More AI, more security? Why continuous validation alone is not enough



June 12, 2026



Cyber Security

The new US strategy focuses on AI-powered cyber defence – but technology cannot solve every security problem

The White House’s new Executive Order on promoting AI innovation and cybersecurity sends a clear signal: the United States intends not only to regulate artificial intelligence, but also to actively use it as a tool to strengthen cyber defence. Continuous vulnerability analyses, AI-powered defence systems and automated security validation are intended to help keep pace with the speed of modern threats.

From a cybersecurity perspective, this approach is understandable. Attacks today are automated, scalable and often occur in real time. Traditional security models involving periodic audits and annual penetration tests are increasingly reaching their limits. The call for continuous monitoring of critical systems is therefore fundamentally correct.

Nevertheless, the current discussion raises an important question: does this actually result in greater security – or, above all, more technology?

The illusion of permanent security

Synack argues that automated vulnerability detection, combined with human expertise, represents a decisive step forward compared to traditional security approaches. The company highlights its platform’s ability to analyse attack surfaces at machine speed and continuously validate vulnerabilities.

This argument is sound. Indeed, modern systems can test significantly more assets than human teams alone. Continuous monitoring is particularly useful in complex infrastructures with thousands of endpoints, cloud services and applications.

At the same time, however, there is a risk of a false sense of security. For the mere fact that systems are constantly being tested does not automatically mean that they are secure.

Security managers have been aware of this problem for years: the greatest challenge is often not finding vulnerabilities, but prioritising and addressing them. Many organisations already have long lists of known security vulnerabilities, the resolution of which fails due to a lack of resources, complex dependencies or organisational hurdles.

Continuous validation therefore only yields a security benefit if companies simultaneously invest in processes, personnel and governance.

More data does not automatically mean better decisions

Another aspect deserves special attention. The Executive Order relies heavily on AI-supported analytical methods. Systems are intended to detect threats, assess attack surfaces and provide recommendations for action.

Yet, particularly in the field of cybersecurity, it is repeatedly evident that additional information does not necessarily lead to better decisions.

Many Security Operations Centres are already struggling today with alert fatigue, information overload and a flood of alerts. If the number of detected risks is further increased without simultaneously improving the ability to assess and prioritise them, the opposite effect is likely: security teams will lose track of the big picture.

The crucial question is therefore not how many vulnerabilities AI finds, but which of them are actually relevant.

Human expertise remains the bottleneck

It is noteworthy that Synack itself emphasises the importance of human expertise. The statement “AI finds more. Humans determine what is important” ultimately describes the real challenge of modern cybersecurity.

Despite all the progress made in automation and artificial intelligence, risk assessment remains a human task. Security decisions require contextual knowledge, industry expertise and an understanding of operational contexts.

A vulnerability in a test system has a different relevance than the same vulnerability in a control centre, a hospital or an energy supply facility. No AI can reliably perform this assessment as yet.

This is precisely why the current debate seems, at times, too technology-centric. The real bottleneck in many security programmes is not the detection of vulnerabilities, but the shortage of qualified specialists.

Critical infrastructure needs more than just new tools

This is particularly evident in the field of critical infrastructure. The Executive Order identifies hospitals, banks and utility companies as priority target groups.

However, many of these organisations are not primarily struggling with a lack of security tools, but with outdated systems, budget constraints and staff shortages. An additional AI platform will not solve these structural problems.

Rather, there is a risk that policymakers will confuse technological innovation with actual resilience. Security does not arise solely from better detection technologies, but from an interplay of technology, organisation, processes and qualified personnel.

The real challenge is implementation

It is, however, correct to recognise that traditional security models are becoming increasingly ineffective in the face of automated attacks. The idea of continuous security validation therefore represents an important step forward.

It becomes problematic, however, when this gives rise to the expectation that technical platforms can solve security problems largely automatically.

The reality is different. Every vulnerability found must be assessed, prioritised and remedied. Every recommendation for action requires decision-makers who understand its implications. And every security strategy must be tailored to an organisation’s individual risks.

This is precisely where it is decided whether AI-supported security programmes are actually successful.

Conclusion

The White House’s new Executive Order addresses a real problem: cyber threats are evolving faster than many traditional security programmes. The call for continuous validation, AI-supported analysis and stronger protection of critical infrastructure is therefore fundamentally correct.

At the same time, the discussion must not be reduced to technology alone. More automation does not automatically mean greater security. Continuous vulnerability detection is no substitute for governance, risk management or human judgement.

The real challenge does not lie in finding more vulnerabilities. The challenge lies in drawing the right conclusions from the insights gained. As long as companies and public authorities underestimate this organisational dimension, the vision of a permanently secure infrastructure will remain an ambitious goal, even in the age of AI.

Bavaria: Herrmann on the current challenges facing civil protection and civil defence

Jun 12, 2026

Interior Minister Herrmann, Lieutenant General Bodemann, Vice-President of the County Council Dr Bär and the President of the State Office for Civil Protection Zacher on the current challenges facing civil protection and civil defence – clear guidelines and viable...

Germany establishes centre of excellence for AI security

Jun 9, 2026

New institute to assess risks of modern AI systems and help shape international standards The German government is stepping up its activities in the field of artificial intelligence and establishing a new body to assess the opportunities and risks of modern AI...

Commentary: When 40,000 households are left in the dark, there must be no room for a policy of providing information blindly

Jun 8, 2026

This is an incident of considerable significance: at 1.43 am on the night of 8 June 2026, several fires broke out at a substation in Reutlingen. The result is massive power cuts, which, according to the city, temporarily affect around 40,000 households and 7,600...