Palo Alto Networks says AI is reshaping cybersecurity policy and threat response

Author:

Using an unordered list, summarize the following article with between 4 and 8 key points.

Palo Alto Networks executives said governments need to adapt cybersecurity policy as AI enters public systems, national security, and economic security.

Governments are reviewing how cybersecurity policy should apply to artificial intelligence as the technology enters public-sector systems, national security, and economic security discussions, according to Palo Alto Networks executives.
Speaking at the Palo Alto Networks Ignite on Tour Kuala Lumpur 2026 Media Roundtable, Nicole Quinn, Vice President for Policy and Government Relations at Palo Alto Networks, said traditional policymaking timelines are under pressure as AI adoption moves faster than legislative processes.
Quinn said policy development usually follows a three-to-five-year cycle involving working groups, consultations, and structured review. AI does not fit comfortably into that model because governments are having to respond while the technology is still changing.
She described the challenge as “building the plane and flying it at the same time,” referring to the difficulty of forming policy while AI is already being deployed across organizations and public systems.
According to Quinn, AI has moved beyond customer service and productivity use cases. It is now entering areas linked to national security, economic security, and government operations.
That creates a policy challenge for governments still working with older technology environments. Security has often been added at the end of technology implementation, rather than built into systems from the start, she added.
Securing AI inside organizations
Secure AI by design should be part of how governments and organizations deploy AI systems, Quinn said. The process involves discovering where AI is being used, assessing what it is doing, governing its use, and protecting the systems around it.
She also pointed to the rise of shadow AI as a concern for enterprises and public-sector organizations. Organizations cannot simply ban AI use, she said, as employees may move the activity outside approved systems, creating data leakage risks.
Malaysia’s approach to cybersecurity and AI governance was also discussed during the roundtable. Quinn said Malaysia has embedded security into its AI policy direction and referred to its use of international standards, including NIST frameworks.
Consistency with international frameworks matters for multinational companies that must comply with different sovereign and legislative requirements, she said. A common approach makes it easier for companies to support local entities and organizations operating across markets.
AI agents raise access concerns
The discussion also covered the role of AI agents in enterprise environments. Quinn said companies need to treat AI agents in a similar way to human users from an identity and access management perspective.
Organizations need to know what an AI agent is doing, where it is operating, and what systems it can access. Without clear identity controls, an agent could reach systems or data that the human user behind it should not access.
Sarene Lee, Country Director for Malaysia at Palo Alto Networks, said AI use in Malaysia remains at an early stage, but the related attack surface can expand if organizations do not address cybersecurity controls. Broader use of AI by end users can expose more people inside large organizations to risk.
Organizations need to consider both internal and external attack paths, Lee said. Internally, browser security and user access remain key areas that companies need to manage.
From the external side, Lee pointed to multi-cloud environments. Organizations that rely only on native security controls within each cloud may lack a unified view across their cloud infrastructure.
Attack response times narrow
The speed of attacks was another focus of the discussion. Lee said attackers can enter an environment and exfiltrate data within about 15 minutes.
Even if an organization detects an attack within that time, manual response processes can be too slow. By the time teams gather people, arrange a call, and decide what to do, the data may already be gone.
Lee later said Palo Alto Networks had discussed attack response times of around 20 minutes at an event three months earlier. The figure had moved to 15 minutes and then to less than 10 minutes for defense, based on the company’s current discussion.
Quinn said the issue is not only whether attackers can be stopped from entering a system. Organizations also need to detect and contain them quickly once they are inside.
Mean time to detect and mean time to defend are becoming central measures, she said. The aim is to stop attackers from moving across systems after initial access.
Using AI against AI-enabled threats
Both speakers said AI is being used by attackers and defenders. Quinn said organizations cannot turn away from AI because adversaries are also using it.
She described the current environment as machine defense against machine attacks. Palo Alto Networks is using AI in its systems because manual response alone cannot keep pace with automated attacks, she said.
Lee said AI has not introduced a new category of cyberattack, based on what the company is seeing. Instead, it has changed the speed and scale at which attacks can be conducted.
AI allows security teams to analyze patterns and connect smaller incidents faster, Lee said. In a siloed environment, separate tools may identify separate events without showing that they are linked to a larger attack.
Quinn said Palo Alto Networks’ Unit 42 research team and global customer base provide data that supports its security models. The company receives telemetry from cloud, on-premises, endpoint, and other environments.
Deepfakes and digital trust
The roundtable also addressed AI-driven impersonation, deepfakes, voice cloning, and social media scams. Quinn said attackers use fear and speed to mislead users.
Deepfakes and AI-generated content make user education important, Quinn said. She compared it with email security awareness, where users are trained to identify messages that do not look legitimate.
Lee said social media risk is no longer limited to human users. AI agents can be used to create communities that appear to be run by people.
Bad actors could use such communities to build trust with users and develop scams around shared interests or online groups, she said.
The discussion also touched on the role of government policy in elections and public trust. Lee said AI-generated content could be used to falsely attribute statements to politicians or mislead voters.
Quinn said public trust in digital government services depends on secure and transparent systems. If citizens do not trust the entities running public systems or the processes behind digital transformation, it becomes harder to address misinformation and abuse.
Lee added that trust works in both directions. Citizens need to trust government systems, while governments need to protect citizens’ data.
Preparing for quantum risks
Quantum security was raised as another area for government and enterprise planning. Quinn said many countries are moving toward quantum-readiness deadlines around 2030, while Malaysia currently has more of a recommendation than a fixed timeframe.
Unit 42 research has seen “harvest now, decrypt later” activity, she said, where nation-states collect encrypted data today with the aim of decrypting it when future quantum capabilities become available.
The targets are not limited to traditional national security or intellectual property assets. Economic planning information, including government spending plans and local development data, can also be valuable to nation-states, Quinn said.
She said governments and companies should start preparing for post-quantum encryption.