AI Has Made Offense a Commodity. Cyber Resilience Needs to Catch Up.
Governments just restricted access to frontier AI over cyber risk. Here is what the offense-defense asymmetry means for your security program.
.png)
June 17, 2026
.png)
The U.S. government just restricted access to Anthropic's Fable 5 and Mythos 5. A researcher bypassed its guardrails within 48 hours of launch. The government pulled it days later. Governments now treat frontier AI capability as a national security issue..
The concern has documented precedent.. In recent U.S. congressional testimony, Gambit's research was cited as evidence of how AI is already being used in active cyber operations: one operator, two AI platforms, nine government agencies breached in a single campaign. Not a nation-state. One person with off-the-shelf tools.
AI does not need to invent new attacks to change the game. It makes existing attacks cheaper, faster, and easier to execute.
Why don't attackers need expertise anymore?
AI has eliminated the expertise barrier for cyber offense. A single person can now do what once required a team: understand unfamiliar systems, generate scripts on demand, troubleshoot failures, and maintain operational momentum across multiple targets.
That shift happened because AI compressed the learning curve that once separated a capable attacker from an amateur. Tasks that previously demanded deep technical knowledge — interpreting scan results, adapting tools to a new environment, processing exfiltrated data — are now AI-assisted. Cyber capability is no longer scarce. It is a commodity.
Why does AI favor attackers over defenders?
Offensive AI just needs to be useful enough to find that one path that matters. It does not need to be precise, contextual, or explainable.
Defensive AI has to be precise, contextual, and reliable across thousands of assets, identities, cloud services, APIs, and workflows. That surface never stops growing. Attackers need one entry point that works.
AI is unlikely to help prevention tools with the same speed, efficiency, or margin for error it gives attackers. That gap does not close as defenders buy better tools. It is why prevention alone is no longer enough.
How does recovery speed become a competitive advantage?
Organizations that can restore critical business functions in hours rather than days after a breach hold a structural advantage over those that cannot. The question that separates them is specific: if your three most revenue-critical systems go down at 9am Monday, what is your actual recovery time, and when did you last test it?
Most organizations have an answer in theory. Fewer have tested it. And of those, most tested against an environment that no longer exists. Every deployment, configuration change, and new dependency since then is untested ground. Recovery readiness has a shelf life.
Good recovery testing is not a scheduled drill where the outcome is known. It is a realistic failure simulation: systems go down unannounced, teams recover against a clock, and the result either validates or resets your recovery time objective. Organizations that run this regularly know their actual recovery time. Most who have not are working from an estimate.
Disruption will come from ransomware, from AI-assisted intrusion, or from an internal AI malfunction that corrupts or deletes business-critical data. The organizations that absorb it fastest are not the ones with the most prevention layers. They are the ones that know which functions matter most, have reduced blast radius around them, and have practiced recovery before they needed it.
The real board question is not about attack surface or compliance posture. It is: if this system goes down, how fast does the business get revenue back?
Resilience is now the strategy
This Anthropic Fable/Mythos episode shows that governments are starting to treat AI cyber capability as a national security issue. The congressional testimony referencing Gambit's Mexico breach research shows why.
AI is making offense cheaper, faster, and more accessible. It can help defenders too, but not with the same margin for error. Prevention still matters. Resilience is what absorbs the breach prevention didn't stop..
The next generation of security programs will be judged not only by how many attacks they stop, but by how confidently the business continues operating when one gets through.
The question is whether the business can keep running when a breach gets through.
You ask? We answer
Cyber resilience is an organization's ability to anticipate, withstand, recover from, and adapt to adverse cyber events. That definition marks a shift from traditional security thinking. Classic cybersecurity focuses on keeping threats out. Cyber resilience accepts that some threats will get through. The goal becomes minimizing downtime and keeping critical business functions running through and after an incident. A resilient organization has mapped its critical functions, reduced blast radius around them, and has tested recovery before needing it.
Prevention is still necessary. The argument is that prevention alone is no longer sufficient. AI-powered attacks increase the volume and speed of attempts, raising the probability that one eventually succeeds. Resilience is the layer that absorbs the breach that prevention did not stop.
When a ransomware attack or AI-assisted intrusion hits two similar organizations, the one that restores critical business functions in hours rather than days keeps its customers, meets its obligations, and limits its financial exposure. That operational gap is measurable, and over time it determines which organizations retain trust in high-stakes sectors.
There is no universal threshold, but the right framing is business impact rather than technical metrics. The question is: how long can each critical function be unavailable before it affects revenue, customer trust, or regulatory standing? That answer should drive recovery time objectives, not the other way around. For most enterprises, critical systems need to be back within hours, not days. Recovery Time Objective (RTO) is how long a system can be down before causing unacceptable damage. Recovery Point Objective (RPO) is how much data loss is tolerable. Both should be set by business impact, not IT convention.
Gambit's researchers documented a single operator using two AI platforms to breach nine Mexican government agencies. The research showed how AI compressed the skill and time requirements for a sustained intrusion across multiple targets. It was subsequently cited in U.S. congressional testimony as evidence of AI's real-world role in cyber operations. The full technical report is on the Gambit blog.
Resilience, verified. In your inbox
The latest from Gambit: research, insights, and live sessions
