AI is advancing faster than corporate governance

There is a widely shared perception in the business environment today: adopting artificial intelligence is, in itself, a leap in digital maturity. This perception is understandable—generative AI tools are visible, accessible, and produce immediate results—but it hides a conceptual distinction that is worth making explicit, especially at this time.

When an executive or collaborator uses an AI assistant to compose an email, summarize a report, or prepare a presentation, they are taking advantage of a high-value personal productivity tool. That is the case with this article, which used AI to improve the writing, investigate relevant issues, and discuss how to properly approach the subject. This experience – fluid, intuitive and useful – applied in the work environment tends to generate the impression that the company has taken a significant step in its evolution towards AI. And it is a step, without a doubt, but it is not the only one that matters nor the one with the greatest capacity for transformation.

Two speeds, one risk environment

To better understand the current landscape, it is useful to distinguish between two categories of artificial intelligence adoption in the corporate environment, which are advancing at very different rates.

The first is personal productivity AI: tools such as Copilot, ChatGPT or Gemini, which individuals adopt with relative ease and which generate visible benefits in the short term. According to a study by the Humanism and Business Research Center of the Universidad del Istmo (2025), 41% of Guatemalan companies are already in this phase of active exploration.

The second is robust enterprise AI: systems integrated into critical business processes, with access controls, continuous auditing, identity management (including non-human identities, such as the AI agents themselves), data governance and regulatory compliance. This level requires deliberately designed architectures and explicit governance frameworks. In Guatemala and in the region, this maturity is still incipient.

The gap between the two speeds is not a weakness exclusive to Guatemala; it is a global phenomenon, and most organizations in emerging markets find themselves in a similar situation. The relevant thing is to be aware of this, because the threat environment has changed significantly.

When AI also works for the adversary

The context that makes this distinction urgent is that artificial intelligence is not only being adopted by legitimate companies. Its offensive capabilities are also evolving, and the most recent and concrete evidence of this comes from an unexpected source: the AI research sector itself.

On April 7, 2026, Anthropic announced its Claude Mythos Preview model along with an unusual decision: not to make it available to the public. The reason was that, during internal testing, the model demonstrated an unprecedented ability to identify and exploit security vulnerabilities in critical systems completely autonomously, without human intervention after initial training.

In tests on the Linux kernel, Mythos was able to select the most exploitable vulnerabilities from a list of 100 and construct working exploits in more than half of the attempts. It also identified decades-old vulnerabilities in widely used operating systems, web browsers, and cryptographic libraries. It did so the same way an expert security researcher would, but at the speed and scale of a machine.

What makes this case relevant for any executive is what Anthropic itself points out in its technical report: these capabilities were not explicitly programmed. They emerged as an indirect consequence of general improvements in reasoning and programming. In other words, the same advancement that makes a model better at writing, analyzing, or programming also makes it more effective at finding and exploiting vulnerabilities. The distinction between productive AI and offensive AI is, at its core, a distinction of intent, not capability.

In response, Anthropic launched Project Glasswing: an initial consortium consisting of Microsoft, Google, Apple, Amazon Web Services, JPMorgan Chase, and Nvidia, aimed at using Mythos defensively to find and fix vulnerabilities before malicious actors do. The purpose is precisely that: to give the defender an advantage in a race that the attacker could otherwise win first.

Guatemala: real digitalization, governance under construction

The CIHE study reveals that 44% of Guatemalan companies still do not use artificial intelligence in any key area and that, among those who are adopting it, cybersecurity and data confidentiality concerns top the list of fears: 63% of those surveyed.

There is, therefore, awareness of the risk. What is still under construction are the frameworks to manage it.

The specific challenge that arises from combining these two elements—increased digital exposure and AI adoption even without consolidated governance frameworks—is that corporate AI agents can become an unmanaged attack surface. An AI agent with access to critical systems, without adequate privilege control and without behavioral monitoring, introduces a risk vector that traditional security models do not contemplate.

Act with information, not urgency

The good news is that organizations that understand this distinction are better positioned to act clearly. This is not about slowing the adoption of AI – that would be counterproductive – but rather about ensuring that the speed of adoption does not exceed the capacity of governance.

This implies, in practical terms, three conversations that every organization should have right now:

Do we know which AI tools operate in our company, with what access and under what controls?

Do our identity and access management frameworks address non-human identities—bots, agents, and automated integrations?

Do we have visibility into the behavior of those systems in real time?

These are not exclusively technical questions; they are corporate governance questions. And, as artificial intelligence becomes integrated into more business processes, the responsibility for responding to them increasingly falls on executive leaders, not just technology teams.

Miguel Caldentey is a partner at Technology Consulting and has more than 30 years of experience in management and technology consulting for the financial services industry in Latin America and the Caribbean. He is recognized for leading large-scale transformation programs, managing multi-country operations, and generating measurable business results for top-tier banks and financial institutions. He currently leads the Agentic Transformation initiative in Central America, Panama and the Dominican Republic.

Miguel Caldentey is a Partner and Technology and Transformation Leader at Deloitte for Central America, Panama and the Caribbean. He is a specialist in technology, AI governance, digital transformation and enterprise cybersecurity with more than 30 years of experience.

This content is produced under the editorial alliance “Don’t let them scam you”, in conjunction with the Banking Association of Guatemala, an agreement that seeks to raise awareness among Guatemalans about the dangers of online scams.
