7 Predictions for 2024
Why predict the future every year?
It may be a bit of a fool’s game, but it’s also rather important for decision making and planning. Any executive worth their salt is looking ahead at least a year to understand what changes are coming and how that might impact opportunities, threats, and where to spend time and money in the coming months.
How I did last year
Last year, in my 6 Predictions for Cybersecurity in 2023 article, I was about 50/50 on my predictions. I’ve put the detailed scorecard at the bottom of this post. But one thing that became clear is that I made a bunch of predictions about trends, particularly around marketing, but that I had no good way to measure these things. So this year I’ll specify the exact criteria for each prediction to consider it a success.
My 2024 Predictions
1. Interest rates and inflation both ease, but not quickly enough
Despite massive spending on two foreign wars and continued friction in global trade and shipping, inflation excluding energy will dip under 2%. But the Fed was so fast and aggressive in tightening monetary policy and raising interest rates that, by waiting until inflation falls to ease up, it will already be too late.
By which I mean we’re likely heading towards recession with the downturn starting in 2024, but not necessarily declared formally until late ‘24 or early ‘25.
- Prediction criteria:
  - federal funds rate ends 2024 at or below 5% (it’s currently 5.25-5.5%)
  - inflation excluding energy dips under 2% in at least one quarter in 2024
  - we see two consecutive months where spending (seasonally adjusted) declines
2. Tech sector: a tale of the haves and the have nots (either you have the AI gleam or you don’t)
The tech sector has been struggling. The tech job market is chilly. M&A was down significantly in the second half of 2023, and the amount of venture funding and the valuations of companies were down across the wider tech sector. This is likely to continue for at least the first half of 2024 for most of the tech industry.
VC funds are raising less money from their limited partners (LPs) than they were in 2022, probably due to the more attractive investments elsewhere and the greater economic uncertainty. Though it takes a while for this to have an impact on investing (VC funds generally invest over 3-5 years), it will bring additional pressure on VCs to be more conservative with their funds, which means fewer investments and smaller check sizes.
The exception to this story is AI. This year, any startup that is raising capital will have an AI story because the excitement of recent breakthroughs is fueling quite a bit of investment and even frothiness in an otherwise conservative environment. Companies without a good AI story will likely struggle. Valuations and investment in “hot” AI companies will skyrocket, while the rest of the field makes do with minimal or no fresh capital.
- Prediction criteria:
  - VC funding in 2024 will be lower across the board versus 2023 levels both by (a) number of investments, and (b) overall invested dollars
  - M&A excluding AI companies and AI security companies will be down as measured by total dollars spent across disclosed deals
  - more than 30 AI startups will buck the overall trends and raise seed rounds of over $15m (which is high for a first institutional investment round) as some are able to cash in on the feeding frenzy
3. AI leaps forward: new discoveries will radically change everything
At the start of 2024, the “new AI” landscape, from a developer perspective, is extremely fractured. Developers are chaining together services and libraries for AI workflows that can better process, understand, and generate content. Higher-level developer tools will alleviate this fractiousness.
Today, just a few companies enjoy great control over major portions of the AI tech stack, and particularly over the models. But the moat is going to shrink. I expect breakthroughs that put the open-source models on par with those produced by OpenAI and other big tech companies. This will be driven by breakthroughs that make it more practical for less well-resourced companies and individuals to create and refine their own LLMs.
Beyond incremental improvements in existing tech, we’ll see more significant breakthroughs in AI functionality. In 2023, AI leaped forward in its understanding of language and visuals and also in its ability to generate text and images. This is impressive, but AI has also been plagued with “hallucinations”, where it makes stuff up in extremely plausible ways or where the image generator gives humans extra limbs and so forth. This is because these systems don’t have any critical thinking component that’s able to reason or apply logic to their task. Current models just guess what’s plausible based on what they’ve previously seen.
But in 2024 we’ll likely see breakthroughs that bring other types of processing and understanding to these systems, such as the rumored “Q*” breakthrough at OpenAI allowing a new model to solve math problems that it hasn’t seen before. If the rumors are true, and if they release the breakthrough (their attachment to being “open” seems akin to Google’s attachment to not being evil in 2015, which is to say, strained), this would be hugely impactful. Combining predictive completions with logic and reasoning would take these systems from tools for summarization, classification, and organization to systems that could more completely replace a myriad of human tasks.
- Prediction criteria:
  - open source LLMs will achieve better performance than GPT-4 currently enjoys with (a) at least one model getting over 86% on the MMLU multiple-choice test, and (b) over 96% on the ARC reasoning challenge
  - we’ll be able to use models that can evaluate logic questions and math that they haven’t seen before
4. AI adoption: the ill-advised rush to adopt AI Agents
The tech industry is rushing to adopt new AI technologies, releasing new features to existing customers and spinning out tons of startups with ideas for how to make money on these new tools. Use of AI will soar as a result.
But the competition to do new and innovative things is what’s going to get us into trouble as it will tempt tech companies to deploy “AI Agents.” Agents provide an AI system with access to the outside world. For example, an AI Agent might use an LLM to build an SQL query, execute that query against a database, and then map the spreadsheet-like results into an understandable summarization. Note: the “AI” isn’t doing the thing here; what we’re talking about is an app that leverages the AI and chains inputs and outputs together across systems.
But the LLM’s generation of an SQL query is the part that is ill-advised and downright scary. That’s because what we see as hallucinations in one context will show up as full-fledged errors in another. And there’s an element of randomness to LLM outputs, so you can ask the same question five times and end up with different results. This makes it hard to ensure the system you’ve built is always going to do what you think it’s going to do. Maybe instead of querying data, it deletes it instead. Just once in a hundred tries, perhaps, but that’s enough.
Put another way, empowering these systems to write code or queries (API, data, SQL, whatever) is extremely concerning. In regular coding by a human, any given bug could be a security vulnerability, and it’s no different with machines, but now we’re talking about truly dynamic code without code review or static analysis for vulnerabilities and in many cases, the code will never have been tested before. And if that doesn’t give you nightmares, then you aren’t thinking this through.
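One way to contain the failure described above, where the model occasionally writes a delete instead of a query, is to stop trusting the generated SQL and constrain the connection it runs on. The following is an added example, not code from the original post; the table names, function allow-list and sample model outputs are constructed for illustration, and SQLite stands in for whatever database the agent talks to.

```python
import sqlite3

ALLOWED_TABLES = {"orders"}            # hypothetical: tables the agent may read
ALLOWED_FUNCTIONS = {"count", "sum"}   # hypothetical: SQL functions it may call


def authorizer(action, arg1, arg2, db_name, source):
    """SQLite calls this while compiling a statement; deny by default."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 in ALLOWED_TABLES:
        return sqlite3.SQLITE_OK          # arg1 = table, arg2 = column
    if action == sqlite3.SQLITE_FUNCTION and (arg2 or "").lower() in ALLOWED_FUNCTIONS:
        return sqlite3.SQLITE_OK          # arg2 = function name
    return sqlite3.SQLITE_DENY            # INSERT/UPDATE/DELETE/DROP/PRAGMA/ATTACH...


def build_demo_db():
    """Constructed sample data standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT, total REAL);
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT);
        INSERT INTO orders (status, total) VALUES
            ('shipped', 20.0), ('shipped', 35.5), ('pending', 12.0);
        INSERT INTO customers (email) VALUES ('a@example.com');
    """)
    conn.commit()
    return conn


def harden(conn):
    """Apply both layers before any model-written SQL touches the connection."""
    conn.execute("PRAGMA query_only = ON")  # engine refuses writes on this connection
    conn.set_authorizer(authorizer)         # PRAGMA is now denied, so it stays on
    return conn


def run_agent_query(conn, sql, max_rows=100):
    """Run one model-written statement; return ('ok', rows) or ('blocked', reason)."""
    try:
        cur = conn.execute(sql)             # execute() rejects multi-statement strings
        return "ok", cur.fetchmany(max_rows)
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return "blocked", str(exc)


# Constructed stand-ins for what a model might return for the same question
# ("how many orders per status?") on different runs.
SAMPLE_MODEL_OUTPUTS = [
    "SELECT status, COUNT(*) FROM orders GROUP BY status ORDER BY status",
    "DELETE FROM orders WHERE status = 'pending'",
    "SELECT email FROM customers",
    "SELECT COUNT(*) FROM orders; DROP TABLE orders",
]

if __name__ == "__main__":
    db = harden(build_demo_db())
    for sql in SAMPLE_MODEL_OUTPUTS:
        print(run_agent_query(db, sql), "<-", sql)
```

The check runs when the statement is compiled, so a denied statement never executes, and it does not depend on pattern-matching the SQL text. In production the same idea is usually expressed as a database role with read-only grants on specific tables.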
- Prediction criteria:
  - we’ll see numerous (more than two dozen) startups touting AI Agents (by that name or another) and offerings along these lines from OpenAI (actually, they have a Marketplace coming next week where they’ll host third party AI agents, so scratch this one), and (a) Amazon, (b) Microsoft, and (c) Google who will all rush to put out AI systems that are generating and executing various types of code.
  - we’ll also see at least one spectacular failure where an AI Agent causes some harm or is the vector of an attack
5. AI security: let the confusion (and consolidation) begin
Begin? That’s ridiculous because the confusion is already here. Security companies are anxious to stake their claims around AI in a new category without well-defined sub-categories. Customers will have a hard time understanding how much of their AI tech stack is protected and how much of it is exposed or even how to weigh the relative risks of these. And security companies will endeavor to make this all much worse.
When we talk about AI and security, it can be confusing. We could be talking about old-school cybersecurity offerings that get “smarter” with new AI tricks like AI-powered anti-virus and firewalls and such.
Or we could be talking about solutions that defend against AI-powered attacks like systems that detect deep fakes and more compelling AI-generated phishing attacks, for example. AI is hungry for data and all of the world’s most sensitive data will be flowing through these AI systems in the near future, if not already.
But where I think we’ll see the most confusion (and are already seeing it) is in the many new vulnerabilities and types of attacks that can be aimed at the AI systems themselves. The new threats and solutions fall into a few categories:
- Model training phase – most companies adopting LLMs and similar technologies won’t have to worry about this, but the data that you use to train a model might be sensitive, so many security solutions are focused on the training data, understanding what’s in it, redacting it, anonymizing it, and so forth.
- Model use – watching what flows into a model in use can reveal a lot of information, and carefully crafted inputs might allow the model to be manipulated, so solutions possibly block some inputs, watch for prompt injection attacks, watch for model inversion attacks that extract training data, and watch what flows out of a model for evidence of successful attacks.
- Model memory – querying data with natural language is done on AI-generated embeddings, which are stored in vector databases and which can be reversed back to the original input with embedding inversion attacks (full disclosure: this is what my company protects against)
- Governance – classifying, tracking, expiring, and otherwise managing personal data in these systems.
- Miscellaneous – adaptation of existing tools for AI system purposes including DLP, access control, intrusion prevention, etc.
There aren’t any comprehensive AI protection solutions today, but it’s likely that customers will want and expect more complete packages so they don’t need to cobble together a dozen different solutions. This pressure will lead to consolidation and increased M&A in the cybersecurity realm.
- Prediction criteria:
  - at least 10 dedicated AI security startups (pretty much all of whom are just getting started) are acquired this year (as far as I can tell from Crunchbase, zero were acquired in 2023)
6. Regulations: more privacy laws in effect and more AI laws on the books
Some of my worst predictions, historically, have been around regulations and whether they’ll pass and what effect they’ll have on markets. My first instinct is to avoid this area entirely for predictions. But there’s a lot of virtual certainties about 2024 that are worth covering here because they absolutely do matter.
First, in the U.S., states will continue to take the reins in privacy. Four new state privacy laws go into effect in 2024: Texas, Oregon, Florida, and Montana. Utah’s law went into effect on 12/31/23. 13 states have so far passed comprehensive privacy laws and of those 8 will be in effect by the end of 2024. More are wending their way through legislatures.
Second, laws regulating AI will be passed around the globe. The EU Parliament and Council agreed on the text of a bill in December and it now just needs formal adoption.
In the U.S., both parties are keen to be seen as strong on regulating AI and there will certainly be a lot of movement in Congress on this topic, but given that it’s an election year, whether anything is passed is far from a certainty. Frankly, it might be one of the only things that pass, but I wouldn’t bet on it. In fact, I’m going to bet against it. The bi-partisan Federal privacy bill has been frozen for years now.
Independent of Congress, the FTC has signaled that it will be going after companies that deploy AI without appropriate safeguards if it negatively impacts consumers. So even without new laws, we’ll see some enforcement. Just last month the FTC settled with Rite Aid after they used facial recognition for surveillance in their stores and accused innocent customers of being thieves. Rite Aid is now banned from using facial recognition in their stores.
- Prediction criteria:
  - no new Federal privacy or AI legislation that is general in nature (not specific to finance or health or another vertical) will be signed into law
7. No major workforce changes following AI deployment
I’ve been pondering the impact of AI bots on specific jobs and industries. Hollywood writers took their stand recently and earned some protection, but not all positions are likely to have collective bargaining. In particular, I wonder about the impact on call centers, graphic artists, marketing, and plenty more. Most first-tier customer support reps are just following instructions and set steps to resolve common and repeating problems (“try rebooting your cable modem, sir”). Companies have spent years trying to automate responses to calls asking common questions around billing or troubleshooting, but customers have little tolerance for the unidirectional voice-based menu trees that are currently used. But if that same voice bot could find relevant documentation and summarize it or have an interactive conversation that would narrow down problems, then it could greatly decrease the number of first level reps required.
On the marketing front, there are many tasks that involve summarizing content, producing and testing different messages based on the summary, splintering it into pieces and pushing it out through multiple channels, and so on. These are time consuming tasks that require judgment and, ideally, experiments and A/B testing. But I’ve seen a number of tools that do pieces of this reasonably well. Not so well that you’d trust the AI to just do the job, but well enough that productivity can be increased massively for marketers. But does this productivity increase mean companies will need fewer marketing folks on the team? Maybe so.
The tools are sophisticated enough to have a massive impact on productivity and a resulting impact on jobs. But will we see that impact in 2024? I don’t think so. It will take a while for the higher-level apps to fully take advantage of these tools and for the users of those apps to learn them and learn to lean on them. It’s the same for customer support. I expect to see a lot of experiments in 2024 as companies that make customer support software add capabilities and the big companies test and experiment with those capabilities and ask for enhancements and so forth. I am skeptical that this cycle, which has already started, will have a big impact on jobs this year. It’s more likely that changes in the economy (up or down) will have a far greater impact on jobs than AI will at this stage.
So is this a non-prediction? No. I’m predicting that AI will boost productivity over the next several years, and that some job segments will be particularly impacted. But I’m predicting minimal (if any) impact on the labor market this year.
- Prediction criteria:
  - job losses and gains for customer support and marketing roles will rise and lower in lock step with the overall labor market (at least on an industry-by-industry basis) without any meaningful gaps opening up in 2024
The prediction I won’t make on the back of events I can’t ignore: the ripples of war in the Middle East and Ukraine
In looking ahead at 2024 and thinking about how events today are likely to develop tomorrow, it’s hard not to think about the Middle East. Simmering issues in the region have erupted back to a boil and it’s likely we’ll have years of fallout. I’m particularly worried about broadening conflict as well as flows of money and new recruits going to extremist groups.
Similarly, it’s worth considering the war that continues on the Eastern borders of Europe in the besieged country of Ukraine. The worry there is that neighboring countries would be pulled in or that Russia, facing losses, embarrassment, and economic pressures, might strike out at other countries. So far, luckily, that hasn’t happened in any major way. At the moment, things seem to be entrenched in an ugly status quo. So I’ll focus for now on the newer and more dynamic conflict rooted in Israel.
My inquiry here is narrow: if the Israel/Hamas war spreads, pulling in more actors and nations, or if retaliatory attacks occur in Europe or farther West, what would that mean for the global economy, for the U.S. tech industry, and for businesses like mine? Rather than predict, let’s just aim to understand how markets have reacted to terrorist events in the past.
Let’s start with a worst-case precedent: the 9/11/2001 attacks. On the heels of those attacks, the Dow Jones index immediately dropped 7%, and in total over the subsequent year, about 14%. The Dow Jones didn’t get back to its pre-attack level for two years, though the market bottom came one year after the attacks. Of course, specific sectors like airline stocks fared quite a bit worse.
But that wasn’t the only event of the time and far from the only thing moving markets. The dot-com bubble burst began the previous year, and the overall stock market was steadily dropping as companies reported poor earnings and tightened their spending in a nasty feedback loop. So these attacks happened in an already poor economic environment, and the stock market performance over the subsequent year cannot be attributed solely to the attacks. It’s also interesting to note that, at the time, interest rates were close to where they are right now.
We’ll only look at one more data point (hardly a comprehensive study) before we leave this uncomfortable subject: the 7/7/05 attacks in London. As with 9/11, this was a coordinated series of strikes, this time with three separate bombings in the London Underground. The impact on the FTSE, an index of British stocks, was easy to miss. The FTSE dropped 1.3% on that day, but stocks globally were little affected (U.S. stocks rose slightly). At the time of the attacks, the FTSE had been trending upward. It started 2005 at around 4,800, was around 5,200 when the attack happened, and ended the year around 5,700, up roughly 20%. In other words, the economic impact, as measured by stocks, was so brief as to be negligible.
Historic terror impacts on the economy: the takeaway
The lesson here is that the general economic trends and stock market direction seem to impact the markets more than specific events such as terror attacks – at least if looked at over the course of months and not days. Unless the attacks somehow influence fundamentals, this is likely to be true in the future as well.
That said, I’m pretty sure specific industries would disagree with this analysis. The defense industry is likely to benefit when threats come closer to home and industries like tourism and travel are likely to suffer.
My conclusion here is that continued escalation is likely, but any short-term impact on the U.S. tech industry is not likely to happen in any sustained way. The tech sector in Israel is an altogether different story, unfortunately, but not one I’ll explore now.
Conclusions for 2024
I’m generally a bull when it comes to the economy and the course of events. And that’s generally borne out (the book Factfulness is a good reminder of the truth of this statement). So it feels pretty bad that after really thinking about chains of events and what to expect in 2024, I’m predicting the start of a recession, further drops in VC funding, and further global turmoil. Not to mention the cynical prediction that Congress won’t pass AI or privacy legislation. And I’ve chosen to stay out of the business of talking about elections since whatever happens there won’t really change anything until 2025. But this is where I’m landing.
But it isn’t all doom. I continue to believe that AI in general will be a good bet and will drive innovation, productivity, investment, and acquisitions. The productivity wins will mostly be farther out, but they will matter a lot to the economy.
Even if we do have a downturn, the sky isn’t falling. It’s unlikely to be protracted or deep. For my part, I won’t be shorting the stock market anytime soon.
2023 Prediction Scorecard
- ✅ Digital attacks on energy supply
  - I said, “Russia wants those sanctions to ease and for that, they need countries to feel pain around energy prices. Watch for attacks against critical infrastructure like grids, pipelines, and shipping companies in 2023 not just in Ukraine, but across Europe and the U.S.”
  - Verdict: Nailed this one. We saw a rash of attacks against critical infrastructure around the world.
- ✅ Post quantum cryptography progress but no major shift yet
  - I said, “In all likelihood, we’ll see meaningful progress in 2023, but no fire drills in cryptography until 2024”
  - Verdict: spot on; standards made progress but haven’t yet finalized. See below.
- ✅ Web3 implosion continues
  - I said, “startups building Web3 apps will have a very hard time raising money or getting sufficient income from users to keep their people employed. We’ll see a massive drop in active projects and startups as the monetary incentives evaporate and the other downsides of Web3 (complexity, poor performance, public records, crypto-currency underpinnings) become more apparent”
  - Verdict: this is certainly the case, although the venture capital spigot has closed substantially for much of the tech industry and not just blockchain startups. But on the Web3 side, the number of active users of distributed apps has fallen off a cliff, and the number of searches for Web3 has as well.
  - I spent extra time trying to quantify this one, but it’s a pain to aggregate all the stats. One nice benchmark is the IPFS project, as it’s popular and folks like Cloudflare are bought in and supporting it. Understanding its popularity means tracking the underlying FileCoin that is used to power its protocol. The price is in the gutter, but what has been the volume? At its peak in 2021, 425.7B coins were traded. In 2022 that was down to 112B and in 2023 it was further down to 70.8B (data from coinmarketcap.com). As a bellwether Web3 app meant to replace the likes of Dropbox, I’d say the implosion definitely continues.
- ◐ Rise of AI powered attacks
  - I said, “brace yourself for more sophisticated and zero-day attacks coming from masses of less sophisticated attackers.”
  - Verdict: we definitely saw an increase in AI attacks, but far more on the social engineering and deep fake side of things than on the zero-day side. AI is not yet helping poor hackers to uncover zero days, but it is absolutely being leveraged to attack organizations, so I’ll take partial credit here.
- ◐ Data breach penalties take off
  - I said, “we expect big fines for companies suffering breaches in 2023,” and, “then there are the state privacy laws. California’s latest, CPRA, and Virginia’s new privacy law, CDPA, both go into effect on January 1, 2023.”
  - Verdict: Facebook’s $1.2B GDPR fine in May matched all of the fines in 2022, making this prophecy an easy win. If you ignore that fine, though, GDPR fines were flat to slightly down, and there were fewer of them in 2023 than 2022. California’s CCPA resulted in a number of threats but only two fines that we know about: one against Google and one against Kaiser. Overall I probably missed on this, but with Meta’s record fine bailing me out I’ll take half credit.
- ◐ Year of the Yubikey
  - I said, “companies are going to start rolling out hardware tokens to more of the workforce and particularly those with access to sensitive information.”
  - Verdict: In the first three quarters of 2023, Yubico net sales were up 17%. I’m not sure that quite qualifies as the “year of the yubikey” though they did well, and I personally had a lot of services offer the option of FIDO-based hardware tokens where they previously had SMS or similar. I think this one largely fizzled, partly because Passkeys took off and these are getting integrated into OSes and browsers. But I’ll take partial credit given Yubikey’s 30% jump in earnings for the Jan-Sep period over the same period the year before.
- ❌ Zero-trust hype tails off
  - I said, “Buyer wariness will lead to a lot less marketing around this concept even though it’s fundamentally a good idea”
  - Verdict: I don’t know a good way to measure the amount of marketing with “zero-trust” in it or how that’s changed over time, but Google Trends again shows that this leveled out but didn’t noticeably drop.
- ❌ Data sovereignty and multi-cloud
  - I said, “There’s a proposed new privacy shield agreement between the U.S. and EU that seems dead on arrival with no progress since its announcement last summer. But even if it should pass, it will be challenged and found wanting, again, unless the U.S. changes its laws to better protect the privacy of citizens and non-citizens alike, which seems unlikely.” I went on to predict an increase in cloud misconfigurations and adoption of encryption.
  - Verdict: we don’t yet have data on 2023 cloud misconfigurations or really on encryption adoption, but we did not have a landslide of new data sovereignty laws as I expected. There are quite a few pending in countries from France to Italy to India, but if anything, data sovereignty relaxed a bit as the EU this summer adopted the new privacy shield agreement making U.S./EU transfers once again legal – for now. It is likely to fall, but 2023 was not a year rocked by data sovereignty, so this was a miss.
- ❌ SBOMs Bomb
  - I said, “This has been likened to putting nutrition facts on the side of food packaging, but in practice, it’s nowhere near as useful.”
  - Verdict: In 2022, software supply chain attacks were a major topic of conversation with Software Bills of Material being the most noisily bandied solution with tons of attention and noise behind it. Personally, I barely heard the term SBOM in 2023, I didn’t see any projects get abandoned because of SBOM issues, and I didn’t see any companies take off with new solutions around it. So I want to say that SBOMs bombed, but in looking at the Google Trends for “SBOM”, it looks like it stayed pretty even through the year, and above 2022’s levels. Most of the interest is in the Washington D.C. area or, if you switch to a global view, you’ll see a huge surge with the top searches on SBOM coming from China. So although this didn’t make it to me in 2023, I’m not sure it really fizzled either. Will call this one busted.
My major lesson learned from the poor performance of last year’s predictions is to stop assuming that a wind down in a hype cycle means something actually drops versus just leveling out. I also overly focused on hype, attention, and interest, which are fairly difficult ideas to measure. Maybe there was less advertising on some of these, but I don’t have a way to test that hypothesis. This year, I focused on more definitive predictions that are more measurable.