Something shifted in the threat landscape this spring — not gradually, but with the blunt-force clarity of a step change. The intelligence is converging from multiple directions at once: enterprise security vendors, academic institutions, ratings agencies, and government-adjacent researchers are all arriving at the same uncomfortable conclusion. The attacker and the defender now share the same weapon. That weapon is agentic AI, and neither side has figured out the rules of engagement.

This is not a prediction. It’s a condition report.

The Offensive Pivot Is Already Complete

IBM’s April 15 announcement of its new Autonomous Security service isn’t just a product launch — it’s an admission of what the threat environment has already become. The company’s advisory reads like a field report from a front that’s already been overrun: “Attackers are already using frontier AI models to accelerate every phase of the attack lifecycle. These models represent a step change in offensive capability, which can dramatically lower the time, cost, and expertise required to carry out sophisticated attacks.”

The key phrase there is “every phase.” This isn’t AI-assisted phishing or AI-enhanced malware — though both are now table stakes. This is autonomous threat actors running the full kill chain: reconnaissance, vulnerability identification, exploit development, lateral movement, and exfiltration — at machine speed, without human hands on the wheel at each stage. IBM’s new assessment service was built precisely because enterprises “operate sprawling, complex IT estates that are hard to codify, creating ideal conditions for frontier models to identify weaknesses and rapidly turn them into attack paths.”

When a vendor of IBM’s stature frames its product launch around the phrase “continuous business disruption,” that’s not marketing language. That’s triage.

The Identity Problem Nobody Was Ready For

Layered on top of the offensive AI acceleration is a structural vulnerability that emerged as a byproduct of AI adoption itself. According to data published by the SANS Institute this month, AI agents are driving a 76% surge in non-human identities across enterprise environments. These are service accounts, API tokens, agent credentials, and automated pipeline identities that exist to let AI systems operate across infrastructure — and they’re being provisioned faster than security teams can track, govern, or revoke them.

Non-human identities now represent the fastest-growing and least-governed attack surface in the enterprise. Traditional IAM frameworks were built around human users and service accounts that changed on quarterly cycles. Agentic AI systems can spin up hundreds of credential-bearing identities in the time it takes a security team to get a ticket reviewed. The attack surface isn’t just expanding — it’s becoming structurally illegible to the tools designed to defend it.

This is the combinatorial problem that keeps threat modelers up at night: if a frontier model can autonomously probe for weaknesses, and those weaknesses increasingly live in a sprawl of ungoverned non-human identities, then the old perimeter model isn’t just outdated — it’s actively misleading. Organizations that believe their identity posture is under control may be operating on a threat model built for a different era.

Harvard Draws the Governance Line

The academic establishment, characteristically slower to sound alarms than the vendor community, is now sounding them. A Berkman Klein Center discussion at Harvard brought together cybersecurity experts who reached consensus on a point that cuts across the usual tech-policy divide: regulation needs to catch up before the asymmetry becomes irreversible.

James Mickens, Gordon McKay Professor of Computer Science at Harvard, framed the core problem with precision: “The unfortunate thing is that the bad people only have to win once in some sense, whereas the defenders have to win all the time. To me, at least, that’s a concerning aspect of what it means to think about agentic cybersecurity, attacks and defenses.”

That asymmetry is not new — it’s been the defining challenge of cybersecurity for decades. What is new is the scale at which agentic AI tilts it. Robert Knake, a senior fellow at the Council on Foreign Relations and former NSC cybersecurity director, added the human dimension: “A year ago, we still had email messages in our inbox that had misspellings that were not colloquial English, that were easy to identify if you were vigilant. Now, all those signals are gone.”

The behavioral tells that trained humans to recognize social engineering — the awkward phrasing, the suspicious urgency, the off-brand formatting — have been systematically erased by large language models tuned for persuasion. The last human-scale filter in the kill chain is disappearing.

IBM’s own threat intelligence data, cited in the Harvard discussion, quantifies the acceleration: cyberattacks targeting public-facing applications surged 44% year-over-year in 2026, with AI-enabled attacks driving a significant portion of that growth.

The Insurance Signal

When Fitch Ratings drops a report flagging near-term “holes” in AI-enabled cybersecurity deployments, that’s the capital markets version of a warning shot. Fitch’s note, published this morning, comes on the heels of U.S. cyber insurers posting 11% premium growth in 2025 — a reversal of years of declining rates. The market is pricing in risk it can’t yet fully model.

Cyber insurance is, in essence, a bet on defenders’ ability to contain losses. When that market tightens and premiums rise, it reflects underwriters’ honest assessment that the loss function is changing. Agentic attack capability is, in actuarial terms, a tail-risk expander — it raises the ceiling on worst-case scenarios in ways that historical loss data cannot capture.

This is worth watching. Cyber insurance premium trajectories have historically been a leading indicator of where enterprise security investment flows next.

The Defender’s Calculus

IBM’s answer — autonomous security at machine speed — is the logical response to an autonomous threat. You cannot defend with human-paced processes against attacks that unfold in milliseconds. The question is whether the tools being built to meet agentic threats can be deployed at the speed and scale the threat demands, without introducing their own vulnerabilities in the process.

This is not a solved problem. Autonomous remediation agents require elevated privileges. Elevated privileges in ungoverned identity environments are exactly what attackers are hunting. The cure contains the pathogen.

What this moment calls for is not panic, but a clear-eyed reset of security architecture assumptions. The organizations that will navigate this transition successfully are those that treat agentic AI as a first-class threat vector and a first-class defensive asset simultaneously — with governance frameworks that evolve at the pace of deployment, not the pace of procurement cycles.

The Berkman Klein researchers have it right: the window for getting governance right is narrowing. The offense has its playbook. The defense is still writing its own.




Sources:

  • IBM Newsroom, “IBM Announces New Cybersecurity Measures to Help Enterprises Confront Agentic Attacks,” April 15, 2026. newsroom.ibm.com
  • Harvard Gazette, “Time for government, business leaders to figure out AI cybersecurity regulation,” April 18, 2026. news.harvard.edu
  • Infosecurity Magazine / SANS Institute, “AI agents are behind a 76% surge in non-human identities,” April 9, 2026. infosecurity-magazine.com
  • Fitch Ratings / Claims Journal, “AI Use in Cybersecurity Could Show Holes in Short Term,” April 20, 2026. claimsjournal.com