Small towns, school districts, and utilities across the United States lack the staffing and basic cyberdefenses needed to fend off a new generation of AI-enabled hacking threats even as larger institutions scramble to shore up their systems, experts told Axios.

The warning comes as cybersecurity leaders say many state and local governments are already struggling with fundamental security practices. including asset inventories, identity management, and multifactor authentication, according to the report. In some rural municipalities and school districts, there are no dedicated cybersecurity personnel at all.

In some cases, the IT lead may also be the school nurse or a town clerk’s family member, Randy Rose, vice president of security operations and intelligence at the Center for Internet Security, told Axios.

The gap is widening as AI tools accelerate the pace at which hackers can find and exploit vulnerabilities. 

“The timeline between when a vulnerability gets exposed and how you respond has shrunk,” Rose told the outlet. “That’s something a lot of organizations aren’t prepared for.”

Survey data underscores the concern. Nearly two-thirds of state chief information security officers said they lacked confidence in their ability to secure government agency and university data, and 47 percent said they were not confident they could defend against AI-enabled attacks, according to an April survey by the National Association of State Chief Information Officers and Deloitte cited by Axios.

The issue has drawn attention on Capitol Hill. Senate Minority Leader Chuck Schumer wrote to Homeland Security Secretary Markwayne Mullin this month expressing concern about the absence of an effective plan to coordinate with state, local, tribal, and territorial governments on AI cyber threats, Axios said. Senior security officials from more than a dozen states also sent a letter to OpenAI, Anthropic, Microsoft, and Google urgently requesting inclusion in projects testing new frontier AI models’ cyber capabilities. 

Experts cautioned that access to advanced AI security tools would not by itself solve the problem. 

“If you have crappy cybersecurity and then you throw AI on top of it, you’re going to have a whole lot of crappy cybersecurity problems to solve,” Chris Grove, director of cybersecurity strategy at Nozomi Networks, told the news outlet. 

Some national governments and large institutions have already been privy to details on the growing threat. Anthropic, the creator of the new Claude Mythos Preview AI, has agreed to brief members of the Financial Stability Board on the cyberthreats its model has identified and the threats it could pose to the public and private sectors, according to a report by the Financial Times. 

Separately, Anthropic has agreed to let Mythos users share cybersecurity threats with others who face such vulnerabilities, The Wall Street Journal said.