AI Won't Help You Here
Ian Amit
BSidesSF 2025 — Here Be Dragons · Day 1 · Main
The security industry's obsession with generative AI is producing expensive, unreliable outcomes in domains that require precision — including vulnerability remediation — while well-understood, deterministic AI systems quietly keep planes out of each other's flight paths. Ian Amit argued that choosing the right AI model for the right problem domain is the competency that separates real security improvement from boardroom theater, and that fixing open S3 buckets remains more urgent than defending against quantum computing threats.
---
AI review
Amit is correct that GenAI is the wrong tool for deterministic security problems, and the TCAS contrast is effective. But 'use the right AI for the right problem' is a point that should take ten minutes, not forty. The Slack chatbot and Git prompt engineering horror stories are entertaining. The RAG-for-remediation proposal needs more rigor.