The Growing Debate Over Restricting Cyber-Capable AI
Artificial intelligence has fundamentally reshaped the cybersecurity landscape. Threat actors are leveraging AI-assisted tools to accelerate reconnaissance, automate phishing campaigns, and discover software vulnerabilities faster than ever before. In response, policymakers and technology companies are asking a pressing question: should access to cyber-capable AI models be gated, restricted, or tightly controlled? On the surface, the answer seems obvious. But according to Jaya Baloo, COO and CISO at Aisle, the reality is far more complicated — and the unintended consequences of restricting these tools could fall hardest on the very people trying to defend us.
Understanding What "Gating" Cyber-Capable AI Actually Means
When we talk about gating AI models, we mean placing restrictions on who can access, download, or deploy AI systems that have meaningful capabilities in cybersecurity contexts. This might include models that can write functional exploit code, identify vulnerabilities in software, conduct automated penetration testing, or assist in the discovery of network weaknesses.
Proponents of gating argue that keeping these capabilities out of the wrong hands reduces the attack surface at a societal level. If a would-be attacker cannot easily access a model that dramatically lowers the skill floor for launching a cyberattack, the argument goes, then overall cyber risk decreases. It is a precautionary logic rooted in the idea that access control equals harm reduction.
The strongest version of this argument points to a real asymmetry: sophisticated cyberattacks historically required deep technical knowledge, time, and resources. AI threatens to collapse that barrier entirely, making advanced offensive capabilities available to nearly anyone. From a policy standpoint, that prospect is alarming enough to justify restrictions.
Where the Gating Argument Breaks Down
Baloo acknowledges the surface-level appeal of this reasoning but identifies precisely where it falls apart: policymakers are misreading how attackers and defenders actually operate in practice.
Attackers, particularly well-resourced nation-state actors and organized cybercriminal groups, do not depend on publicly available commercial AI models the way defenders do. They have the funding, the personnel, and the infrastructure to develop or procure their own tools independently of any access restrictions placed on the open market. Gating a model on a commercial platform does not disarm a sophisticated adversary. It simply removes a tool from the common pool.
Defenders, on the other hand, are often working with constrained budgets, understaffed teams, and the constant pressure of protecting sprawling digital infrastructures. Security operations centers, penetration testers, threat intelligence analysts, and incident responders rely on the same AI capabilities that policymakers want to restrict. When those tools are locked away behind approval gates, bureaucratic review processes, or outright prohibitions, it is the defensive side of the equation that suffers most.
The Open-Weight Model Problem: A Double-Edged Sword
The debate grows even more complex when open-weight AI models enter the picture. Unlike proprietary, API-gated systems, open-weight models are released publicly and can be downloaded, fine-tuned, and deployed locally by anyone with the technical means to do so. Gating a commercial product does nothing to limit access to these models.
This creates a paradox at the heart of AI gating policy. Restrictive measures applied to closed commercial systems penalize legitimate users — the security researchers, the red team professionals, the enterprise defenders — while leaving the most determined bad actors entirely unaffected. Those actors will simply pivot to open-weight alternatives, many of which are increasingly capable and freely available.
Baloo's position is that this dynamic fundamentally undermines the case for access restriction as a primary policy lever. The threat model assumed by gating advocates does not match the reality of how AI proliferates or how adversaries actually source their capabilities.
Widening the Gap Between Attackers and Defenders
Perhaps the most significant risk Baloo highlights is that overly restrictive AI policies could actively widen the capability gap between attackers and defenders. If offensive actors continue to develop and deploy AI-powered tools unconstrained, while defenders face bureaucratic hurdles to accessing equivalent technology, the asymmetry that already plagues cybersecurity gets worse, not better.
This is not a hypothetical concern. Security teams already face significant disadvantages: they must defend every possible vector while attackers need only find one weakness; they operate under legal and ethical constraints that attackers ignore; and they are perpetually behind the threat curve. Adding unnecessary friction to how defenders access AI tools compounds all of these disadvantages simultaneously.
What Smarter AI Security Policy Could Look Like
Rather than blanket restrictions, a more effective approach might involve several targeted strategies:
- Risk-tiered access frameworks that distinguish between AI capabilities based on their specific harm potential, rather than treating all cyber-capable models as equivalent risks.
- Transparency and auditing requirements that hold model developers accountable for how their systems are used, without restricting legitimate defensive applications.
- Investment in defensive AI infrastructure that ensures security teams have rapid, low-friction access to the tools they need to stay competitive with adversaries.
- International coordination on AI proliferation, since unilateral restrictions by one country or jurisdiction can simply shift activity elsewhere without reducing global risk.
The Real Cost of Getting This Wrong
The question posed in the title — who pays when you gate cyber-capable AI models? — has a clear answer in Baloo's framing: the defenders pay. Organizations trying to protect critical infrastructure, sensitive data, and essential services pay. Security professionals already stretched thin across an ever-expanding attack surface pay. And ultimately, the individuals and institutions that depend on robust cybersecurity pay as well.
Getting AI policy right in cybersecurity requires moving beyond intuitive but flawed assumptions about access control. The tools that make attackers more capable are the same tools that make defenders more capable. Policy that fails to account for this symmetry does not reduce harm — it simply redistributes it in ways that favor the adversary.
As Baloo's insights make clear, the path forward demands nuance, domain expertise, and a willingness to challenge the instinct that restriction automatically equals safety. In cybersecurity, it rarely does.
