Every Tech Wave Follows the Same Playbook

Aaron Shierlaw
cybersecurity, ai, leadership

In 20 years of IT and security leadership, I’ve watched three technological revolutions unfold. Each one followed the same playbook.

The Cloud (Early 2010s)

Dropbox changed everything overnight. Data that had lived on on-prem file servers was suddenly floating out on the internet. A rush of CASB vendors emerged to solve the problem. Capital flooded in. Tools were bought. Boxes were checked.

IaaS and PaaS (Late 2010s / Early 2020s)

AWS promised agility and cost savings. Everyone moved fast. I watched teams literally mirror their on-prem environments in the cloud: virtual Palo Alto firewalls, internal network segments, all of it, because that’s what they knew. The tool changed. The thinking didn’t.

AI (Mid 2020s)

Here we are again. Another wave. Another flood of capital. A new crop of AI-specific security startups promising to solve your AI security problem.

The pattern is the same every time: vendors rush to market, budgets shift, tools get purchased, leaders feel better, and the fundamentals stay broken.


The Questions Nobody Wants to Answer

Before you look at a single AI security vendor, I’d ask you to answer these honestly.

Identity and Access Management. Is your IAM program well-governed and well-executed? Do you have strong controls? Do you understand your non-human identities? Are lifecycle workflows automated, monitored, and managed?

Data Governance. Can you identify your data? Is it labeled and classified? Do you have a functioning DLP program?

Asset and Device Management. Do you have full visibility into what your users are running? Are strong security controls in place across those endpoints?

If the answer to any of those is “not really,” AI security tooling isn’t your problem yet.


Why We Keep Skipping the Hard Part

Nobody wants to talk about asset management. You won’t see it keynoted at RSA. No vendor is going to sell you “Endpoint Asset Management 2.0, Now AI-Powered.”

But here’s what I know to be true after 20 years.

The basics are hard. That’s exactly why people avoid them. Doing IAM well — continuously, at scale, across hybrid environments — is genuinely difficult work. These aren’t one-time projects; they’re operational disciplines that require ongoing attention and investment.

Tools are a shortcut for strategy. It’s much easier to buy something that promises to solve your AI security problem. You get a demo, a contract, a dashboard, and a sense of progress. But if the foundation is shaky, the tool doesn’t matter.


Build the Foundation First

I’m not saying don’t invest in AI security tooling. You absolutely should, as your AI usage matures and the risk surface becomes real. But the organizations that will navigate this wave successfully are the ones who resist the urge to skip ahead.

The ones who slow down, ask hard questions about what they actually have in place, and close the gaps that have been easy to ignore because there’s always a shinier problem to solve.

Do the hard thing. Build the foundation. The rest gets a lot easier from there.