Does GenAI Destroy Critical Thinking?

AI Spotlight
AI’s Impact on Critical Thinking

I have a confession to make. My nephew is learning long multiplication, and as he showed me his homework, I realized I had no idea how to do that anymore. Thank you, Excel and calculators.

After quickly refreshing my memory and restoring my confidence so I wouldn’t lose to a 4th grader, I started reading a new research paper titled "The Impact of Generative AI on Critical Thinking."

At the start, I was convinced it would destroy critical thinking. But I was wrong and found that I shifted my thinking. Let me take you on my journey, starting with the paper’s two key conclusions:

Higher confidence in GenAI led to less critical thinking. More people trusted GenAI when it involved trivial or insignificant tasks, when they didn’t have confidence in the subject matter, when they felt pressed for time, and when they didn’t care about the task. Ironically, the more people relied on GenAI, the more they trusted it. A vicious cycle begins.

This all makes sense. And when you aren’t forced to think critically about anything, that skill wanes. Then you find you’re on auto-pilot like a clumsy panda.

Contrarily, higher self-confidence in the subject matter of the prompt led to increased critical thinking. This was mainly because the users wanted to ensure everything was right. Said differently, when they were more likely to know the correct output, they were more likely to double-check the work.

That’s great and all, but I said I was wrong. I went into this thinking that the use of GenAI was going to obliterate critical thinking. And if you based that on just the above findings, I could argue I was right. There’s more to this story, though.

The researchers found that critical thinking skills shifted, just as my thinking did after seeing this. They found a shift in three key areas:

• Recall / Comprehension: Information gathering → information verification

• Application: Problem-Solving → AI response integration

• Analysis/Synthesis: Task execution → task stewardship

It’s all about being an AI shepherd. Sure, you will always have people who will take the panda route. They will just prompt and paste, not thinking about anything they’re doing. And people will notice.

For those who engage, their workflow will shift from collecting data to shepherding the AI tools through validating the output, iterative prompting, and thinking through how to best integrate the AI outputs into their work. With that, the future doesn’t look so bahhhhd (I’m not sorry for this joke).

The paper perfectly defined AI shepherding as “translating intentions into queries, steering AI responses, and assessing if the AI response meets their quality standards for work, while retaining accountability for their work.”

For the Type A’s, this is your chance to go from a 10xer to a 100xer. The new world order will look like this:

• Below-average performers will become average.

• Average performers will become high performers.

• High performers will become exceptional workers.

Security Deep Dive
A Passwordless Future is Closer Than We Thought

I dug into HYPR’s annual “The State of Passwordless Identity Assurance 2025” report. First, I’m all in on their use of the Mona Lisa in their marketing, especially as a pirate. These are the things that GenAI was made for. Absolutely flawless.

More importantly, they dropped some interesting findings from their survey of over 750 global IT security decision-makers.

Here are some of the most interesting stats and my thoughts on them.

49% of firms surveyed reported a breach in the last year. For the remaining 51%, consider yourself lucky or blind. Especially given how much third-party breaches are impacting downstream customers.

Digging further into this, they found that 87% of the breaches were due to an identity issue. Stats like these can be a bit meh (it’s a technical term…) because most cyber-attacks involve a compromised identity. Even if an attack starts with a zero-day vulnerability, it will lead to the attacker compromising some existing identity (like an administrator account) to facilitate their objectives.

Passwordless authentication will finally surpass traditional authentication. Survey respondents indicated that phishing-resistant authenticators will be the most widely deployed method within the next two years, huzzah!

This is huge because deploying phishing-resistant MFA becomes a category killer for account takeovers. The typical MFA bypass techniques are eliminated faster than chocolate cake on a diet cheat day (or any day if we’re honest with ourselves).

The most shocking and sad finding was what “phishing-resistant” meant. 45% of respondents called one-time passwords phishing-resistant, and 36% cited push notifications. I will need a minute to recover from the sadness it brings me. Why does security have to be so confusing!?

To level-set here, phishing resistant means using public-key cryptography-based certificates or public-private keys. To de-nerd that, it’s things like passkeys, hardware tokens, and smart cards. Here’s a primer on passkeys, which will give you the basics.

Security & AI News
What Else is Happening?

◀️ After much denial, hemming, and hawing, Oracle finally confirmed privately to its customers that they were hacked. This comes after a mouthy attacker took to Twitter, security researchers, and news outlets to claim responsibility for an attack against Oracle. It turns out that it was just an old environment, last used in 2017, that was never fully decommissioned. And a lil’ old authentication server sat idly waiting for someone to show it a bit of love...only it was the hacker who sent it an exploit instead of a love letter…and then stole all its data.

💸 Hackers are targeting Australians’ retirement accounts. The financial institution AustralianSuper reported that up to 600 members’ accounts were compromised thanks to stolen passwords. Interestingly, they tell users to use a unique password but don’t mention implementing MFA…so it’s either really bad advice or they don’t offer MFA. Not cool.

🤕 There’s a general rule for Russian hackers. Don’t hack your own. If you’re curious as to why, Russia just sentenced a Russian citizen to two years in a penal colony. His crime? Launching a DDoS attack against a Russian tech company. Meanwhile, other Russian attackers continue to make millions in ransomware attacks against international targets.

✈️ North Korean IT workers are now expanding their “remote work” to Europe. This follows a series of law enforcement activities that shut down laptop farms that helped IT workers in North Korea gain lawful employment through unlawful means at US companies.

🤔 Some Internet rando is reaching out to security researchers, asking them to hack Chinese websites and drop web shells, which are web pages that provide backdoor access to the system. No one seems to know if it’s real or just a troll, especially considering they’re offering a “monthly salary of up to $100,000.”