April 16, 2026

AI Security will be Bolted On

Jeremiah Grossman


Every category of cybersecurity has security bolted on, and there’s a sensible reason for this.

Many voices in cybersecurity are rallying around the idea that we must secure AI from the start, build it safely, align it properly, and prevent misuse before it scales. This is what cybersecurity practitioners generally mean when they say, “secure-by-design.” The sermon is simple: get the design right upfront and we can avoid catastrophe. It is a mix of genuine concern and familiar optimism, and yes, a reliable way to attract attention and budget.

Secure-by-design is reasonable advice, but it has significant efficacy limits. The idea assumes that if insecurity shows up later, someone must have cut corners, and that with enough discipline we could have anticipated what was coming. If that were true, cybersecurity would be understandable in advance and ultimately controllable.

It is not.

If secure-by-design were enough, we would have solved cybersecurity already. The reality is simpler and far less satisfying.

No matter how disciplined you are, no matter how much time, budget, and thought is allocated, you cannot defend against attack techniques that do not yet exist or that you do not yet recognize. Absolutely nothing, including AI, changes the nature of the problem. We have seen this pattern repeatedly across every form of software and system since the beginning.

Attack techniques such as cross-site scripting, SQL injection, CSRF, buffer overflows, off-by-one errors, NOP sleds, return-oriented programming, heap spraying, use-after-free, heap overflows, and hundreds of others were not anticipated when the underlying technologies were first conceived and implemented. Flaws are still found in long-established encryption algorithms years after formal approval, not because people were careless, but because the research and the playbook did not exist yet. These attacks were discovered much later, often after widespread adoption, then refined and scaled.

We do not simply miss things. We are introduced to things we could not have known to miss in the first place. And yet we treat security like a static engineering problem, something you can design correctly once and trust. Adversaries are not static. They only need to find one primitive that works and reuse it everywhere.

Which brings us to AI.

We have to secure AI, but we do not yet know what that means in practice. The taxonomy is incomplete. The geopolitical rules are unclear. The playbook is unwritten, and no one can write a version of it that will stay correct. So we will do what we always do when we have no other option. We will guess.

We will build guardrails, constrain access, monitor behavior, and try to get ahead of it. Some guesses will be right. Many will not. We will be wrong more than we would like. That is not failure. That is how this works. And unless we see a fundamental breakthrough in computer science, such as solving the halting problem, it will always work this way.

Therefore, some amount of AI security will inevitably be bolted on. Not because we failed, but because it is not possible to fully understand the threat landscape upfront. The real signal only shows up after deployment, through research, incident response, and actual breaches. That is when we learn how systems are manipulated, which paths lead to compromise, and what actually drives loss.

We as defenders do not decide what matters. Adversaries do, by what they exploit repeatedly at scale.

Security does not struggle because we did not think about it early enough. It struggles because what needs to be defended is not fully knowable in advance. The mistake is not failing to bake in security. It is assuming we can fully bake it in. Our job is not to predict everything upfront. It is to adapt to what proves to matter.

For example, bank robbery is not solved by making each branch an impenetrable fortress; it is solved by making the act and the reward not worth the risk.

For AI, that means focusing on where it can take action, access sensitive data, or trigger downstream systems. Those are the paths that create real loss. Everything else is noise until proven otherwise. Instrument those paths heavily. Constrain them aggressively. Watch how they behave in the wild. Then act on what you learn, faster than before.

Budgets are finite. Every dollar spent on theoretical risk is a dollar not spent on what drives real loss. The winners in AI and beyond will not be the ones who guessed best at the start. They will be the ones who adapt fastest once reality shows up. That’s why security will always be partially bolted on, because the game is not fully knowable ahead of time.

In cybersecurity, survival is optional and reality always gets the final say.
