Artificial intelligence is already shaping cybersecurity in two opposing roles: it intensifies threat scenarios through novel attack methods while simultaneously unlocking enormous potential for faster and more precise defense. 

For companies, this means that those who strategically integrate AI-driven defense systems can significantly reduce response times, achieve long-term cost efficiencies through automation, and strengthen trust among customers and investors – provided these systems are implemented responsibly and transparently. 

This ambivalence makes it essential not only to understand the technology from a technical perspective, but also to master its strategic, legal, and ethical dimensions. 

New Threats from Generative AI 

With the rise of generative AI (particularly large language models like GPT-4 and code generation tools), the entry barriers for cyberattacks have dropped dramatically. Even actors without deep technical expertise can now: 

• craft highly convincing phishing emails and distribute them at scale 
• create manipulative content and deepfakes (including synthetic voice cloning for CEO fraud) 
• develop or enhance malicious software using AI-assisted coding tools, though fully autonomous malware creation remains limited 
• automate reconnaissance and vulnerability discovery 

According to industry research, a significant majority of companies are already observing an expansion of their attack surface due to generative AI. For instance, Gartner predicts that by 2025, GenAI will be involved in 30% of outbound cyberattacks, while 81% of German companies expect an increase in AI-assisted attacks (Bitkom, 2024).  The real danger lies in the combination of speed, scalability, and deception quality that characterizes these new forms of attack – making traditional, rule-based defenses increasingly ineffective. 

 

AI as a Defense Tool 

On the other hand, AI is also revolutionizing defense mechanisms. Companies are increasingly relying on: 

• AI-powered threat detection (SIEM, EDR/XDR, UEBA) that identifies anomalies and attacks in real time through behavioral analysis 
• AI-enhanced vulnerability management that prioritizes risks based on exploitability and business context, including automated penetration testing 
• risk-adaptive identity and access management (Zero Trust, adaptive authentication) that dynamically adjusts permissions based on user behavior, context, and risk scores 

To ensure these systems operate effectively and in compliance with regulations, companies need support with: 

• tool and vendor selection tailored to their specific IT landscape, including evaluation of AI explainability, data residency requirements, and integration capabilities 
• data and privacy frameworks o ensure compliance with GDPR, the upcoming EU AI Act (2025), and industry-specific regulations such as NIS2, DORA, or sector-specific requirements 
• quality assurance and continuous monitoring to minimize false positives/negatives, detect model drift, and ensure unbiased decision-making 

In this context, consultancies take on the role of technology orchestrators: they design integration strategies, assess effectiveness and risk, and establish governance frameworks for the responsible use of AI. 

Regulatory Landscape: The EU AI Act 

The EU AI Act, coming into force in 2025-2026, will significantly impact AI-driven cybersecurity systems. Many defense applications (e.g., biometric authentication, critical infrastructure protection) are classified as “high-risk” and must meet strict requirements: 

• Comprehensive risk management and impact assessments 
• High-quality, representative training data 
• Transparency and explainability for security personnel 
• Human oversight mechanisms 
• Continuous monitoring and performance validation 

Consultancies must help clients navigate these requirements while maintaining security effectiveness – balancing regulatory compliance with operational needs. 

Securing AI Systems – Trustworthy AI 

A young but rapidly growing field of consulting is the security and trustworthiness of AI systems themselves – encompassing both technical security measures (AI Security) and broader aspects such as fairness, transparency, and accountability (Trustworthy AI).This includes protective measures against: 

• adversarial attacks, in which inputs are deliberately manipulated to deceive AI models 
• data poisoning and backdoor attacks during model training 
• model extraction and intellectual property theft 
• prompt injection attacks (particularly relevant for LLM-integrated systems) 
• bias detection, to prevent discriminatory or erroneous decisions 

While standards such as NIST AI RMF, ISO 42001, and the EU AI Act are emerging, practical implementation guidance is still evolving – creating opportunities for consultancies to position themselves early as trusted advisors and help shape industry best practices. 

Internal Use of AI in Consultancies 

• It’s not only client systems that benefit from AI — consultancies themselves are increasingly using it to boost efficiency and service quality. Examples include: 
• automated security code review using AI-powered SAST tools (e.g., GitHub Copilot, Snyk) 
• anomaly detection and threat hunting across large log datasets in SIEM platforms 
• automated penetration testing and attack simulation (e.g., Pentera, Cymulate) 
• AI-assisted incident documentation that structures reports, identifies root causes, and generates actionable recommendations 
• threat intelligence aggregation from multiple sources (OSINT, dark web, CVE feeds) 
• client risk assessments using AI-driven asset discovery and vulnerability scoring 
• Such internal tools can evolve into independent intellectual property assets or productized services (e.g., AI-driven risk assessment platforms, automated compliance reporting tools), significantly expanding a consultancy’s product portfolio and creating recurring revenue streams. 

Strategic Recommendations for Consultancies 

• Build expertise early in AI security and governance:
  • Obtain certifications (e.g., NIST AI RMF, ISO 42001 Lead Implementer) 
  • Establish an internal AI Security Center of Excellence 
  • Monitor emerging regulations (EU AI Act, NIST guidelines) 
  • Develop proprietary methodologies for AI risk assessment 
• Develop practical training programs for clients: 
  • AI threat awareness (phishing, deepfakes, social engineering) 
  • Secure AI adoption workshops (data handling, model selection) 
  • Tabletop exercises simulating AI-assisted attacks 
  • Executive briefings on AI governance and regulatory compliance 
• Rigorously evaluate AI tools internally before client deployment: 
  • Test for accuracy, bias, and robustness on diverse datasets 
  • Assess data privacy and residency compliance 
  • Validate vendor claims through independent testing 
  • Document limitations and failure modes 
  • Establish clear use case boundaries (where AI works/doesn’t work) 
• Embed ethics and compliance by design: 
  • Conduct AI impact assessments for all projects (per EU AI Act requirements) 
  • Implement fairness testing and bias mitigation procedures 
  • Ensure explainability for high-risk AI applications 
  • Document decision-making processes for auditability 
  • Establish AI ethics review boards for sensitive use cases 
• Foster innovation through strategic partnerships: 
  • Collaborate with universities on AI security research (joint papers, PhD supervision) 
  • Pilot emerging technologies with startups (early access, co-development) 
  • Participate in industry working groups (e.g., OWASP AI Security) 
  • Contribute to open-source AI security tools to build thought leadership 
• Develop AI-specific service offerings: 
  • AI risk assessments and audits 
  • AI red teaming and adversarial testing 
  • AI compliance consulting (EU AI Act, NIS2 + AI) 
  • Secure AI architecture design 
  • AI incident response capabilities 
• Address the AI security skills gap: 
  • Upskill existing security teams in ML/AI fundamentals 
  • Hire data scientists with security awareness 
  • Create cross-functional teams (security + data science) 
  • Invest in training programs and certifications 
• Address AI supply chain security: 
  • Vet pre-trained models and datasets 
  • Assess third-party AI vendors 
  • Establish model provenance tracking 

The Business Case for AI in Cybersecurity 

While AI-driven security tools require upfront investment (typically €100k-€500k for mid-sized implementations), ROI is achieved through: 

• Reduced incident response costs (40-60% faster detection/response) 
• Lower false positive rates (freeing analyst time for strategic work) 
• Scalability without proportional headcount growth 
• Improved compliance posture (automated evidence collection) 

Companies expect typical ROI within 12-18 months, with ongoing operational cost reductions of 30-50% compared to purely manual approaches. 

Building Cyber Resilience and Competitive Strength 

AI is both an accelerator and a litmus test for cybersecurity. Companies that address opportunities and risks simultaneously strengthen their resilience and competitiveness. Consultancies that combine deep AI security expertise with strong governance capabilities – and help clients navigate both technical and regulatory complexity – will become indispensable trusted advisors in an increasingly regulated and AI-driven market.