Simon Glairy stands at the forefront of a digital revolution that is fundamentally altering the landscape of risk. As an expert in insurance and AI-driven risk assessment, he has spent years analyzing how emerging technologies create both unprecedented security challenges and innovative solutions for the insurance sector. Today, he joins us to discuss a pivotal moment in cybersecurity: the arrival of frontier models like Anthropic’s Mythos, which are capable of identifying vulnerabilities at a scale and speed previously thought impossible.
This discussion navigates the complex shift from traditional vulnerability patching to a holistic exposure management strategy. We explore how the “AI versus AI” dynamic is forcing insurers to abandon static assessments in favor of real-time, verifiable security data. Furthermore, Glairy sheds light on the growing threat of cyber catastrophes—systemic events where a single exploit can ripple through thousands of organizations—and how the insurance industry is responding with tighter policy language and specialized sub-limits.
Frontier models are now capable of identifying thousands of vulnerabilities across major operating systems and browsers at an unprecedented scale. How does this shift the balance between offensive and defensive capabilities, and what specific steps should infrastructure firms take to secure their internal environments against unauthorized access?
The shift we are seeing with models like Mythos is nothing short of a paradigm shift because we have moved past simple reconnaissance into the realm of active, automated exploitation. Under the tightly controlled Project Glasswing initiative, we’ve already seen these models uncover thousands of vulnerabilities across major operating systems and browsers, which essentially hands a master key to anyone capable of wielding that intelligence. For infrastructure firms, the defensive strategy can no longer rely on perimeter fences alone; they must implement rigorous, zero-trust architectures within their internal environments to prevent unauthorized access to these powerful preview environments. It is a chilling realization that the very tools we build to secure our digital world can, with a single lapse in oversight, be used to dismantle it from the inside out. Firms need to prioritize hardware-level security and granular access logs that are monitored by defensive AI in real time to catch these sophisticated, action-oriented attacks before they manifest as breaches. This “AI vs. AI” reality means that if your defense isn’t moving at the same speed as the offensive models, you are effectively standing still.
Organizations are moving away from traditional “pothole” patching toward a more comprehensive exposure management strategy. How do you determine which systems are most critical when new vulnerabilities appear faster than they can be fixed, and what metrics best measure the success of this transition?
The old “pothole” analogy is becoming obsolete because, in the modern landscape, the entire road is shifting and warping beneath our feet faster than any manual crew could ever hope to repair it. When thousands of new vulnerabilities appear almost overnight, determining criticality requires a deep, data-driven understanding of system interdependencies and the actual flow of high-value traffic through an organization’s network. We are seeing companies move beyond simple detection to a more holistic view that encompasses the potential impact of disruption on data flow and core workflows. To measure success, we look at how well an organization can prioritize its efforts based on exposure—focusing on where traffic is highest rather than just where the newest hole has appeared. It is an emotional race against time for IT teams who feel the weight of these potential “sinkholes” appearing in their infrastructure daily. By focusing on exposure management, we aren’t just fixing holes; we are re-engineering the road to ensure that even if a hole appears, the most critical traffic—the essential data and services—can still reach its destination safely.
The timeline between the discovery of a software flaw and a resulting financial loss is shrinking rapidly. How are underwriting models evolving to require real-time evidence of security controls, and what specific frameworks help resolve liability disputes involving automated system outages or cascading failures?
The compression of the timeline between a flaw’s discovery and a massive financial loss is putting immense pressure on legacy underwriting models that were designed for a much slower-moving threat landscape. We are moving away from static, yearly self-reported questionnaires toward a requirement for real-time, verifiable evidence of active security controls. This is similar to how insurers view high convective storms; we expect a significant increase in claims frequency as these AI-driven entry points are exploited more often and more efficiently. When it comes to liability disputes, especially regarding cascading failures or automated system outages, we are looking toward new policy language that addresses the “grey areas” of non-malicious incidents. These disputes can become incredibly complex and emotionally charged because, in an automated environment, the line between a simple system error and a sophisticated AI intervention is increasingly blurred. Insurers are now looking for frameworks that can attribute liability more clearly in cases where an automated system’s self-correction actually triggers a broader failure across a client’s environment.
A single vulnerability exploited by advanced AI can now trigger a “cyber catastrophe” affecting thousands of organizations simultaneously. What methods should insurers use to model these aggregation risks, and how will sub-limits for AI-related threats change the way businesses approach their coverage needs?
The concept of a “cyber catastrophe” is no longer a theoretical exercise for academic papers; it is a systemic risk that insurers are now actively modeling using advanced aggregation simulations that account for shared infrastructure. When a model can scale an attack uniformly across thousands of organizations that share a common cloud provider, the potential for a single event to wipe out an entire sector’s capital is a red flag that no one can ignore. We are seeing a shift toward specialized sub-limits and the introduction of “LLM-jacking” exclusions to manage this concentration of risk and prevent market-wide shocks. Some carriers are tightening their terms significantly, while others are attempting to offer affirmative AI cover as a premium standard, which creates a very fragmented and confusing market for policyholders. For a business, this means their coverage needs are becoming much more granular, forcing them to decide which specific AI-driven threats are worth the extra premium and which risks they must shoulder themselves as part of their internal risk management.
What is your forecast for the AI versus AI cyber risk landscape?
My forecast for the AI versus AI landscape is that we will witness an aggressive arms race where defensive AI becomes the only viable way to counter the sheer volume of automated offensive strikes. In the next few years, I expect that human-led cybersecurity centers will transition into oversight roles, managing “defensive swarms” of AI that patch, monitor, and counter-attack in milliseconds. We will see a rise in “AI-native” insurance policies that are priced dynamically, with rates fluctuating based on the real-time health and resilience of a company’s autonomous defenses. This will likely lead to a period of high market volatility as insurers struggle to find a balance between supporting innovation and protecting themselves from catastrophic, aggregated exposure. Ultimately, the winners will be those who embrace the “AI versus AI” reality early, investing in resilient, self-healing infrastructure that treats every software flaw as a high-stakes battleground where speed and automation are the only true currencies.
