Over the past couple of years, my 14-year-old son has become a competitive Pokémon player.
How competitive? Let’s just say that if he were this good at basketball, we might already be in conversations with Nike.
Last month, for example, he competed in an event in Toronto in which he finished seventh in his division.
That’s a big deal. They take your photo. They give you exclusive “Top 8” swag. They send you home with hundreds of dollars’ worth of Pokémon cards and a pretty good size check.
If you’re not familiar with Pokémon, here’s how it works: First, a player… *[3 hours later]*… and that’s all there is to it. Don’t worry, I’m not going to explain everything.
Suffice to say that Pokémon is a complicated, strategy-based card game. New cards are “released” all the time, and players compete with a 60-card deck of their choosing (there are literally thousands of cards available).
A couple of weeks after the Toronto tournament, my son was scheduled to compete in the European International Championship (EUIC) in London. But we ran into a problem…
Just before the EUIC, we learned that a critical rule had changed: certain new cards — cards that everyone assumed would be available — were not shipped on time, making them illegal to use.
My son had been practicing for hundreds of hours leading up to the event, all with the assumption that the new cards would be in the mix. The 11th hour rule change required him to rethink his entire tournament strategy.*
(*I’m happy to say he did pretty well anyway. He is now ranked in the top 50 in North America in the 12-16-year-old division.)
AI’s Significant Cybersecurity Impact
As with Pokémon tournaments, what’s true today in cybersecurity may no longer be true tomorrow. The rules change quickly. And unlike a tournament, nobody sends out an announcement explaining what just happened.
AI is intensifying the problem. New tools, agents, and integrations are appearing inside organizations faster than most security programs were designed to handle.
As a result, several basic areas of cybersecurity — things you may already think you have under control — require a fresh look. Here are five areas worth paying attention to…
#1. Inventory — *what AI is running inside your organization?*
You’ve always kept track of the hardware, software, data, and applications used across your organization. Now you also need to track AI models, API keys, and agents.
For example, does your team tell you when they deploy an agent? Do you know which models it uses? Is it running in the cloud… on a virtual machine… on someone’s laptop?
These tools are easy to turn up and deploy, which makes them easy to lose track of. If you don’t know what’s running inside your organization, you’re exposing yourself to real risk.
#2. Identity — *who (or what) has access to your systems?*
AI agents are automated systems that can take actions on behalf of a business. But they are already creating serious security risks.
First, because many companies still control them with weak tools like static API keys or shared logins, which makes them easier to break into and harder to monitor.
Agents also tend to accumulate more permissions than they actually need. It often starts simply: an agent needs to perform a task, so someone gives it admin access. Then it needs another system, so it gets admin there too. Before long, the agent has more access than almost anyone in the organization.
In theory, companies should reduce those permissions once they know what the agent truly needs. In reality, that rarely happens. Teams worry that tightening access will break something or limit future use, so the permissions stay.
The solution is to treat every AI agent as you would an individual user, with strict oversight, limited access, and clear visibility into what it’s doing.
#3. Vendor Management — *what are your key vendors doing with your data?*
Are they training their AI tools on it, potentially giving access to your trade secrets, internal processes, and customer data to… gulp… *everyone*?!
This applies to every vendor that regularly touches your data, including your CRM, ERP, marketing platforms, analytics tools, and others. At some point, one of your employees may have clicked “agree” on updated terms that quietly granted those vendors broad rights.
Review your agreements! Understand whether your data is being retained or used for training, and whether you have the ability to limit or opt out of those uses. Make sure you are not giving away more access than you realize.
#4. Data Management — *what data is allowed to go into AI tools?*
I hope you are providing guidance to your team, because if you are not, they are probably (okay, definitely) doing things you do not want them to do.
Maybe a well-meaning employee pasted a list of customers into an AI tool and asked it to analyze business patterns and suggest marketing ideas. Maybe someone uploaded a draft contract and asked the AI to rewrite it in clear language.
You may already have policies about releasing data and controlling who has access to it. But AI tools and their ease of use complicate this. Data can easily be pasted into chatbots, fed into agents, or copied from one tool to another.
These kinds of things are helpful in the moment and absent clear policies, your employes are going to use them. The key consideration is how to balance the value to your organization against the risk of where the data may end up.
#5. Acceptable Use — *which AI tools are your employees allowed to use and for what use cases?*
You are explicit about prohibiting things like movie downloads or visiting gambling sites on company devices. You need to do the same kind of thing with AI use.
The difference with AI is that the environment changes all the time. Today it’s ChatGPT, but tomorrow you may want everyone using Claude, based on pricing changes, new client agreements, or something else. AI use is a moving target.
That’s why we recommend creating a separate policy for AI acceptable use, with the focus on AI-specific use cases.
The Changes Keep Coming
That’s five different parts of cybersecurity that have changed more or less overnight. But the truth is, we probably could pick *any* cybersecurity bucket and note the changes AI has brought.
So you need to stay on top of this. Where AI is involved — and these days, that pretty much means everywhere — the dust isn’t going to settle for a long time.
Gotta run. We are off to Houston this weekend for a Pokémon Regional tournament. I’ll let you know if Nike calls.
—
Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.
