Post cover image

June 5, 2026

The AI Security Test We Should All Be Paying Attention To

When an AI system can find a vulnerability, but hesitates to touch it, what exactly are we measuring?

Pawan Jaiswal

6 min read

A strange thing happens when artificial intelligence gets close to real work.

The question stops being, "Can it do the task?"

It becomes, "Should it be allowed to?"

That shift sounds subtle, but it changes almost everything. Especially in cybersecurity, where the same action can look either responsible or dangerous depending on who is doing it, why they are doing it, and what system they are pointing at.

Imagine building a deliberately vulnerable app. Not a real victim. Not a production service. A controlled test environment. The kind of thing security researchers use all the time to measure tools, train teams, and understand failure modes.

Now imagine handing that app to a set of modern AI models and asking them to find the hidden issue.

Some of them try. Some wander in circles. Some get surprisingly close. Some refuse. Some burn through huge amounts of time, tokens, and money without proving anything useful.

At first glance, that sounds like a benchmark story. A leaderboard. A neat little race between models.

But the more interesting story is not which model scored highest.

The real story is what the experiment reveals about the awkward future of AI-assisted security work.

None

Security is the worst possible place for simple answers

Cybersecurity has always lived in a gray zone.

A penetration tester and an attacker may run the same command. A malware analyst and a malware author may read the same code. A defender trying to understand a vulnerable system may need to think like someone trying to break it.

Intent matters. Authorization matters. Context matters.

Unfortunately, AI systems are not great at context in the way humans mean it. They can process instructions, infer goals, and follow patterns, but they do not truly understand institutional trust, professional responsibility, or the legal boundaries around a particular engagement.

That creates a messy problem.

If an AI assistant is too permissive, it may lower the barrier for abuse. If it is too cautious, it may block legitimate work. The line between "help me secure my app" and "help me exploit an app" can be thin on the page, even when the real-world difference is enormous.

This is not just a policy problem. It is a product problem, a trust problem, and increasingly, an economic problem.

Capability is no longer the whole score

When we compare AI systems, we often talk as if intelligence is the main thing that matters.

Can it reason? Can it code? Can it debug? Can it solve the challenge?

Those are useful questions, but they are incomplete. A powerful model wrapped in restrictive behavior may be less useful than a weaker model that can actually complete the authorized task. At the same time, a model that eagerly attempts everything may be impressive in a lab and reckless in the wild.

So what are we measuring?

Raw skill? Practical usefulness? Safety posture? Willingness to act? Cost per successful outcome? Reliability across repeated attempts?

The answer is probably all of the above.

That is why small, imperfect experiments can be so revealing. Even when they are not scientific evaluations, they expose the parts of AI performance that polished demos often hide. The model's answer is only one part of the system. The harness matters. The prompt matters. The budget matters. The failure handling matters. The refusal behavior matters. The surrounding workflow matters.

A model that solves something once is interesting.

A system that solves it repeatedly, safely, affordably, and with evidence is much more valuable.

The false comfort of "the API looked secure"

One of the more important lessons in this kind of test is how easily an AI agent can get trapped by the most visible surface.

A backend API might look clean. The endpoints may enforce authorization. The obvious object references may not leak data. The app may appear well structured.

But modern applications are rarely just a backend API.

They are mobile clients, cloud services, third-party platforms, embedded configuration files, storage rules, authentication providers, build artifacts, and forgotten trust assumptions taped together into something that mostly works.

Attackers know this. Good security researchers know this. Automated tools often struggle with it.

AI agents can struggle too.

They may inspect the obvious path, fail to find a bug there, and conclude the system is secure. That is not intelligence. That is tunnel vision with a nice writing style.

The uncomfortable lesson is that AI can produce a beautifully organized wrong answer. It can document its reasoning, summarize its attempts, and still miss the one architectural shortcut that matters.

This is where AI security tooling needs to mature. The goal should not be a single agent that "goes off and hacks the app." That sounds exciting, but it is a recipe for wasted tokens and overconfident reports.

The better direction is structured investigation.

Plan. Explore. Form hypotheses. Test them. Validate findings. Reject false positives. Escalate uncertainty. Keep evidence. Know when to stop.

In other words, security work needs process, not just prompts.

Guardrails are not the enemy, but they are not the product either

It is easy to get annoyed when an AI assistant refuses a legitimate task.

It is also easy to forget why those refusals exist.

Most users should not casually hand credentials, production access, or sensitive logs to an autonomous tool and hope for the best. Most organizations do not yet have the controls, monitoring, sandboxing, or approval flows needed to let AI agents operate freely in security-sensitive environments.

A refusal can prevent a bad day.

But a refusal can also prevent a good day from becoming productive.

This is the heart of the problem. Security professionals need tools that understand authorized work without turning every dangerous-looking verb into a red flag. Developers need help investigating their own systems. Incident responders need to inspect suspicious code. Cloud engineers need to trace access paths. Product teams need to understand whether their architecture leaks data through a side door.

Blanket caution does not solve this. Blanket permission does not solve it either.

The future probably belongs to systems that can distinguish between unsafe freedom and controlled authority.

That means scoped environments. Explicit authorization. Audit trails. Sandboxes. Read-only modes. Temporary credentials. Policy-aware workflows. Human approval at the right moments. Evidence-based reporting. Clear separation between testing a toy target, reviewing your own infrastructure, and attacking someone else's system.

The answer is not simply "remove the guardrails."

The answer is better rails.

Cost is part of capability

There is another detail that deserves more attention: these experiments can get expensive fast.

AI agents do not just answer. They loop. They inspect. They retry. They generate plans. They chase dead ends. They produce reports. Sometimes they confidently pursue the wrong path for a very long time.

That matters.

A model that technically can solve a task, but needs millions of tokens and repeated runs, may not be practical. A cheaper model that succeeds less often might still be useful if paired with the right workflow. A more capable model that refuses late in the process can waste both time and money.

This is where the market will become interesting.

Security teams will not pay for vibes. They will pay for reliable outcomes: validated findings, lower false positives, explainable evidence, clean integration, predictable cost, and fewer wasted investigations.

The winner may not be the "smartest" model in isolation. It may be the product that turns probabilistic reasoning into a disciplined security workflow.

That is less glamorous than a leaderboard.

It is also much closer to reality.

The bigger question

AI-assisted security is coming whether teams are ready or not.

Developers will use it to review code. Attackers will use it to speed up reconnaissance. Vendors will wrap it into scanners. Security teams will use it to triage alerts, inspect logs, test apps, and generate reports. Regulators and insurers will eventually ask awkward questions about how these systems are controlled.

The stakes are not theoretical.

If AI makes defenders faster, that is a big deal. If it makes attackers faster too, that is also a big deal. If it gives both sides more confidence than they deserve, that may be the biggest deal of all.

The lesson is not that AI can hack everything. It cannot.

The lesson is not that AI should be locked down until it becomes harmless. A harmless security tool is often just a useless one wearing a helmet.

The lesson is that we need a more mature way to think about capability.

Can the model find the issue? Can it prove the issue? Can it avoid making things worse? Can it explain its uncertainty? Can it operate inside clear boundaries? Can it help a professional do better work without pretending to replace professional judgment?

That is the bar.

Not magic. Not panic. Not blind trust.

Just useful, controlled, evidence-driven assistance in one of the few fields where being almost right can still be very expensive.

The most interesting question is no longer whether AI can break into a vulnerable app.

It is whether we can build AI systems that know how to help us secure the real ones.