The antidote to 'evil AI' is more AI

AI-powered attackers are operating at machine speed. Don't fight back with human-speed defense.

Wouldn't it be nice if enterprise cybersecurity were as easy as recalculating your route on Waze?

I vividly remember a time early in my career, sitting in a rental car in San Jose with a dozen printed MapQuest pages on the passenger seat, lost and 30 minutes late for an interview. The directions were accurate when I printed them, but MapQuest had no way of knowing about the closed exit ramp off the 101 or that I missed the third turn after the Thai restaurant.

Today, Waze automatically connects to my car's "infotainment" system and makes driving, even in a strange city, a non-issue. It achieved that not by giving me better static information, but by making the map aware, adaptive and able to update in real time.

Enterprises should use this dynamic model to think about their technology stacks. But when I look at how most organizations approach AI and cybersecurity right now, I see a lot of printed MapQuest directions.

Mythos made AI threats very real

For years, the discussion around AI's destructive effects on cybersecurity lived mostly in research papers and conference keynotes. The introduction of Anthropic's Claude Mythos made the abstract concept a reality that organizations must address urgently.

Mythos can autonomously identify software weaknesses, probe systems at machine speed and operate continuously without fatigue or human intervention. Anthropic itself said Mythos was too dangerous to release publicly and limited its access, prompting widespread concern.

Prominent voices counter that the existential fear is overblown. Whichever camp you fall into, the technology is here, and CIOs and IT leaders must learn how to handle it.

Why AI security is already behind

The instinct in most organizations is to treat AI threats as a security problem: The IT team hands them off to the chief information security officer (CISO) and moves on. That division of labor made sense in a slower world, but it won't suffice in the world we're becoming.

Only 26% of organizations report having comprehensive AI security governance policies in place, according to the Cloud Security Alliance's State of AI Security and Governance report issued late last year. That means three-quarters of enterprises make high-stakes AI decisions -- including which models to deploy, which data to expose and which workflows to automate -- without a coherent framework to manage risk.

To make matters worse, CIOs and CISOs often don't realize which AI tools employees use. Gartner's Global Labor Market Survey for Q1 2026 found 88% of employees with access to enterprise AI tools also use personal AI tools for work. And more than 78% of technology leaders reported that AI adoption is surpassing their organization's ability to manage the associated risks in EY's recent Technology Pulse Poll.

The underlying challenge is speed. Attackers using AI-assisted tools can continuously scan, probe and exploit at machine speed. Most enterprise security responses still operate at human speed, with quarterly reviews, annual audits and governance documents that fall out of date almost immediately.

That disparity cannot be addressed by people creating better policies at human speed. We can only defend with better technology.

Fight back against AI with more AI

Waze did not beat unpredictable road hazards by waiting to see what its competitors would do or hoping the government would step in to limit the number of cars on the road. It succeeded by becoming more adaptive than the problem, creating software that constantly gathered information, learned from it and updated instantly.

Enterprises must adopt that model for AI security. The Cloud Security Alliance report encouraged security teams to take the lead in adopting AI security tools, and many are already available.

Knowing where to start can be difficult, especially when advances happen so quickly. The Cybersecurity Framework Profile for Artificial Intelligence, published by NIST, organizes the challenge into three focus areas: securing your AI environment, defending with AI and thwarting AI-enabled threats.

In practice, that translates to three functions where IT, if it moves quickly enough, can gain the upper hand. These functions are the following:

  • Increasing visibility. Shadow AI is a growing concern in organizations because you cannot defend what you cannot see. Major security vendors, including CrowdStrike, Netskope and Palo Alto, offer products that identify and map unapproved tools before they become incidents.
  • Using AI proactively to scan your own systems for vulnerabilities before attackers do. Microsoft said its new MDASH agentic scanning system, available in preview, recovered 96-100% of confirmed historical vulnerabilities in tested codebases.
  • Continuous monitoring of AI already running in production. Vendors, including Dynatrace and Cisco, are beefing up their observability platforms with agents that offer real-time insight into AI workloads.

Gartner predicted 75% of enterprises will use "AI-amplified" cybersecurity products for most cybersecurity use cases by 2028, up from less than 25% in 2025. The organizations adopting those products are not careless about risk. They have simply accepted that the only realistic answer to AI-speed threats is AI-speed defenses.

Nobody argues we should go back to printed MapQuest directions. The roads got more complicated, and how we navigate got smarter to match. How much longer can you afford to wait for your security systems to do the same?

Susan Fogarty serves as vice president of Editorial, Enterprise Technology at Informa TechTarget, overseeing a global team producing content for premier IT and telecom media brands including TechTarget.com, InformationWeek and Light Reading.
