Harsh Singhal leads AI and Data Security at Glean, applying machine learning and agentic systems to endpoint defense and data governance.

For two decades, I have watched the security industry repeat the same pattern. Every five to seven years, a new class of threat arrives, the field treats it as unprecedented and the practitioners who recognize the shape from prior waves are the ones who solve it first. AI security is the latest cycle, and the pattern is more visible than ever once you know where to look.

I have had this conversation now with dozens of product leaders: They are convinced that indirect prompt injection, agentic exfiltration and model supply chain compromise are categorically new. They are not. The shape is familiar to anyone who lived through the antivirus, anti-spam and web application security wars, and the lessons from those wars tell us almost exactly what to do.

The Pattern That Keeps Repeating

The first time I watched a defensive industry transition from deterministic to probabilistic detection was in the mid-2000s, as antivirus moved from signature matching to behavioral heuristics in response to polymorphic malware. I have seen the same arc twice since: anti-spam, from blocklists to ML classifiers that today block 99.9% of unwanted email at scale, and web application security, from manual code review to layered runtime protections. In every case, the pattern was identical: When the threat got fuzzy, the defense had to become probabilistic. The teams that resisted the transition are the teams I later read about in breach disclosures.

AI security is now mid-arc on the same curve. What I see in the field is a familiar division: The teams that recognize the shape are already rebuilding their detection stacks around probabilistic primitives.
The teams that are waiting for "AI-shaped CVEs" are the ones that will likely be caught flat-footed.

What Carries Over From The Old Wars

Three lessons from prior cycles transfer directly, and I have watched them in my own work at Glean.

Defense in depth still wins. No single guardrail model catches every prompt injection. I have yet to see one that did, despite vendor claims. The most effective implementations I have seen combine input classifiers, output filters, behavioral anomaly detection and access controls. The vendors promising a one-shot solution sound exactly like the AV vendors from two decades ago who claimed 100% detection.

Fast feedback loops still win. One of the strongest predictors I have seen of success against emerging threat classes is the speed of the telemetry-to-detection-to-deployment cycle. Teams that can observe new behaviors, adapt controls and deploy updates quickly tend to reduce exposure faster than those operating on longer change cycles. By contrast, organizations with slower governance and deployment processes often struggle to keep pace with rapidly evolving threats, even when the underlying technical controls are sound.

Audit as a product still wins. Many of the enduring market leaders from prior security eras succeeded not only because of their detection capabilities, but because they generated evidence that regulators, auditors and enterprise buyers could trust and act upon. In my own work, I have repeatedly watched organizations discover after an incident that the larger challenge was not identifying a problem, but reconstructing and explaining what an AI system did, why it did it and who was affected. Detection is a technical challenge.
Auditability is an organizational one, and often the more difficult capability to build at scale.

What Is Actually New

The priors carry, but the AI substrate has properties that previous threat classes did not, and practitioners need to internalize them.

The attack surface is now natural language. Unlike SQL, there is no true equivalent of parameterized queries. Instructions and data share the same channel and are interpreted by the same system that makes decisions. Many of the defensive instincts that worked for traditional input validation need to be rethought from first principles.

The attacker uses the same capabilities you do. I have watched red teams generate per-target injection payloads at the speed of inference using the same frontier models deployed by defenders. The economics of attack and defense have shifted, and security teams that have not absorbed this are often planning for a fight that no longer exists.

Agent authority composes dynamically. Permissions are increasingly derived at runtime from natural-language intent in ways that OAuth scopes were never designed to govern. The 1988 confused-deputy problem is already appearing in production systems at scale, and many enterprises have yet to recognize it.

Where The Curve Appears To Be Heading

The historical pattern suggests that defending against AI-native threats will increasingly require defensive systems that themselves rely on AI and machine learning. Antivirus, anti-spam and web application security all followed a similar trajectory: As threats became more adaptive and less deterministic, detection and response capabilities evolved in the same direction.
What I am observing in AI security today looks less like a departure from that pattern than its latest iteration.

The specific implementations will vary by organization, but three areas stand out as high-leverage investments for the next 12 months: guardrail models embedded in the inference path, behavioral telemetry that treats agent actions as first-class security events and stronger delegation mechanisms such as short-lived signed capability tokens between agents and tools. None of these concepts are fundamentally new. They echo the investments made during earlier transitions in antivirus, anti-spam and application security. The difference is that AI systems are evolving quickly enough that organizations may have less time to adapt than they did in prior cycles.

What Practitioners Should Do This Quarter

Pick one part of your security stack and make it probabilistic. Replace a static rule with a model. Add behavioral telemetry to one agent surface. Pilot a capability-token issuer for one internal automation. Then measure, iterate and expand.

I have written this from a place of pattern recognition, not prediction. The pattern is the same one I have watched play out three times before. The teams that recognized it early were more likely to define their decades. We are now mid-cycle on the fourth iteration of this pattern, and the teams that move with discipline today are the ones I believe will be cited in the retrospectives written 10 years from now.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
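The article's "short-lived signed capability tokens between agents and tools" and its confused-deputy point can be piloted with very little code. The following is an added example, not code from the article or from Glean: an issuer mints an HMAC-signed token for one agent, one tool, one action and one resource, and the tool authorizes against the token alone. The claim names, the agent and tool names and the demo key are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

DEMO_KEY = b"constructed-demo-key-not-for-production"  # assumption: issuer/tool shared secret

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(key, agent, tool, action, resource, ttl=60, now=None):
    """Mint a token granting one agent one action on one resource at one tool."""
    now = int(time.time() if now is None else now)
    claims = {"sub": agent, "aud": tool, "act": action, "res": resource,
              "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify(key, token, tool, action, resource, now=None):
    """Tool-side check. Returns (allowed, reason); the reason is suitable for an audit log."""
    now = int(time.time() if now is None else now)
    try:
        body, sig = token.split(".")
        expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):  # constant-time comparison
            return False, "bad_signature"
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return False, "malformed"
    if now >= claims["exp"]:
        return False, "expired"
    if claims["aud"] != tool:
        return False, "wrong_tool"
    # Confused-deputy guard: authorize only what the token names,
    # never what the calling agent's own identity could otherwise do.
    if (claims["act"], claims["res"]) != (action, resource):
        return False, "out_of_scope"
    return True, "ok"

if __name__ == "__main__":
    t = issue(DEMO_KEY, "summarizer-agent", "docs-api", "read", "doc/123", ttl=60, now=1000)
    print(verify(DEMO_KEY, t, "docs-api", "read", "doc/123", now=1030))
    print(verify(DEMO_KEY, t, "docs-api", "delete", "doc/123", now=1030))
    print(verify(DEMO_KEY, t, "docs-api", "read", "doc/123", now=1061))
```

Logging each `(allowed, reason)` result together with the token's claims gives the per-action record the audit section asks for. A production pilot would use asymmetric signatures so tools cannot mint tokens themselves.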