COMMENTARY: How AI will revolutionize cybersecurity in 2025

Federal cybersecurity is a complex landscape shaped by evolving regulations, funding constraints, and the increasing adoption of artificial intelligence.

As agencies navigate CISA’s Secure by Design pledge, the transition to zero trust architectures, and the emphasis on secure software development, they must balance these priorities with limited resources. AI offers a promising solution to automate certain tasks, improve efficiency, and enhance security.

In 2025, AI will revolutionize software development as a proactive tool for refactoring legacy code and automating compliance. Alongside Software Bill of Materials (SBOM), AI will empower federal agencies to modernize their technology stack and strengthen the nation’s cybersecurity posture.

Here are four changes we can expect to see in federal cybersecurity in 2025:

A shift from reactive to proactive AI in software development

As cyber threats evolve, AI is no longer a luxury but a necessity for federal agencies. The Department of Homeland Security’s use of AI to sift through cybersecurity data is a prime example of this trend.

AI adoption will accelerate in the coming year, particularly autonomous AI that can revolutionize threat detection and response, potentially reducing response times from days to minutes.  AI can identify new vulnerabilities and anomalies far more efficiently than human analysts, especially for resource-constrained agencies.

However, it’s crucial to remember that AI requires human oversight and expertise to fully realize its potential, such as optimizing prompts, validating outputs, and driving strategic innovation.

AI will play a critical role in code modernization initiatives

Another way to mitigate vulnerabilities with AI is by using it to assist in modernizing legacy code. The federal government has prioritized memory-safe programming languages to help avoid common software vulnerabilities.

By automating tasks like code refactoring and analysis, AI can help organizations transition from memory-unsafe languages like C to more secure alternatives such as Rust or Go. This is particularly important given that legacy code is responsible for 70% of identified vulnerabilities and continues to be a significant security risk.

AI-powered code assistance tools can analyze existing code, identify potential issues, and suggest improvements. By leveraging AI, organizations can accelerate the modernization process and reduce the risk from emergent security threats.

Compliance will be more than just a checkbox

Government leaders are increasingly grappling with the complexities of compliance. While there is no “easy button” to improve auditing, AI offers a promising solution to streamline compliance processes. It can automate monitoring, flag issues, and enforce best practices in real-time, significantly reducing the burden on compliance teams.

As technology advances, compliance will become integral to the development lifecycle, seamlessly integrating with DevSecOps practices. AI-powered tools will proactively scan code, identify vulnerabilities, and enforce security policies, ensuring that compliance is built into every stage of the process. As these functions are automated, they will also become commoditized. AI won’t fully automate compliance in the near-term, but the shift to intelligent automation will help improve security and efficiency.

SBOM will become a requirement, not just a best practice

AI requires testing, guardrails, and management by humans and other tools, especially regarding security. A dynamic SBOM can give agencies full visibility into the license and security risks associated with their software, including any open source software inclusion.

At a basic level, SBOMs are inventories of software components. With the advent of continuous scanning, these have become more dynamic, providing real-time insights into an agency’s software supply chain and suggesting actions to address vulnerabilities.

As we move into 2025, SBOMs will become a cornerstone of federal cybersecurity efforts. Defense agencies will widely adopt SBOMs to secure critical systems and development processes - setting a precedent for civilian agencies as well.

The increased adoption of SBOMs will help defense and civilian agencies align to the recent Secure by Demand guidance issued by CISA, promoting transparency and accountability within the federal government.

Many federal agencies will likely develop stringent SBOM requirements and potentially refuse to work with vendors that cannot meet them. This shift underscores the growing importance of SBOMs in ensuring the security and integrity of federal systems and software.

From risk to resilience

As cyber threats evolve and AI reshapes the technological landscape, a robust security posture is imperative for federal agencies. The federal government recognizes this need and has issued several publications that standardize best practices to ensure a fortified defense against cyberattacks.

Federal agencies should consider creative ways to use AI to advance some of these initiatives. By automating tasks, accelerating vulnerability mitigation, and modernizing legacy systems, AI can significantly enhance the resilience of federal infrastructure. These strategic investments in AI will position federal agencies to stay ahead of evolving threats and safeguard critical assets.

Joel Krooswyk is the federal CTO for GitLab Inc.