As AI continues to expand in the background of workflows, processes, and now critical infrastructure and systems, AI-driven compliance audits, security, and security testing have become the next natural vector of exploration. Though advancing at an unprecedented pace, the core pillars of auditing and cybersecurity remain true: human validation is a requirement to evaluate context, confirm findings, and support reliable outcomes, regardless of the wealth of knowledge the AI was given or the amount of prompt engineering that was done to eliminate false results.
We sat down with our CEO and Co-Founder Fabrice Mouret and CCO and Co-Founder Sammy Chowdhury to explore their take on the use and credibility of AI in these uncharted security and compliance waters. In this interview Fabrice and Sammy discuss AI, its detriments and opportunities, and where security and compliance auditing fit in – and how they now have the opportunity to thrive in a way they haven’t been able to before. Follow along as we explore security and compliance in a newly AI-driven world.
Fabrice Mouret: Humans are both the safeguard and the bottleneck. The goal is to keep human auditors for oversight and ethics, while minimizing manual toil and error.
Sammy Chowdhury: People for creativity and complex scenarios; AI for constant coverage, regression, and wide attack surface scanning.
Fabrice Mouret: Correct. We need human validation for proper exploitation. We also need human interaction to validate the method before any exploitation to avoid DNS and/or risk of client data exfiltration.
Sammy Chowdhury: AI can learn faster than a human but it also has the blind spots of not having full business logic context.
Sammy Chowdhury: AI cannot find zero-days easily. It expedites the pace of critical thinking but it cannot replace years of domain experience.
Fabrice Mouret: Similar to my earlier comment, zero-day vulnerabilities are hard to find and usually require that you create a mindset for a back door trojan. AI is not ready for this yet.
Fabrice Mouret: Yes, algorithms fight algorithms, but humans remain essential for strategy, governance, tuning, and responding to edge cases and failures.
Sammy Chowdhury: Humans also remain an important social element in governance, communication, rationalization, influence and prioritization.
Fabrice Mouret: Absolutely, just like we have seen on the audit side. Automation has unlocked security audits for smaller organizations at an affordable cost. We want to move to continuous testing, and for AI to solve for this. Quality will be impacted and we will have missed findings, but it's better than no findings at all.
Sammy Chowdhury: AI can help simulate some advanced techniques, giving smaller orgs broader testing coverage at a reduced cost.
Fabrice Mouret: This is why AI testing should never be in a production environment with client data. It’s too risky and there’s not enough control of the situation.
Sammy Chowdhury: We don't need a human for every fix, but we need a human to oversee the logic of the automation.
Fabrice Mouret: Low risk findings can be auto-fixed.
Sammy Chowdhury: Continuous AI plus a human audit can stop compliance programs from spiraling out of control.
Fabrice Mouret: Yes, that is exactly what is happening in the audit and compliance sphere and hence why we should see the same in pentesting and continuous monitoring.
Sammy Chowdhury: AI-enabled security will become table stakes. Not adopting it is a strategic disadvantage in resilience, recovery speed, and trust.
As organizations adopt AI at an ever-increasing rate, so do adversaries, who are actively integrating AI to enhance the speed, scale, and sophistication of cyberattacks, transitioning from theoretical risks to active, AI-orchestrated operations. As Fabrice and Sammy highlight above, not being prepared for these kinds of incidents is a dangerous strategy. AI-enabled attacks increase the need for faster detection, broader observability and more adaptive response workflows. The human element of compliance and security testing must also remain intact, for governance purposes and for critical context that only a human can have. Though the use of AI in compliance and penetration testing is still novel in concept, the rise of AI-orchestrated attacks supports a stronger case for AI-assisted security monitoring and testing as part of a broader security program.
AI-assisted security testing and compliance monitoring should be deployed with appropriate safeguards, including written authorization, defined scope, rules of engagement, data-handling controls, human oversight, and documented validation of material findings. AI can expand coverage and speed, but it should complement, not replace, expert judgment, formal audit procedures, or organization-specific risk decisions.