Simon Griffiths

Focusing on Data, Architecture and AI

Simon Griffiths architects data-first systems, and is sceptical about the rest.

Drawing on long experience across enterprise data, architecture, and AI, he prefers platforms designed for reality, not just the latest narrative.

AI Is About to Expose Your Security Posture — Not Improve It

There’s a growing narrative that AI can now scan codebases, find subtle bugs, and even uncover vulnerabilities that humans have missed for years.

You’ll see this framed as progress. Better tools. Safer software. “Many eyes,” but automated.

I’m not so sure.

What I think is actually happening is simpler, and less comfortable:

AI is turning latent security problems into active ones.

The comforting illusion we’ve been living with

For years, most systems have operated under a kind of quiet assumption:

  • Yes, there are vulnerabilities
  • Yes, patching is inconsistent
  • But discovery is hard, expensive, and relatively rare

So things “tick along”.

Particularly in the mid-tier:

  • Internal APIs exposed to the internet
  • Small custom apps running on cloud compute
  • Services built for a specific purpose and never really revisited

They work. They deliver value. And from a security perspective, they sit in a sort of tolerated grey zone.

Not secure. Not actively under attack either.

AI changes the economics completely

Tools emerging from companies like Anthropic are starting to show what happens when you apply large-scale reasoning to code.

This isn’t just better static analysis.

It’s the ability to:

  • Understand intent, not just syntax
  • Explore edge cases systematically
  • Traverse large dependency graphs
  • Identify chains of weaknesses across layers

The important shift isn’t technical—it’s economic:

Finding vulnerabilities is becoming cheap, fast, and scalable.

And that changes everything.

The real asymmetry

If AI made systems more secure by default, this would be a non-issue.

But it doesn’t.

It improves discovery, not response.

And most organisations are structurally weak on response:

  • They don’t have a complete inventory of what’s running
  • Dependencies are poorly tracked
  • Patch cycles are slow or reactive
  • Ownership of “non-core” services is unclear

So you end up with a widening gap:

  • Attackers can scan broadly and continuously
  • Defenders still operate in bursts, often manually

The attack surface is being industrialised. The defence model isn’t.

Where this bites hardest

It’s not the platforms you’d expect.

Hyperscalers will adapt. Core databases will adapt. Managed services will adapt.

The real exposure is in the long tail:

  • Custom-built services on AWS or similar
  • Admin endpoints that “no one really uses anymore”
  • Legacy microservices still reachable via old routes
  • Internal tools that quietly became internet-facing

These systems often:

  • Haven’t been reviewed in months or years
  • Depend on outdated libraries
  • Sit outside formal security processes

They were already vulnerable.

They were just hard to find.

From latent risk to active risk

This is the key shift.

Historically, a vulnerability might exist for years without being exploited because:

  • It required expertise to find
  • It wasn’t worth the effort

Now:

  • Discovery can be automated
  • Patterns can be reused
  • Exploits can be scaled

So the same vulnerability moves from:

“theoretical risk”

to:

“reliably exploitable condition”

without anything in your system actually changing.

This isn’t about open vs closed source

It’s tempting to reach for that conclusion.

It’s also wrong.

Closed code doesn’t fix this:

  • Internal systems have the same patching problems
  • AI can infer behaviour without source access
  • Most “closed” systems depend heavily on open components anyway

The real dividing line isn’t licensing.

It’s this:

Maintained systems vs unmaintained systems.

The uncomfortable conclusion

A lot of what’s currently running in production would not meet a modern security bar if it were assessed continuously.

It’s just never been assessed that way.

AI changes that.

Not by making systems worse—but by making their actual state visible, at scale.

What actually needs to change

This isn’t a tooling problem. It’s an operating model problem.

A few implications:

1. “Deploy and forget” is no longer viable
If it’s internet-facing, it needs continuous scrutiny. Otherwise it shouldn’t be exposed.

2. You need a real inventory
You can’t defend what you don’t know exists. Most organisations are weaker here than they think.

3. Time-to-patch becomes the only metric that matters
Not whether vulnerabilities exist—they always do—but how long they remain exploitable.

4. The long tail is your primary risk surface
Not your flagship systems. The things you built three years ago and stopped thinking about.

Final thought

There’s a tendency to see AI as something that will improve software quality and security.

It probably will—eventually.

In the short to medium term, it’s more likely to do something else:

It will reveal, very quickly and very clearly, how good your operational discipline really is.

And for many organisations, that’s going to be an uncomfortable moment.

Leave a comment

Navigation

About

Simon Griffiths architects data-first systems, sceptical about the rest. Drawing on long experience across enterprise data, architecture, and AI, he prefers platforms designed for reality, not just the latest narrative.