AI Is Making Rich Organisations Even Safer. What Happens to Everyone Else?
A growing body of security leaders says artificial intelligence is deepening a divide that has existed for years between well-resourced organisations and those just trying to keep the lights on.

Key points
- Amazon Web Services says AI has cut the time to build defences after security testing from up to ten months down to roughly 15 minutes, according to its chief security officer.
- The Trump administration directed federal agencies in 2025 to expand AI-enabled cybersecurity access to rural hospitals, community banks, and local utilities.
- Security researcher Wendy Nather introduced the concept of the "security poverty line" in 2011 to describe organisations that simply cannot afford effective security, and experts say AI adds a new dimension to that old problem.
- Organisations that cannot pay for enterprise AI licences may be forced to share sensitive data with providers to access cheaper tools, trading privacy for affordability.
- Several security leaders believe the gap in access to advanced AI models may close within a few years as cheaper, open-source alternatives improve.
At Amazon Web Services, the largest cloud computing company in the world, artificial intelligence is already collapsing timelines that used to stretch across months. Steve Schmidt, chief security officer at AWS, told CSO Online that the gap between finding a security weakness and building a defence for it once ran "two, four, six, eight, ten months." Now, he says, that same process takes about 15 minutes, with an outside limit of four hours.
That is an extraordinary shift. It is also available, for now, mainly to organisations with the money and engineering talent to build it.
Could this widen the gap between safe and unsafe organisations?
Yes, and several security leaders say it already is. The concern is straightforward: large, well-funded organisations use AI to find and fix their own weaknesses faster than ever. Smaller organisations, still struggling with basics like patching software and monitoring for intrusions, cannot keep up.
Matt Warner, co-founder and chief technology officer at security firm Blumira, is direct about it. "I would go even a step further and say that there has been a class divide for the last 10 to 15 years," he told CSO Online. AI does not create the problem, he argues. It makes the gap more visible and more severe.
His illustration is concrete. A county in Michigan with 2,000 employees and two IT staff members does not have spare time to experiment with AI tools. Those staff are already putting out fires.
Anton Chuvakin, a security advisor at Google Cloud, points back to Nather's 2011 "security poverty line" concept. That framework described organisations that lack the money, expertise, or influence to protect themselves properly. Chuvakin's view is that AI adds a new layer to that model rather than breaking it. And he flags a nuance worth noting: the real scarcity may be skilled people, not model costs. "Prices for people won't drop, but prices for LLMs," meaning large language models, the AI systems behind tools like ChatGPT, "may drop," he says.
Wendy Nather herself, now at password-management company 1Password, identifies a sharp new twist on the financial problem. Organisations that cannot afford an enterprise AI licence may turn to cheaper consumer versions that process their data on the provider's servers. They get the tool, but they give up privacy in the bargain. Token-based pricing, where organisations pay per unit of AI processing they consume, adds a second problem: nobody knows in advance what the bill will be.
Not everyone thinks the divide is permanent. Dave Baggett, a senior vice president at IT-management firm Kaseya, argues that open-source AI models and falling hardware costs are closing the gap faster than most people expect. His read is that within a few years, smaller organisations and independent security researchers will be able to run capable models locally, putting defenders and attackers on roughly equal footing again.
For now, if you work for a smaller organisation, a local government, a community hospital, or a regional business, the practical takeaway is simple. Understand what basic security your organisation actually has in place. Patch software regularly. Train staff to spot phishing emails, which are fake messages designed to trick people into handing over passwords or clicking harmful links. Those fundamentals remain the baseline, regardless of where AI eventually lands.



