The adoption of AI-enabled security tools is accelerating automation across cybersecurity, making some tasks easier. However, it is also contributing to a growing challenge: configuration drift.
Previously, Reach Security CTO Colt Blackmore described configuration drift as the “often unnoticed weakening of an organization’s security posture over time due to internal change.” No single change breaks security outright, but a series of small, incremental shifts can accumulate and gradually increase vulnerability.
Garrett Hamilton, CEO and founder of Reach Security, expanded on this concept, describing configuration drift as the creation of “dark spots and blind spots” across environments — an issue the industry itself has shaped over the past 15 years. He said the problem has been driven both by the expansion of the attack surfaces available to adversaries and by the growing number of defensive capabilities designed to protect those surfaces.
Hamilton said security teams are responsible for finding and configuring defenses, but they may not retain full ownership or control of the tools themselves, and that is what creates these visibility gaps.
Who’s responsible?
Responsibility for configuration is often unclear. As environments evolve, software updates and policy changes introduce drift. According to recent research by Reach Security, 97% of organizations reported incidents linked to misconfigurations in the past 12 months, highlighting the scale of the issue. Without sufficient visibility, many organizations may not realize they are exposed.
“Our research shows there is often confusion over who is responsible for operating a tool versus assuring that it is working effectively,” Hamilton said.
He pointed to the proliferation of tools — often 30 to 40 within a single organization — as a key factor. Beyond the tools themselves, security controls can exist in multiple layers, creating further complexity and increasing the likelihood of gaps. Ultimately, how security teams perceive and manage this challenge is critical.
“Organizations need a continuous way to validate that the controls they depend on are still working as intended,” he said.
Lacking the capabilities
The issue is compounded by a widening skills gap. While some reports suggest millions of vacancies, recent research indicates that about 60% of organizations lack the necessary skills. This shortage contributes to difficulties in adopting new technologies (42%) and maintaining effective monitoring (42%).
Hamilton argued that this reflects a broader challenge: Organizations are consuming technology faster than they can operationalize it. However, he sees an opportunity for AI-native companies, as AI can help manage configuration drift by continuously identifying and addressing changes. Attackers are already identifying vulnerabilities faster than human defenders can, and defenders must match that speed.
The Reach report showed that organizations now operate an average of 35 distinct cybersecurity tools, with even higher numbers in large enterprises and the public sector. Maintaining consistent configurations across such environments is increasingly difficult, significantly raising the risk of drift.
AI, Hamilton suggested, is well suited to addressing this challenge. It can rapidly identify changes with negative security implications, reducing detection times from hours or days to near real time by correlating signals across alerts.
Detection and response
The research also highlighted a broader imbalance in cybersecurity investment. Currently, 72% of budgets are allocated to detection and response, compared with just 28% for proactive configuration management. Hamilton argued that this imbalance is significant because it shapes how organizations approach risk. Configuration management, visibility and assessment at scale should work alongside response capabilities, yet they are often underfunded.
In addition, configuration management practices remain relatively immature. On average, organizations review configurations only 6.5 times per month, and remediation takes more than eight days. These delays create extended exposure windows, leaving systems vulnerable.
Even in sectors where remediation is faster, there is no clear reduction in breaches. This suggests that teams are often driven by alert volumes and performance metrics that prioritize activity over meaningful risk reduction, leading to lower-impact issues being addressed ahead of more critical risks.
The problem is further compounded by a continued reliance on manual processes. Many organizations still depend on periodic audits, manual reviews and penetration testing, with limited adoption of automation. As environments grow more complex, this approach is becoming unsustainable, increasing costs and leading to inconsistent outcomes.
Governance and visibility challenges add to the difficulty. Security teams often struggle to track unauthorized changes, meet compliance requirements and access real-time configuration data across fragmented toolsets. Without change, configuration drift will remain a persistent issue — and one that is likely to worsen over time.