Skip to main content
TechnologyJun 26, 2026· 5 min read

AI Changes All the Rules of Security Between Vulnerabilities and Surveillance: An Interview with the CEO of Proofpoint

Artificial intelligence is bringing a multitude of changes, and perhaps the most obvious ones are in the field of cybersecurity, where AI is used to identify vulnerabilities and bugs at an unprecedented speed. Understanding which direction to take and how to respond to these changes is not easy and will require a joint effort from all stakeholders involved. It will be increasingly important to rely on trusted partners, as well as to protect AI from attacks, according to Sumit Dhawan, CEO of Proofpoint, in an exclusive interview.

Protection from, for, and with AIs

"At Proofpoint, we had to adopt language models because criminals can use ChatGPT to rewrite the text of phishing emails, and traditional tools become useless." This is what Dhawan tells us, summarizing the challenges that companies face in defending us from cybercriminal attacks: the evolution brought by AIs is such that we must reinvent our approach to defense.

It’s not necessarily a negative point: "There are many activities that remain people-centered, like red teaming [simulations where security experts simulate an attack to test employee preparedness and system defenses, Ed.], but others can be performed by AI agents: checking alarms, verifying system status, categorizing alerts that come into the system... These are all tasks that will be handled by teams of agents who will provide protection against various threats. This way, security professionals can have more time to dedicate to the governance of data protection, the agents themselves, and software development."

Dhawan almost anticipates our spontaneous question: since it will be agents protecting the systems, who will protect these agents from attacks? Or, to quote Juvenal: qui custodes ipsos custodiet?

"This is a problem that already exists today with SaaS systems, but it becomes even bigger with AI," says Dhawan. "In my opinion, this is where relying on a few strategic partners becomes essential. For example, network security will be handled by Palo Alto [Networks], while email security will be managed by Proofpoint; these companies will be responsible for providing the correct information to demonstrate that their software is secure."

However, there is a parallel and almost invisible risk in having AI agents surveilling everything at all times, which is that of excessive surveillance. This is particularly true when AIs are used to monitor employee communications, for example, to prevent insider attacks or intellectual property theft. Finding the right balance is complex, and according to Dhawan, it doesn’t necessarily have to end in a 1984 scenario.

"It’s about finding signals that could potentially indicate malicious activity. We create profiles of workers and categorize individuals based on risk levels. At that point, controls or training activities are activated. But surveillance is not the only thing to consider to reduce internal risk: for example, if you see a new hire browsing source code they shouldn’t be looking at, you can intervene in many ways that don’t necessarily involve surveilling that person."

According to Dhawan, the key is to gather signals from the environment and have risk profiles, intervening based on these. "Think of it as risk control rather than mere surveillance," Dhawan tells us. However, this doesn’t change the fact that gathering such signals and creating such profiles can be particularly intrusive – and, in fact, may be considered detrimental to privacy in certain cases. This is why laws regulating these aspects are important.

In general, Dhawan states that "we need to move to a model of governance, both for people and for AIs. We first need to know which AI tools are used in the company, after which we can manage them and not be blind to what happens. The same goes for people; access to information can be managed and restricted. The reality is that controls are used to verify that people do not act without moral integrity, but the problem with AI is that it has no morals or virtues, so we must enforce controls."

The Problem of Vulnerabilities

Claude Mythos has changed the game when it comes to uncovering vulnerabilities in code, and other leading models are not far behind. The problem is that more and more vulnerabilities are being found at an increasingly faster rate, and this is not only happening from security researchers and developers but also from criminals. As a result, they can carry out increasingly more attacks for which there are no defenses. How can we respond to this complete paradigm shift?

"AI has made it possible to create attacks faster than patches can be developed. In other words, we need to forget about patches. What can we do? Controls and limitations can be implemented, but the number of vulnerabilities continues to grow and will not stop anytime soon," Dhawan states.

Thus, there are two things to do: the first is to be the fastest to apply patches, which means changing how systems are managed. "This will reduce this gap [between attacks and the availability of patches], but it won’t eliminate it."

In the meantime, the second thing to do is to protect people: according to Dhawan, attacks are effective because they exploit people as a weak point through which to breach corporate defenses. "There are only two ways criminals can enter: through people or through AI. If you send an email, it can be read by a person or Copilot, thus compromising the system. Therefore, security solutions must extend protection to AI as well," Dhawan tells us.

"You can have the best knowledge of ongoing attacks, you can know the vulnerabilities in your software, you can protect endpoints, but at that point, it’s people who can be compromised. That’s why there is a need to protect email."

There will still be a need for a systemic change: "there will be less to do at the enterprise level and more at the cloud and software vendor level, because it’s impossible to keep up [as software users]. There’s also a need for better governance: few companies truly have a good one. In a sense, [this change] challenges every aspect of how security is managed. That’s why I don’t think this is a trivial problem, and it will take time to solve."

But in the meantime, we need to continue to protect ourselves. "Protection comes from prevention, and prevention has always come from intelligence information about attacks. We need to change all the rules – identity verification, code development, software lifecycle, cloud vs on-premise, and so on."

A storm is brewing. Buckle up.

Adobe Acquires Topaz Labs: AI Upscaling and Restoration Enter Photoshop and PremiereAll the TVs on sale for Prime Day: starting at €219 but keep an eye on discounts for beautiful LG OLEDs