As the capabilities of artificial intelligence (AI) develop, experts warn that South African companies cannot rely solely on regulatory norms; they must invest in continuous protection against cyberattacks.
AI Limitations Do Not Guarantee Security
Some business leaders may have felt relief following the temporary suspension of access to some of the world's most advanced AI models, but cybersecurity specialists emphasize that restricting access to powerful AI is not a substitute for strengthening defense systems.
Richard Ford, CTO of Integrity360, noted that South African organizations should focus less on the presence of advanced AI models and more on the capabilities they have already demonstrated.
Examples of AI Threats
These remarks came after the US government's decision in June to suspend global access to Anthropic's Fable 5 and Mythos 5 AI models due to national security concerns. Access to Fable 5 was restored on July 1st after export restrictions were lifted and new precautions were implemented.
Ford warned that the brief suspension should not create a false sense of security. He stated: 'The instinctive reaction is to view the ban as a deterrent, but this is an incorrect conclusion for business leaders.' He added that while a deployed model can be turned off, the demonstrated technological capability cannot be undone.
The warning followed the documentation by Anthropic's own 'red team' that the Mythos Preview model is capable of independently finding and exploiting previously unknown software vulnerabilities.
Lowering Barriers for Criminals
One of the most significant findings was the discovery of a 27-year-old vulnerability in OpenBSD, an operating system considered one of the most secure in the world. The AI model was able to identify this flaw and develop a working exploit without human intervention, other than the initial prompt.
A more alarming aspect was the cost. According to Integrity360, one vulnerability search run cost less than $50, and conducting 1000 automated scans of the codebase cost less than $20,000. Ford believes this significantly lowers the entry barrier for cybercriminals.
Patching Issues and Skills
For South African organizations, the main difficulty lies in the time required to remediate vulnerabilities after they are discovered. Globally, companies typically require 30 to 90 days to test and implement software patches. In South Africa, this period is often even longer due to a shortage of qualified cybersecurity personnel.
According to the World Economic Forum's 'Global Cybersecurity Outlook 2026,' 70% of CEOs in Sub-Saharan African countries reported that their organizations lacked the necessary cybersecurity skills to meet current security goals, representing the largest skills gap in any region.
Changing the Risk Landscape
Ford warned that attackers operating at machine speed are fundamentally changing the risk profile. He noted that ransomware operators, who have already disrupted state enterprises and financial institutions in South Africa, will not hesitate to use AI to automate the search for weaknesses across thousands of local networks simultaneously.
He added that artificial intelligence has effectively removed one of the biggest barriers that previously restricted cybercriminals. 'AI removes the technical resource barrier that once limited these groups, making the traditional vulnerability management model obsolete.'
The Need for Continuous Monitoring
Ford also pointed out that the threat extends beyond individual companies, as businesses increasingly rely on suppliers, municipalities, and government entities, which often have fewer cybersecurity resources and longer patching cycles.
He is convinced that organizations should abandon periodic security checks in favor of constant monitoring of their digital environments. Integrity360 recommends using Continuous Threat Exposure Management, which continuously assesses vulnerabilities and prioritizes the most critical risks, as well as Managed Detection and Response services and real-time threat intelligence.
Ford stated that cyber resilience should no longer be viewed solely as an IT responsibility. 'For South African executives, continuous exposure management is becoming a fiduciary duty at many levels.'
While regulation remains important, Ford cautioned that organizations cannot count on government intervention or restrictions on advanced AI to protect against increasingly sophisticated cyberattacks. Instead, businesses need to focus on reducing the time between vulnerability detection and threat response. He concluded: 'Machine-speed exploitation is already happening in real-world scenarios, and the long-term solution is to build detection and response commensurate with the adversary's pace, and then work to reduce the window of exposure before a breach occurs.'