What works against mythos today is what worked against ransomware 5 years ago, and malware 10-15…

Ross Haleliuk delivers a sobering reality check to an industry intoxicated by the promise of artificial intelligence, arguing that the most sophisticated new tools cannot compensate for the most basic operational failures. The piece's most striking claim is that the "Mythos" of AI-driven security is a distraction, and that the same fundamental discipline required to stop ransomware a decade ago is the only thing that will stop AI-augmented attacks today.

The Illusion of New Threats

Haleliuk begins by dismantling the narrative that AI creates entirely new security paradigms. "Mythos completely changed the game, except, in most ways, it didn't," he writes. Instead of inventing novel vulnerabilities, he argues, AI simply acts as a force multiplier for existing inefficiencies, making attacks faster and cheaper to execute at scale. This framing is crucial because it shifts the burden of defense from purchasing the latest "AI-enabled" tool to fixing the rotting foundation of IT operations.

The author's core thesis rests on a statistic that should terrify every CISO: "Over 90% of security problems are due to lack of operational discipline." Haleliuk attributes this concept to Yaron Levi, CISO at Dolby, noting that the root causes of breaches—misconfigurations, unpatched systems, and identity mismanagement—remain stubbornly consistent regardless of the attacker's technology. This argument holds significant weight because it aligns with historical data; just as the evolution from malware to ransomware did not change the fact that unpatched servers were the primary entry point, the shift to AI will not alter the reality that security is an operational outcome, not a product feature.

The hardest security problems are not security problems; they are operational problems that security teams are forced to solve.

Critics might argue that AI introduces unique risks, such as prompt injection or model poisoning, that traditional operational hygiene cannot address. While true, Haleliuk's point remains that without a baseline of discipline, organizations will be too distracted by basic failures to even notice these new vectors.

The Complexity Trap

The commentary then pivots to why this discipline is so elusive. Haleliuk suggests that the issue is not negligence, but the sheer, overwhelming complexity of modern enterprise environments. He points out that "nearly every organization... have untracked servers running in forgotten AWS accounts, orphaned SaaS apps, or old test environments still connected to production data." This is a direct echo of the "Security through Obscurity" fallacy; when teams cannot see their own assets, they are effectively blind.

The author draws a sharp distinction between the tools security teams buy and the work they actually need to do. "Posture management, in the end, is security's way of coping with the operational gaps it doesn't control," Haleliuk writes. He explains that tools like Cloud Security Posture Management (CSPM) can flag an exposed storage bucket, but they cannot prevent the engineer from creating it. This is a vital distinction often missed in vendor marketing. It mirrors the history of Common Vulnerabilities and Exposures (CVEs), where the existence of a database of flaws did not stop breaches; only the actual application of patches did.

The difficulty lies in the scale of identity and access management. Haleliuk describes how "every new hire, role change, contractor onboarding... creates new permissions, groups, exceptions, and dependencies." Over time, this leads to a state where "nobody is fully confident about what can be safely removed without disrupting the business." This is not a failure of will, but a failure of process. The author notes that "achieving operational excellence at scale is incredibly hard," and that the industry has largely accepted a state of "fragile systems held together by scattered knowledge."

The Cultural Shift Required

Haleliuk's most prescriptive argument is that the solution lies in culture, not code. He advocates for treating "operational hygiene as a first-class engineering responsibility, not a security tax." He illustrates this with a powerful example of a company where the CTO mandated weekly dependency updates, normalizing the idea that "keeping things clean is part of the job."

This approach requires a fundamental shift in how leadership views risk. "When leaders explicitly value reliability, clarity, and maintainability, and reward teams for reducing complexity instead of adding to it, behavior changes," Haleliuk observes. This is a direct challenge to the "move fast and break things" mentality that often plagues tech organizations. The author warns that "there are tools that help, AI helps a lot, but no solution will remove the need to do the work."

Trends are temporary. Stick to fundamentals.

A counterargument worth considering is that the pace of AI development might outstrip the ability of organizations to cultivate this kind of slow, deliberate culture. If the threat landscape shifts monthly, can a culture of "boring, repeatable processes" keep up? Haleliuk would likely argue that the opposite is true: only a stable, disciplined foundation allows an organization to adapt quickly without collapsing under its own weight.

Bottom Line

Haleliuk's strongest contribution is reframing AI not as a savior or a monster, but as a stress test for existing operational maturity. The piece's greatest vulnerability is its reliance on cultural change in an industry that historically prioritizes feature velocity over stability. However, the verdict is clear: organizations that continue to chase the "Mythos" of AI while ignoring the basics of asset inventory and patching will find themselves uniquely vulnerable, regardless of how advanced their tools become.

Deep Dives

Explore these related deep dives:

  • The Art of Invisibility by Kevin Mitnick

  • Security through obscurity

    The article argues that relying on new AI tools as a novel defense fails because attackers simply exploit the same old misconfigurations, illustrating why hiding behind complexity rather than enforcing fundamentals is a historically proven failure mode.

  • Common Vulnerabilities and Exposures

    This standardized system for identifying known security flaws explains the 'unpatched systems' and 'misconfigurations' the author cites as the root cause of 90% of breaches, showing how the industry tracks the same static problems despite evolving attack vectors.

Sources

What works against mythos today is what worked against ransomware 5 years ago, and malware 10-15…

by Ross Haleliuk · Venture in Security

Mythos completely changed the game, except, in most ways, it didn’t. It isn’t creating entirely new security problems, it simply makes existing problems much easier to exploit at scale. Yes, AI will increase breaches by making attacks faster and cheaper, but the way companies defend themselves hasn’t fundamentally changed. The organizations best prepared for AI-driven attacks are the same ones already prepared for ransomware and other modern threats.

If you are a regular reader of Venture in Security, you know that I am big on fundamentals. No matter what the topic is - security, building startups, investing, go-to-market, or anything else, fundamentals win. This is what today’s piece is about - focusing on fundamentals in the age of complete reinvention with AI.

Over 90% of security problems are due to lack of operational discipline.

If you read the Verizon DBIR or virtually any other credible breach report, you’ll see that while the cybersecurity market constantly evolves, with new tools, categories and buzzwords introduced every year, the actual reasons companies get breached remain almost unchanged. It’s rarely some novel, cutting-edge attack that takes a company down. It’s rarely something blockchain-powered, quantum-proof, AI-enabled, or whatever the new flavor of the day is. Instead, companies get breached because of the same familiar problems: misconfigurations, unpatched systems, third-party risk, identity mismanagement, flat networks, poor segmentation, and a handful of other operational oversights. The tech changes, the tools and architectures change, and attackers change their methods but in some ways the root causes of incidents for the most part stay the same.

The reality is, ...