‘Perfect storm of risks’ ahead for 2025, according to F5’s Chuck Herrin

Chuck Herrin
Field CISO at F5

Chuck Herrin, Field CISO at F5, warns that 2025 will see a ‘perfect storm of risks’, with the growing hype surrounding AI opening us up to attack. 

2024 marked the industrialisation of AI-powered attacks, where adversaries moved beyond experimentation to systematic exploitation.

We saw AI not just amplify familiar attacks but democratise advanced techniques like hardware hacking that were previously limited to elite threat actors. In 2025, we’ll likely see this challenge compound as adversaries leverage AI to probe federal systems during tumultuous times across the world.

A world of AI is a world of APIs

Looking towards the whole of 2025, we will continue in a global AI race condition, where everyone from small businesses to nation states is adopting AI at breakneck speed because “if we don’t, ‘they’ will”, and every organisation has a ‘they’ to worry about.

However, the AI race condition isn’t just about adoption speed. It’s creating a dangerous feedback loop where the pressure to deploy AI faster makes us more dependent on it to manage the complexity we’re creating. I expect to see a push for government efficiency through rapid AI adoption, which is likely to create significant security vulnerabilities. 

In many ways, we’re seeing a dangerous parallel to the rushed cloud adoption of the early 2010s, but with higher stakes. Organisations need to focus on AI architecture and defence in depth, with API security as a critical control point. Every AI interaction happens through APIs, making them both the enabler and the potential Achilles’ heel of this transformation.

Organisations today are woefully unaware of their API ecosystem and attack surface, and I often say, ‘a world of AI is a world of APIs’. APIs are how AI models are trained, used, and attacked, and our estimates are that roughly 50% of APIs are unmonitored and unmanaged.

Supply chain nationalism

Supply chain nationalism isn’t just about reshoring – it’s forcing a fundamental rethinking of digital architecture. As geopolitical tensions rise and new tariffs may take effect, organisations caught between efficiency mandates and supply chain restrictions will likely create new classes of systemic risk as they attempt to do more with less. I anticipate the acceleration of more geofencing and sovereign cloud approaches, and critical supply chains that cannot be quickly onshored will likely result in component and other shortages, delaying some critical projects. 

At the same time, the push for efficiency for some governments is likely to reduce the effectiveness of supplier due diligence and governance, increasing third- and fourth-party risks. To manage these risks and reduce the number of vendors and associated due diligence with reduced staffing levels, we’ll see increased focus on AI adoption and platform consolidation to reduce supply chain risk and ensure critical systems are sourced from trusted vendors.

A perfect storm of centralised risk

Right now, we’re seeing a confluence of three dangerous trends: the centralisation of risk in relation to key AI platforms, the proliferation of unmanaged APIs connecting these systems, and a reduction in human oversight precisely when it is needed the most. This creates both technical vulnerability and institutional brittleness.

Budget cuts and efficiency mandates will accelerate the push of agencies toward shadow AI solutions, inadvertently centralising vulnerabilities around a handful of AI vendors. This creates perfect ‘watering hole’ targets – compromise one frontier model, and the impact cascades across multiple agencies. We’re building a monoculture of AI systems connected by unmanaged APIs, while simultaneously reducing oversight and governance.

Overtrust is another concern. Just as early GPS users drove into fields and lakes because ‘the computer said to turn right’, this combination of overtrust in AI and reduced oversight could impact everything from policy decisions and intelligence analysis, to emergency response. This perfect storm of centralised risk arrives exactly when multiple regional wars ramp up geopolitical tensions and rivals are increasingly brazen in probing for weaknesses.
