The Success Of Your Proactive Security Strategy Depends On Your Answer To Six Questions
Proactive security has always been based on three principles: visibility, prioritization, and remediation. In the age of AI, each principle faces new challenges. In our latest research, The Future Of Proactive Security, we found that the future of proactive security hinges on how well teams answer six foundational questions across those principles: what, when, where, why, how, and who. Because AI accelerates our ability to answer questions, we have reached our biggest opportunity to modernize our proactive security programs. But first we need to align the program with the differing, subjective perspectives of stakeholders across the business.
The Six Questions Every Proactive Security Program Must Answer
To trust AI — and to scale proactive security — teams must map the six foundational questions to the three principles:
- Visibility: What do we have? When does it matter?
- Prioritization: Where could an attacker move? Why should this exposure be fixed?
- Remediation: How do we fix it? Who fixes it?
None of that works without accurately documented context, and the absence of that context will be the primary cause of failure for proactive security programs. Modern prioritization methods, such as attack path assessments and continuous security testing, improve our estimate of the likelihood of an event, but the impact of an exposure is still subjective: It changes depending on which person — or AI — you ask. AI needs machine-readable context, solicited from the human beings in the business, to analyze the impact of an exploit. That context is required for both prioritization (the impact if an adversary executes the exploit) and remediation (the impact of a change or automation gone wrong). Many organizations still don’t have it consistently documented, or even known. Yet this context is required to answer:
- What and when for visibility. Visibility is shifting from a static list of assets to the signals that make up environments — endpoints, cloud platforms, identities, configurations, detections, and open-source intelligence. Threat intelligence feeds such as known exploited vulnerabilities shape urgency, while continuous AI-led vulnerability discovery risks accelerating noise. Faster discovery only heightens the need for better prioritization.
- Where and why for prioritization. Proactive security platforms now blend attack surface management, threat intelligence, risk scoring, and attack path analysis to show where an exposure is and why it matters. Continuous security testing validates whether exposures are truly reachable and exploitable. But business context — which vendors still pull from tags, spreadsheets, and tribal knowledge — must become machine-readable for AI to model realistic consequences.
- How and who for remediation. Proactive security platforms must evolve from providing lists of what’s wrong to providing lists of what to do. Granular steps are a prerequisite for answering one of the most difficult questions in proactive security: Who needs to fix it? Remediation action items are spread across engineering, developers, DevOps, and cloud teams, so a single tagged owner in a configuration management database has proven ineffective at routing the work. Even as organizations drive toward automating the remediation process, the “who” is still required — because someone needs to approve and monitor the automation!
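The following is an added example, not code from the Forrester report or from any vendor platform, showing what "machine-readable context" can look like in practice and how it changes prioritization. Each asset carries a documented business impact and an accountable owner; each exposure carries the likelihood signals the text names (a known-exploited-vulnerabilities listing and an attack-path reachability result). Exposures whose asset lacks documented impact or an owner are routed to an explicit "needs-context" or "needs-owner" queue instead of being scored with a silent default, which is the failure mode the section warns about. All asset names, finding identifiers, owners, weights and thresholds below are constructed for illustration.

```python
"""Added example: machine-readable business context feeding exposure
prioritization. Data, weights and thresholds are constructed, not from any
real feed or platform."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class AssetContext:
    """Context a business owner documents once, in a form a program or AI agent can read."""
    asset: str
    business_impact: Optional[int] = None   # 1 (negligible) to 5 (critical); None = never documented
    owner: Optional[str] = None             # accountable team; None = nobody recorded
    internet_facing: bool = False

@dataclass
class Exposure:
    """One scanner finding plus the likelihood signals discussed in the text."""
    asset: str
    finding: str                        # constructed identifier, e.g. "finding-1"
    exploited_in_wild: bool = False     # present in a KEV-style feed
    reachable: Optional[bool] = None    # attack-path / continuous-testing result; None = not validated yet

@dataclass
class Decision:
    exposure: Exposure
    score: Optional[int]    # likelihood x impact, or None when context is missing
    queue: str              # "fix-now", "scheduled", "needs-context", "needs-owner"
    reason: str

FIX_NOW_THRESHOLD = 20      # constructed; tune to the organization's risk appetite

def likelihood(e: Exposure, c: AssetContext) -> int:
    """Illustrative additive likelihood: 1 baseline, +2 exploited in the wild,
    +2 validated reachable (+1 if unvalidated), +1 internet-facing. Max 6."""
    l = 1
    if e.exploited_in_wild:
        l += 2
    if e.reachable is True:
        l += 2
    elif e.reachable is None:
        l += 1      # unvalidated: neither assume reachable nor dismiss it
    if c.internet_facing:
        l += 1
    return l

def prioritize(exposures, contexts):
    """Score exposures whose asset has documented impact and an owner; route the
    rest to explicit queues so missing context is visible rather than defaulted."""
    ctx = {c.asset: c for c in contexts}
    out = []
    for e in exposures:
        c = ctx.get(e.asset)
        if c is None or c.business_impact is None:
            out.append(Decision(e, None, "needs-context", "no documented business impact for asset"))
            continue
        if c.owner is None:
            out.append(Decision(e, None, "needs-owner", "no accountable owner recorded for asset"))
            continue
        score = likelihood(e, c) * c.business_impact
        queue = "fix-now" if score >= FIX_NOW_THRESHOLD else "scheduled"
        out.append(Decision(e, score, queue, f"owner={c.owner}"))
    # Scored items first, highest score first; unscored items keep their input order at the end.
    out.sort(key=lambda d: (d.score is None, -(d.score or 0)))
    return out

def demo():
    """Constructed sample inventory: two well-documented assets, two with gaps."""
    contexts = [
        AssetContext("payments-api", business_impact=5, owner="payments-platform", internet_facing=True),
        AssetContext("build-runner-07", business_impact=3, owner="devops-ci"),
        AssetContext("legacy-intranet-wiki"),                 # impact never documented
        AssetContext("hr-portal", business_impact=4),        # impact known, owner unknown
    ]
    exposures = [
        Exposure("payments-api", "finding-1", exploited_in_wild=True, reachable=True),
        Exposure("build-runner-07", "finding-2", exploited_in_wild=True, reachable=False),
        Exposure("legacy-intranet-wiki", "finding-3", exploited_in_wild=True),
        Exposure("hr-portal", "finding-4"),
        Exposure("build-runner-07", "finding-5"),
    ]
    return prioritize(exposures, contexts)

if __name__ == "__main__":
    for d in demo():
        print(f"{d.queue:13} score={d.score!s:4} {d.exposure.asset}/{d.exposure.finding} ({d.reason})")
```

Note that finding-3 is listed as exploited in the wild yet lands in "needs-context": without a documented impact the likelihood signal alone cannot produce a defensible priority, and surfacing that gap to a human is the correct output. Swapping the constructed weights for an organization's own rubric does not change the structure; what matters is that impact and owner are read from a record rather than inferred.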
AI won’t fix proactive security on its own. It will amplify the good and bad foundations you already have. To modernize securely, teams must strengthen how they answer the six questions across visibility, prioritization, and remediation and ensure that context is documented and readable for AI agents.
Forrester clients can view our full report, The Future Of Proactive Security, and schedule a guidance session with me to discuss these trends and your program further.