“AI Is Forcing Us to Redefine Risk”

16 June 2026

Mandy Andress (CISO at Elastic) on the Fundamental Shift in Cybersecurity

For years, cybersecurity has revolved around implementing controls, complying with regulations, and ticking off compliance requirements. But according to Mandy Andress, Chief Information Security Officer at Elastic, that era is no longer sufficient. She believes cybersecurity has reached a tipping point. With the rise of AI and autonomous AI agents, traditional security models are becoming increasingly ineffective, requiring organizations to fundamentally rethink how they approach risk.

Mandy Andress is one of the keynote speakers at Cybersec Netherlands 2026 (9–10 September, Jaarbeurs Utrecht). During her keynote, “Redefining Risk in the Age of AI: Cybersecurity at a Tipping Point,” on the second day of the event, she will explain why artificial intelligence is forcing organizations to completely rethink their view of risk. “AI is no longer an emerging technology; it is already a powerful force fundamentally reshaping today’s cyber threat landscape. The question is no longer whether cybersecurity needs to change, but how profound and how rapidly that change must take place.”

Her message comes at a time when organizations worldwide are struggling with the impact of AI. Not only are employees increasingly adopting AI tools, but cybercriminals are leveraging the same technology to launch attacks that are faster, smarter, and more scalable than ever before.

A Fundamental Shift

According to Andress, the current transformation is unlike previous technological developments in cybersecurity. “We are at a genuine tipping point. This is not a gradual evolution. Organizations need to stop treating security as a compliance exercise and start managing it as a strategic, risk-driven discipline.” Her perspective aligns with a broader shift across the industry. In recent years, organizations have focused heavily on regulatory compliance and demonstrable security controls. With the introduction of frameworks such as NIS2, DORA, and stricter digital resilience requirements, businesses have invested significantly in governance, reporting, and compliance initiatives.

At the same time, there is growing recognition that regulatory compliance alone does not guarantee adequate protection. Compliance frameworks typically address known risks, whereas AI introduces entirely new and constantly evolving threats. According to Andress, this means boards, CISOs, and risk managers must begin asking a different question: how much risk is the organization truly willing to accept?

Cybercriminals Are Moving First

The pace of AI development makes this discussion more urgent than ever. Cybercriminals are already experimenting extensively with generative AI for phishing, social engineering, malware development, and automated vulnerability reconnaissance.

Where attacks once required extensive preparation, threat actors can now operate far more quickly and scale their activities with ease. “Attackers are already using AI to move faster, operate at greater scale, and attack with a level of sophistication that traditional security models were never designed to handle,” says Andress.

She believes this represents one of the biggest challenges organizations face today. Most security programs are based on threat models that have remained relatively stable over time. However, the speed at which AI is creating new attack opportunities is causing those models to become outdated much faster than before. “I used to make predictions ten years into the future. Today, my planning horizon has shrunk to five years, and sometimes even to a single quarter. The pace of change is unprecedented.”

The Rise of AI Agents

Beyond AI-powered cyberattacks, Andress identifies another major development that will significantly impact organizations: the rise of AI agents. Unlike traditional AI assistants, AI agents can independently gather information, make decisions, execute workflows, and take actions within business environments. While this creates enormous opportunities for efficiency and innovation, it also introduces entirely new categories of risk that many organizations have barely begun to assess. “AI agents are creating completely new risk categories for which most organizations have not yet developed assessment frameworks,” warns Andress.

Questions surrounding autonomy, access rights, decision-making, data usage, and accountability are becoming increasingly important. Who is responsible when an AI agent makes the wrong decision? How do you monitor systems that act independently? And how can organizations prevent AI agents from becoming a new entry point for attackers? These are challenges for which many existing security frameworks still offer no clear answers.

AI Is Also the Solution

Despite these concerns, Andress does not see AI solely as a threat. On the contrary, she believes the same technology empowering attackers can become one of defenders’ greatest strengths.

Within Security Operations Centers (SOCs), AI is rapidly evolving from an experimental capability into a core operational component. It is increasingly used to detect anomalous behavior, analyze incidents, and accelerate threat response. At a time when organizations continue to struggle with a shortage of cybersecurity professionals, AI can help security teams gain faster insight into emerging risks and threats.

“AI is both the threat and the opportunity,” says Andress. “The organizations that actively leverage AI as a defensive capability and consciously lead this transition will ultimately build a competitive advantage.” As a result, cybersecurity is shifting from a reactive discipline to a proactive one. Rather than simply blocking attacks, organizations must continuously understand, anticipate, and manage risk within an increasingly dynamic digital environment.

A New Era for Cybersecurity

According to Andress, the cybersecurity industry is entering the most significant transformation in its history. It is not only technology that is changing, but also the way organizations approach security, governance, and risk management.

“Cybersecurity is on the verge of its greatest transformation ever,” she says. “The organizations that will succeed are those that move beyond purely compliance-driven models, embrace AI as a defensive capability, and actively shape this transition.”

That will be the central message of her keynote at Cybersec Netherlands 2026. Because if there is one conclusion to be drawn from today’s developments, according to Andress, it is that the era of reactive cybersecurity is coming to an end. The future belongs to organizations willing to redefine risk—and act accordingly.
