Enterprise AI Team

When Humans Are the Attack Surface

April 30, 2026

Stephen Harrison doesn’t frame AI as a futuristic buzzword. He describes it as a necessary tool in a rapidly accelerating technological and threat landscape. For the Senior Vice President and Chief Information Security Officer at MGM Resorts International, one of the world’s most complex hospitality and entertainment enterprises, artificial intelligence is already reshaping both defensive strategy and the way defenders think about innovation, risk, and human fallibility.

Harrison offered a grounded and candid view of cybersecurity today: the scale and distribution of technology, the challenges of human error, and how AI both empowers defenders and must be embraced responsibly to keep pace with attackers.

Security at Scale

MGM Resorts International isn’t a typical enterprise. It’s a sprawling hospitality and entertainment ecosystem that spans nearly half of the Las Vegas Strip and includes golf courses, sports arenas, restaurants, entertainment venues, sports betting, iGaming, and global operations beyond Vegas.

Harrison described the scale of infrastructure he must secure: “If you think about this, Black Hat, DEF CON, BSides … these conventions all coming to Vegas bring interesting challenges… and it’s not solved just by one resort or one company… we have to have a fantastic logical separation of those event spaces and those networks so that it doesn’t interact or impede core function for the services we provide.”

Every property functions almost like its own municipality, running Wi-Fi, digital keys, loyalty systems, point-of-sale, ATMs, mobile apps, and ticketing platforms, all of which add up to a vast and distributed attack surface for both conventional threats and AI-powered attacks.

AI and the Acceleration of Technology Change

Harrison pointed out just how fast AI is moving, both in enterprise adoption and in threats: “It’s hard when we’re at a period of time where there’s never been faster acceleration of technology. And whatever you thought was cutting-edge AI last week… Well, just check Twitter this week. You’re probably wrong.”

Keeping up with that pace is a strategic imperative. Harrison warned against holding the line with outdated policies, noting: “If you’re running enterprise security and… saying ‘No, our company is not going to use AI at a professional knowledge worker level,’ I think you’re doing a disservice.” AI is integral to defending an enterprise where shadow IT, shadow tech, and business innovation are already pushing technology forward.

AI as Both a Tool and an Advantage

Harrison offered a stark reality: “Every innovation that comes out is also empowering threat actors… you have ransomware as a service right now… and I would expect by next year… ransomware as a service will evolve and become more like AI as a service for threat actors.”

He pictured a future where AI is embedded into attack toolkits, not just for automation of phishing, but for entire reconnaissance-to-exploit pipelines: “They’re going to subscribe with cryptocurrency and it’s going to be not just the send a phishing email… but help me discover domains and vulnerabilities… pull exploit packages… stand up a C2 instance… and then go to town.” This isn’t science fiction. Harrison emphasized that threat actors are already using AI to automate social engineering, spoofing, and voice/phone scams in real time.

For example, he explained that attackers can already exploit generative capabilities simply by combining known personal information with spoofed channels: “Right now you’re seeing social engineering… where if I know your phone number, I can spoof your phone number… leave a voicemail with your voice… and say ‘Don’t call me back.’ That is a real world threat.”

Human Error

A central theme of the episode was how human error remains the constant in security risk, and why AI must help address it. Harrison made this point through multiple real-world examples:

  • Attackers use AI to craft convincing phishing, vishing, and SMS spam.
  • The hospitality environment, with open Wi-Fi, guest roaming, and diverse digital systems, creates natural loci of error and exploitation.
  • Technology distribution, from SaaS use to distributed endpoints, means defenders face chaos unless AI helps distill signal from noise.

He described email volume and messaging noise as a modern problem where human defenders, unaided, simply can’t scale: “You think about half of emails are like garbage right now… probably very similar internationally.” In such environments, AI is less a luxury and more a force multiplier for analyzing indicators, correlating events, and reducing cognitive load for security teams.

AI in Practice

While Harrison didn’t dive into specific product names, he touched on how AI intersects with broader security architecture:

  • Zero Trust Networking: Logical segmentation and identity-centric access control, a concept enabled and accelerated by modern analytics and AI insights, are essential for environments as distributed as MGM’s.
  • DevSecOps and AI-Secure Development: Integrating AI into development reviews and threat modeling, while also protecting AI pipelines from feedback manipulation or model poisoning.
  • Behavioral and Automated Detection: By leveraging AI to analyze anomalous behaviors across accounts, networks, and endpoints, defenders can respond faster than manual triage alone.

His framing makes clear that AI isn’t a single product, but a capability enhancer integrated into identity strategy, threat detection, and risk prioritization.

Preparing for the Next Decade of AI-Driven Threats

When looking ahead, Harrison embraces the challenges with realism: “Deep fakes… interactive Zoom calls… perfect deep fakes… That’s going to be insane.”

He noted that today’s generative models still struggle with reasoning and grounding, but that limitation will eventually diminish as newer architectures and multimodal systems improve.

The implication is clear: security teams must invest in AI tools now, not just to defend but to understand and anticipate the attack methods of tomorrow.

Practical Leadership Advice for CISOs

In the episode’s lightning round, Harrison offered grounded advice for new and seasoned security leaders alike:

  • Start a bug bounty program. Practical offensive testing exposes real risk faster than theoretical models alone.
  • Stay informed on AI evolution. He suggested subscribing to news and listening to informed voices on the topic.
  • Advice for aspiring leaders: Check ego at the door and focus on practical impact over personal clout.

These responses underscore that leadership in the AI era is about humility, curiosity, and continuous learning.

Balancing Innovation and Risk

Across his conversation, Stephen Harrison shared several strategic lessons for modern security leaders:

  • AI will empower both defenders and attackers. Teams must adopt it to stay competitive.
  • Human behavior remains the focal point of security risk. Eliminating error, or compensating for it, is more important than ever.
  • Zero Trust + Analytics are inseparable. Identity, segmentation, and behavior models are essential in distributed enterprises.
  • Speed of change demands flexibility. Siloed restrictions on AI use slow defenders while attackers adapt quickly.
  • Leadership is about learning. Continuous education and practical experimentation are key.

AI as the Future of Security

Stephen Harrison’s perspective anchors AI not as a buzzword but as a core capability for security teams facing unprecedented scale, human error, and distributed systems. In an environment where attack innovation outpaces defensive complacency, Harrison emphasizes that risk transformation, not fear, must guide security strategy.

For defenders willing to adopt AI responsibly, align it with identity and zero trust principles, and prepare for both present-day threats and future deep fakes, the next decade could bring greater resilience and deeper understanding of adversary behavior.