The microscope moment for cyber resilience
AI models are being placed inside controlled security harnesses
IN THE 1670s, Antonie van Leeuwenhoek peered through a homemade microscope and reported tiny life forms, what he called “animalcules” that made the heretofore invisible visible.
Those observations later seeded microbiology, better hygiene, and eventually, the germ theory of disease. People did not fall ill because such discoveries existed. They simply helped explain why.
Seeing hidden debt
A similar shift is now underway in cyber security. More capable artificial intelligence systems are helping defenders inspect software, configurations and access controls at a depth and speed not previously possible. More issues are surfacing in systems that once looked acceptable, and emergency patches outside normal release cycles are expected to rise.
Most weaknesses discovered by these advanced tools are not born on the day they are found. They are usually the residue of technical and security debt. These are the legacy code, rushed integrations, forgotten environments, excessive access rights and outdated controls.
A common direction is emerging among model providers and technology vendors, including Anthropic, OpenAI and Microsoft. AI models are being placed inside controlled security harnesses. These are structured environments of prompts, tools, sandboxes, checks and evidence that support discovery, validation, prioritisation and remediation.
Anthropic and Microsoft have disclosed critical and high-severity security issues across web browsers, operating system components, networking services, authentication functions and development platforms, with fixes or remediations made available.
Left unaddressed, such weaknesses can affect businesses and resilience.
For boards, what is uncomfortable is that the weaknesses were already there. AI only removed the excuse for not seeing them. A better lens does not change the underlying loss exposure. It changes what is known about it. Without understanding this exposure, oversight is effectively conducted in the dark.
The correct response is not panic, but disciplined treatment. Improved detection should translate into better software quality, stronger controls, faster remediation and more resilient infrastructure. The opportunity is to address issues before they become material events.
From model access to operating discipline
AI capabilities will continue to evolve. No organisation should anchor its resilience to any single model, or assume that today’s leading capability will remain the benchmark. The more useful question is how such AI systems can be used safely and consistently to strengthen the business.
A practical approach is to build controlled testing environments that allow teams to examine a system, surface weaknesses, test realistic scenarios and check whether the outcomes are safe and repeatable. The purpose is not to admire a finding, but to verify it, understand its impact and remediate what matters.
This matters because the defensive window is narrowing. Attackers will use AI to find and exploit weaknesses. We are now past the Mythos moment where Anthropic has shown that malignant AI actors can possibly discover and exploit critical software vulnerabilities at a scale and speed that outpaces most of our defensive capabilities. Organisations should in turn use AI to find, validate and fix those same weaknesses first, provided that use is governed, tested and directed towards reducing risk.
Boards should therefore focus less on which AI model found a particular issue, and more on whether findings are translated into actions that measurably reduce loss exposure.
Has each finding been validated? How likely is it to lead to a loss event? How large could the loss be? How much does fixing it reduce that loss? And has it been fixed and verified? These are governance questions, not technical details.
The board’s questions have not changed
More capable tools do not replace foundational controls. They reinforce them. Boards should press management on three imperatives.
First, see clearly. Management should know where the organisation’s critical services, sensitive data and important systems are, and where unnecessary exposure exists. Unused systems, dormant accounts and excessive privileges should not be left for an attacker to find.
Second, act quickly, but safely. When software updates are available, the organisation should reduce the time taken to test and deploy them. Staging, phased rollout and rollback plans remain important. The objective is to shorten exposure without creating avoidable disruption.
Third, govern proportionately. Users, devices or applications should not be trusted simply because they are inside the organisation. Access should be verified, limited and reviewed. Defence-in-depth means using layers of controls so that one failure does not become a material event. Together, these make attacks harder and reduce the impact when they occur.
Most importantly, cyber risk should be expressed in business terms. Boards should ask management to quantify probable loss exposure over a defined period and translate it into financial impact. This allows cyber risk to be compared with other enterprise risks, prioritised against scarce resources and treated within the organisation’s risk appetite.
Moving forward, boards must treat this as a resilience opportunity. The lesson from Leeuwenhoek is not that new instruments make the world more dangerous. On the contrary, they make ignorance harder to defend. Frontier AI should be treated in the same way. It is a chance to see more clearly, govern more deliberately and turn findings into action before weakness becomes a crisis.
The purpose of a better lens is not to alarm boards, but to hold them accountable for what is now known.
The writer is a member of the Finance Committee of the Singapore Institute of Directors.
Decoding Asia newsletter: your guide to navigating Asia in a new global order. Sign up here to get Decoding Asia newsletter. Delivered to your inbox. Free.
Share with us your feedback on BT's products and services
TRENDING NOW
With AI, it’s not about coding better; workers need to think better: Koh Boon Hwee
E-commerce job cuts signal S-E Asia’s shift from scaling to deeper user engagement
Early payout from Philippines’ Maharlika Investment Fund raises eyebrows over its true nature
The quest for global capital: Vietnam eyes MSCI upgrade as Indonesia fights downgrade risk