Post by Pablo Rice

I rarely offer hot takes on recent developments unfolding at the intersection of AI and cybersecurity, a topic I have spent most of my time on since 2024. This kind of post tends to age badly, and fast. But the timing this time was hard to ignore. A few hours before last Friday's US government directive suspending foreign access to Anthropic's Fable 5 and Mythos 5, its most cyber-capable models, I was invited at Sciences Po to speak precisely about... cyber & AI. Some of what I said there should certainly be adjusted in light of this latest psychodrama. But the core arguments I shared come out, if anything, stronger. The governance challenge at the AI-Cyber nexus remains, above all, one of noise. And it shows up at two levels: 1️⃣ 𝗡𝗼𝗶𝘀𝗲 𝗶𝗻 𝘁𝗵𝗲 𝗽𝘂𝗯𝗹𝗶𝗰 𝗱𝗲𝗯𝗮𝘁𝗲. We are somewhat caught between a narrative-driven economy that seems to chase its own tail, and unilateral, volatile government decisions that will likely be revised one way or the other. Either way, the world watches with little real grip on what happens next. Both come back to the same root: a persistent and massive evidence gap on AI misuse risks in cyberspace, on which informed and defensible decisions could be based. We naturally need better evaluations of AI's cyber capabilities, tested in conditions closer to the real world. But we also need to stop neglecting the part that too often remains a blind spot: post-deployment monitoring and incident reporting. The point is to identify not just what AI "could" do in theory, but how it is already being used in the wild, and with what impact. 2️⃣ 𝗡𝗼𝗶𝘀𝗲 𝗮𝘁 𝗮 𝗾𝘂𝗶𝗲𝘁𝗲𝗿, 𝗺𝗼𝗿𝗲 𝘁𝗲𝗰𝗵𝗻𝗶𝗰𝗮𝗹 𝗹𝗲𝘃𝗲𝗹: 𝘁𝗵𝗲 𝗲𝘃𝗲𝗿𝘆𝗱𝗮𝘆 𝗰𝘆𝗰𝗹𝗲 𝗼𝗳 𝗳𝗶𝗻𝗱𝗶𝗻𝗴, 𝗿𝗲𝗽𝗼𝗿𝘁𝗶𝗻𝗴 𝗮𝗻𝗱 𝗳𝗶𝘅𝗶𝗻𝗴 𝘀𝗼𝗳𝘁𝘄𝗮𝗿𝗲 𝘃𝘂𝗹𝗻𝗲𝗿𝗮𝗯𝗶𝗹𝗶𝘁𝗶𝗲𝘀. Much of the software our economies run on is kept secure by this cycle, and AI is now flooding it from both sides. It lets anyone generate plausible-looking flaw reports faster than defenders can triage them, while helping attackers turn published fixes into working exploits before everyone has patched. A telling sign: a few weeks ago, Linus Torvalds, the creator of Linux, described his project's security inbox as almost unmanageable under the volume of AI-generated reports, many of them polished enough to deserve serious review. This second layer is far less visible than the headlines. It probably deserves more of our attention than it gets. Thanks to the Technology and Global Affairs Innovation Hub at Sciences Po for the invitation Pierre NORO Constance de Leusse and to my co-panelists for this stimulating discussion Hector de Rivoire Armand Lacombe Nicolas Miailhe Meni Anastasiadou.