Gen AI is Redrawing the Cyber Poverty Line
- Brent Arnold


The concept of the “cybersecurity poverty line” has become increasingly relevant as generative AI reshapes the cybersecurity landscape.
Originally introduced by Wendy Nather, now Senior Research Initiatives Director at 1Password, the term describes the divide between organizations that can afford strong cybersecurity programs and those that cannot.
Being below the cybersecurity poverty line is not simply about having a limited budget. It often reflects a combination of insufficient IT investment, limited in-house expertise, difficulty attracting and retaining cybersecurity talent, weak security culture, and limited influence over the security practices of vendors and supply chain partners.
Like economic poverty, cybersecurity poverty creates structural challenges that become difficult to overcome over time.
Former CISA Director Chris Krebs later introduced a related concept: the “cyber 1%,” referring to organizations with the resources and maturity to maintain highly resilient cybersecurity programs. Everyone else falls somewhere between managing and exposed.
Where the Line Used to Be
Historically, the cybersecurity poverty line was measured through relatively familiar indicators. Organizations above the line typically had dedicated security leadership, multi-factor authentication, endpoint detection tools, incident response plans, and the ability to actively monitor and respond to threats.
Even before the rise of AI, many organizations struggled to meet these standards. Small businesses, hospitals, schools, municipalities, and infrastructure operators have often operated below the line because of limited resources and competing priorities.
This also carries regulatory implications. In Canada, laws such as PIPEDA, PHIPA, and Quebec’s Law 25 require organizations to implement “appropriate safeguards” to protect information. In practice, organizations operating below the cybersecurity poverty line may struggle to meet those expectations.
How Agentic AI Is Changing the Landscape
Agentic AI has fundamentally changed both sides of the cybersecurity equation.
Agentic AI refers to autonomous AI systems capable of carrying out multi-step tasks, making decisions, and acting with limited human supervision.
On the offensive side, AI is making cyber attacks easier, faster, and more scalable. Threat actors can now use AI tools to automate reconnaissance, generate highly convincing phishing campaigns, identify vulnerabilities more efficiently, and adapt attacks in real time. The skill level required to launch sophisticated attacks has dropped significantly.
At the same time, AI is also transforming cybersecurity defence. Many modern security platforms now include AI-powered threat detection, monitoring, and automated response capabilities.
For well-resourced organizations, this can act as a force multiplier. For organizations already below the cybersecurity poverty line, however, AI creates an entirely new layer of risk. These organizations are being asked to adopt and manage technologies they may not have the expertise or governance structures to safely control.
Organizations with mature cybersecurity programs are better positioned to manage issues such as runtime monitoring, access controls, AI governance, and non-human identities. Others may find the gap widening even further.
What This Means for Executives and In-House Counsel
The cybersecurity poverty line is no longer only a technology problem. It is a governance and legal risk problem that boards, C-suites, and general counsel must own. A few practical implications:
Know where your organization sits. The first step is an honest assessment. Not a compliance checklist, but a genuine gap analysis against current threat conditions. Organizations should already have policies in place and should be asking whether those policies are operative and whether teams have the capability to execute them against an AI-accelerated adversary.
Scrutinize AI deployments for security governance. If an organization is adopting agentic AI tools, and most eventually will, those deployments require security controls that many organizations have not yet built. This includes runtime monitoring, least-privilege access for agent identities, human-in-the-loop checkpoints for consequential actions, and incident response playbooks that account for autonomous agent behaviour.
Deploying AI without governance is not digital transformation. It is liability creation.
Third-party and supply chain risk has become existential. The cybersecurity poverty line problem is not confined to a single organization. Vendors, processors, and service providers may be operating well below it, and their exposure becomes shared exposure.
Canadian privacy law imposes accountability obligations that extend to processors. Vendor agreements should address AI governance, require attestation of security controls, and include appropriate breach notification and audit rights.
Insurance coverage is evolving, and not in organizations’ favour. Cyber insurers are paying close attention to AI governance. Policies may increasingly exclude or limit coverage for AI-related incidents where documented governance frameworks are absent.
Underwriters are also beginning to require representations about AI security controls during application and renewal processes. In-house counsel should review existing policy language carefully and anticipate tightening conditions.
Regulatory exposure is real. Canadian privacy regulators and international counterparts are beginning to treat chronic underinvestment in cybersecurity, particularly when organizations adopt technologies they cannot properly secure, as a failure to implement “appropriate safeguards.”
The organizations that fall furthest below the cybersecurity poverty line are also the most likely to experience the breach that triggers regulatory scrutiny.
Conclusion
The cybersecurity poverty line has always described a structural divide between organizations that can protect themselves and those that cannot.
Agentic AI has not erased that line. It has raised it and, in doing so, has pushed more organizations to the wrong side of it.
The organizations that will navigate this moment successfully are those that treat cybersecurity governance not simply as an IT function, but as a core component of legal, fiduciary, and executive accountability.





