Identity Security as a Career On-Ramp: What One CISO Actually Thinks
Silverfort's John Paul Cunningham argues AI is opening doors in cybersecurity rather than closing them — and identity is where new practitioners should focus first.

Key points
- Silverfort CISO John Paul Cunningham stated publicly that AI in cybersecurity workflows creates opportunities rather than eliminating jobs.
- Identity security is named as a practical entry point for practitioners new to the field.
- The comments surfaced in a video segment first published by Dark Reading.
- No CVEs, threat actors, or breach data underpin the claims — this is practitioner opinion.
Career advice from CISOs tends to age poorly. Technology shifts, threat priorities rotate, and the skill that looks essential in January looks table-stakes by Q3. So when Silverfort CISO John Paul Cunningham makes a claim about where newcomers should focus, it's worth stress-testing the reasoning rather than taking it at face value.
His core argument: AI is not compressing headcount in security teams. It is changing what those teams do. That distinction matters. The concern that AI automates analysts out of existence assumes the work is static. It isn't. Detection pipelines, triage workflows, identity governance reviews — these are expanding in scope even as tooling accelerates parts of the process.
Identity is the specific domain Cunningham points to. That tracks with where attacker focus has moved. Credential abuse, session token theft, MFA bypass — the bulk of initial access tradecraft in 2024 and 2025 runs through identity infrastructure rather than perimeter exploits. Microsoft's threat data consistently shows that compromised identity is the dominant entry vector across enterprise intrusions. For someone trying to build relevant skills, understanding how authentication and authorization systems fail is not a niche concern. It is foundational.
Still, a few caveats are worth keeping in mind.
Cunningham works for an identity security vendor. His incentive to frame identity as the essential discipline is not hidden. That doesn't make the argument wrong — but it should be weighted accordingly.
The claim that AI creates more roles than it displaces is also not unique to security. It is the standard technology industry position, and the evidence base is still thin. What is more defensible is the narrower point: AI tools currently augment analyst judgment rather than replace it. Prompt-to-detection pipelines still require someone who understands what they're hunting for.
For defenders considering where to build depth, identity governance and authentication abuse are legitimate focus areas. So are cloud entitlements, non-human identity management, and the intersection of both with AI service accounts — an attack surface that barely existed three years ago.
One CISO's video segment is a data point, not a career plan. But the underlying signal is defensible.



