By Brad Medairy
This paper underscores the urgent need to modernize America’s cyber strategy to close the growing speed gap created by AI-driven threats. It outlines Booz Allen’s perspective on harnessing industry scale, updating policy and authorities, and reforming acquisition to restore the nation’s decision advantage in a rapidly evolving cyber battlespace.
Cybersecurity is undergoing a structural shift. Artificial intelligence has collapsed the time required to execute cyber operations—from weeks to minutes—and that trajectory is only accelerating as AI capabilities continue to advance. What began as AI-assisted activity has rapidly evolved into AI-enabled operations and is now moving toward early forms of autonomous exploitation.
Adversaries are now operating at AI speed, while defenders—and the policies that govern them—remain constrained by human timelines. This mismatch has created a speed gap. As AI capabilities advance, they will further compress the time required to discover, exploit, and move, accelerating the very dynamics driving the speed gap.
At scale, this shift makes compromise increasingly inevitable. “Assume breach” is no longer a philosophy—it is math. If this gap is not closed, the United States will face persistent, large-scale compromise across government and critical infrastructure systems. The United States is now in a sustained competition in cyberspace, where advantage will be determined by the ability to innovate and operate at AI speed.
At Booz Allen, we see this shift firsthand. For more than 30 years, we have supported the nation’s most critical cyber missions—securing a significant portion of the .gov domain, leading large-scale zero trust implementations, and operating across all 16 U.S. critical infrastructure sectors. From this vantage point, the speed gap is unmistakable—and increasingly urgent. However, existing legal and policy frameworks were not built for AI-speed cyber operations. Most assume a human decision-maker in the loop and response timelines measured in hours or days—not seconds.
In this environment, the United States must be able to impose costs on adversaries at comparable speed and scale. Deterrence depends on matching the tempo at which adversaries already act. However, at AI speed, capability without scale is insufficient—and scale without industry is unattainable.
America’s greatest asymmetric advantage lies in its commercial technology ecosystem. Industry is driving rapid advancements in AI-enabled cyber capabilities and operating at a pace unmatched by traditional government processes. Integrating these capabilities is essential not only for innovation, but for scaling national cyber operations to meet the demands of an AI-speed threat environment. Policymakers must ensure that, as legal frameworks evolve, industry will be the foundry for new capabilities.
The Administration’s Cyber Strategy for America correctly recognizes AI-enabled attacks are scaling rapidly and signals a more assertive posture against malicious actors. However, to realize this vision, authorities for time-sensitive operations require clearer definition, and policy frameworks must continue to evolve to support faster, more coordinated responses. This approach should integrate AI-enabled defensive and cost-imposition capabilities, allowing the United States to operate at speed while maintaining accountability and control.
Congress and the Administration must work together to establish a modern, rules-based framework for imposing costs on adversaries. This framework should:
Establish standards for attribution, proportionality, and response thresholds.
Clarify decision-making authorities for time-sensitive cyber operations.
Enable persistent, operational integration of industry as an extension of national cyber capability.
In an AI-speed threat environment, defense must operate at the same pace as the threat. When adversaries move at AI speed, defense that operates at human speed will consistently fall behind. Restoring advantage requires a shift from reactive security to continuous, AI-enabled operations.
Three priorities are critical:
In an AI-speed threat environment, the pace of acquisition determines the speed of defense. If capabilities cannot be fielded and adapted more quickly, they cannot effectively counter threats that are constantly and rapidly evolving. Maintaining advantage requires acquisition models that move at operational tempo—not traditional timelines.
Normalizing the use of non-traditional acquisition authorities—such as Other Transaction Authority (OTA)—is a critical step. OTAs allow government to more effectively harness private sector innovation through flexible acquisition approaches designed for speed, iteration, and scale. These mechanisms enable agencies to move from requirement to capability in weeks instead of months, while allowing solutions to be tested in live or semi-live environments, refined rapidly, and adapted as threats evolve.
Equally important is accelerating the shift to outcome-based contracting. Rather than procuring predefined technical specifications, agencies must prioritize mission impact—enabling industry to deliver the most effective solutions and scale them dynamically. This approach aligns incentives around results, not requirements, and ensures that innovation can be continuously integrated into operational environments.
In this environment, advantage will be determined by speed. Policymakers play a decisive role in enabling the authorities, frameworks, and capabilities required to operate at that speed—and to ensure the United States maintains a decisive edge in cyber conflict. Booz Allen is standing by to assist in evolving policies to this new reality.
Brad Medairy is the President of Booz Allen’s National Cyber business.
This Booz Allen Policy Position is designed to provide stakeholders with clear analysis and perspective on priority policy issues across government and industry. The information reflects our assessment and the best available data as of the publication date, May 6, 2026.