A new rapid expert consultation from the National Academies of Sciences, Engineering, and Medicine warns that artificial intelligence is fundamentally changing cybersecurity - giving attackers an immediate edge but also creating a path to stronger, automated defenses. Nadya Bliss, co-author of the report and executive director of the Advanced Capabilities for National Security Institute at Arizona State University, said the current moment demands urgent coordination to shorten the window where bad actors hold the advantage.
"It used to be that you had to be a pretty sophisticated attacker to launch a sophisticated attack, and now that is no longer true," Bliss said. "This is not something we can sweep under the rug. We have to address this shift to protect our digital systems."
The asymmetry at the heart of cybersecurity hasn't changed: an attacker needs to succeed just once, while a defender must get it right every time. AI widens that gap by enabling less skilled adversaries to generate convincing phishing emails, craft malware, and probe for vulnerabilities in both machines and human behavior.
What individual users should do now
For people managing bank accounts, passports, and medical data online, the same advice holds - but the stakes are higher. High-profile organizations are strengthening their defenses with two-factor authentication and passkeys. Bliss said individuals should avoid clicking suspicious links, sharing passwords, or giving out information over the phone. Attackers now use AI to automate and scale these social engineering efforts, making vigilance more critical.
Bridging the gap between attacker and defender advantage
The report argues that in the near term, attackers are advantaged. In the longer term, defenders can pull ahead - but only with deliberate investment. Bliss described the goal as compressing the time between those two states. That requires effective coordination, public-private partnerships, and incentive structures that push organizations to bake AI into their defensive systems just as attackers already do.
"We need defenders to use AI across their systems," she said, "just as attackers could now do pretty readily."
Lessons from the internet's early days
Bliss drew a parallel to the late 1990s and early 2000s, when the internet and social media became household fixtures. She recalled thinking at the time, "There are so many holes in all of this." Data breaches and social media harms were obvious risks, but it took years of negative consequences for guardrails to catch up. The hope now is that society learns from that pattern and doesn't repeat it with AI.
"We tend as a society to overfocus on the capability and underfocus on security," Bliss said. "Things are moving a lot faster, but we also know a lot more. So let's do this better than we did with the internet."
The case for continuous rapid assessments
The report's format - a rapid expert consultation - reflects a larger need. Bliss said AI's diffusion is happening at an unmatched scale, and even experts often cannot explain precisely why generative models work. That gap between understanding and usability argues for ongoing, rapid reassessments across industries, from health care and finance to entertainment and national security.
National security and AI
The Pentagon is aggressively pursuing AI adoption, both to enable the warfighter and to protect against adversaries using AI. Bliss said AI is central to protecting critical infrastructure - energy, health care, water supply - and maintaining the ability to operate in contested environments. ASU is running projects that apply AI to hospital cybersecurity, military training performance, and space-based communications speed.
Why this matters for IT and development professionals
For the people building and maintaining digital systems, the report's message is direct: defensive AI adoption can't wait. It's not enough to limit the release of dangerous models, as was done with the recent Claude Mythos model. Teams need to push for systemic resilience and defense-in-depth, weaving AI into detection, response, and recovery workflows. Continuous risk assessment, not just one-off audits, will be part of the job. The lesson from the early internet era is clear - security can't be an afterthought when the technology is already in every user's hands.