How Fifty Years of Falling Skill Floors Changed What Your Company Needs to Build

In 1971, a guy named John Draper figured out that the toy whistle packed into boxes of Cap'n Crunch cereal blew a perfect 2600-hertz tone, the exact frequency AT&T's long-distance network used to signal that a line was idle. Blow the whistle into a payphone and the phone company's own switches handed you free calls to anywhere on Earth.

To pull that off, Draper had to understand the phone system better than most of the people who built it. He spent years reverse-engineering infrastructure that a major corporation had designed, deployed, and maintained. That kind of knowledge was rare and genuinely hard to acquire, and that rarity mattered: if attacking a system required years of specialized expertise, most people simply couldn't do it. The distance between what an attacker needed to know and what most people could realistically learn was one of the most effective security controls in existence, even if nobody thought to call it that. Simply put, it kept the population of capable attackers relatively small.

But over the last fifty years, the tools and knowledge required to launch an attack have become progressively cheaper, faster, and easier to acquire. How that happened is the most important thing any organization can understand about the threat environment it operates in today.

The Skill Floor Has Been Falling for Fifty Years

Walk through the generations of attackers and you can watch the required knowledge level drop.

The phone phreakers of the 1970s, a loose community of hobbyists and early hackers who, like John Draper, exploited the telephone network for free calls and later more serious intrusions, had to reverse-engineer a continental infrastructure with homemade tools and hard-won knowledge shared through underground newsletters. Breaking into something meant understanding it first, deeply, which kept the number of people capable of doing it very small.

The hackers of the 1980s and 1990s, the generation that produced figures like Kevin Mitnick, operated through early online bulletin board systems where technical knowledge was currency. There was no Google, no YouTube tutorial, no Stack Overflow. Learning to break into a system meant months of reading, experimentation, and social engineering your way into conversations with people who knew more than you did. The barrier was time and dedication as much as raw intelligence.

The 2000s introduced the script kiddie, a term for someone who couldn't write an exploit from scratch but could download one someone else had built. Tools like Metasploit turned years of specialized research into prepackaged exploits that anyone willing to follow basic instructions could run. The skill floor dropped from "understand the system deeply" to "follow the readme."

The 2010s dropped it further still. Ransomware-as-a-service turned cybercrime into something closer to a franchise model, where criminal organizations built and maintained the malware and rented access to it for a cut of the proceeds. Affiliates, the people actually deploying the attacks, didn't need to understand encryption or network intrusion. They needed to fill out an application and follow operational guidelines. The skill floor fell from "follow the readme" to "meet the minimum requirements."

Each generation of attackers didn't get more sophisticated. Instead, the tools got good enough that sophistication became less necessary. And every time the floor dropped, the population of people standing on it grew.

The Next Generation Won't Learn to Hack. They'll Ask.

Generation Beta, the children being born from 2025 onward, are the first humans who will grow up never knowing a world in which you couldn't describe what you wanted to a machine in plain English and have it attempt to make that happen.

Imagine what that may mean for a curious, technically unsophisticated teenager in 2040. Rather than spending months learning networking concepts, programming languages, or the mechanics of authentication systems, they can describe an outcome they want in conversational language and work iteratively with an AI model until they get there. The model supplies the technical knowledge they never learned. The gap between wanting to do something and being able to do it collapses to the time it takes to have a conversation.

The evidence is already here. Jailbroken and purpose-built criminal AI models like WormGPT and FraudGPT were being marketed on underground forums years ago, explicitly positioned for people who wanted to write phishing emails or malware but didn't know how. Voice cloning tools that require only seconds of sample audio, enough to grab from a public LinkedIn video or a company podcast, are widely available today.

The infrastructure for AI-assisted attacks already exists. Generation Beta is simply the first group that will grow up treating all of it as unremarkable background technology, the same way earlier generations treated Google or smartphones.

Why the Old Defenses Are No Longer Enough

For the last two decades, a meaningful share of what kept small and mid-sized businesses safe had less to do with their security stack and more to do with the economics of attacking them. Phishing emails were easier to catch because the people writing them often wrote badly, with grammatical errors and awkward phrasing that trained users learned to spot. Social engineering calls failed because callers didn't know the organization's internal structure, its terminology, or what the CFO's voice sounded like. And many smaller organizations simply got skipped over because the manual labor required to attack them wasn't worth the return.

AI changes the economics of all three simultaneously. Phishing emails are now fluent, personalized, and contextually accurate. Voice cloning means the call can sound exactly like whoever the attacker needs it to. And the marginal cost of targeting a twelve-person accounting firm versus a mid-sized healthcare organization rounds to approximately zero, which means the protection that came from being small and not worth the effort is gone.

This is the shift that organizations need to internalize. The old model allowed for security that scaled down based on size, because the logic held that smaller organizations faced lower threat exposure. That logic was always partly dependent on attacker economics rather than the strength of the security program.

When those economics change, the logic must change with them.

What You Need to Do Differently

The oldest member of Generation Beta is currently a toddler. That's the head start. The question is what you build with it, and the answer requires revisiting assumptions that have been baked into normal business processes for years.

Kill voice as a verification channel. Write it into your runbook and make sure every department has the same policy: no payment change, wire transfer, gift card purchase, or MFA reset gets approved based on an inbound phone call, regardless of how familiar the voice sounds. One sentence covers it: hang up and call the number already on file. This is the specific control that addresses the precise risk AI voice cloning creates, and it costs nothing to implement.

Rebuild phishing training around fluency rather than errors. Teaching users to spot typos and broken English is now counterproductive because the phishing emails coming at them are well-written, personalized, and contextually plausible. The signals that survive AI assistance are behavioral: unexpected urgency, requests to move money or credentials, and changes to payment or account details. Run your next simulated phish with a polished, personalized lure and find out who's still operating on the assumption that bad emails look bad.

Stop scaling security programs down based on size. If you’re still thinking that your employee count or revenue numbers allow for lighter security coverage on the basis that you face lower risk, revisit that model. The economic protection that came from being a small, manual-labor-intensive target has been removed. A 12-seat law firm is now as viable a target for an automated attacker as a 500-seat enterprise, and your security controls should reflect that.

The Whistle Is Now a Sentence

John Draper needed years of deep, specialized knowledge to do what he did with a cereal toy whistle. The generations that followed needed progressively less. The generation being born right now will need almost none at all, because the tools will supply whatever knowledge they lack.

The skill floor protected you for fifty years without anyone naming it as a security control. The work of replacing what it did falls to the people whose job it is to keep your organization secure. That conversation needs to be happening now, before the first generation of attackers who never had to learn anything arrives to demonstrate why it mattered.

If you want to go deeper on building the governance layer that makes that conversation actionable, I'm covering exactly that at our AI security seminar, Beyond Intelligence, on July 22nd. My session goes past acceptable use policies and into the decision architecture that keeps AI adoption from outpacing oversight: who approves new tools, what data they can access, and where accountability sits when something goes wrong.