← all writing
May 10, 2026

When the AI Bubble Deflates, What Survives.

Every hype cycle leaves a wreckage and a residue. The wreckage is the companies that never had a real use case. The residue is the practitioners who used the cycle to build durable skill. AI will be no different, and the gap between adoption speed and governance maturity is where security and audit professionals get to plant a flag.

#ai #governance #audit #security #career

A coworker told me last week that the AI bubble is going to pop. He did not say it as a provocation. He said it with the calm of someone who has already seen how this movie ends.

I feel it too. The market is going to correct. The question that stayed with me is not whether it happens. It is what I do in the meantime.

The answer that keeps making more sense to me: train hard enough to be one of the few who survives the correction.

Every major technology wave produces two things in parallel: real capability and irrational exuberance.

The internet was not fake, but most dot-com companies were. Blockchain introduced genuinely interesting ideas, but the market filled with projects that had no viable use case. AI is following the same pattern, just faster and louder.

The honest question is not whether AI is overhyped. It clearly is, in parts. The more useful question is: if the hype deflates, what skills will still matter?

The bubble destroys weak companies. It does not destroy useful skills.

When the dot-com crash hit, the people who had spent that period learning to build scalable infrastructure, secure networks, and design digital products came out stronger. The blockchain cycle followed the same logic. Tokens became worthless. Startups disappeared. But practitioners who built real knowledge in cryptography, smart contract security, and compliance found that expertise durable and transferable.

AI will work the same way.

The noise is not evenly distributed. Vendors are adding “AI-powered” to products that barely use AI. Certifications are multiplying faster than the field is maturing. Startups are promising productivity gains they cannot demonstrate at scale. And professionals are learning to use AI tools without understanding how they fail or what risks they introduce.

When the market corrects, organizations will stop rewarding demos and start asking harder questions. Does this system actually reduce cost? Can it be audited? Who is accountable when it produces a wrong answer that drives a business decision? Does it protect sensitive data?

Those questions require people who can answer them with authority.

Prompt engineering will become a baseline workplace skill, roughly equivalent to knowing how to use a spreadsheet. Useful. Expected. Not a differentiator.

The professionals who will be genuinely hard to replace are those who combine AI fluency with a serious adjacent discipline:

  • AI with cybersecurity: securing AI systems, threat modeling, defending against prompt injection and data exfiltration
  • AI with IT audit and governance: assessing implementations against control frameworks, evaluating vendor risk, reviewing data handling practices
  • AI with privacy and compliance: understanding how AI processes personal data, where liability sits, and how regulatory requirements apply

The value proposition is not “I use AI.” It is “I can implement it securely, evaluate it critically, govern it appropriately, and audit it when something goes wrong.”

Most organizations adopting AI are moving faster than their governance structures can handle. Employees are uploading sensitive data into public AI tools without understanding retention policies. AI agents are being granted access to internal systems with permissions no one has reviewed. Models are producing outputs that inform business decisions without any audit trail.

These are not theoretical risks. They are already appearing in incident reviews and audit findings.

The gap between AI adoption speed and AI governance maturity is wide, and it is not closing quickly. For security and audit professionals, that gap is the opportunity.

Build depth in a discipline that will outlast any single tool or platform. Learn how AI systems actually work well enough to evaluate them, not just use them. Position yourself as someone who can help an organization adopt AI responsibly, not just someone who adopted it early.

The bubble, if it comes, will clear out the noise. What remains will belong to people who built something durable while everyone else was chasing the hype.

That is the bet I am making. Not that AI will disappear. Not that the hype is wrong. That when the market sorts the demos from the discipline, I want to be on the side that can answer the hard questions. That is the work I am putting in now, so that whatever comes next finds me ready.