The Security Cost of Intelligence: AI Capability, Cyber Risk, and Deployment Paradox

TL;DR

The paper models how organizational governance gaps influence AI deployment and cybersecurity investment, revealing a paradox where better AI can lead to less deployment in high-risk environments.

Contribution

It introduces an analytical model linking AI capability, governance, and cybersecurity, highlighting the deployment paradox and the importance of governance maturity.

Findings

Better AI can lead to reduced deployment in high-loss environments.

Optimal deployment often falls below the no-risk benchmark.

Governance investment reduces the deployment paradox region.

Abstract

Firms are deploying more capable AI systems, but organizational controls often have not kept pace. These systems can generate greater productivity gains, but high-value uses require broader authority exposure -- data access, workflow integration, and delegated authority -- when governance controls have not yet decoupled capability from authority exposure. We develop an analytical model in which a firm jointly chooses AI deployment and cybersecurity investment under this governance-capability gap. The central result shows a deployment paradox: in high-loss environments, better AI can lead a firm to deploy less when capability is deployed through broader authority exposure under weak governance. Optimal deployment also falls below the no-risk benchmark, and this shortfall widens with breach-loss magnitude and with the authority exposure attached to more capable systems. Governance investment that reduces breach-loss magnitude shrinks the paradox region itself, while breach externalities expand the range of environments in which deployment is socially constrained. Governance maturity is therefore not merely a constraint on AI adoption. It is a condition that shapes whether capability improvements translate into productive deployment.