In the realm of cybersecurity, a damaging cycle has persisted for decades, characterized by a rush to release products without adequate security measures. This phenomenon, where security considerations are overlooked in favor of speed, perpetuates a culture where security teams must manage the fallout. Organizations frequently adopt a mindset of “We’ll patch it later” or “Next release will fix it,” despite clear evidence illustrating the weaknesses of this approach. The latest 2025 Verizon Data Breach Investigations Report (DBIR) underscores this trend, revealing a concerning 34% year-over-year increase in breaches stemming from exploited vulnerabilities. Alarmingly, over half of the vulnerabilities identified in edge devices remained unaddressed a full year later.
This troubling pattern is now emerging in the field of artificial intelligence. AI systems are being rapidly developed and deployed, often with known shortcomings and insufficient safeguards. According to IBM’s Cost of a Data Breach report, a staggering 97% of organizations that encountered an AI-related security incident lacked adequate AI access controls. Yet, many vendors are vehemently arguing against the implementation of safety standards, claiming that such requirements would hamper development and progress.
The risks associated with prioritizing rapid deployment and marketing over security are manifesting in ways that render the traditional “penetrate and patch” methodology almost manageable by comparison. AI, being less understood than prior disruptive technologies, is evolving more quickly than security measures can adapt. Critical systems are being integrated with AI technologies before a comprehensive evaluation of potential risks has taken place.
AI agents are the latest innovation to be hastily integrated across various industries. However, their deployment introduces a unique internal threat that the existing security architecture is ill-prepared to handle. Unlike chatbots, these AI agents can autonomously create, delete, or modify files without human oversight, thereby presenting a new strain on security: autonomous actors with direct write access within sensitive frameworks. The 2025 Verizon DBIR noted a disturbing trend: incidents involving third-party breaches have doubled, from 15% to 30%. As AI agents become an additional layer of dependency on external sources, the associated risks are bound to escalate.
Further complicating matters, organizations are increasingly laying off trained cybersecurity staff in favor of AI tools or inexperienced personnel lacking domain-specific expertise. The professionals being dismissed possess a deep understanding of the context and threat landscape relevant to their organizations, a level of insight that AI does not replicate. The absence of this experienced workforce inevitably creates new security vulnerabilities. AI lacks the nuanced, contextual knowledge that seasoned professionals contribute; thus, by eliminating such expertise, organizations unwittingly accumulate technical debt.
Examinations of the current cybersecurity landscape reveal that several of these risks merit serious consideration, particularly concerning the assumption that regulation will impede innovation. In numerous technology-intensive industries, successful regulation has enabled progress without stifling development. The establishment of rigorous standards for genetic research, for instance, hasn’t prevented significant advancements in the field, with CRISPR-based therapies now in clinical use. Similar frameworks exist in the realms of nuclear energy, commercial aviation, and space exploration. The focus in these cases has never been whether to advance technology but rather how to advance it responsibly, preventing potential foreseeability harms.
For organizations adopting AI systems, the imperative is clear: security and safety-by-design principles must guide the introduction of such tools. The rigorous documentation of these principles, accompanied by verifiable evidence, is essential. Customer stakeholders should demand the same security assurances from vendors as they would for any critical system: comprehensive test results, detailed audit trails, and documentation of security considerations.
Human professionals must play an integral role in the verification process, as AI systems are prone to fabricating compliance audits just as often as they can generate secure code. An AI tasked with implementing “security by design” might falsely report success, echoing a well-documented tendency for sycophantic behavior, where the system provides affirmatives to please its directives.
For organizations already involved in AI initiatives, conducting an enterprise-wide audit of all AI tools in use is crucial, given that a significant portion may be unauthorized. An Upguard report indicates that 81% of employees and 88% of security professionals utilize unapproved AI tools at work, which increases both risk and costs considerably. Past incidents have shown organizations with unapproved AI tools facing significantly higher expenses when breaches occur.
Nevertheless, none of these considerations will be effective unless security leaders are prepared to challenge hype-driven timelines and advocate for a more responsible adoption of AI technologies. The ACM Code of Ethics and Professional Conduct explicitly states that professionals have an obligation to anticipate and mitigate harm. Security leaders must invoke these principles when discussing AI strategies with their boards, leveraging their expertise to identify potential risks associated with rapid implementation.
The decisions made in the forthcoming years will be pivotal in determining whether AI systems are built on a sustainable foundation or one that necessitates costly rebuilding in the future. Organizations that prioritize safeguards are more likely to create stable, trustworthy systems that foster long-term customer confidence. Conversely, those that neglect these precautionary measures may find themselves unable to rectify inadequate infrastructure, defending systems they do not fully comprehend and lacking the expertise to address emergent challenges.
The prevailing mindset advocating for rapid deployment in the absence of safeguards assumes that the fallout of caution is more burdensome than the repercussions of failure. However, evidence strongly suggests otherwise. IBM’s 2025 data breach report estimates the global average cost of a breach at approximately $4.44 million, with organizations managing extensive shadow AI liabilities incurring an additional cost of roughly $670,000 on average. No organization has yet demonstrated sustained market advantages gained from hastily deploying AI capabilities that ultimately necessitated retraction, patches, or public clarifications.
Long-term stability will favor those organizations whose systems withstand scrutiny from regulators, customers, and adversaries alike. Security leaders who effectively communicate this perspective to executive teams are not calling for a slowdown in AI innovation. They are advocating for a measured approach that prevents future setbacks. Decisions made hastily will invariably lead to regrettable consequences; ensuring that preventable disasters do not become the hallmark of AI integration remains a paramount concern for all stakeholders involved.