RC RANDOM CHAOS

Your AI security tool blocks nothing

A red team operator's breakdown of why AI cybersecurity tools are sold as controls but function as telemetry with a verdict attached.


1. Opening Claim

The AI cybersecurity market is selling outcomes it cannot prove. Vendors are pricing tools as if detection is a solved problem. It is not. The control surface has not changed. The marketing has.

I run red team operations against environments protected by these tools. The gap between what is advertised and what blocks an operator on a Tuesday morning is wide. AI labels on a SIEM do not change the identity boundary. They do not change execution context. They do not change trust relationships between systems. They change the dashboard.

Most of what is being sold as AI-powered defence is statistical anomaly detection wrapped in new vocabulary. Some of it works. Most of it adds alerts. Almost none of it removes attacker capability. That is the position. The rest of this is the breakdown.

2. The Original Assumption

The assumption behind the current wave is that machine learning models can identify malicious behaviour faster and more accurately than rule-based detection, and that the gain compounds as data volume grows. The pitch positions AI as a multiplier on existing security operations. Same analysts. More coverage. Fewer misses. That is the contract being sold.

That assumption depends on three conditions. The model has access to telemetry that captures the actual attack path. The training data reflects current attacker behaviour. The output is actionable inside the response window. If any one of these conditions is missing, the system produces volume, not defence. None of the three is automatic. Each is an engineering problem that the vendor does not own.

The market behaved as if all three were given. Procurement cycles compressed. Tools were deployed across identity, endpoint, network, and cloud layers in parallel, often without a defined detection contract. The shared assumption was that the model would close the gap regardless of how it was wired in. That is a procurement posture, not a security posture. It is not supported by control engineering and it is not supported by red team outcomes.

3. What Changed

Attackers adopted the same toolset. Generative models lowered the cost of phishing content, payload variation, and reconnaissance at scale. Credential stuffing campaigns now produce per-target context. Voice cloning is operationally available. The defender does not get the AI advantage alone. The attacker gets it cheaper, because the attacker does not have a compliance team, a procurement cycle, or a change window.

The detection surface also moved. Identity-based attacks (token theft, OAuth consent abuse, session hijack, federated trust abuse) do not look like malware. They look like a valid user doing valid things from a valid endpoint. A model trained on behavioural baselines cannot reliably separate a compromised session from a legitimate one without explicit signals at the identity boundary. Many environments do not emit those signals. That is a logging architecture problem. A model cannot solve it.

What changed is the cost structure on both sides and the location of the failure. In most enterprise compromises I have observed, the failure is not at the perimeter and not at the endpoint. It is at identity, federation, and third-party trust. AI tooling marketed for endpoint and network detection does not address that surface. Buying more of it does not move the boundary. The exact dwell time, scope, and persistence of attacker activity inside these environments is not confirmed in any standardised industry dataset I would cite as fact. What is confirmed is the location of the gap, and the gap is not where the spend is going.

4. Mechanism of Failure or Drift

The mechanism is substitution. A model label is placed on top of an existing detection pipeline and the pipeline is treated as upgraded. The underlying telemetry, the integration points, the response workflow, the analyst capacity. None of these change. The control surface is identical to what existed before procurement. What changed is the confidence the buyer has in it. Confidence is not a control.

When the model produces an alert the team cannot triage inside the response window, the alert is noise. When the model produces a verdict the team cannot act on without manual investigation, the model has not reduced workload. It has redistributed it. In several engagements I have run, average alert dwell in the analyst queue exceeds the time required for an operator to complete privilege escalation and stage exfiltration. That measurement is not confirmed as a uniform industry metric. It is consistent in the environments I have tested. The detection exists. The response does not.

Model drift is the second failure mode. A behavioural baseline trained on a six-month window does not reflect the environment after a cloud migration, a workforce change, or an identity provider swap. The model continues to issue verdicts. The verdicts no longer map to current conditions. Unless the vendor and the customer have a defined retraining contract and a feedback loop, the model degrades. Silent degradation of a control is worse than no control. The buyer is still operating on the assumption that the control is enforced. The attacker is operating on the assumption that it is not. Only one of those assumptions is being tested in production.

5. Expansion into Parallel Pattern

The pattern is older than AI. The same substitution mechanism appeared with SIEM deployments in the previous decade. A platform was purchased, log sources were connected, dashboards were built, and the security posture was reported as improved. The detection content was not written. The response workflow was not defined. The alerts that fired were not triaged. The platform was present. The control was not. AI security tooling is being deployed on the same procurement reflex, against the same gap, using the same logic.

The mechanism is the introduction of a labelled artifact where a defined control is required. A control is a stated decision about what behaviour is permitted, what is blocked, who is notified, and who is accountable when it fails. A model verdict is none of these by default. It becomes a control only when it is wired into an enforcement point with a defined owner and a defined action. Most current deployments stop at the verdict. The enforcement point is left as an exercise for the customer. The accountability is left undefined. The verdict is treated as if it carries authority. It does not. It carries an opinion.

This pattern produces a specific failure shape. The audit trail shows extensive detection coverage. The incident timeline shows the activity was visible. The response gap remains because nothing in the chain forces action on the verdict. The post-incident review identifies the detection as having worked. The compromise still occurred. The buyer concludes the tool needs tuning. The actual issue is that detection was never connected to a decision boundary. More tuning does not fix the absence of a decision boundary. More models do not either. The pattern is structural, not technical.

6. Hard Closing Truth

AI does not change the security contract. Identity is still the boundary. Execution context still determines blast radius. Trust relationships still define lateral path. A model that does not change one of these is not a security control. It is telemetry with a verdict attached. Telemetry with a verdict attached has a place in a security program. That place is upstream of a decision, not in place of one.

What must now be true: every AI detection capability in the environment is mapped to a specific enforcement point, a specific owner, and a specific response action with a defined time window. If the verdict does not trigger an enforced outcome inside that window, the capability is logging, not defence. It can stay in the stack. It cannot be counted as a control. The distinction must be reflected in the risk register, in the control matrix, and in the way the program is reported to leadership. Calling logging a control is the mechanism that produced the original gap. Repeating it under a new label produces the same outcome at higher cost.
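The criterion above, together with the queue-dwell measurement from section 4, as an added Python example that is not from the article: it takes a constructed detection inventory and a constructed verdict/action timeline, and counts a detection as a control only when it has an enforcement point, an owner, an action and a window, and its measured verdict-to-action latency fits inside that window. The field names and sample values are assumptions for illustration, not any vendor's schema.

```python
from datetime import datetime
from statistics import median

# Constructed detection inventory (assumed field names, not a vendor schema).
# A None field means the mapping the article demands was never made.
INVENTORY = {
    "oauth-consent-anomaly": {"enforcement_point": "idp-conditional-access",
                              "owner": "iam-oncall", "action": "revoke-session",
                              "window_minutes": 15},
    "endpoint-ml-verdict": {"enforcement_point": None, "owner": "soc-tier1",
                            "action": None, "window_minutes": None},
    "lateral-movement-score": {"enforcement_point": "edr-isolate",
                               "owner": "soc-tier2", "action": "isolate-host",
                               "window_minutes": 30},
}

# Constructed timeline of (detection, event, ISO timestamp). "verdict" is the
# model firing; "action" is the enforcement point actually doing something.
EVENTS = [
    ("oauth-consent-anomaly", "verdict", "2024-05-14T09:02:00"),
    ("oauth-consent-anomaly", "action", "2024-05-14T09:10:00"),
    ("lateral-movement-score", "verdict", "2024-05-14T09:05:00"),
    ("lateral-movement-score", "action", "2024-05-14T10:40:00"),
    ("endpoint-ml-verdict", "verdict", "2024-05-14T09:06:00"),
]

REQUIRED = ("enforcement_point", "owner", "action", "window_minutes")

def is_control(entry):
    """A verdict is a control only when all four mappings are defined."""
    return all(entry.get(k) is not None for k in REQUIRED)

def verdict_to_action_minutes(events, name):
    """Median minutes from each verdict to the next action for one detection;
    None when a verdict was never followed by an enforced action."""
    latencies, pending = [], None
    for det, kind, ts in sorted(events, key=lambda e: e[2]):
        if det != name:
            continue
        t = datetime.fromisoformat(ts)
        if kind == "verdict" and pending is None:
            pending = t
        elif kind == "action" and pending is not None:
            latencies.append((t - pending).total_seconds() / 60)
            pending = None
    return median(latencies) if latencies else None

def classify(inventory, events):
    """Label each detection as a control, or as telemetry with the reason."""
    result = {}
    for name, entry in inventory.items():
        if not is_control(entry):
            result[name] = "telemetry: no enforcement mapping"
            continue
        latency = verdict_to_action_minutes(events, name)
        if latency is None:
            result[name] = "telemetry: verdict never actioned"
        elif latency > entry["window_minutes"]:
            result[name] = (f"telemetry: actioned in {latency:.0f} min, "
                            f"window {entry['window_minutes']}")
        else:
            result[name] = "control"
    return result
```

Run against a real inventory, the output is the list that belongs in the control matrix; anything labelled telemetry stays in the stack but is not reported as a control.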

The operator position is direct. Stop buying verdicts. Buy enforcement. Where enforcement is not available, buy visibility that a defined human or automated process will act on inside a stated window, with named accountability when the window is missed. Anything else is shelfware with a model attached. The attackers using the same tooling are not subject to procurement cycles, change windows, or compliance reviews. The defenders are. That asymmetry is the operating condition. It is not solved by purchasing more of what produced it. It is solved by treating identity, execution context, and trust as the only surfaces that matter, and refusing to count anything that does not move them.
