The cybersecurity landscape currently resembles a scene from the gold rush, where enthusiasm mixes with deep uncertainty and promises of instant profits clash with the cold pragmatism of spreadsheets.
The latest data coming out of the consultancy sector, including widely reported analysis from EY, paints a fascinating picture, albeit one that is far from hugely optimistic. Almost every security leader (96%) sees AI as the cornerstone of modern defence, but when the battle dust of deployments settles, it appears that real return on investment remains an elusive mirage for many.
This specific ‘agent paradox’ is becoming a focal point of discussion in Polish and global boardrooms. On the one hand, there is an almost religious faith in technology; on the other, there is a hard landing in the reality that half of organisations are unable to generate a satisfactory return from AI tools. In a business world where every zloty spent on IT must be justified by a measurable increase in efficiency, this situation is becoming increasingly difficult to accept without a deeper revision of existing strategies.
Anatomy of costly optimism
The disappointment resulting from the low ROI is not evidence of a weakness in the technology itself, but rather a testament to the immaturity of its implementation processes. Many organisations have fallen prey to the belief that artificial intelligence is a ‘boxed’ product that, once installed, will automatically patch the holes in the security system. Meanwhile, algorithms in cyber security act more like advanced surgical instruments – their effectiveness is directly correlated to the skills of the operator and the quality of the sterile environment in which they work.
In the Polish business context, where IT budgets are often planned with great caution, investing in expensive licences without adequate analytics leads to dead resources. Companies are happy to buy an ‘engine’, forgetting the need to provide quality fuel in the form of structured data.
As a result, sophisticated agent tools, instead of autonomously detecting APT threats, become mere costly notification generators that have to be verified by overloaded analysts anyway. The situation is complicated by the fact that the aggressors are not lagging behind. Since hackers are also using AI to automate attacks, simply having AI ceases to be a competitive advantage and becomes just a ticket to the game of survival.
Agent = liability
A key misunderstanding that inhibits return on investment is equating ‘task automation’ with ‘agency operations’. The former allows a machine to perform simple, repetitive tasks, freeing up precious minutes of human labour. However, the real potential lies in the latter – in autonomous agents capable of making split-second decisions. The problem is that moving to this level requires a huge amount of trust in the algorithm, which most organisations are not yet ready for.
The lack of this trust manifests itself in a phenomenon known as the ‘black box’. Security leaders are afraid to hand over the reins to the machine because they do not understand the logic behind its operation, and the possible hallucinations of AI at critical moments in an attack could have catastrophic consequences. This leads to decision paralysis, where technology that is supposed to speed up the response, paradoxically slows it down by requiring multi-step human verification.
Additionally, the labour market in Poland drastically verifies ambitious implementation plans. Staff shortages among specialists able not only to operate, but also train AI models, mean that even the best software remains untapped potential.
The foundation for a new management culture
Getting out of the low ROI quagmire requires a paradigm shift: from technology to management. Only a handful of companies (20%) have so far managed to integrate an AI management culture into day-to-day operations. The others treat these issues as an unpleasant regulatory obligation, rather than seeing them as an opportunity for optimisation. A robust governance framework is not just a set of prohibitions and prescriptions, it is first and foremost a mechanism to ensure the reliability of the data and the predictability of the algorithm’s actions.
Without a precise definition of where machine autonomy ends and human responsibility begins, investment in AI will continue to generate more questions than answers in quarterly reports.
From expenditure to capital
In order for AI investments to begin to realistically earn their keep, organisations must abandon the vision of AI as a ‘silver bullet’ solving all cyber security problems at the click of a button. A successful strategy requires patience and focus in three key areas.
The first is internal education to enable teams to work seamlessly with AI agents.
The second is the standardisation of processes, without which even the most intelligent tool will get lost in organisational chaos.
The third is a bold but controlled transition from the automation of single activities to complex agency operations.
Instead of asking how much money can be saved with AI, business leaders should start asking how much a company’s resilience to incidents can be increased with the same human resources. After all, the value of AI in cyber security does not manifest itself in reduced licence costs, but in avoiding astronomical losses due to production downtime or reputational damage.
In the Polish business ecosystem, the winners will be those who understand that the agent paradox is solved not by buying a newer version of software, but by managing wisely and rigorously what they already have.
Investing in AI is a marathon in which the fastest start does not guarantee success. Only by combining technological finesse with corporate discipline will it be possible to surpass the magic million-dollar profit barrier and make algorithms truly viable allies in the digital war.
