AI adoption is accelerating at an unprecedented pace. In the past year alone, valid AI-related vulnerabilities reported on the HackerOne platform surged by 210%. For enterprises, this growth underscores a sobering reality: those that fail to keep pace risk escalating financial, operational, and reputational damage.
The rise of AI autonomy—where systems evolve beyond co-pilots to independently make decisions and execute tasks—introduces risks unlike any seen before. Threats such as prompt injection, excessive agency, and data leakage now allow adversaries to manipulate AI behaviors directly, sometimes without even touching critical infrastructure.
Attackers are adapting in parallel, blending human creativity with machine-driven persistence. The result: AI-powered exploits that scale faster than defenders can respond. The message for executives is clear: as AI broadens the attack surface, enterprises must adopt a new security playbook.
AI expands the attack surface
Every new AI model, integration, and data pipeline widens the enterprise attack surface. Over the past year, most security leaders reported rising concern over AI-driven risks.
Attackers are evolving just as quickly—using AI to discover and exploit vulnerabilities at machine speed. Their combination of human ingenuity and automated persistence is exposing the limits of traditional defenses.
The takeaway: AI adoption is creating new entry points faster than legacy defenses can adapt. Security programs must evolve in months, not years.
Bionic hackers redefine defense
On the defensive side, a new force is emerging: the bionic hacker. These researchers combine human creativity with AI automation to uncover vulnerabilities faster and at greater scale. AI accelerates reconnaissance, triage, and simulation, freeing human experts to focus on the highest-risk exposures where judgment is irreplaceable.
The impact is transformative. Tasks that once required weeks—drafting reports, building proofs of concept—now take hours. In fact, most ethical researchers are already using AI to accelerate testing.
The takeaway: enterprises that embrace bionic hackers turn the same forces that empower attackers into a decisive defensive advantage.
CISOs at the frontline
CISOs are now the de facto stewards of AI security, with more than 80% responsible for safeguarding AI systems and data privacy. Yet as responsibilities expand, budgets often fail to keep pace. Traditional board metrics like ROI overlook the value of what security prevents—breaches, downtime, and reputational damage.
A new measure is gaining traction: Return on Mitigation (RoM). RoM reframes security as measurable value, showing how effectively investments reduce risk and avert costly incidents. In 2025 alone, HackerOne customers realized $3 billion in cumulative mitigated loss savings—delivering a 15x return on every dollar spent.
For CISOs, RoM provides a clear way to demonstrate to boards that offensive security reduces risk in line with how attackers operate: campaigns are priced based on the value of data at risk.
The takeaway: boards must empower CISOs with the right resources, metrics, and support to secure AI.
Strategic imperatives
Meeting today’s threats requires more than incremental fixes—it demands a fundamental shift in enterprise security strategy. Three imperatives stand out:
- Harness AI agents. Detection and response must operate at machine speed. Emerging agentic systems can chain tools, adapt to feedback, and make real-time decisions. The next frontier is coordinated teams of agents that turn raw signals into validated, prioritized outcomes.
- Keep humans in the loop. Human expertise remains essential to guide and refine AI agents. Teams must develop skills that span both AI mechanics and business context. Defenders who connect vulnerabilities to real-world impact ensure AI-first defenses address the risks that matter most.
- Tap the diversity of the crowd. AI autonomy brings new challenges—balancing risk, protecting data privacy, and securing deployments. Bug bounties, vulnerability disclosure, and penetration testing extend internal teams with the reach and perspective of global researchers, uncovering vulnerabilities that would otherwise remain hidden.
The takeaway: these imperatives aren’t optional—they define who will stay secure in the age of AI autonomy.
Winning in the age of AI autonomy
AI autonomy has redrawn the security battlefield. What was once human versus human is now AI against AI, with both attackers and defenders wielding machine power. The surge in vulnerabilities—from prompt injections to model exploits—demands a renewed focus on offensive security backed by defense-in-depth.
The mandate is clear: security leaders must act decisively. Those who rapidly evolve their programs to integrate adaptive, AI-powered defenses will hold the advantage in this new era. The time to act is now—hesitation only benefits the attacker.
