by Lisa Ventura MBE FCIIS, Chief Executive and Founder, AI and Cyber Security Association
When I was diagnosed as autistic and ADHD at the age of 48, a lot of things in my career suddenly made more sense. The interfaces I had quietly fought with for years. The training modules that asked me to behave in ways my brain simply does not. The video calls that felt like they were grading me on a set of social cues I had never agreed to be assessed on. None of that disappeared after the diagnosis. What changed is that I stopped assuming the problem was me.
I am thinking about all this again as AI tools work their way into almost every part of the cyber security profession. We are now building, buying and depending on systems that make assumptions about how human beings think, communicate and behave. Those assumptions are being baked in at scale, in many cases without a single neurodivergent person in the room. The consequences are quietly serious, and the cyber security community needs to be part of the conversation.
A Design Problem That Becomes a Security Problem
Most of the AI tools entering the workplace right now have been designed around a fairly narrow picture of the average user. They assume a particular kind of attention pattern, a particular communication style, a particular tolerance for noise, density and interruption. They reward people who interact with them in a neurotypical way and produce friction for everyone who does not.
For neurodivergent professionals, that friction shows up in dozens of small ways every day. AI assistants that bury the answer under three paragraphs of conversational filler. Summarisation tools that strip out the structural cues an autistic reader relies on to follow an argument. Voice interfaces that misread an ADHD speech pattern as confused or off-topic. Productivity dashboards that score sustained focus as the only kind of useful work. Meeting transcription tools that flatten the way many neurodivergent people actually communicate, then feed that flattened version back to managers as evidence of performance.
That is a design problem, and in the cyber security context it quickly becomes a security and governance problem too. When the people protecting our systems are working with tools that fight them, attention is split, errors creep in and trust in the technology erodes. When neurodivergent talent is excluded from designing those tools, the workforce we so badly need in this profession becomes harder to attract and harder to retain.
Where the Accessibility Gaps Bite Hardest
A few areas deserve a closer look, because they sit squarely inside the AICSA’s remit.
Security awareness and training is one of them. A great many awareness programmes have started using AI to personalise content, simulate phishing and score employee behaviour. Done well, that is a genuine improvement. Done without neuroinclusive design, it punishes the very people who often see threats earlier than their colleagues. Autistic staff who scrutinise a phishing email word by word may be flagged as slow. ADHD staff who click and then immediately question what they have just clicked may be marked as careless. The metrics flatter a particular cognitive style and quietly write off the rest.
Behavioural analytics and insider threat tooling is another. These systems are trained to spot anomalies in user behaviour. Neurodivergent staff are anomalous by definition compared to a synthetic average. Working at unusual hours, hyperfocusing for long stretches, switching context frequently or communicating in a direct style can all be misread as risk indicators. The result is a steady drip of false positives that wastes investigator time and, more seriously, can shape how managers see individual employees.
Recruitment is a third. AI-assisted hiring tools are already screening cyber security candidates for tone of voice, eye contact, facial expression and word choice during video interviews. There is good evidence that those signals correlate with neurotype rather than capability. We are filtering out the people the profession most needs, at a moment when the skills gap is widening, and we are doing it with systems that present themselves as objective.
Then there is the user-facing layer of AI itself. Many large language model interfaces still default to dense paragraphs, hidden options and conversational warmth that some users find supportive and others find overwhelming. Customisation, where it exists, is buried. The principle that accessibility should be a starting assumption rather than a setting on a menu has not yet reached most of the AI products we now rely on.
What Good Neuroinclusive AI Actually Looks Like
Good neuroinclusive AI is not a feature set bolted on at the end of a development cycle. It begins with who is in the room when the product is conceived.
That means neurodivergent researchers, designers, testers and reviewers involved from the earliest stages, with their input weighted as seriously as anyone else’s. It means user research that includes people who think, read and communicate in different ways, and it means paying those people properly for the expertise they bring.
It also means certain design principles being treated as table stakes rather than nice to haves. Multiple modes of interaction so users can choose between text, voice and visual input depending on what their brain needs that day. Adjustable density so the same answer can be returned as a short summary, a structured breakdown or a fuller narrative. Clear signposting so users always know what the system is doing and why. Predictable behaviour, so the tool does not change its tone or its layout without warning. Honest acknowledgement of uncertainty, because vague confidence is exhausting to interpret and dangerous to act on.
In the cyber security context, neuroinclusive AI also means awareness and training tools that measure understanding rather than conformity, behavioural analytics that account for cognitive diversity in their baselines, recruitment systems that are audited for disparate impact on neurodivergent candidates and user interfaces that do not assume one kind of attention.
None of this is rocket science, and most of it is good design.
The Cyber Security Skills Argument
Cyber security has a long-standing relationship with neurodivergent talent. A significant proportion of the people who are very good at this work think in ways that the rest of the world calls unusual. Pattern recognition, hyperfocus, lateral thinking, an instinct for systems and a refusal to take official explanations at face value are not incidental to the profession. They are some of its most valuable raw material.
If the AI systems we are building around our security teams quietly exclude those same minds, we are weakening the workforce we depend on while telling ourselves we are modernising it. That should worry every CISO, every head of awareness and every board that takes its cyber risk register seriously.
This is one of the reasons I founded Neuro Unity. The conversation about neuroinclusion needs places to happen that are run by neurodivergent people, for organisations that genuinely want to do better. The AICSA’s interest here is narrower and more specific. We want neuroinclusion treated as part of the AI security and governance conversation, not as a wellbeing add-on that lives in a different policy document.
Where the AICSA Stands
The AICSA’s position is straightforward. AI systems that affect how people are recruited, trained, monitored and protected at work must be designed and assessed with neurodivergent users in mind from the outset. Procurement teams should be asking vendors what neuroinclusive testing they have done and what the results showed. Security awareness leads need to review their AI-enhanced programmes for the kind of unintended bias outlined above. CISOs need to know whether their behavioural analytics tooling has been audited for disparate impact. Boards should be treating cognitive diversity as part of their AI risk picture, rather than parking it in a separate diversity workstream.
We will continue to make this case in the policy work we do and in the standards conversations we contribute to. We would also like to hear from neurodivergent professionals working in AI and cyber security about what you are seeing in your own organisations, and from leaders who are trying to do this well and want to share what is working. You can reach us at hello@aisec.org.uk, the conversation is overdue, and it is one that the AICSA is glad to host.





