Vanta's Christina Cacioppo on AI security adoption: 4 in 5 security leaders deploying AI agents to fight AI-powered attacks
Key Points
- Four in five security leaders are deploying or planning to deploy AI agents to counter AI-powered attacks, a higher adoption rate than Vanta CEO Christina Cacioppo anticipated.
- Seventy percent of security leaders allow AI agents direct input on security strategy, reflecting default trust over scepticism within a profession built on risk mitigation.
- Cacioppo expects the first major AI-induced security incident will stem from basic misconfigurations rather than novel exploits, with the differentiator being that AI discovered the vulnerability first.
Summary
Vanta CEO Christina Cacioppo surfaced data from a survey of thousands of security leaders worldwide that points to aggressive AI adoption on the defensive side of cybersecurity. Four in five security leaders are already using or plan to use AI agents to counter AI-powered attacks, a figure Cacioppo describes as higher than she anticipated. A separate finding shows 70% of respondents are allowing AI agents to provide direct input on security strategy, a posture she characterises as default trust rather than default scepticism, which is striking given that the respondents are security professionals.
“Four in five security leaders are using or plan to use AI agents to prevent against those sort of attacks. 70% of folks are letting those agents give input on security strategy. My model of this is centaurs — AI plus person — and we're at that stage. AI won't take your job, but someone using AI might.”
The AI-versus-AI dynamic is shaping how practitioners think about threat detection. Rather than treating AI-driven code scanning as a bounded task, security teams are increasingly running open-ended, token-intensive sweeps across entire codebases, accepting that the agent may return nothing actionable. Cacioppo frames this as a parallelisation benefit: the cost of a null result is low, and the upside of catching a live vulnerability justifies the compute spend.
On the question of when a high-profile, AI-induced security incident will materialise, Cacioppo's view is that it will arrive sooner rather than later, but is unlikely to involve sophisticated attack choreography. Her expectation is that AI will surface a basic misconfiguration, an exposed database or an equivalent of the Equifax breach pattern, rather than some novel exploit. The attack vector will be mundane; the differentiator will be that AI found it first.
Compliance training is flagged as an area ripe for AI-native rebuilding. Cacioppo points to phishing simulations as an early example of personalisation at scale, where models scan a target's actual inbox behaviour to craft lures rather than sending generic fake newsletters. She expects adaptive, context-aware training to displace the static video-and-click format that has dominated the category for decades.
Internally, Vanta is treating AI proficiency as a baseline hiring and performance criterion going forward. Cacioppo's framing to staff is that AI will not replace roles outright, but employees who use AI effectively will displace those who do not. The company is building both training programmes and explicit job expectations around this premise, positioning AI fluency as a core competency rather than an optional skill.
Cacioppo's broader model for the current moment borrows from economist Tyler Cowen: the centaur stage, human-plus-AI working in tandem. She draws the analogy to chess, where a multi-decade human-AI collaboration phase preceded full machine dominance, and expects security and compliance to follow a similar trajectory before autonomous agents take over end-to-end workflows.