Today, cybersecurity has evolved into a multidimensional field encompassing the continuity of public services, the resilience of critical infrastructure, data security, the quality of institutional decision-making, public trust, and strategic autonomy. This is precisely the starting point of the report titled "Cybersecurity in the Age of Artificial Intelligence and Türkiye's Strategic Priorities," published by the Turkish National Intelligence Academy [1]. The report treats artificial intelligence (AI) not merely as a new technological category, but as a strategic force multiplier that simultaneously reshapes the scale of attacks, the speed of defense, decision-making processes, supply chains, and regulatory frameworks.
The most significant impact of AI on the cyber domain is that it transforms the nature and scale of threats at once. Traditional cybersecurity focused primarily on protecting devices, applications, and databases. In AI-powered systems, however, datasets, models, training processes, prompts, plugins, agent-based applications, cloud infrastructures, and decision-support mechanisms all become attack surfaces requiring protection. This expands security well beyond the remit of technical teams, bringing it into direct contact with law, governance, oversight, procurement, human resources, and strategic planning.
One of the most visible dimensions of AI-powered cyber threats is that attacks are becoming faster, cheaper, and more convincing. Intelligent phishing, deepfake audio and video, synthetic identities, fraudulent executive communications, and automated reconnaissance are all expanding the capabilities of threat actors. As a result, individuals' and societies' sense of reality – and their trust in states, institutions, and even one another – can erode in deeply destabilizing ways, amplifying vulnerabilities at the individual, social, and institutional levels. These threats also cast a wide net: targets range from individual users and financial systems to public institutions, defense supply chains, and energy and communications infrastructure. In the age of AI, cybersecurity has thus become inseparable from questions of social trust and institutional legitimacy.
Large language models and agent-based AI systems represent another emerging risk domain. These systems can drive efficiency across public services, institutional workflows, and private sector operations. However, if it remains unclear which data enters the model, which outputs inform institutional decisions, which systems connect to external cloud services, and which operations run without human oversight, efficiency gains can quickly become governance gaps. Risks such as prompt injection, sensitive information disclosure, data poisoning, model inference attacks, excessive permissions, and over-reliance on model outputs must therefore be treated not merely as technical vulnerabilities, but as governance failures with direct consequences for accountability and decision quality. Beyond this, the ethical foundations of these models – and the values and assumptions embedded in them – remain contested, making it difficult to fully anticipate the risks they may pose, particularly in sensitive contexts.
For Türkiye, the main priority is consolidating fragmented practices across AI and cybersecurity under a common risk language, shared standards, and robust coordination mechanisms. The case for central coordination rests not on any impulse toward sweeping oversight, but on the practical need to clarify responsibilities, incident-sharing protocols, audit expectations, and response procedures in an increasingly complex threat environment.
This distinction deserves particular emphasis. When strong coordination in cybersecurity is designed in keeping with the rule of law, it produces a durable and legitimate security capacity – one grounded in proportionality, accountability, clearly defined authorities, and effective oversight. The success of security policy should therefore be measured not only by its capacity to neutralize threats, but by its ability to reinforce legal predictability and public trust. Cybersecurity debates should not, for this reason, be confined to a narrow frame that sets liberty against security. That framing risks either obstructing effective action or eroding the alignment between policy and the public it is meant to serve.
What Türkiye needs is a balanced cybersecurity architecture – one that protects critical infrastructure, ensures the continuity of public services, and safeguards citizen data, while supporting private sector innovation and upholding fundamental rights. Strengthening state capacity in the age of AI does not mean governing the digital domain by discretion. On the contrary, a well-designed cybersecurity architecture demands a framework that clarifies mandates, strengthens oversight, sets boundaries on data processing, and anchors intervention authorities in law.
In this context, a foundation of trust-based collaboration must be built across public institutions, the private sector, academia, and civil society. Critical infrastructure operators, technical providers, financial institutions, and public digital services all exist within the same threat ecosystem. Resilience in cybersecurity is only achievable when that ecosystem operates on shared standards, aligned procedures, and coordinated response capacity.
Türkiye's objectives can be mapped across three time horizons. In the short term, an AI inventory should be conducted across public institutions and critical sectors to establish visibility into which systems operate on which data, what external dependencies they carry, and which decision-making processes they affect. Minimum security requirements should be set for large language models and agent-based systems. Data classification, access controls, logging, and human oversight mechanisms should all rank among the near-term priorities.
In the medium term, public procurement standards, incident reporting requirements, supply chain security, model auditing, third-party dependency management, and sector-wide resilience testing should all be institutionalized. Cyber incident response capacity should be strengthened, and threat-sharing made faster, more secure, and more measurable. For critical infrastructure, the prevailing focus on attack prevention should give way to a resilience approach centered on service continuity.
In the long term, Türkiye should build a strategic capacity capable of managing external technological dependencies, developing domestic testing and certification capabilities, and deepening its cybersecurity ecosystem through public-private-academic collaboration. In the age of AI, digital sovereignty cannot be reduced to domestic software development. It also encompasses control over data, the ability to audit model reliability, ensuring continuity in critical services, and managing the risks that external dependencies may generate in a crisis.
A strategy that lacks public ownership and support has little chance of success. Türkiye's goal should not be an approach that overstates threats or restricts technology use, but the construction of a cybersecurity ecosystem that anticipates risks, strengthens institutional capacity, places human oversight at its core, and rests on solid legal foundations and public trust. In the age of AI, strong state capacity only realizes its full meaning when underpinned by clearly defined legal authorities, institutional coordination, accountability, and strategic autonomy.
[1] National Intelligence Academy, "Yapay Zeka Caginda Siber Guvenlik ve Türkiye’nin Stratejik Oncelikleri," Access via: https://mia.edu.tr/uploads/f/yapay-zeka-aginda-siber-gvenlik-ve-trkiyenin-stratejik-ncelikleri_1.pdf, 2026.
* Opinions expressed in this article are the authors' own and do not necessarily reflect Anadolu's editorial policy.


