The Tech Debt Crisis Is Coming

Like the American middle class living paycheck to paycheck, organizations near or below the security poverty line are one big incident away from catastrophic bankruptcy. They got here through years of underinvesting in core capabilities and unified architecture, not stupidity, but a long series of decisions that prioritized shipping over sustainability. And now every smaller incident consumes the cycles that could have gone toward paying down that debt, making the hole deeper every time.

Tech debt isn’t just a code quality problem. It’s an operational survival problem. The environment is too complex to reason about, too brittle to refactor, and too interconnected to safely improve. Every incident response leaves the org a little more exhausted and a little further behind.

We’re rapidly approaching a security crisis that looks like the financial crisis of 2008. Thousands, maybe millions, of companies with business models that cannot afford proper security are about to get breached and go out of business. Like the families with mortgages they couldn’t afford, many of these companies were on borrowed time to begin with. The unsympathetic response will be “they shouldn’t have been in business at all,” but people will still be out of work, investors will still be out of money, and the ripple effects will be real.

And AI is only going to make this worse.

AI Is Like Tax Cuts

Here’s an analogy that’s going to make half of you mad: AI investment right now is like tax cuts. It feels great, it might genuinely juice productivity in the short term, and it absolutely makes the underlying structural debt worse.

The cost of writing code is now nearly zero. That sounds incredible until you realize there’s no longer a natural economic brake on deploying new stuff. Every feature request can be shipped. Every half-baked idea becomes a pull request. Consider the monstrosity that is Microsoft Office: thirty years of features added to satisfy the demands of some enterprise customer, perpetuated across the ages, accreted into a product so bloated and bug-ridden that a single email parsing vulnerability can take down a hospital. Nobody planned that.

AI removes that forcing function entirely.

The big FAANG companies that are all in on AI are doing quarterly five-figure layoffs. Smaller companies trying to keep up, and desperate to be hip, are going to follow them to their doom. If you can’t reason about your current complexity, you cannot safely have an AI enhance or rewrite large swaths of your codebase. Re-architecture is already off the table because fear of breaking production still reigns supreme. With a fragile architecture, even small changes have big risks. AI doesn’t solve that. AI amplifies it.

That’s the trajectory for organizations that don’t address tech debt before going all-in on AI. More code, more attack surface, more complexity, and the same overwhelmed team trying to hold it together.

The Iron Bank Will Have Its Due.

Tech debt isn’t just a resiliency problem. It’s a security problem, and adversarial AI use is about to make it a catastrophic one.

Rich Mogull’s Core Collapse plays out the scenario with uncomfortable clarity. Attackers operate in bounded problem spaces: find a path to an objective, exploit it, move on. AI makes them dramatically more effective at searching that space, with faster exploit development, automated attack graph traversal, and continuous iteration at machine speed. Defenders face the opposite problem. They have to protect everything, all the time, against every possible attacker. That’s a combinatorial complexity problem that AI doesn’t solve. It compounds.

The defender’s model that has carried us through the last decade (find bad thing, patch it, stop attacker) starts to collapse when exploit development cycles drop below defensive response cycles. When an attacker’s AI can discover a vulnerability, develop an exploit, and start traversing your environment faster than your team can build, test, and deploy a patch, your detection-and-response playbook becomes a liability. Rich frames this as “every day is day zero.”

Now layer tech debt on top of that picture. If you can’t reason about your own environment, if your dependency graph is a mystery, your authorization model is “we think only admins can do that,” and your data classification is “somewhere in S3,” your ability to use those same technologies to defend is nil.

“Couldn’t defend themselves against AI-powered threat actors” wasn’t in the Citrini Research 2028 outlook, but it should have been. This is the security catastrophe hiding inside the AI hype cycle.

Rich’s prescription for organizations below the security poverty line is to outsource:

Under-resourced organizations can choose between being repeatedly breached or outsourcing their security to someone better-resourced. And they won’t really be able to just outsource the security function; they’ll need to outsource their applications and hosting to companies that can defend at scale.

I respect Rich enormously, but I think he’s wrong here, and tech debt is exactly why.

You cannot outsource technical debt reduction. MSSPs are like credit counselors: useful, well-meaning, and ultimately limited to telling you what you already know deep down but don’t want to face. They can tell you how to stop the bleeding. They cannot unwind a decade of architectural decisions, normalize a fragmented identity model, or create security boundaries where none were designed to exist. The more an organization has underinvested in secure architecture, operational excellence, and data governance, the harder it becomes to even hand the environment to someone else in a state they can actually defend.

At the end of the day, a household drowning in debt has three options: make more, spend less, or declare bankruptcy. Organizations have roughly the same menu. Outsourcing is not any of those three things.

And Rich’s supernova metaphor? He’s right that a star collapses and something new forms. But let’s be honest about the timeline. When a star collapses into a supernova, it obliterates everything in that solar system first. Something does eventually form from the wreckage, but we’re talking billions of years and nothing you care about survives the experience.

Build Your Technology Troika

So what do you actually do about this?

The answer isn’t another AI tool. It’s organizational alignment. I’m calling it the Technology Troika: three teams that have to move together before AI investment will pay dividends instead of exploding in your face.

Your Troika is your Finance/FinOps team, your Security team, and your Platform team. These three groups need to come together and build a sustainable foundation before the agents start shipping code. FinOps brings the cost visibility to know what you’re actually running and what it’s worth maintaining. Security brings the risk context to know what’s one breach away from catastrophe. Platform brings the architectural judgment to know what can be saved and what needs to go.

None of these teams can do it alone. FinOps without security context will optimize cost while leaving gaping holes. Security without platform context will mandate controls nobody can actually implement. Platform without financial discipline will rebuild the same mess on shinier infrastructure. This is Modern Cloud Governance across your entire tech stack. The catch is that now you must build something that is easy to understand and deploy for both humans and machines. And it cannot fall into the typical platform trap of “let’s make everything a container so we can run Kubernetes” while ignoring the architectural and business requirements of the applications it needs to support.

Only once you have that sustainable platform can you start to eat the elephant, and you do that one bite at a time. Organizations that want to compete in an AI-accelerated world need to tackle tech debt before they open the AI firehose. That means:

  • Investing in the unsexy foundation work: IAM hygiene, data classification, dependency mapping
  • Ruthlessly prioritizing what gets maintained versus what gets retired
  • Accepting that some of what you’ve built needs to be abandoned, not refactored

Marko Helenius has a provocative take: You Need to Abandon Your AWS Account After 2 Years. The idea is that entropy accumulates faster than most organizations can manage it, and the only real fix is a clean greenfield migration. That’s a radical position, but it’s not wrong as a diagnosis, even if the cure isn’t practical for most.

One thing I’m confident about: you cannot buy your way out of this with more AI tooling. The vendors will tell you otherwise. They’re selling something. The math doesn’t work if your foundation is rotten.
