AI and Cybersecurity in 2026

Here at Pythia Cyber we engage in real-world consulting. We don't provide you with theoretical solutions to real-world problems. This means that we really try to avoid cool-seeming (but actually useless) topics like "AI and Cybersecurity in 2026."

Eye-catching as these headlines are, they either presage a bland and shallow take on a complex issue or they make deep and simplifying assumptions. An example of the bland take is "AI is going to super-charge the cybersecurity threat environment in 2026!" An example of the deep and simplifying assumption is "AI is going to make all phishing into spear phishing in 2026!"

You might as well ask "what about electricity and cybersecurity in 2026?" Well, lots of things in cybersecurity will be affected by electricity in 2026, to a high degree; what will thinking about this do to help you protect your digital assets? Not much.

Here in the real-world we know that we cannot take perhaps the most general-purpose technology ever created (AI) and map it to an enormous endeavor that evolves rapidly (cybersecurity) and come up with a nice little nugget of wisdom.To any anything meaningful about the interaction of these two giant topics we have to get specific and we have to consider context. If we were forced to do a short blog post about a vast subject, it would go like this:

In order to talk about cybersecurity in a meaningful way we need to break down the enormous endeavor into meaningful parts so that we have a context in which to think about AI. We will use the NIST CSF because we are a NIST CSF shop.

Identify

Identify is the phase in which we take stock of our digital assets, the cyber things whose security we wish to ensure. Given the way human beings work this phase is mostly easy and partly excruciatingly difficult. The easy part is listing the data and systems that are front of mind. The hard part is listing the data and systems so familiar that we don't even see them any more.

AI doesn't have the problem that familiarity breeds invisibility. AI is good at high-level pattern-matching. You could turn an AI agent loose on a variety of sources--network traffic, subscription bills, service contracts--to double-check your human-generated digital asset list. Neither list will be perfect, but the combination of the two lists will be better or more trust-worthy.

Protect

Protect is the phase that everyone thinks is easy but always turns out to be hard. Leaders are confident that their job is done once they assign priorities to the digital assets list. Cyber defenders are confident that their job is done once they codify the steps they take to protect those assets. Managers are confident that the priorities from above and the procedures from below align with the policies.

But there is most pattern-matching cross-checking to do here. An AI agent could do the grunt work of matching every version / revision level of every digital asset with both the CISA Cybersecurity Alerts & Advisories and any updates from the vendor or support company. This is the kind of import but mind-bendingly boring task that suits AI so well. And AI won't complain if you want this run every month or every week.

Detect

Detect is the phase for which AI poses a real dilemma. Lemma the first: this kind of rote pattern-matching at scale is something for which AI was made. Lemma the second: this task is much too important to just hand over to a bot. Someone has to stay proficient in order to train the bot on the ever-emerging new threats or you will have a highly automated but slightly out-of-date Detect program.

Keep in mind that the bot will (eventually) do a pretty good job but that the early stages will be ugle and there will always be the burden of quality control and continuing education. There is the additional problem of having your cyber defenders' skills atrophy if they stop doing this job and let the bot do all of it.

This makes Detect the perfect place to show how well you understand both cybersecurity and AI. Train a bot to do what your cyber defenders do and then have the cyber defenders both review the results and do a randomly selected part of the work independently.

Respond

Here we have another dilemma: on the one hand, there are parts of the Respond phase that can and should be automated as time will be of the essence. Automated alerts are a great idea. Automated initial communication can be great. A very, very, VERY carefully considered set of real-world actions might be given to a bot, such as shutting down external network connections, etc.

I stress again that I would be very, very, very careful about what real-world actions I would cede to a bot, especially given the tendency of bots to take unexpected and extreme action like deleting everything.

Recover

The Recover phase is often only partly done: you clean up the mess, your repair the damage and then you heave a huge sigh of relief. You know that you should, after a short break, review the Recover plan and review the actual actions you took during the the Recover phase and you should certainly create a detailed timeline of events from Incident to Recovery. But you almost certainly won't do any of that, let alone all of it.

A bot might make this tedious task less tedious to the point where you actually do it, which would be a big win.

Conclusion

We are all for thoughtfulness. We love planning. We feel that writing policies and then turning those policies into procedures or processes and then monitoring those procedures or processes are all great things to do. AI will certainly make cyber threats worse and could possibly make cybersecurity better. (Why do the bad guys seem better at exploiting technology than we are?) But there are many big devils in all those little details.