teissTalk: Quantifying emerging cyber risks from AI and quantum

Views on news

It might feel like a worthwhile shortcut to skip designing and enforcing guardrails upfront in favour of adoption and experimentation, but it’s likely a slower, costlier route to try to retrofit oversight later. According to a recent Deloitte survey of 3,235 information technology and business leaders, only 21% of respondents say their organizations have a mature governance model in place for agentic AI. If not properly monitored and centrally controlled, AI agents can make unseen mistakes, work at cross purposes, reveal sensitive information, offend a customer, invite a cyberattack, and more. These risks could compound if governance challenges aren’t solved before enterprises scale pilots to full production. As agenting AI is developing at breakneck speed, it’s hard to collect reliable, up-to-date data about the guardrails that businesses have currently in place. Moreover, clear visibility of agentic AI use is further obscured by shadow AI. Giving autonomy to AI agents presents governance with yet more challenges. More alarmingly, the authentication and authorisation frameworks are still missing for agentic AI. Governance theatre won’t work here. Rather, what is required now is tools and frameworks that can be implemented immediately. 

Implementing guardrails for agentic AI, shadow AI and PQC

Today, identity and access management or authentication isn’t prioritised by businesses, which produces security gaps that agentic AI will render untenable. Alongside AI governance, it’s also key to build an inventory of what type of AI and how is used across the company. Zero trust is yet another security concept whose relevance gets accentuated by agentic AI deployments. However, cyber security teams will need additional resources to ensure that these controls are all in place in preparation for agentic AI deployments. While building guardrails for the use of new types of AI, businesses must also prepare for managing the infosecurity step change that quantum is expected to bring about in the medium term. Investments in quantum computing are on the rise too. Currently, there are two groups of risk associated with quantum computing – one is  “harvest now, decrypt later” (HNDL); the other is the threat to digital signatures, including certificates, tokens, UB keys and TPMs. Replacing all those established systems will be a massive challenge to organisations. 

In the US, federal agencies have a mandate to get PQC compliant by 2035. Moving to quantum resistant technological decisions is, however, isn’t an insurmountable task. Existing quantum resistant algorithms  are standardised and widely accepted by regulators across the globe and are supported by software vendors. The size of the quantum threat will also depend on whether benign or malicious actors will develop the technology first, as well as how costly the technology will be. It’s a more likely scenario that quantum won’t burst onto the stage with a bang but appear gradually before it gets fully mature. Others, however, believe, that it will emerge as a fully-fledged technology as did the atomic bomb. But no matter when and how crypto computers will enter the scene, busineess would do well to start adopting crypto agility now, well before new cryptographic standards and frameworks appear. 

 

The panel’s advice

• We can’t tell when the last piece of the quantum technology will emerge, rendering current security systems useless, therefore migration to post-quantum cryptography must be on every company’s strategic agenda.
• The threat of HNDL is tempered by the fact that most of the data will get out of date by the time bad actors can decrypt it.
• Experts at Ariel.re have found that rather than being a game changer, Mythos is more of an accelerator.
• You can’t afford gold-plated controls everywhere – consider zoning and have some safe sandboxes where people can experiment and become more conversant with AI and quantum technology.