
As Attackers Master AI, Global CISOs Build Equally Intelligent Defenses

The Security Digest - News Team
Published
November 26, 2025

JP Calderon Del Vecchio, Global CISO, explains why mastering data governance is key to building better defenses against advanced AI threats.


Key Points

  • As threat actors use AI to automate cyberattacks, companies must build an equally automated defense.

  • JP Calderon Del Vecchio, Global CISO, explains why the solution begins with mastering internal data governance instead of adding more AI tools.

  • Using AI to continuously test its own defenses allows teams to find and fix the most critical vulnerabilities first.

JP Calderon Del Vecchio

Global CISO | Cybersecurity & M&A Strategist
former PVH Corp., The Clorox Company, Family Dollar

For every company scrambling to adopt AI, there's an attacker who's already mastered it. Now, a growing number of adversaries are adapting the technology faster than most organizations can build defenses against it. The result is a new reality where some threat actors use AI to craft perfect phishing scams and deploy malware on demand.

Today, these automated campaigns operate at a scale and speed that overwhelm security teams. But the most dangerous vulnerability here isn't a sophisticated hack. It's a simple data governance failure that occurs whenever an employee feeds sensitive data into public AI tools. Already, the threat is forcing leaders to fundamentally reassess their corporate security principles.

For an expert's take, we spoke with JP Calderon Del Vecchio, an information security executive with over 20 years of experience in roles like CIO and CISO at PVH Corporation, The Clorox Company, and Family Dollar. Today, he also serves on IBM's Cyber Security Board of Advisors and is a certified CISSP and CISM. From Del Vecchio's perspective, most organizations must rethink their entire defensive posture—starting with internal data governance.

"Automated threats are not new, but modern generative AI is less robotic, more authentic, more self-contained—and it's self-learning," Del Vecchio says. Unfortunately, that self-learning capability also happens to be precisely what most bad actors target.

  • Always on offense: Most attackers use AI to identify the blind spots in existing defenses, Del Vecchio continues. "AI doesn't sleep. In the past, a hacker could run a program, walk away, and come back again the next day. Now, AI does the work for you. Give it a command, and it just goes."

  • Bad data, bad bot: Because modern threats are highly sophisticated and increasingly AI-native, Del Vecchio says, they also create new attack surfaces. "We have to address threats to the AI systems themselves: prompt injection, data poisoning, and malicious inputs designed to trick an AI into finding a blind spot. The impact will be huge."

One key vulnerability that's often overlooked is the uncontrolled use of public AI by an organization's employees, Del Vecchio explains. For him, the origin of that problem is also a failure of data governance.

  • Mind the henhouse: Before securing anything, leaders must first know what they're trying to protect. "When you start deploying AI systems, you really don't know what's in your henhouse," Del Vecchio says. "Since you cannot stop people from using these tools, you can and must control the data they can use."

The problem often begins with a simple desire for efficiency, Del Vecchio says. "An employee might expose the entire org chart by accident through a public tool, for instance. Suddenly, that data is consumed by an outside model, and you have a major data exposure on your hands."

  • Garbage in, garbage out: A leak like that also points to a second risk: training proprietary AI on flawed historical data. "If you train an AI on 30 years of code, how many of those lines have vulnerabilities?" Del Vecchio asks. "A massive number. You have to ensure your models are not learning from that vulnerable code."

However, simply buying more tools is not the answer. In fact, a vendor-reliant strategy creates its own blind spots, Del Vecchio says. Here, he describes two layers of defense: a security vendor's controls and a corporation's own internal controls. Then, he explains how attackers already use AI to find and exploit the unprotected gaps between them.

  • Ring your own bell: Now, to combat these relentless, automated attackers, organizations must build a commensurate defense. "Train your own model to be the attacker," Del Vecchio suggests. "Tell it: 'Be an ethical hacker and try to break in.' When it finds a vulnerability, you need a workflow that goes directly to the process owner with a clear mandate: 'Close this immediately.'"

More fundamentally, the future of security requires a change in process, Del Vecchio says. For him, that means merging vulnerability scanning with automated penetration testing to create an autonomous feedback loop for risk posture and control validation. "Instead of facing 100,000 potential vulnerabilities, automated testing tells you, 'These are the five that are truly actionable.' Now you can prioritize," Del Vecchio explains. "Now you know for a fact they can be compromised, so you can focus on what matters."

  • The human bottleneck: Meanwhile, this new reality also has a direct human casualty: the Security Operations Center (SOC). "The human-centric SOC is collapsing. There's a persistent skills gap, while AI-powered threats are growing more complex. As a result, detection rates are falling."

  • Rise of the triage manager: Already, the collapse is happening across industries as autonomous security operations automate low-level analysis jobs. "Over the next two to five years, the human role will become more advanced," Del Vecchio predicts. "Your team won't be analysts staring at mundane data. They will be triage managers who understand end-to-end risk."

Instead of a threat, Del Vecchio frames the shift as an opportunity to evolve the security workforce and deliver more tangible value. For him, the ultimate goal is to create a dynamic, defensive system that transforms security into a function capable of keeping pace with AI-enhanced threats. "A truly autonomous SOC allows you to quantify your ROI by measuring the effectiveness of your security capabilities," he concludes. "Today, having a SOC is a given, but few can answer a simple question: How effective actually is it?"
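The feedback loop Del Vecchio describes (scanner findings joined with automated validation results, the confirmed few routed to a process owner, and control effectiveness measured from the same data) can be sketched as an added example; this is illustrative code written for this article, not Del Vecchio's or any vendor's tooling, and the findings, validation outcomes, asset criticality scale and owner names are all constructed.

```python
from collections import defaultdict

# Constructed sample data (not from the article): raw scanner output and the
# outcome of an automated exploitation attempt against each finding.
SCANNER_FINDINGS = [
    {"id": "F-101", "asset": "web-01", "cvss": 9.8, "owner": "app-team"},
    {"id": "F-102", "asset": "web-01", "cvss": 7.5, "owner": "app-team"},
    {"id": "F-103", "asset": "hr-db", "cvss": 8.1, "owner": "data-team"},
    {"id": "F-104", "asset": "dev-vm", "cvss": 9.1, "owner": "platform"},
    {"id": "F-105", "asset": "hr-db", "cvss": 5.3, "owner": "data-team"},
]
# exploited = the automated test reached impact; blocked = an existing control
# stopped it; untested = no safe test was available for this finding.
VALIDATION = {"F-101": "exploited", "F-102": "blocked", "F-103": "exploited",
              "F-104": "exploited", "F-105": "untested"}
# Hypothetical business-criticality scale: 1 (low) to 3 (high).
ASSET_CRITICALITY = {"web-01": 3, "hr-db": 3, "dev-vm": 1}


def actionable(findings, validation, criticality, limit=5):
    """Keep only findings proven exploitable, highest business risk first."""
    confirmed = [f for f in findings if validation.get(f["id"]) == "exploited"]
    # Rank by severity weighted with how much the affected asset matters.
    confirmed.sort(key=lambda f: criticality.get(f["asset"], 1) * f["cvss"],
                   reverse=True)
    return confirmed[:limit]


def route_to_owners(confirmed):
    """Group confirmed findings into per-owner work items with a close-now mandate."""
    tickets = defaultdict(list)
    for f in confirmed:
        tickets[f["owner"]].append(
            {"finding": f["id"], "asset": f["asset"],
             "mandate": "Close this immediately"})
    return dict(tickets)


def control_effectiveness(validation):
    """Share of tested findings that existing controls actually blocked."""
    tested = [v for v in validation.values() if v in ("exploited", "blocked")]
    return sum(v == "blocked" for v in tested) / len(tested) if tested else None


if __name__ == "__main__":
    top = actionable(SCANNER_FINDINGS, VALIDATION, ASSET_CRITICALITY)
    print([f["id"] for f in top])
    print(route_to_owners(top))
    print(control_effectiveness(VALIDATION))
```

Each run of the automated test refreshes both the shortlist and the effectiveness ratio, which is the quantifiable measure of the SOC's controls that the closing quote asks for.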