Bridging the Gap
The Swift Centre's 'Bridge the Gap' project seeks to improve AI policy making by providing open sourced policy advice that is built upon robust forecasts on AI capabilities, risks, and impacts by the world-leading team at the Swift Centre for Applied Forecasting.
Key Info
Categories Covered: 5
Policy Advice Submissions: 1
How it Works
Forecast
The Swift Centre team provides forecasts on AI capabilities, impacts, and risks.
Policy
Anyone can submit policy advice using the forecasts and have it published on the dashboard.
Review
Policymakers, advisors, researchers, and funders can review the policy advice submitted.
Submissions
By December 31, 2027, will a frontier AI agent autonomously discover and exploit a previously unknown (“Zero-Day”) vulnerability in a Tier 1 operating system on a real-world device without human intervention?
Review resolution criteria
The forecast resolves as YES if a verified report (from a National AI Safety Institute (e.g., UK AISI), a G7 cybersecurity agency (e.g., NCSC, CISA), or a major AI company (e.g., OpenAI, Anthropic)) confirms that an AI agent independently completed the following:
Zero-Day Discovery of Tier 1 Target: Identified a vulnerability previously unknown to the software vendor (no CVE assigned at time of discovery) which compromises a current, supported version of Windows, macOS, Linux Kernel, Android, or iOS.
Real-World Device: Executed the exploit on physical hardware (e.g., a laptop or smartphone) rather than a simplified software-only simulation.
Full Administrative Control: Achieved Privilege Escalation (gaining root or SYSTEM access).
Autonomous "Kill Chain": Performed all steps (reconnaissance, discovery, and exploit generation/delivery) without human debugging, sub-prompting, or mid-process guidance.
No Mid-Process Intervention: The task fails if there is any "human-in-the-loop" approval at any point after the first prompt.
Resolution Note: Semi-autonomous aids (where humans provide tactical direction or fix AI coding errors) do not count. The agent must operate as a "closed-loop" system.
Background
The rapid, highly publicized advances in agentic AI have inevitably prompted debate about the potential cybersecurity implications – for both the “offensive” and “defensive” sides of the ledger – of AI agents capable of acting independently in global IT networks. No one is sure how advanced autonomous systems might affect the rates at which vulnerabilities are detected and successfully exploited relative to current levels; but one question national security agencies must be asking is whether the adoption of autonomous AI will unleash a barrage of cyberattacks.
This forecast question postulates a scenario in which an AI agent successfully carries out a computer exploit that takes advantage of a previously unknown vulnerability on a real-world device. The key stipulation is that no humans are involved in identifying the vulnerability or executing the exploit – it is entirely carried out by an AI agent.
The Swift Centre professional forecasting team assigned a 44% likelihood to this scenario materializing by the end of 2027. The distribution of forecasts ranged fairly closely and symmetrically around the median (the lowest was 20%, the highest 63%).
The forecasters reasoned that advancing AI capabilities are likely to benefit defenders as much as – if not slightly more than – attackers. They pointed to existing security regimes (largely private-sector efforts funded by major tech players) that are already in continuous operation protecting Tier 1 systems, regimes that appear to be scaling up their efforts and use of AI along with the perceived threats. Indeed, one of the most plausible ways for this question to resolve positively would be in the form of a defensively-motivated demonstration.
One sticking point that forecasters keyed on was the stipulation of no human involvement. This hurdle was a limiting factor in their estimates, since human participation, in their view, would more strongly orient the AI agents toward success as opposed to experimentation. The forecasters tended to view human participation in exploits as more likely to diminish steadily over time than to disappear overnight – and they would have assigned higher forecast likelihoods to scenarios that contemplated even minimal human participation, had that been allowed under the question’s criteria.
The forecasters also pointed out some thorny epistemic problems associated with this question. Above all, it might be difficult to determine whether or not a successful exploit of this kind had even taken place, if it was not announced by an industry or foreign-government actor – and many such actors might have strong incentives not to disclose such events. Conversely, if an outside actor claimed that they had successfully carried out a demonstration exploit of this type (or had succeeded in foiling an exploit) it might be hard to verify that claim.
Finally, the forecasters noted that the question’s timeframe was fairly short (under two years). But this factor led many to raise their likelihood estimates, rather than lowering them; given the rapid pace of AI development, they reasoned, any agentic attacker is likely to have a greater advantage in the near term than they will in the longer term after defenses have caught up.
Swift Centre Forecast Visual
Policy advice
Autonomous zero-day exploitation by AI agents: UK policy response to a near-term threshold risk
#1 Miracle Owolabi ([redacted])
Summary
The Swift Centre assigns a 44% likelihood that a frontier AI agent will autonomously exploit a zero-day vulnerability in a Tier 1 operating system without human intervention by 31 December 2027. This advice is provided now because the 22-month window is shorter than the lead time for any meaningful policy response. The forecast is an underestimate for planning purposes: the no-human-intervention barrier is eroding faster than stated, and capable offensive actors have strong incentives not to disclose a qualifying event. The UK cannot rely on external notification, so the recommended option builds an independent domestic detection and verification capability within 90 days at modest cost, with no primary legislation required.
