For three years the cybersecurity industry has been sounding the alarm about AI in the hands of hackers.
The assumption was simple. Powerful tools plus criminal intent equals catastrophic new threat.
The research just came back.
The assumption was wrong.
A team from the Universities of Edinburgh, Cambridge and Strathclyde just published the first study of its kind. They analyzed over 100 million posts from underground cybercrime forums. Dark web discussions. Criminal communities experimenting with AI tools in real time. The full picture of what the hacker community has actually done with AI since ChatGPT launched in November 2022.
The finding that should stop every executive in their tracks:
Cybercriminals are struggling to use AI effectively.
Not thriving. Struggling.
Most of them lack the skills and resources to make AI work in their criminal operations. The tools that require real knowledge to operate are mostly being used by people who already had that knowledge. AI hasn’t lowered the skill floor for cybercrime the way the industry feared. It has mostly given already capable actors a modest efficiency gain.
That is not the catastrophe the industry has been warning about.
But here is where the story turns.
The researchers didn’t say the threat is gone. They said the threat is coming from a completely different direction than everyone was watching.
The most pressing risk is not criminals adopting AI.
It is legitimate companies and ordinary people deploying poorly secured AI systems and handing criminals a door that requires almost no skill to walk through.
Dr. Ben Collier from the University of Edinburgh said it plainly.
“The immediate danger comes from companies and members of the public adopting poorly secured AI systems themselves, opening them up to catastrophic new attacks that can be performed by cybercriminals with little effort or skill.”
Read that again.
Catastrophic attacks. Little effort. Little skill.
Not because the criminals got smarter. Because the builders didn’t govern what they built.
There is a second finding in this research that deserves its own conversation.
Agentic AI systems.
AI that doesn’t just answer questions. AI that acts. AI that makes decisions and carries out tasks autonomously without a human in the loop at each step.
The researchers identified poorly secured agentic systems as one of the most urgent emerging risks. Not because the agents are malicious. Because they are powerful and unsecured and operating in environments where nobody has asked the hard questions about what happens when something goes wrong.
An agentic system that can book appointments can also be manipulated into booking the wrong ones. A system that can send emails can be turned into a social engineering tool. A system that can execute code can be pointed at infrastructure by someone who never had to write a line themselves.
The capability is not the problem. The governance gap around the capability is the problem.
Then there is vibecoding.
The researchers flagged insecure code written by AI — what they called vibecoded products — as a distinct category of risk. Legitimate companies. Real products. Shipped to real customers. Built by developers who used AI to generate the code without fully understanding what the code was doing or whether it was secure.
The criminal doesn’t need to be sophisticated to exploit a vibecoded vulnerability. They just need to find the door the builder left unlocked because they didn’t know it was there.
This is not a hypothetical. This is happening now. The study was peer-reviewed and will be presented at the Workshop on the Economics of Information Security in Berkeley in June 2026. This is the research community telling the industry what it has already found in the data.
Here is what all of this points to.
The cybersecurity threat that keeps researchers up at night is not the hacker who figured out how to use AI.
It is the builder who shipped AI without governing it first.
It is the company that deployed an agentic system without disclosure protocols. Without boundary transparency. Without session-level integrity checks. Without any mechanism for the system to name what it can and cannot do before it does something it shouldn’t.
It is the developer who wrote code with AI assistance and trusted the output without verifying it. Who shipped a product with an unlocked door because the AI made it easy to build fast and nothing in the process required them to slow down and ask whether the door was locked.
The criminal doesn’t need skill when the door is already open.
This is the Baseline’s front door.
The Faust Baseline was not built to stop hackers.
It was built to govern the AI session before the output leaves. Before the code ships. Before the agentic system acts. Before the door gets built without a lock.
Every protocol in the Codex 3.5 stack addresses a specific point where ungoverned AI behavior creates risk. Not criminal risk. Operator risk. Builder risk. The risk that comes from a system operating without disclosure. Without evidence standards. Without constraint transparency. Without a mechanism that requires the AI to name what it is actually doing versus what it appears to be doing.
BLP-2 requires the AI to name the boundary before it serves constrained output.
RBP-1 requires the AI to distinguish policy compliance from genuine reasoning.
CRP-1 requires the AI to disclose when training constraints are shaping the response.
Those aren’t bureaucratic requirements. They are the locks on the door.
The study from Edinburgh, Cambridge and Strathclyde just confirmed what fourteen months of operational testing already found.
The threat isn’t the criminal with a new tool.
The threat is the builder who shipped without governance.
The guardrails on major AI platforms are working better than expected against direct criminal manipulation. That is genuinely good news. The researchers said so and the data supports it.
But guardrails on a platform don’t govern the agentic system a company deploys on top of that platform. They don’t govern the vibecoded product that went to market last quarter. They don’t govern the internal AI tool that nobody secured because nobody thought to ask what happens when it gets pushed past its boundaries.
Platform guardrails are the locks on the manufacturer’s door. They don’t lock the door you built with the manufacturer’s materials.
That door is your responsibility.
The criminals are watching the industry figure this out in real time.
They are not waiting for AI to make them smarter. They are waiting for the industry to hand them another unlocked door. And based on the deployment pace of agentic systems and vibecoded products the researchers are tracking, the supply of unlocked doors is not shrinking.
The question is not whether AI governance matters.
The research settled that.
The question is whether the builders who need to hear this are paying attention before the door opens.
“The Faust Baseline Codex 3.5”
Author of the category “AI Baseline Governance”
Unauthorized commercial use prohibited. © 2026 The Faust Baseline LLC






