
AI is forcing a rethink of endpoint security assumptions


I was struck recently by an email promotion for a webinar focused on a topic that should concern every executive, cybersecurity professional, and risk manager: how artificial intelligence is accelerating both the speed and volume of cyberattacks.

The webinar focused on identity controls and how organizations can combat a new era of AI-generated attacks. The message was straightforward. AI is changing how fraud appears across financial services. Tactics that once required significant planning and coordination can now be generated, adapted, and scaled almost instantly. Traditional identity controls are becoming easier to bypass, creating a difficult challenge for risk teams that must catch more fraud without creating friction that slows business growth.

The promotion noted that many of today’s security signals were built for a different internet. Point-in-time verification checks and surface-level identity data are increasingly insufficient. Organizations need deeper visibility into behavior over time and across multiple platforms.

While reading that message, I found myself returning to an argument my good friend TJ Tajalli at OnSystem Logic has made repeatedly over the years: the cybersecurity industry must finally confront the reality of the enormous execution surfaces that have become accepted as normal in enterprise security.

It is time for that thinking to change.

Large execution surfaces should never have been accepted as a permanent condition of modern computing. Yet over time, the industry largely normalized an approach where vast amounts of arbitrary execution are considered unavoidable, and security teams focus primarily on determining whether that execution is malicious after it has already begun.

Detection and response were never intended to become the entire security model, but here we are.

For years, this approach has been supported by increasingly sophisticated tools that attempt to identify malicious behavior after execution starts. Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), behavioral analytics, machine learning, and now AI-driven security operations have all improved the ability to recognize attacks in progress.

But recognition is not the same as prevention.

And to badly paraphrase Peter Drucker, “more work isn’t the same as more of the right work.”

That distinction becomes increasingly important as AI transforms the threat landscape.

Today’s attacks are no longer limited by human speed. Exploit variations can be generated automatically and deployed at machine scale. Malicious activity increasingly executes inside trusted applications and legitimate business processes. Attackers routinely chain together approved administrative tools to avoid detection. And now autonomous AI agents are emerging as entirely new operating system-level execution surfaces that organizations must somehow govern.

These developments expose a fundamental weakness in the industry’s heavy dependence on detection-based security models.

The challenge is not simply identifying bad activity. The challenge is that the potential execution surface has become too large to monitor effectively. As AI accelerates attack creation and execution, defenders face an impossible task: trying to distinguish malicious activity from legitimate activity across an environment where almost everything is allowed to run.

Many security professionals already understand the value of application control, runtime enforcement, and execution governance. These concepts are not new. The ability to constrain execution, restrict software behavior, and enforce trusted pathways has long been recognized as a powerful defensive strategy.

Unfortunately, many of these traditional implementations failed operationally.

Security teams often encountered brittle policies that broke legitimate business processes. Endless tuning cycles created administrative burdens. False positives frustrated users and administrators alike. Deployment complexity limited scalability. In many cases, the operational overhead outweighed the perceived security benefits.

As a result, organizations bought and deployed the above solutions but then scaled back or even terminated their use. Instead, they fell into accepting large execution surfaces as the practical cost of doing business.

That acceptance may no longer be sustainable.

The rise of AI-assisted exploitation and autonomous AI systems is forcing a broader reassessment of endpoint security assumptions. The question is no longer whether detection capabilities can become more intelligent. The question is whether organizations should continue relying on security models that permit enormous amounts of unrestricted execution in the first place.

A few, far too few, security architects are revisiting a different approach—one focused on reducing the execution surface itself rather than attempting to recognize every possible malicious variation after execution begins.

This philosophy centers on several key principles:

  • Complete executable allowlisting
  • Deterministic in-memory execution path enforcement
  • Execution governance and orchestration constraints
  • Operating system-level governance for AI agents and autonomous tooling

Rather than treating unrestricted execution as inevitable, these controls seek to minimize opportunities for unauthorized execution to occur at all.

Equally important, modern implementations must address the operational shortcomings that hindered earlier execution control technologies. Security controls that cannot be deployed practically, managed efficiently, or operated at scale will never achieve widespread adoption regardless of their theoretical effectiveness.

I am encouraged by the efforts of leading EDR vendors regarding some of the above principles, but I only know of one vendor who has addressed all of them in their solution.

The future likely requires both prevention and detection, not one or the other. AI-powered analytics, behavioral monitoring, and automated response remain valuable capabilities. But they should complement a strategy designed to reduce attack opportunities before execution begins.

As AI continues to accelerate the speed, scale, and sophistication of cyberattacks, organizations will increasingly discover that detection alone cannot solve a problem rooted in excessive execution freedom.

The industry has spent years investing in the ability to identify malicious behavior after it starts. The next phase of cybersecurity may require equal attention to a simpler question:

Why was the behavior allowed to execute in the first place?

That conversation is long overdue.
