using commercially-available AIs, yes. They are safe. Chris would even say it’s safe to have an AI plan a vacation for you. He wouldn’t turn over his payment details to an AI – instead, he’d ask it to let him know when it was time to enter his credit card information. But he’s actually done this himself. He recently went to Oktoberfest in Germany and booked the entire trip using AI to find hotels and cheapest airfare. He didn’t ask it to coordinate mileage reward programs with the bookings. But he could have. There are a lot of options.
One challenge is that we’re going to see an industry of scams not targeting us, but our AI agents. They’ll try to get them to do things we don’t expect them to do or to book trips on fake travel websites. Since we often book trips pretty far in advance, we might not know the booking is fake until we show up to the airport. That’s why it’s crucial to have a human in the loop at some point. You can’t trust it unequivocally. You shouldn’t give an AI your credit card and tell it to plan your vacation and let you know what it did. There has to be some human responsibility in the process at some point.
How AI Revolutionizes Context
If you look at the various security companies that have come up around AI, a lot of what they’re doing is leveraging context. Many of the new technologies are built around the ability to find and use context that humans used to have to find and figure out how to use on their own. It’s made us exponentially faster.
A lot of the various technologies … that have come up are around the ability to use context that normally humans had to go get on their own or figure out on their own.
Chris Kirschke
Right now, we’re in the early stages of context engineering for security and infrastructure. But we’re seeing a lot of innovation. We’re seeing organizations start asking how we leverage all the context we now have access to. A lot of the cyber mesh architecture that’s coming up is laying a good foundation. And a lot of organizations are transitioning from the traditional data lake concept to the new context lake and trying to figure out what they can do with all that context.
It’s a bit like the Wild West in the world of technology, AI, cybersecurity, and cyber threats. But that’s exciting in its own way. It’s not yet clear which way everyone is going to go, and we don’t yet know what path is best. We’re very early in this journey. Some PhD is going to break a preset rule of AI and take us back to the beginning. And someone is eventually going to figure out how to run AI without using 500 terawatts of power. It’s a phenomenal time right now.
AI Won’t Replace Humans
People keep coming up with applications of AI in areas that nobody thought to apply AI to before. And some people don’t want to get their hopes up. Because there’s a lot of hype around all the great things AI could do and how many problems it could solve, and many people and organizations are putting all their hopes in it. It makes some people nervous about putting that much reliance on tech that is so new.
One important thing to remember is that we’re always going to need people. We’re going to need humans who can provide experience and thought leadership and actually do things. It’s unlikely we’ll ever get to the point where the human’s role is just to babysit the AI. Chris still believes in humans’ ability to take expertise to a farther point than AI. AI will probably be a good support platform and tool, but humans will still drive the direction.
We’re always going to need the people … I don’t think we’re ever going to get to the point [where we just] babysit the AI.
Chris Kirschke
It’s a bit like security. Despite all of the tech aspects, security has always been a relationship business. You have to build relationships with the company, understand how it makes its money, and know who runs it at a functional level. It’s a concept important to Tuskira. Move the muck work to AI not just to save money and headcount, but so you can have teams that focus on the relationship aspects of security. Instead of harassing people about fixing vulnerabilities, let the AI deal with the lower-level cyber threats and fixes and give humans time to work on secure coding, improving architecture, and building those relationships. It’s a force multiplier more than anything.
AI Doesn’t Have Soft Skills
AI is really good at binary things. If you’re talking about code vulnerabilities, there either are vulnerabilities or there aren’t. If there are, you can rewrite the code right, and then it’s no longer vulnerable. When there’s a binary situation where it’s either good or it’s not, AI is amazing. But anything that requires prioritizing or soft skills, AI is terrible at it. This is why Chris sees it as a force multiplier. Offloading the lower-level cyber threat defense to AI can get teams focused on what matters most and free up time to focus on relationships and work on big-picture things.
When you have that binary relationship between good or bad, then AI is phenomenal. When there’s a soft aspect, it’s horribly bad.
Chris Kirschke
Security is full of soft skills. Chris once did a mock deposition to help him be prepared in case he ever had to testify. The lawyer told him that his record was 36 seconds of questioning before he could turn to the jury and say, “Obviously this CISO is incompetent.” Being able to take a deposition is a soft skill that AI can’t do. You can leverage AI to have the knowledge and context you need to get through a deposition without looking incompetent. That bridge between the tech and the human always has to be there. There’s no situation Chris can imagine where AI entirely replaces security personnel – just like it won’t replace HR or lawyers.
Considerations for Implementing AI
If you want to integrate AI into your corporate workflow, there are a few things you need to think about first so your new AI doesn’t become a cyber threat. First, remember what AI is. It’s a machine, but instead of running on oil, it runs on data. Partner with your legal, privacy, and data teams to figure out what data it can use. Make sure that data is clean and properly classified. Put in guardrails. The last thing you want is for it to access confidential data and shove it into your workflow. That’s a major incident.
Next, and more than anything, understand your use case. Is this AI truly going to help with what you’re trying to do? And define what “help” looks like specifically. Ask your marketing team how they define ROI. Ask your BizOps team how they define ROI. Get some ability to make a spreadsheet show the AI will actualy be useful.
Don’t hire somebody to do this – do it yourself. Figure out how to screw it up and fix it before you deploy. Kurt Siefried at CSA found over a dozen AI servers with API keys and password tokens just open on the internet. And know what your AI can do before you set it free. There have been incidents where an airline implements a chatbot, the chatbot doesn’t have an answer for a policy question, so it makes up one based on what most airlines would say. This causes huge problems for customers and companies. Know what happens when it runs into a problem it doesn’t know how to solve before you deploy it. Don’t be another example of a poorly-implemented AI.
Learn more at Tuskira at tuskira.ai or on LinkedIn. You can also connect with Chris Kirschke on LinkedIn.
Related Articles
- All
- Easy Prey Podcast
- General Tech Topics, News & Emerging Trends
- Home Computing to Boost Online Performance & Security
- IP Addresses
- Networking Basics: Learn How Networks Work
- Online Privacy Topics to Stay Safe in a Risky World
- Online Safety
- Uncategorized
A Former Fraudster’s Tips for Protecting Your Personal Information in a Connected World
Technology is evolving so fast and is ever increasingly integrated into our world. It’s becoming less and…
[Read More]Awareness and Safety Go Hand-in-Hand: Tips to Protect Yourself
Scams are often (though not always) technology-based, and physical danger happens in the physical world. But both…
[Read More]We Created EasyPrey.com Scam Help Page to Help You
WhatIsMyIPAddress.com and our sister website, EasyPrey.com, focus on providing content and links to information and resources for...
[Read More]EasyPrey.com Resources for Scam Victims
We’ve compiled a list of resources for all victims (and near victims) of scams, fraud, and identity…
[Read More]The BBB Scam Resources Are There to Help You!
The Better Business Bureau is on YOUR side, helping consumers with real-time scam tracking, which you can...
[Read More]Amazon Scams Come in All Shapes and Sizes. Are You Prepared?
Tell Amazon ASAP if you’re a victim of a delivery scam. Amazon takes fraud and scams quite...
[Read More]





