The Path of Least Resistance: Why Active Inertia is the Real AI Threat

https://www.infosecurity-magazine.com/opinions/active-inertia-real-ai-threat/

Publish Date: 2026-03-18 06:00:00

Source Domain: www.infosecurity-magazine.com

If you’ve been in the cyber industry for a while, you start to notice cybersecurity has a “Groundhog Day” quality.

We change acronyms and leverage hot new phrases, but the headlines remain the same: passwords still get stolen, people still get phished, S3 buckets still get left open and confidential data still gets leaked.

We often lie to ourselves to explain this. We say the C-suite doesn’t care. We complain about “executive apathy,” picturing a board of suits shrugging their shoulders at our heat maps.

In my experience, this is rarely true. Most boards care deeply and are terrified of being the next headline. They are approving cyber spend, reading reports and hiring talent to try and solve the problem. They aren’t apathetic – they are suffering from Active Inertia.

Let’s Break the Mold

Active Inertia is a concept from management theory that explains why successful companies fail. Faced with a changing world, they don’t sit still; they accelerate the activities that worked for them in the past, getting busier, but not changing.

In cybersecurity, Active Inertia looks like a team drowning in spreadsheets, working 80-hour weeks to patch “critical” vulnerabilities that represent zero risk, simply because policy demands it. It is the sensation of running faster just to stay in the same place, or flooring the accelerator while stuck in mud, hoping you’ll move forward instead of deepening the rut.

To break this inertia, cyber teams must stop looking at their environment as a list of compliance requirements. The traditional approaches give us lists of building blocks, like individual CVEs, identities, assets and misconfigurations. These aren’t exposures or security-related issues; they are just a pile of parts that match a compliance framework written 10 years ago.

To attempt to address this, the industry has thrown new acronyms at the problem. We have Attack Path Analysis, Blast Radius capabilities and graphs with edges. These are useful, but often…
