Velocity Risk Is The Threat Most Security Teams Have Not Designed For
Neil Watkins, Veteran CISO and Founder of MondayMove, on why responding to agentic AI calls for redesigning workflows and returning to fundamentals.

The security industry is spending enormous energy debating whether AI represents a new category of threat. It doesn't. Rather than inventing risks that defenders have never seen, AI is taking the attack patterns the industry has fought for three decades and running them faster, broader, and with more intelligence than human attackers ever could. The threat is real, but it's familiar, and the controls that stopped it before still stop it now. What has changed is velocity, and velocity is the thing most organizations are least prepared to defend against.
Neil Watkins is a veteran CISO and the Founder of MondayMove, a crowdsourced cybersecurity practitioner network. Watkins has nearly 30 years of leadership experience across security, risk, compliance, and privacy functions, having served as CISO, COO, and chief compliance officer across the payments, insurance, healthcare, technology, and legal industries. That breadth, spanning both the technical and business sides of security, shapes his view of the current transition period as a familiar operational landscape requiring disciplined resilience.
"The biggest misconception in cybersecurity right now is that AI changed something. It didn't. It just made the things we've always dealt with happen faster," he asserts. That reframing matters because it changes what the right response looks like. If AI is a fundamentally new threat, the logical reaction is panic-buying new tools to counter it. If AI is the same threat moving faster, the logical reaction is to get better and faster at the fundamentals the industry already knows, and to apply AI as a force multiplier on the defensive side. The first path leads to expensive tooling layered over weak design. The second leads to operational rigor that holds up regardless of how fast the threat accelerates.
AI created the market it now forces us to answer
The first thing Watkins wants security leaders to understand is that AI is generating its own threat marketplace by putting more capability into more hands. Tasks that were once too slow to be economically viable for attackers are now fast and cheap at scale, which changes the risk calculus on the offensive side. "The velocity of risk has exponentially changed. Things used to take a long time, thus making them economically not viable. Now at scale, we can do the simple things quickly and with a rigor we couldn't before. AI itself is the answer to the AI threat."
The irony, as he puts it, is that the defensive response is the same capability. As red teams get better with AI, blue teams have to match that capability with AI of their own. The driver is not efficiency, despite the industry chasing it for 20 years. It's velocity, and velocity demands a faster response than human-only operations can provide.
The patterns haven't changed, so the detection doesn't either
The comparison Watkins returns to is the advanced persistent threat. Fifteen years ago, human attackers would land in an environment, study the detection methodology, and move only when the metaphorical security camera panned away. AI agents do the same thing, just with more patience and more attempts. "A human could come in and say, I'm going to do these 10 things, and if it doesn't work, I'm going to bail out because I don't want to be detected. An AI agent could come and do the same thing and do 100 things with clarity."
Though the volume scales, the underlying behavior does not. Command-and-control mechanisms, callout patterns, and the design traps built to catch abnormal behavior all still apply. AI is the epitome of a polymorphic threat, capable of intelligent change on landing, but the defenses that catch polymorphic behavior (identity controls, segmentation, boundary enforcement, and behavioral anomaly detection) remain effective. "If you could catch the advanced persistent threat 15 years ago, you can catch the AI agent today. Design still wins. That's it," he says.
Velocity is the risk most teams haven't designed for
Watkins's sharpest analogy is about a fast car. "Its danger isn't just that it's fast. Its danger is that nobody around it knows how fast it really is, so they don't expect it to be where it is. But if everyone is moving at that same speed, it becomes normal again."
The defensive lesson is to build for velocity explicitly: to ask what happens if a known attack pattern executes far faster than the team is accustomed to, whether existing observation would catch it, and whether the environment has traps designed for speed. Once teams normalize the new pace, the velocity advantage erodes. The danger lives in the window before that normalization happens.
The economics require redesign, not just faster execution
Watkins offers a practical warning about the cost of doing AI wrong. He draws a direct line to the cloud migration era, when organizations lifted and shifted on-premises environments into the cloud and watched their bills explode because on-prem behavior was never designed for cloud economics. "Telling an AI agent to do the nine steps I used to do will chew up tokens and cost a lot of money," he explains. "But if you ask it how it could do it more efficiently, suddenly you can do it in two steps. Now we're leveraging it for its capability."
The organizations that simply point AI at their old workflows will get the AI equivalent of a runaway cloud bill. The ones that redesign processes around what AI does efficiently will capture the economic value. Until that redesign happens, the economics will not justify the investment, just as they didn't in the early cloud years.
Augmentation, fundamentals, and risk language
Watkins's conclusion is that AI will augment security teams rather than replace them, and that the organizations best positioned for the shift are the ones that already have the fundamentals in place. Even deepfakes, which alarm many executives, resolve back to validation discipline and risk-based decision-making. "Is anybody ever going to write a $50 million check based off a Zoom call? If so, then you have a bigger problem. It comes back to validating through another means."
The throughline is that AI exposes weak fundamentals rather than inventing new ones, and the defense is the same risk language the discipline has always used: likelihood, probability, velocity, and potential loss, translated into investment decisions a board can act on. "Who taught AI? We did. What did we teach it? All of our mistakes. If we just did the basics right 30 years ago, we'd be way ahead. Like a Super Bowl team, they still go back to blocking and tackling. The fundamental rigor still applies."







