
Who decides when a cyber AI tool is safe to deploy?
OpenAI and Anthropic are publicly disagreeing about whether their new AI cyber tools should be shared with European regulators.
OpenAI has offered Brussels access to its model. Anthropic is holding back, with Commission talks described as being at a different stage. Both have framed their position as the responsible one, and both arguments have merit.
But whether openness or restriction is the right call is ultimately a policy question and one that will take time to resolve. For organizations managing cyber risk today, the more immediate question is whether the teams are equipped to handle what these tools can already do.
Commercial subject matter expert (CSME) for cybersecurity at Firebrand Training.
AI systems can now autonomously carry out multi-step cyberattack tasks in controlled environments. Anthropic's Mythos completed a 32-step simulated corporate attack in testing.
Before it existed, no AI had ever done that in this type of full-chain simulation. Regulatory access to that kind of model matters for policy development. But the organizations that will be on the receiving end of attacks it enables are not waiting for that process to conclude.
The question of who decides when a powerful cyber tool is safe to deploy is important. But responsible deployment cannot just mean responsible release. It also means ensuring the organizations expected to defend against these capabilities actually have the people and skills to do so.
Most organizations are underprepared
Recent UK survey data found that only 27% of UK organizations are fully prepared for AI-powered attacks. Seven in ten are operating with partial or no AI-specific readiness, even though the vast majority of senior leaders already recognize that AI is increasing their risk. The awareness is there. The preparation is not keeping pace with it.
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Part of the issue is that cyber security has long been treated as a technical problem with a technical solution. Buy the right tools, run the right software and you are covered. AI fundamentally changes that assumption.
When attack tools can learn, adapt and probe defenses continuously, finding weaknesses, failing and trying again without getting tired, the humans on the other side need to be able to keep up. That requires expertise, not just familiarity with a dashboard.
The skills gap is an operational risk
AI identifying a vulnerability is only the first part of the problem. Someone still needs to understand what they are looking at, assess how serious it is, prioritize it against everything else on their plate and act quickly. That judgement does not come from a tool.
It comes from trained, experienced people who have built that capability over time. This is especially important as AI-generated attacks become harder to distinguish from legitimate activity. Threat recognition at speed requires pattern-matching built through experience and training, not simply access to the right software.
The data supports this. Among organizations that have invested in ongoing certification training, 86% report a measurable reduction in cyber risk, with an average reduction of nearly 48%. Certified teams also recover faster when something goes wrong.
Nearly half of UK organizations surveyed experienced at least one attack in the past 12 months, with the financial cost most commonly landing between £100,000 and £199,999 once recovery, downtime, regulatory fines and reputational damage are factored in.
Regulation is moving, but slowly
This is also where the governance question gets more practical. Giving regulators access to frontier AI models is useful for understanding what they are dealing with. But that access is only meaningful if the organizations it is meant to protect have the capability to act on what those models can do. A policy framework built around tools most security teams are not yet equipped to respond to does not close the gap.
AI security standards are still being written. Most security teams have limited awareness of what frameworks even exist, let alone what is coming. The EU AI Act, NIS2 (Network and Information Security Directive 2) and emerging sector-specific guidance are all moving targets. Organizations that build continuous training into how they operate will be better placed to keep up as those requirements take shape.
The fix is known
For most organizations, the question of whether they have the skills in their people to respond when it matters is the gap between awareness of risk and readiness to manage it.
The investment in trained and certified security professionals has a measurable impact on an organization's ability to deal with attacks. It also builds the kind of internal capability that makes it easier to maintain regulatory compliance as requirements evolve. This isn’t a glamorous answer but the evidence for it is consistent.
Organizations that view training as a core part of managing cyber risk, rather than something to be revisited after a breach, are generally in a much better place. The tools and the threats will evolve all the time. It is the difference between resilience and vulnerability.
Connect securely online with the best VPN service.
This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit
View original source — TechRadar ↗
Related stories

I've been hunting for the best earbuds for travel — here are the 6 pairs our audio team recommends

AMD's Radeon GPUs may be the next victim of the RAM crisis

Pilot program to provide cheaper GLP-1 via Medicare stokes shortage fears
