Date: 2025-05-19

That’s how Stephanie Carruthers, IBM’s Global Lead of Cyber Range and Chief People Hacker, recalls feeling back in 2022. ChatGPT had recently brought generative artificial intelligence into the public consciousness. Its combination of eerily human language skills and deep knowledge base had many wondering how it might change the world.

And how it might change their jobs.

“When it was first introduced, people kept asking me: ‘Are you scared AI is going to take your job?’” Carruthers says. “I thought it couldn’t. We would have to get to the point where AI could really understand a person and build a custom campaign against them before that happened.”

As part of IBM® X-Force®, Carruthers runs mock social engineering schemes and cyberattacks to help companies strengthen their defenses against the real thing. Early generative AI models could cook up some fairly generic phishing scams, but they couldn’t do the sophisticated attacks that cause serious damage. Those schemes require deep research, careful planning and highly targeted pretexts.

But a lot can happen in two and a half years. Today, many large language models (LLMs) can search the web in real time. AI agents, capable of autonomously designing workflows and performing tasks, can take it a step further by using the information they uncover to inform their actions.

It no longer seems like hyperbole to imagine an AI-based bot that can perfectly tailor social engineering attacks to specific individuals. All it needs is a threat actor to set it in motion.

“We’ve reached the point where I am concerned,” Carruthers says. “With very few prompts, an AI model can write a phishing message meant just for me. That’s terrifying.”