Cyber Intelligence Quarterly Brief – June 2026

Cyber Intelligence Quarterly Brief - June 2026

We are pleased to introduce TECHNATION's Cyber Intelligence Quarterly Brief, a newsletter on AI and cybersecurity threats for Canadian business and government. For this inaugural edition, we've asked members of TECHNATION's Cybersecurity Task Force (CTF) pressing questions facing the industry.

A note from the Chair of TECHNATION Cybersecurity Task Force
Kevin Dawson
President and CEO, ISA Cybersecurity and Chair, TECHNATION Cybersecurity Task Force

As CTF Chair, I often reflect on the gap between where Canadian organizations are on cybersecurity, and where they think they are. AI is widening that gap faster than most leaders realize, or security teams can respond. Amid the uncertainty around the implications of Frontier AI, I posed the three questions below to hear directly from the task force about what they are seeing on the ground.

What came back was consistent, credible, and important: less about new threats than about familiar foundations under accelerating pressure. The fundamentals have never mattered more; the threat clock is running faster than traditional governance cycles were built to handle. The organizations that understand this are the ones that will still be standing, and thriving, when this plays out.

QUESTION 1: IMPACT AND URGENCY

How has the AI-enabled threat landscape, particularly in the context of emerging frontier models and related exploits, changed the pace and nature of cyber risk for Canadian organizations? Where are the most critical gaps in preparedness and what does that mean for the sector if those gaps go unaddressed?

Across all perspectives, a consistent picture emerges: AI is not introducing entirely new categories of cyber risk, but dramatically accelerating the speed, scale, and complexity of existing threats while expanding the attack surface. This acceleration is exposing long-standing gaps in visibility, governance, and organizational readiness - from technical controls to leadership awareness - faster than many organizations can adapt. As a result, cyber risk is increasingly shifting from a technical concern to a broader business resilience and strategic risk issue if these gaps remain unaddressed.

Expert Perspectives

Ben Lyons
Senior Director of Policy & Public Affairs, Darktrace

AI has changed cyber risk in two ways at once. It is giving attackers new ways to scale social engineering, impersonation, and reconnaissance, while also expanding the attack surface inside organizations that are adopting AI faster than they can properly govern it. For many Canadian organizations, AI is becoming embedded in everyday workflows, supplier services, and autonomous processes without enough visibility into what it is accessing, doing, or where data is moving.

The most serious gaps include visibility, control, and accountability. Many organizations in Canada cannot yet say with confidence where AI is in use, which agents or tools have meaningful privileges, whether sensitive data is being exposed through prompts or workflows, or whether unsanctioned shadow AI is already in the environment. They are practical weaknesses that can compound quietly until they become a security, regulatory, or operational problem.

If those gaps are left unaddressed, the sector will face a risk environment that is faster moving and harder to contain. Addressing this challenge will require organizations to understand how AI is behaving inside the business and intervene when that behaviour starts to drift.

Denis Villeneuve
Cyber Resilience & Connectivity Practice Leader, Kyndryl Canada

What I'm seeing is not a change in the core principles of cybersecurity, but a real change in pace. The issue is that AI is compressing the time between vulnerability discovery and exploitation. That puts pressure on organizations that were built to respond on more traditional patching and governance cycles. For many Canadian organizations, the biggest gaps are still the basics: incomplete asset visibility, limited understanding of end-of-life exposure, weak insight into third-party and open-source dependencies, and remediation processes that are too slow for the environment we're moving into.

We recently brought together a group of Canada's leading CISOs to discuss exactly this shift, and the consistent takeaway was that AI isn't creating entirely new risks - it's exposing long standing weaknesses faster. Organizations that cannot move from detection to remediation quickly enough are the ones feeling the pressure first.

If those gaps are not addressed, what used to sit in the background as technical debt quickly becomes an active business resilience issue.

Andrew Buckles
Executive Vice President, ISA Cybersecurity

The pace has fundamentally changed and many Canadian businesses across all sectors are still catching up on what that means for planning and response.

A year ago, DeepMind's Big Sleep found its first vulnerability. Now Google's AI-enhanced OSS-Fuzz is reporting up to a 7000% increase in vulnerability identification, and OpenAI has launched Aardvark to do the same agentically.

Bad actors are always first to adopt and AI is asymmetrically advantageous to attackers. That gap is not closing on its own and the gap will get bigger as model capabilities increase. The most critical gap I see across Canadian organizations isn't tooling - it's leadership awareness and process maturity. Many business leaders are approaching AI as another technology cycle - much like cloud or mobile - but the trajectory here is fundamentally different. The METR benchmark used to show AI capability roughly doubling every 7 months; now it's 4 months.

AI is commoditizing intelligence. Businesses that don't understand the curve aren't just at higher cyber risk, they face existential business risk.

QUESTION 2: FOUNDATIONAL READINESS AS A PREREQUISITE

Strong cybersecurity fundamentals, including risk management, identity and access management, data governance, and vulnerability management, have always mattered. As AI adoption accelerates, how critical are those basics as a prerequisite for resilience, and what is the most consequential area where Canadian organizations continue to fall short?

Across the responses, a clear consensus emerges: AI does not introduce fundamentally new cybersecurity challenges as much as it accelerates and amplifies existing ones, making foundational capabilities more critical than ever. Weaknesses in identity, visibility, data governance, and vulnerability management are no longer contained risks - they scale rapidly in an AI-driven environment, shrinking the margin for error. Ultimately, resilience will depend less on the sophistication of AI itself and more on the discipline and maturity of the underlying security foundations.

Expert Perspectives
Jatinder Mann
CEO & Founder, Cetark Corp

Here's the uncomfortable truth - most of what we're calling "AI risk" isn't new. It's old risk, running faster.

The organizations asking us how to secure their copilots and agents are often the same ones who still can't tell us, with confidence, who has access to what. Risk management, IAM, data governance, vulnerability management - these fundamentals haven't become less important because AI showed up. They've become the only thing standing between a pilot project and a headline.

If I had to name the one area where Canadian organizations consistently fall short, it's identity. Not the human kind - we've made real progress there. I'm talking about non-human identities: service accounts, API keys, machine tokens, and the permissions we're quietly handing to AI agents. That estate is expanding every week, and almost no one is governing it the way they govern employee access.

An agentic workflow with over-privileged credentials isn't an AI problem; it's a 2015 problem with a 2026 blast radius. The attacker doesn't care how your model was trained - they care that a service account with admin rights just got wired into a workflow nobody reviews.

The sector's real risk right now isn't frontier models behaving badly. It's mature organizations deploying AI on top of an identity foundation they wouldn't have approved for a human employee. If we don't close that gap quickly, the breach headlines of the next two years will read a lot like the last ten - just more expensive.

Denis Villeneuve
Cyber Resilience & Connectivity Practice Leader, Kyndryl Canada

Cybersecurity fundamentals matter more now, not less. As AI adoption accelerates, the organizations that will hold up best are the ones with strong risk management, identity and access management, data governance, vulnerability management, segmentation, and clear operating discipline. Those are not legacy concerns - they are the foundation for resilience in a faster-moving threat environment. The area where I still see many organizations falling short is visibility. If you do not know what you have, what is exposed, what is unsupported, and what is dependent on what, you cannot prioritize effectively. In an AI-driven threat environment, that lack of visibility becomes a real weakness very quickly.

Andrew Buckles
Executive Vice President, ISA Cybersecurity

The basics matter more, not less. AI doesn't replace fundamentals, it amplifies the consequences of getting them wrong. If your IAM infrastructure is fragmented, an AI-enabled attacker reaches the crown jewels faster. If your data is poorly governed, AI defense tools are flying blind. If vulnerability patching cadence is inconsistent, AI-discovered vulnerabilities will wreak havoc.

The most consequential area where many Canadian organizations continue to fall short is managing their vulnerabilities and containment controls to slow down rapid AI attacks. Not because it's the hardest problem, but because like many foundational investments, it has often been deprioritized in favour of more visible business initiatives. AI is removing the runway. The board wants to hear about an AI growth strategy, meanwhile, the foundational work of cleaning up identity, data, and vulnerability management is what actually determines whether Canadian businesses are positioned to weather the next 24 months with confidence.

Mike Carzim, MGB, CISA
Senior Manager, Governance, Global Information Security and Privacy, OpenText

As organizations accelerate AI adoption, strong risk management, identity and access management, data governance, and vulnerability management are not optional, they are the foundation for resilience.

In my view, this is best articulated in Enterprise Artificial Intelligence: Building Trusted AI in the Sovereign Cloud (OpenText), which makes a simple but critical point: you cannot layer AI on top of weak foundations and expect a resilient outcome. AI systems do not just process data, they absorb and amplify it. That means any gaps in access control, classification, or data quality are carried forward at scale.

I see this play out consistently in practice. The biggest gap is data governance. Many organizations still lack clear visibility into what data they hold, how it is classified, and who has access to it. In an AI context, that is not just a governance issue; it becomes a structural risk, because once data is embedded into a model, it cannot be easily undone without significant cost and disruption.

Ultimately, AI resilience is not about the model. It is about the discipline of the underlying foundations. Organizations that invest in governing their data and tightening identity controls will be able to scale AI safely. Those that do not will find that AI accelerates their exposure rather than their advantage.

QUESTION 3: AI AS A DEFENSE CAPABILITY

There is significant conversation, and significant misunderstanding, about what it actually means to use AI for cyber defense. What does genuinely operationalizing AI for defense look like in practice, and what organizational maturity is required before that becomes an advantage rather than an additional liability?

Across the responses, a consistent message emerges: operationalizing AI in cyber defense is not about deploying new tools, but about embedding intelligence into a disciplined, well-functioning security operating model. AI delivers value only when built on strong foundations - quality data, mature processes, and effective human oversight - and acts as a force multiplier of both strengths and weaknesses. Without that maturity, it risks amplifying noise, accelerating poor decisions, and introducing new vulnerabilities rather than improving defense.

Expert Perspectives
Ben Lyons
Senior Director of Policy & Public Affairs, Darktrace

Effective use of AI in cyber defense should be judged by operational outcomes. The question is whether it helps a security team detect meaningful deviations earlier, understand them faster, and respond with greater precision across a complex environment.

In practice, it means using AI to understand what is normal across the business, detect subtle deviations in real time, and help security teams act on high-quality signals rather than drown in noise. That matters because modern threats, especially those involving AI systems, often do not look obviously malicious at first glance. They unfold through small anomalies in behaviour, access, prompts, data movement, or agent activity that static rules will miss.

For that to become an advantage, organizations need a certain level of maturity first. They need strong telemetry, clear governance, disciplined identity and access controls, and teams that know how to investigate and respond. Without that foundation, AI can become another layer of noise. Used well, it can transform defenders' ability to detect quickly, and remediate at pace, with enhanced understanding.

Denis Villeneuve
Cyber Resilience & Connectivity Practice Leader, Kyndryl Canada

There is a lot of conversation right now about using AI for cyber defense, but in practice, operationalizing it is less about the tool and more about the operating model around it. Used well, AI can help improve triage, correlate signals, prioritize exposures, and support analysts and operators in making faster decisions. But it only becomes an advantage if the organization already has the basics in place: good telemetry, sound data governance, clear decision rights, tested playbooks, and strong human oversight. Without that maturity, AI can just as easily create more noise, speed up poor decisions, or introduce additional risk. AI in cyber defense works best when it is built into a disciplined security and IT operating model, not layered on top of a weak one.

Andrew Buckles
Executive Vice President, ISA Cybersecurity

There is a lot of noise in the market right now about AI for cyber defense, and it can be difficult to determine where genuine capability lays. A SIEM vendor adds a chatbot and calls it AI defense. That's not what we're talking about. Genuinely operationalizing AI for defense means it's woven into how the SOC actually works. Triage, threat hunting, vulnerability prioritization, IR playbook execution. It requires clean telemetry, solid data governance, and a security operations baseline that already functions without AI. You can't bolt intelligence onto chaos.

The maturity required is something many organizations are struggling to achieve. If your detection engineering is weak, AI makes you faster at being wrong. If your data is dirty, AI hallucinates with confidence. AI defense is a force multiplier, including of your gaps. The broader question that must be explored together is what cybersecurity looks like when AI commoditizes both attack and defense simultaneously? Canadian businesses can position themselves to navigate that shift with the right partners and the right foundations in place.

Closing Reflections from the Chair

Kevin Dawson
President and CEO, ISA Cybersecurity and Chair, TECHNATION Cybersecurity Task Force

Every respondent landed on the same themes - and when task force members across different organizations and specializations independently arrive at the same conclusions, that tells you something. Visibility, identity, data governance, and vulnerability management are not prerequisites to the interesting AI security work. They are the work.

The finding that concerns me most is identity - specifically, the governance of non-human identities. Service accounts, API keys, agent credentials, and machine tokens are just part of an inventory that's growing across environments faster than most organizations are tracking them, let alone governing them. Over-privilege has always been a problem: with agentic AI, the difference is the speed and autonomy of exploiting those permissions.

AI is not introducing new categories of risk: it is accelerating the exposure of weaknesses organizations already have and cannot afford to ignore. AI is a force multiplier, amplifying both organizational strengths and existing security gaps. Deploying AI defense tools on top of weak foundations just means making poor decisions faster.

The leadership awareness gap is underappreciated. Frontier AI introduces autonomous decision-making, scalable exploitation capability, and a dramatically accelerated attack surface. Organizations that treat AI as just another technology cycle like cloud, mobile, or SaaS are misreading the trajectory, and a breach will be an expensive way to learn the truth.

The collective message from the task force carries real urgency. The next 24 months will separate organizations that built the right foundations from those that chased visible AI initiatives while technical debt compounded quietly in the background. Canadian organizations that understand this are well positioned to act. The window is open - for now.