Former CISA Director Urges Cybersecurity Professionals: Shape AI Before It Shapes Us 

MSPs and other cybersecurity professionals have a crucial role to play when it comes to the shape of AI over the next few years. Jen Easterly, cybersecurity expert and former CISA director, spoke to attendees of Gartner’s IAM summit in December, making it clear that this stage of AI development is a critical one for the cybersecurity landscape. Because while AI can fuel incredible cybersecurity capabilities, it also opens up significant risk. 

“Identity systems have to assume that adversaries can mimic anything or anyone,” Easterly said. “Over the past couple years, AI has rightfully captured the world’s imagination. But I fundamentally believe that it is the responsibility of all of us as leaders, as security professionals, as innovators, as technologists, to ensure that we can leverage the power of that imagination, without suffering a failure of imagination. We have to be able to tap into powerful AI, but ensure that we can effectively secure these capabilities because if not, we’re going to face threats of an entirely different order of magnitude.” 

Getting identity right is a critical component to that objective. “Because, if we don’t know who is accessing our systems and our data and our models, nothing else really matters,” Easterly said. And it’s what, not just who, she pointed out.

“Machine identities now outnumber human identities by some 45-1 in enterprise environments. And that number’s going up week by week.” 

AI Ushers in a New Age of Security 

AI will be the most powerful technology of our lifetime, Easterly said, capable of changing the way we live and work. “AI is not just another technology,” she said. “It’s a fundamental shift in how we approach every single problem.” 

AI will help create capabilities that can detect cyberattacks before they negatively impact businesses, Easterly said. It “can identify vulnerabilities that no human ever could, that can deploy countermeasures and learn from every attempt to breach them. At its core, AI gives us phenomenal leverage—leverage that’ll allow one person to do the work of 10, and then dozens, hundreds, and thousands. AI is going to make brilliance accessible and, ultimately, democratize genius.” 

The Risk Run by Progress 

But that doesn’t mean AI is without risks. The French philosopher Paul Virilio said, “When you invent the ship, you also invent the shipwreck. When you invent the plane, you also invent the plane crash. When you invent electricity, you also invent electrocution,” Easterly quoted. “Every single technology brings with it negativity that is invented at the same time as technical progress. The AI that can protect can also attack, that can identify a vulnerability can also exploit one, that can prevent fraud can also commit it,” she said. 

Easterly pointed out that AI is already being used to create highly personalized, nearly perfect phishing emails, and the threats will only get more advanced going forward. “Throughout my career from West Point to the White House, to Baghdad to Wall Street and back, one thing has remained constant—the threat landscape has never stopped evolving,” Easterly said. “It’s a landscape of danger, propelled by a data revolution, and one that will be turbocharged by powerful AI.” 

Preexisting Vulnerabilities in the Security Framework 

Historically, security hasn’t been the first priority of technological innovation, Easterly pointed out. “Since the dawn of the internet, technology development has followed the same pattern. It’s been about features, getting to market first, driving down cost, and convenience—all prioritized over security. Security has lagged; security has been a bolt-on” feature, Easterly explained. “We’ve been moving fast and breaking things.” 

“It’s why we have an internet still full of malware, why we have software riddled with vulnerabilities, why we have social media full of misinformation. And here we are, hurtling towards building and leveraging the most consequential technology of our lifetimes,” Easterly said, referring to AI. “And we’re at a moment of decision. The question is, will we finally get it right this time? Will we finally prioritize security? Because this time the stakes are different. It’s not just software; it’s intelligence. Intelligence that can ultimately serve humanity in incredibly positive and powerful ways, or do irreparable harm.” 

The Security Problem 

“The mechanisms that we’ve been trusting to validate identity tokens and authenticate privileged accounts are now among our biggest vulnerabilities,” Easterly said. “Identity is not a security problem. Identity is the security problem. And the answer isn’t stronger authentication; it’s intelligent identity systems, systems that don’t just validate credentials, but understand context and behavior and intent, powered by agent AI identity that is continuously verified and contextually authorized.” 

But to take advantage of the incredible opportunities AI can offer and drastically improve cybersecurity capabilities, Easterly said the industry must first acknowledge an uncomfortable truth: “We don’t actually have a cybersecurity problem,” she said. “We have a software quality problem.” 

“We need products—technology products, software products, identity products—that are built with security as a top priority,” Easterly said. “Vendors can drive the most significant change at scale. Yes, the economic incentives do favor speed over security. But we know that when vendors prioritize security in their products, the whole ecosystem thrives.” 

Solving the Legacy Code Problem 

Easterly is most excited about AI’s ability to solve what she deems cybersecurity’s biggest problem: legacy code in critical infrastructure, which “is built on decades and decades of flawed and insecure, defective code that’s been patched and patched into a big rickety mess,” she said. “Up until now, it’s been too expensive and too risky to do anything about it. Now, we’re seeing the potential for AI to read code, to understand that code, and to refactor and transform that code at scale. That is truly revolutionary. If its trajectory holds, and we are able to build these capabilities to be secure by design, it means an end to the soulless cycle of patch after patch, and a path to a more resilient and secure digital ecosystem.” 

“That, to me, is the real promise of AI—the ability to solve the software quality problem that led to bolt-on security solutions and the ability for this incredible community to use our talent and our innovation and our experience and our expertise to solve the most difficult, the most challenging, the most intractable security problems—not to spend our time compensating for poorly designed software. It won’t mean the end of cybersecurity threats, but I do think it means we will see a massive, radical increase in software quality and a significant decrease in cyber risk. A world where ransomware is not a multitrillion-dollar business, but rather a shocking anomaly.”

Have a Hand in Shaping AI

Finally, Easterly encouraged security professionals to “shape AI before it shapes us. Let’s build identity strong enough to withstand a world where the difference between real and fake is increasingly blurred. Let’s have the wisdom and courage to take advantage of this unique moment, where identity is reimagined as the foundation of digital trust in an AI-powered world. Where identity is not a security gatekeeper, but the entire security architecture. If AI is going to defend rather than be a danger, identity must be the strongest link. If we get that right, everything else is possible.” 

For more on where AI and cybersecurity are headed, take a look at what MSPs are betting on heading into 2026.

Author:

Sarah Jordan

Sarah Jordan is a staff writer at MSP Success. When she’s not reporting on trends and issues pertinent to the MSP community, you can usually find her working on her novel’s manuscript.
