In late 2025, the U.S. artificial intelligence company Anthropic announced it had disrupted a Chinese state-sponsored group that had used the company’s own technology to attack roughly 30 Western technology, finance, government, and critical infrastructure targets—all with minimal human supervision. It was the first reported AI-orchestrated espionage campaign. But it will not be the last. Just a few months later, Anthropic revealed that its latest model, Mythos Preview, had autonomously uncovered critical vulnerabilities in every major operating system and web browser. In the hands of criminal networks, terrorist groups, or countries unconstrained by AI safety concerns, virtually any system in the world could be attacked.

As AI systems evolve from tools that assist humans to agents capable of acting without them, tasks that once required teams of highly skilled professionals will run continuously with limited oversight. Governments, companies, and individuals will soon be confronted by AI agents able to independently conduct cyber-campaigns at a level comparable to today’s most capable countries. Operations that consumed months of expert labor will be executed at a speed, scale, and persistence that humans cannot match.

The same properties that make these agents so capable are the ones that make them difficult to stop. After they are deployed, these agents could slip beyond their operators’ control and prove impossible to shut down. Governments now must build technical defenses and governance frameworks to detect these agents, protect critical infrastructure, and establish clear lines of responsibility. The policy choices made today will determine whether autonomous cyber-agents become a manageable risk or an uncontrollable one.

The ability of code to become dangerous has increased rapidly. The Internet’s first cyberattack, the 1988 Morris worm, was a simple program that copied and spread itself across insecure networks. It had no objective beyond propagation and no capacity to adapt when defenders responded, yet it reached roughly ten percent of all Internet-connected computers worldwide. Nearly two decades later, the far more sophisticated Stuxnet attack destroyed centrifuges at Iran’s Natanz uranium enrichment facility, setting the country’s nuclear program back for years. And in 2017, the Russian-attributed NotPetya cyberattacks on Ukraine caused billions in global losses and paralyzed operations at companies worldwide, including in Russia, that presumably were never meant to be affected.

These cyberattacks were damaging, but constrained by what their human operators could design and deploy. The campaigns required months of reconnaissance to find vulnerabilities, followed by long periods of quiet, persistent effort to maintain access without detection. Even after establishing a foothold, the attackers had to remain undiscovered as they weighed the benefits of continued access against the risk of exposure. That tradeoff imposed limits on even the most capable and aggressive countries.

But that logic may no longer hold. Autonomous cyber-agents can already execute in minutes what would take hours of expert human labor. In the near future, they could embed themselves across critical sectors, lying dormant for extended periods before launching mass data-deletion attacks capable of halting large parts of an economy. As these systems become more reliable, operators will be tempted to grant them greater independence. These autonomous agents will be designed to evade defenses and sustain operations without human support, making them far more difficult to detect and shut down. They could quickly outpace humans trying to defend against........

© Foreign Affairs