TL;DR
OpenAI just warned that its next-gen AI models could reach “high” cybersecurity capability, strong enough to help find vulnerabilities and assist complex cyberattacks if misused. Attackers are already using AI to write better phishing emails and speed up operations, and more powerful models are coming.
For SMBs in Milwaukee and SE Wisconsin, this isn’t sci-fi, it’s a 2026 problem: tighten email and identity security, patch exposed systems, assume breach and plan backwards, upgrade visibility/response, and put AI into your security policies - not just your marketing.
You’ve probably seen a headline like this in your feed:
“OpenAI admits criminals might use its AI to conduct cyberattacks.”
That’s not clickbait. It’s a blunt way of summarizing something OpenAI just said out loud:
their next-generation AI models could pose a “high” cybersecurity risk if misused.
In a recent update, OpenAI warned that upcoming models could be strong enough to find serious vulnerabilities, help develop zero-day exploits, and assist with complex intrusions against real-world systems.
That sounds like sci-fi… but for Milwaukee businesses, it’s really a 2026 problem, not a 2035 one.
Let’s break down what this actually means and what you should do now so AI-powered attackers don’t catch you flat-footed.
1. What did OpenAI actually say?
OpenAI didn’t say “our AI is out hacking companies.” They said:
- Their future “frontier” models are on track to reach “high” cybersecurity capability.
- At that level, an AI system could:
- Help find and exploit serious vulnerabilities in software
- Assist complex, multi-step intrusions into enterprise networks
- Run longer, more autonomous operations, like scripted brute-force attacks or wide phishing campaigns
They’ve seen big jumps in performance on internal “capture the flag” style security tests and are treating this as a frontier risk area, similar to how they’ve talked about biosecurity in the past.
So the translation is:
“We can see that future models will be good enough at cyber tasks that criminals will want to use them. We’re trying to get guardrails in place before that happens.”
2. Attackers are already using AI (just not at ‘sci-fi’ levels)
This warning about the future sits on top of something that’s already real:
- OpenAI has published multiple threat intelligence reports showing that state-linked and criminal groups have tried to use ChatGPT and other models for malicious cyber activity; things like phishing content, basic malware, and scripting help.
- In those reports, they say they’ve disrupted 40+ networks abusing AI for cyberattacks, scams, and influence operations.
- Other vendors and security researchers are seeing the same trend: AI is being used to polish phishing, scale social engineering, and speed up operations, even if it’s not inventing brand-new super malware yet.
Put simply:
Attackers are still mostly using AI as a helper; to write better emails, debug code, and automate boring steps.
Future models might become a force multiplier for more serious intrusions.
3. Meanwhile, OpenAI is hardening the defensive side
To their credit, OpenAI isn’t just shrugging this off. In the same breath as the warning, they announced steps to keep their own tools from becoming a hacker’s dream kit:
- Stronger technical controls
Access controls, infrastructure hardening, egress controls, and deeper monitoring to detect and block obvious abuse. - Defender-first cyber features
They’re building tools to help security teams scan codebases, find vulnerabilities, and propose patches (one internal tool, Aardvark, is in private beta for this). - Trusted access & outside oversight
A tiered “trusted access” program for advanced cyber capabilities and a new Frontier Risk Council made up of experienced defenders to advise where the line is between helpful and dangerous.
In other words: the people building these tools know they’re dual-use. They’re trying to tilt the playing field toward defenders.
That’s good news, but none of it replaces the basics inside your environment.
4. What this means for Milwaukee & SE Wisconsin businesses
If you’re running a 25-250 person company in Southeastern Wisconsin, here’s the reality:
- AI is lowering the skill bar for attackers.
You no longer need a perfect English-speaking scammer to write convincing phishing emails. You don’t need a senior developer to clean up a malware script. - State actors and big crime groups are experimenting with AI right now.
Microsoft’s latest digital threat reporting shows nation-states using AI to generate deepfake content, refine phishing, and scale attacks. - SMBs are still running 2018 defenses in a 2026 threat landscape.
Legacy antivirus, unpatched VPNs, weak MFA, and “we’ll restore from backup if it goes bad” aren’t enough when attacks are faster, more automated, and more targeted.
The takeaway isn’t “panic about killer robots.” It’s:
Assume attackers will have better tools this year than they did last year.
Your job is to make sure they still run into a brick wall when they aim at you.
5. An “AI-aware” security checklist for SMBs
Here’s how we’re talking about this with Stamm Tech clients in Milwaukee and SE Wisconsin.
Think of it as a 5-point sanity check for 2026:
1) Email & identity first
AI makes phishing better written and more believable, not less.
- Enforce MFA on email, VPN, critical apps.
- Use modern email security (phishing/impersonation protection, not just spam filtering).
- Run regular phishing training with realistic templates. Assume AI-level quality, not “foreign prince” stuff.
- Teach people to check the email address, not just the display name.
2) Patch and harden what actually matters
If AI can help attackers find vulnerabilities faster, the systems you’ve been procrastinating on patching move up the risk list.
- Prioritize patching on:
- Anything exposed to the internet (VPN, RDP, remote tools, portals).
- Domain controllers and key infrastructure.
- Remove or restrict legacy remote access tools that don’t support modern security.
- Audit vendor and third-party access. Who has always-on access to your environment?
3) Assume breach, plan backwards
If an AI-assisted attacker does get in, can you limit the blast radius?
- Backups:
- Are they offsite/immutable?
- Have you actually tested restoring a server or key application recently?
- Incident response plan:
- Who do you call at 2 a.m.?
- Who can authorize shutting down systems?
- Tabletop exercises:
- Run at least one “what if” scenario a year (ransomware, vendor compromise, email account takeover).
4) Upgrade visibility & response
AI helps attackers move fast. You can’t respond with once-a-month log reviews.
- Deploy EDR (endpoint detection & response) instead of old-school antivirus.
- Centralize logs where your IT team or MSP can actually see and correlate activity.
- Make sure someone is on the hook to investigate alerts, not just get emailed and ignored.
At Stamm Tech, we’re already using AI-driven tools on the defense side to speed up investigations, sift through logs, and surface the signals that matter. The goal is simple: you shouldn’t be the slowest one in an AI arms race.
5) Put AI in your policies, not just your marketing
Most organizations are experimenting with AI for drafting emails, documents, and code. That’s fine, if you set guardrails.
- Document what staff can and can’t paste into AI tools (no client secrets, credentials, or sensitive internal docs).
- Decide how you’ll review AI-generated code/content before it hits production or goes to customers.
- Treat AI as a tool in your security program, not a toy off to the side.
6. So… should I be worried?
Worried? Not really.
Seriously paying attention? Absolutely.
OpenAI’s message isn’t “we’ve lost control.” It’s:
“These systems are getting strong enough to matter for cybersecurity.
We’re putting in guardrails, but defenders and businesses need to catch up too.”
For Milwaukee businesses, that means making sure your foundations are solid and that your security partners are thinking about AI on both sides of the equation: how attackers might use it, and how you can, too.
Want an AI-aware security sanity check?
If you’re a Milwaukee or SE Wisconsin business and you’re wondering,
“Are we actually ready for AI-powered attacks?” - we can help.
We’ll walk through the five areas above, map them to your environment, and leave you with a short, prioritized action list you can tackle over the next 6-12 months.
FAQ
Q1: Is AI going to hack my business by itself?
Not today. Right now, AI is more of a power tool for human attackers than an autonomous hacker. It helps them write better phishing, debug code, and automate steps, but people are still driving. Future models may be able to contribute more directly to finding and exploiting vulnerabilities, which is why OpenAI is calling this a “high” cyber risk area.
Q2: Are criminals already using ChatGPT and similar tools for cyberattacks?
Yes. OpenAI and others have documented state-linked and criminal groups using AI to help with phishing, malware, scams, and influence operations, and OpenAI says it has disrupted dozens of such networks. The good news: tools like this also help defenders triage alerts, analyze code, and investigate incidents faster.
Q3: What’s the single most important thing my SMB can do right now?
If we had to pick one: lock down email and identity. Most successful breaches still start with stolen credentials or a phished user. Strong MFA, modern email security, and phishing-aware employees go a long way, even against AI-polished attacks.
Q4: Can we safely use AI tools inside our business?
Yes, with guardrails. Treat AI like any other powerful tool:
- Don’t paste credentials, customer secrets, or highly sensitive internal docs into public models.
- Set a policy for how AI-generated content or code is reviewed.
- Work with your IT/security team or MSP to make sure AI usage fits your compliance requirements.