Cybersecurity Will Swallow Digital Policy in the AI Age

The history of the Internet is also a history of insecurity. For decades, cybersecurity evolved through a constant race between those building digital systems and those probing them for weaknesses. Yet even the most sophisticated cyberattacks were constrained by one critical factor: human capability. Expertise was scarce, exploits took time to develop, and offensive operations required coordination, resources, and skill. Artificial intelligence is rapidly removing those constraints.

This matters not only for cybersecurity, but for digital governance itself. As AI accelerates the sophistication and reach of malicious cyber activity, governments increasingly view digital infrastructure, data flows, platforms, and AI systems primarily through the lens of national security. For years, security concerns were frequently invoked to justify greater state control over the digital environment. Now, for the first time in a long time, governments may genuinely have something to fear.

AI is changing the security equation

AI is already reshaping cyber operations. Advanced systems can analyze vast codebases, identify vulnerabilities, generate exploit strategies, and automate attacks in ways that dramatically reduce the expertise, coordination, and resources once required to conduct sophisticated cyber operations. Google recently disclosed what appears to be one of the first documented cases of hackers using AI to discover and weaponize a previously unknown software vulnerability, including an attempt to bypass two-factor authentication through a zero-day exploit. The significance of the incident was not merely the attack itself, but what it represented: AI crossing from a supporting cyber tool into an active operational actor.

This changes the tempo of cybersecurity entirely. Tasks that once demanded significant time and specialized expertise, from vulnerability discovery to exploit development, can now be increasingly automated, while malware adapts dynamically during deployment and phishing campaigns become more convincing, targeted, and difficult to detect. The fragile buffer between “a flaw exists” and “a system is compromised” is beginning to disappear.

Modern digital infrastructure was never designed for this environment. Much of the Internet still rests on assumptions inherited from an earlier era, specifically that attackers are constrained by expertise, that exploitation is relatively costly, and that humans remain inside operational decision-making loops. AI erodes all three assumptions simultaneously.

This is what makes the current moment so consequential for digital governance. For years, governments used cybersecurity and resilience as justification for more top-down approaches to governing the digital environment, from data localization and platform regulation to restrictions on cross-border data flows and tighter oversight of networks and infrastructure. Often, those arguments overstated the actual security risks. In many cases, “security” became a convenient rationale for expanding state authority, fragmenting the Internet, and centralizing governance in the name of protection.

But acknowledging that security risks are real should not automatically validate the argument that centralized state control is the answer. If anything, AI exposes the limits of purely national approaches to digital governance. Cyber threats do not respect borders, vulnerabilities propagate across interconnected systems, and no government, regardless of power or capability, can secure the ecosystem alone.

That is the central tension now emerging in digital governance. Governments are likely to interpret genuine AI security risks as justification for even greater control over digital infrastructure, data, and technological ecosystems. Yet fragmentation and isolation may ultimately weaken security rather than strengthen it. The history of cybersecurity has repeatedly shown that resilience depends less on unilateral control than on collaboration: shared standards, coordinated defenses, information sharing, open research communities, and cooperation across governments, companies, technical experts, and civil society.

What emerges, therefore, is a dual strategic challenge. The security concerns are finally becoming real, but no single actor, including governments themselves, is capable of solving them alone.

This challenge is becoming more urgent as frontier AI systems are integrated into financial networks, healthcare systems, energy grids, public administration, software development, and military planning faster than governance and security frameworks can mature around them. Like the early Internet, the dominant incentive remains deployment first, resilience later. But unlike the early Internet, these systems are adaptive, increasingly autonomous, and capable of reasoning through complex tasks.

What makes this shift particularly significant is that AI systems are beginning to blur the distinction between tool and operator. Reporting around systems such as Mythos suggests that frontier models are evolving beyond narrow automation into more generalized strategic systems capable of reasoning across domains, executing complex workflows, and interacting with critical infrastructure in increasingly autonomous ways. The concern is no longer limited to the acceleration of cyberattacks, but the emergence of systems capable of independently adjusting tactics, selecting targets, and executing operations with minimal human oversight.

At the same time, initiatives such as Project Glasswing demonstrate the defensive potential of these same technologies. Advanced AI systems are already being used to analyze enormous codebases, identify hidden vulnerabilities, and propose remediation strategies faster than elite human security researchers. Some vulnerabilities uncovered by these systems had reportedly remained buried in critical infrastructure for decades. The problem is that the same capabilities that allow defenders to secure systems at unprecedented scale can also allow attackers to industrialize exploitation.

Together, Mythos and Project Glasswing illustrate the core governance dilemma of the AI era: the technologies most capable of strengthening cybersecurity are also those most capable of destabilizing it. That tension cannot be resolved through state control alone. It requires cooperation across governments, industry, researchers, and international institutions because the underlying infrastructure, and the risks attached to it, is fundamentally interconnected.

The convergence between cybersecurity and state power is therefore accelerating. Digital governance has always been, fundamentally, about infrastructure: control over networks, data, computing capacity, and the technical systems underpinning economic and political power. AI is intensifying all this by making computational capability itself a strategic security asset. Today, a small number of companies and governments control the most advanced models, the largest datasets, and the computing infrastructure necessary to train and deploy frontier systems. Control over AI increasingly resembles control over energy networks, financial rails, or satellite infrastructure. Access to advanced AI capabilities may soon determine which countries can effectively defend their critical infrastructure and which cannot.

The risk of security-driven fragmentation

The geopolitical consequences are already hard to ignore. Governments increasingly treat AI models, semiconductor supply chains, cloud infrastructure, and data ecosystems as strategic assets tied directly to national resilience. The logic behind digital sovereignty is therefore evolving from economic protectionism into security doctrine.

But there is also a danger in this shift considering that security-driven governance can easily become self-reinforcing. The more governments perceive AI and digital infrastructure as strategic vulnerabilities, the greater the temptation to centralize control, restrict access, localize infrastructure, and fragment the global digital environment into competing technological blocs.

History suggests that this instinct may ultimately undermine security rather than strengthen it.

The Internet taught governments a painful lesson: insecurity in one part of the network eventually becomes insecurity for everyone. Botnets assembled from poorly secured devices in one jurisdiction disrupted hospitals, pipelines, and financial systems in others. Cybersecurity became collective not necessarily because states preferred cooperation, but because interdependence made isolation impossible.

AI magnifies this logic dramatically. Vulnerable open-source models, compromised training pipelines, autonomous AI agents, or AI-enabled offensive tools will not remain contained within national borders. In an interconnected ecosystem, the weakest node can become the launch point for systemic disruption.

This is where the digital governance debate becomes most consequential. If security concerns drive countries toward technological isolation, fragmented standards, and restricted access to defensive AI capabilities, the result may be a less stable global digital environment. Countries excluded from advanced defensive systems will become easier targets, creating vulnerabilities that propagate outward through interconnected networks. Fragmentation may satisfy geopolitical instincts while simultaneously weakening collective resilience.

The challenge, therefore, is not whether security should shape digital governance. It already does. The real question is whether governance frameworks can balance legitimate security concerns with the need for openness, interoperability, and collective resilience.

That balance is becoming harder to maintain because AI also changes deterrence itself. Attribution becomes more difficult when attacks are automated, decision-making is increasingly delegated to autonomous systems, and offensive capabilities become broadly accessible through widely available models rather than confined to elite state actors. Advanced AI systems increasingly blur the distinction between tool and operator: prioritizing targets, adapting tactics, refining exploits, and interacting with environments in semi-autonomous ways. Digital governance frameworks built for platforms and data flows are ill-equipped to address these emerging security dynamics.

At the same time, international cooperation on AI governance remains fragmented and weak. This stalling is perfectly illustrated by the UN's Open-Ended Working Group (OEWG) on ICT security, which repeatedly failed to reach a consensus on substantive final reports. Deep geopolitical divisions, largely centered on how international law applies to cyberspace and mutual accusations of state-sponsored cyber warfare, have effectively blocked the creation of enforceable global norms for emerging digital technologies. States are racing to secure strategic advantage while global norms lag behind technological capability. Yet unilateral approaches are unlikely to succeed because AI-driven cyber risks are transnational by design.

The instinct to control AI capabilities is understandable but isolation is not a durable governance strategy. The trajectory of AI is diffusion. What is cutting-edge today will become widely accessible tomorrow. The question is whether that diffusion occurs within shared frameworks of accountability, transparency, and collective security, or within a fragmented environment defined by mistrust and competitive escalation.

The Internet era taught us that connectivity without security creates chronic vulnerability. The AI era may teach something even more destabilizing: security without cooperation creates chronic instability. The central challenge of digital governance is no longer simply regulating technology. It is preserving political, economic, and institutional stability in an environment where the capacity to discover, exploit, manipulate, and disrupt is becoming increasingly accessible, automated and difficult to contain. For the first time since the birth of the Internet, the world is confronting not merely a new technology, but a new operational status quo. The question is whether governance can evolve before security fears harden into permanent fragmentation.