Security Leadership

The Workforce Problem Nobody at RSA Wanted to Talk About

Assaf Keren | March 26, 2026 | 9 min read

This year's RSA was about agentic AI. Every keynote, every booth, every hallway conversation. AI agents that detect threats. AI agents that respond to incidents. AI agents that write policies, triage alerts, and investigate anomalies.

Let's talk about something uncomfortable.

If AI agents are going to handle the work that entry-level security professionals do today, where will the next generation of security leaders come from?


The Training Ground Is Disappearing

Think about how most of us learned security. Some of us sat in a SOC triaging alerts, investigating incidents that turned out to be nothing hundreds of times until we developed the instinct to recognize the one that wasn't. Some of us started in GRC, manually reviewing controls and writing policy documents until we understood what compliance actually meant in practice. Some of us ran vulnerability scans and chased remediation tickets until we could look at an environment and know where the real risk lived. Some of us broke into systems as junior pentesters, learning the craft by running the same tools against the same test environments until we could think like an attacker without a script to follow. Some of us wrote security requirements for product teams, learning through repetition what "secure by design" actually meant in code.

Across every discipline, the pattern was the same. We did tedious, repetitive, unglamorous work that built the pattern recognition, judgment, and operational intuition we now rely on every day.

That work is exactly what AI is about to automate. All of it. Across the board.

I'm not arguing against automation. I've seen firsthand how removing manual, repetitive tasks frees security professionals to focus on strategic thinking and complex problem-solving. That shift is real and it's positive.

But we need to be honest about what we're losing in the process. Those repetitive tasks weren't just work to be done. They were how people learned. The junior SOC analyst. The associate pentester. The GRC coordinator. The first-year security engineer. The entry-level product security reviewer. Every security discipline had its version of the grunt work that burns people out but also builds them up. That has been the apprenticeship model for our entire industry. And we're automating it away without building anything to replace it.


The 10-Year Crisis We're Building Right Now

Here's the math that should worry every security leader.

The industry loves to talk about the "workforce shortage," but let's be precise about what's actually happening. We don't have a shortage of people who want to work in security. There are more people trying to break into this profession than we have starting roles for. What we have is an experienced workforce shortage. We can't find enough people with the judgment, operational intuition, and strategic thinking that come from years of doing the work.

Now think about what AI is doing to the pipeline that produces those experienced professionals.

At the same time, AI is compressing the entry points into the profession. The roles where people traditionally started, learned the fundamentals, made their mistakes safely, and built their careers are being absorbed by automation. Alert triage and log analysis. Vulnerability scanning and remediation tracking. Compliance evidence collection. Baseline penetration testing. Security code review. Policy drafting. These are the first jobs that AI will handle better and faster than humans, and they exist in every corner of the security organization.

So we have a growing need for experienced security professionals who can provide oversight, strategy, and judgment. And a shrinking pipeline of pathways for new professionals to develop that experience and judgment in the first place.

If we don't act now, in 10 years we'll face a workforce crisis that makes today's shortage look manageable. Not because people aren't interested in security. They are. But because we've eliminated the entry points and gatekept an entire generation of passionate, capable people out of the profession.


This Is a Leadership Problem, Not a Market Problem

The market won't solve this on its own. If anything, the market incentives are moving in the wrong direction. AI automation reduces headcount for entry-level roles. Companies save money. Security leaders get more efficient operations. In the short term, everyone wins.

But the long-term cost is enormous. We're optimizing for today's efficiency at the expense of tomorrow's capability. We're building security organizations that depend on experienced professionals while dismantling the pipeline that produces them.

This is where security leaders, as an industry, need to do something we haven't done well before: come together and build deliberate career progression pathways for people entering the profession.

Not certification programs. Not bootcamps that promise a CISO title in 12 weeks. Real, structured paths that account for a world where the traditional first job in security looks very different than it did five years ago.


What This Actually Looks Like

I don't have all the answers. Things are moving so fast that anything I write today might not stand the test of time even six months from now. But standing still isn't an option either, so here's my take on the directions we need to explore right now.

Apprenticeship models. Pair early-career professionals with experienced practitioners in structured, long-term relationships. Not mentorship in the loose "grab coffee once a month" sense. Real apprenticeships where people learn by working alongside someone who can explain not just what to do, but why. Where they develop the judgment that no certification exam can test for.

Internship programs with depth. Not the kind where interns shadow people for a summer and leave with a line on their resume. Programs that give people real responsibility on real problems, with enough support and oversight that they can fail safely and learn from it.

Structured learning paths that bridge the AI gap. If AI is handling first-line work across every security discipline, what does a redesigned entry-level security role look like? Maybe it's focused on AI oversight: understanding what the automated systems are doing and why, developing the critical thinking to know when the AI is wrong. Whether that's questioning an AI-generated risk assessment, validating automated pentest findings, or reviewing AI-drafted security architecture recommendations, the skill set is judgment, context, and critical thinking. That's different from what we've traditionally trained for, and we need to build the infrastructure to teach it.

Rotation programs across security domains. Give early-career people exposure to incident response, application security, governance, risk, and architecture. Build the breadth of experience that develops strategic thinking earlier in careers. The principle I've always believed in, that experiences matter more than scope, applies here too. Diverse experiences build better leaders faster.

New definitions of "entry-level." If the traditional entry point is being automated, we need to create new ones. Security engineering, AI governance, trust and safety, privacy operations, security product management. The field is expanding even as some traditional roles contract. We need to make those new entry points visible and accessible.

Industry and education collaboration. Universities are training the next generation of security professionals, but too often the curriculum reflects the industry of five years ago, not the industry of five years from now. Security leaders need to be in the room with educators, helping shape programs that prepare students for a world where AI handles the baseline work and humans provide the oversight, strategy, and judgment. That means advisory boards with teeth, not just logos. It means practitioners guest-teaching and co-designing coursework. It means being honest with universities about what we actually need from graduates instead of complaining after the fact that new hires aren't ready.


The Real Risk Is Gatekeeping

There are people out there right now who are passionate about protecting their organizations, their peers, and the world from cyber threats. They want into this profession. Many of them are being told they need five years of experience for an entry-level job, three certifications before anyone will look at their resume, and a computer science degree even though the work increasingly requires different skills entirely.

We've always had a gatekeeping problem in security. AI threatens to make it worse. If we automate the entry-level work without creating new pathways in, we're telling the next generation that this profession doesn't have room for them. And then we'll wonder why we can't find anyone to fill the senior roles a decade from now.

The irony is painful. We're an industry that exists to protect people, and we're failing to protect the career paths of the people who want to join us in that mission.


A Call to Action for Security Leaders

This isn't a problem any single company can solve. It requires industry-wide coordination, the kind of collective action that we're not historically great at.

But it starts with individual leaders making deliberate choices. Create an apprenticeship slot on your team. Build a real internship program. Partner with universities, but also with non-traditional pipelines: community colleges, career changers, veterans programs. Design roles that are explicitly about learning and development, not just production output.

And have the honest conversation with your leadership team: the headcount we save by automating entry-level work needs to be partially reinvested in developing the next generation of security professionals. Because the alternative is a future where we have brilliant AI systems and nobody with the experience and judgment to oversee them.

I talked at RSA this week with security leaders who share this concern. The energy is there. What's missing is the structure, the commitment, and the urgency.

We have a window to get this right. It won't stay open forever.


Assaf Keren is a security executive with experience as Chief Security Officer at Qualtrics and CISO at PayPal. He writes about the intersection of security strategy, organizational dynamics, and emerging technology.