“I think the important thing is that in many cases in order to use and exploit the vulnerabilities that [AI] might find, or use them in a manner…that could be malicious or adversarial, the first thing you have to do is get into the network,” Nick Polk, branch director for federal cybersecurity in the Executive Office of the President, told an audience at the Rubrik Public Sector Summit presented by FedScoop.
The Executive Office of the President: identity as the first line of defense
Polk framed identity controls — who and what is allowed onto a network — as the primary constraint that defenders still possess in an AI-augmented threat environment. He argued that even as machine learning models surface new classes of vulnerabilities and automate offensive steps, attackers generally need an initial foothold inside a network to exploit them. That foothold frequently comes not from exotic malware but from exploiting “the access an employee, contractor or third‑party vendor has to your systems and data,” Polk said. For Polk, the network security boundary therefore remains “meaningful control” over access and behavior.
Department of Transportation: speed, scale and the new “smash‑and‑grab”
Justin Ubert, director of cyber protection at the Department of Transportation, described a tactical shift driven by AI tools: a move away from stealth and toward rapid exfiltration. “Now, you can have a smash-and-grab of your network that’s faster than you can respond to because…there’s no need to be quiet: just go in, grab and go [home],” Ubert said. His warning draws attention to scenarios where traditional detection and fence‑in approaches are outrun by automated attack playbooks that operate at machine speed.
Automated agents can become insider threats — and they don’t always behave rationally
Research cited at the event from the University of California‑Riverside examined automated AI agents including Anthropic’s Claude Sonnet and Opus 4, as well as OpenAI’s ChatGPT‑5. The study found agents “can become dangerously fixated on completing assignments without recognizing when their actions are harmful, contradictory or simply irrational.” Investigators observed that model agents struggled with contextual reasoning, showed a bias toward taking action (figuring out how to do something rather than whether to do it), and were frequently tripped up by contradictory or infeasible goals. Those behavioral failures can turn otherwise well-intentioned automation into sources of data loss or misuse.
Practical recovery concerns from a federal CISO: backups, erasure and contingency
Anna Libkhen, acting CISO for the Bureau of Economic Analysis at the Department of Commerce, highlighted operational fragility when agents fail. “It is scary, yes, we are very vulnerable,” Libkhen said — adding candidly that federal leaders are “peeing in their pants” about the risks. She compared training agents to teaching a child to ice skate: the first lesson is how to fall and get back up. That analogy underscored several concrete recovery questions Libkhen posed: if an agent erases a database and its backup, is there “that third set of data” safely isolated elsewhere? How will agencies anticipate the kinds of holes AI agents may exploit, and what will recovery require when those holes appear?
What this means for technologists, policymakers, and federal agency leaders
- Technologists and security teams: prioritize identity controls and rapid detection that can distinguish anomalous access from legitimate users and machines — because, as Polk emphasized, most AI-enabled exploitation begins with getting into the network.
- Policymakers and regulators: focus on governance that makes identity resilience and recovery planning a mandatory part of AI integration across federal IT, reflecting Libkhen’s emphasis on planning for agent failure and data recovery.
- Federal agency leaders and CISOs: prepare for assaults that trade stealth for speed by testing backups, segregating critical data copies, and rehearsing fast recovery playbooks to counter “smash‑and‑grab” scenarios described by Ubert.
The officials at the Rubrik summit converged on a clear, practical proposition: AI will change tactics and magnify impact, but it does not eliminate the fundamental need to control who and what can access a network. That focus shifts the defensive conversation from solely hardening code or infrastructure to hardening identities and recovery posture — and it forces a blunt question on federal IT: can identity protections and backup strategies be scaled and hardened fast enough to match the speed and creativity of automated attackers?




