As organizations race to adopt AI, many are treating AI itself as the security problem. But an argument can be made for the opposite. AI is not creating fundamentally new security vulnerabilities—it is simply exposing longstanding weaknesses that organizations have ignored for years. Rather than chasing the latest AI threats, he believes organizations should return to the fundamentals: eliminate implicit trust, strengthen identity verification, reduce attack surfaces, and build security into infrastructure from the start.
During a meetup with Tech-Channels at Infosec Europe, Albert Estevez Polo, Global Field CTO at Zero Networks, challenged conventional thinking around AI security, patch management, and application protection, advocating for a "secure-by-design" mindset that emphasizes containment over detection and prevention over reaction.
Q. Is AI introducing fundamentally new security risks?
A. There is a lot of hype with AI. Every time that there is a problem, we try to find a solution instead of spending time thinking what is the real problem. Now with AI agents, we think this is something new that is harder to protect."
Honestly, we have the same products that we had for the last 20 years. Our infrastructure, our networks are so open. There is a lot of implicit trust between everybody in the network. Agents are not creating new vectors of security. They are exposing faster the ones that you have, the ones that you were ignoring for many years.
Q. What should organizations focus on instead of chasing AI-specific threats?
A. The problems that we need to solve are those two—how we remove implicit trust and how we make username and password useless. If we solve these, it doesn't matter if we have agents running in our infrastructure. Instead of focusing on AI, you focus on cleaning your house first. Close the doors. Reduce the attack surface. Put something in place that makes AI irrelevant. Then you will not have to care about AI or agents or any new things that will pop up in the near future.
Q. Why are organizations suddenly feeling so much pressure around AI security?
A. Any technology that is faster than a human will expose that you are not secure. Are you less secure than yesterday? No. If you focus on how to protect AI but your house is still open, tomorrow something else will pop up. And you still have your house open.
But if you close the doors, shut the windows and ask for identity before you can do anything in your infrastructure, you will see how you reduce the risk in your infrastructure.
Q. How should organizations rethink cyber resilience?
A. Our mission is not to protect you from being infected. You will be infected at some point. We all know that. We help our customers to embrace the breach. Embrace it. Our mission is to be sure that the attack doesn't translate into a successful attack. Be sure that attack is automatically contained. They cannot move laterally. They cannot move to any other server, any other asset, or any other IoT device.
Q. Why are usernames and passwords no longer enough?
A. Username and password by themselves don’t mean anything. I need an MFA. I need your phone. I need your Face ID. Your fingerprint. Something that a regular hacker will not get from you. I can steal your username and password. Now I'm impersonating you. What happens if you ask me for my authenticator application? Those usernames and passwords are then irrelevant. They're not the keys to the castle anymore.
Q. How can organizations simplify security?
A. Today you need to open and expose your applications to everybody. Now you start thinking, how can I protect that application? I need a WAF. I need anti-DDoS. I need a firewall. I need DLP. How many layers of security do I need?
Why don't we just close the application? Now it's not exposed. Now I don't need all those layers of security. The exposure has been reduced.
Q: How can organizations build a stronger security culture?
A. Security is always a trade-off. Usually, you need to sacrifice a bit of usability. I think it pays off. Security is usually the last thing that you are worried about. Everybody wants connectivity first. Security, they say, they will figure that out.
But security should be the first thing to consider. Awareness is something that all the companies need to focus more. Users need to understand that the first thing that matters is security. Otherwise, you're exposing your company, your IP. And you could lose your job.
Q. How has the drive for speed increased cyber risk?
A. Top management focuses more on providing the solution. Everything moves at a really fast pace. Nobody wants to be falling behind. “If we do this this way,” they say, then “I can have this available tomorrow."
If I need security teams then maybe it will take a month. Let's release it tomorrow. We will figure that out securely later. That's a high risk. We're seeing it every day. Fast is better. Securing is slow.
Q. Why are software supply chains becoming more attractive targets?
A. What is easier—trying to steal credentials from a company or going to this Git repository?
You pull request, add some changes into the code and the next time applications retrieve new libraries. And I'm already in. I get access to all those companies from the inside. Who has the time to review the code of any of the libraries? It all happens fast, fast, fast.
Q. How is AI changing vulnerability management?
A. AI finding bugs is crazy. Every new patch, before it contained tens of bugs, now it will contain thousands. How many things can go wrong now? Companies will require even more time to validate. The exposure is going to increase. And who is going to check them? Who is going to validate them?
Q. What advice would you give organizations preparing for the AI era?
A. Lock down the port. Lock down applications and open only to your users. Prove their identity first. By doing that, you are removing all the noise from the rest of the world. You will not be attacked. You have the time. Take your time to validate. You know your application is vulnerable, but only your users can exploit it.
You need to shift the way you're thinking about security. Instead of trying to do catch up—mean time to detect (MTTD), mean time to respond (MTTR)—you need to contain first.
AI is not the root cause of today's security challenges—it is an accelerator that exposes weaknesses organizations have long accepted. Rather than responding to every new AI capability with another security product, enterprises should focus on eliminating implicit trust, strengthening identity verification, minimizing application exposure, and reducing opportunities for attackers to move laterally.
Estevez Polo reframes cybersecurity around fundamentals. By assuming breaches will occur, designing systems for containment, and making security an architectural principle rather than an afterthought, organizations can build resilience that extends beyond today's AI threats and prepares them for whatever may happen.
.png?width=1816&height=566&name=brandmark-design%20(83).png)