Federal Cyber Leaders Urge Faster AI Adoption to Counter Evolving Threats

Artificial intelligence is rapidly reshaping the cyber threat landscape — expanding defensive capabilities while lowering the barrier to entry for attacks that once required nation-state backing, officials said Thursday during GovCIO Media & Research’s CyberScape: The Federal Cybersecurity Summit.

“We are inherently behind the curve. We need to pick up the pace,” said Keith Busby, acting CISO, at the Centers for Medicare and Medicaid Services.

To close that gap, agencies must rapidly integrate AI into internal processes while keeping humans at the center of decision-making. At CMS, that means embedding AI into operations in a way that accelerates response times without removing human oversight.

At the same time, the pace of AI development is compressing traditional timelines. Anil Chaudhry, senior advisor for AI at the Department of Transportation, said software development cycles that once averaged 18 months are now closer to seven. That acceleration raises new governance challenges.

“How do you adapt quickly so that your governance doesn’t become a risk factor in itself?” Chaudhry said.

Leveraging AI to Counter Threats

Panelists said agencies can also use AI to gain better visibility into their environments.

Chris Saunders, worldwide director of public sector solutions engineering at Wiz, said organizations have historically relied on time-consuming manual processes to inventory assets. Cloud environments have only increased that complexity by distributing resources across systems.

“You should be able to see everything that’s out there. … We should be able to provide inventory of any technology, including AI, the models, the orchestration, the agents – all those things,” Saunders said.

Busby said CMS is integrating AI into its security operations center to improve how it evaluates and acts on data. That includes correlating and normalizing data streams to support faster, more informed decisions across both assessment and governance functions.

Security assessments remain largely manual, but Busby said AI could help automate reporting and planning by analyzing data and generating next steps. He added agencies should use AI to help prioritize vulnerabilities, noting that CMS is approaching this from a penetration testing standpoint. The goal is to automate the process while reducing junior cybersecurity assessors’ workloads, he said.

“I think recent changes in the AI industry are going to rapidly throw vulnerabilities at every technical entity,” Busby said.