GPT Can Build Security Tools Now, and That Changes Everything

Simon Willison just showed us something remarkable: GPT-5.5 built a working CSP security tool. This isn't another AI demo, it's proof that we've crossed a line.

For context, Content Security Policy (CSP) is a web security mechanism that's notoriously fiddly to get right. Willison's experiment lets apps run in protected sandboxes, intercept security errors, and dynamically update allow-lists with user permission. It's proper security engineering, not a toy.
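To make the "intercept a violation, ask the user, extend the allow-list" loop concrete, here is an added sketch that is not Willison's code or anything GPT-5.5 produced. The function names, the `EDITABLE` set and the https-only rule are assumptions; `effectiveDirective` and `blockedURI` are the fields a browser's `securitypolicyviolation` event carries.

```javascript
// Added example: function and field names other than the browser's
// SecurityPolicyViolationEvent properties are hypothetical.
const EDITABLE = new Set(['script-src', 'script-src-elem', 'style-src',
  'style-src-elem', 'img-src', 'connect-src', 'font-src', 'media-src']);

// Parse a policy string into Map(directive -> sources); first duplicate wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

function serializeCsp(directives) {
  return [...directives].map(([n, s]) => [n, ...s].join(' ')).join('; ');
}

// Reduce a blocked URI to a bare https origin. Keyword values such as
// "inline" or "eval" and non-https schemes return null and are never allowed.
function approvableOrigin(blockedURI) {
  try {
    const url = new URL(blockedURI);
    return url.protocol === 'https:' ? url.origin : null;
  } catch {
    return null;
  }
}

// violation: { effectiveDirective, blockedURI }; askUser(directive, origin) -> boolean.
function applyViolation(policy, violation, askUser) {
  const name = violation.effectiveDirective;
  const origin = approvableOrigin(violation.blockedURI);
  if (!EDITABLE.has(name)) return { policy, changed: false, reason: 'directive-not-editable' };
  if (!origin) return { policy, changed: false, reason: 'not-an-https-origin' };
  const directives = parseCsp(policy);
  // A new directive replaces its fallback rather than extending it, so seed it
  // with the sources it was inheriting (script-src-elem -> script-src -> default-src).
  const chain = [name, name.replace(/-(elem|attr)$/, ''), 'default-src'];
  const inherited = directives.get(chain.find((d) => directives.has(d))) || [];
  if (inherited.includes(origin)) return { policy, changed: false, reason: 'already-allowed' };
  if (!askUser(name, origin)) return { policy, changed: false, reason: 'denied' };
  directives.set(name, [...inherited.filter((s) => s !== "'none'"), origin]);
  return { policy: serializeCsp(directives), changed: true, reason: 'approved' };
}
```

The fiddly part is the fallback handling: adding `img-src https://images.example` to a policy that only had `default-src 'self'` would silently drop `'self'` for images unless the inherited sources are copied across.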

Here's what matters: an AI just built a functioning security tool that most developers would struggle with. We're not talking about generating boilerplate code or fixing syntax errors. This is sophisticated problem-solving in one of the trickiest areas of web development.

For small businesses, this is huge. You've always been stuck between expensive security consultants and hoping your developer knows what they're doing. CSP implementation alone has kept many SMEs running insecure setups because getting it right costs more than they can justify.

But now? Your developer can sit down with GPT-5.5 and build security features that used to require specialists. Not just implement existing solutions, but create custom tools that fit your specific needs.

We've seen this pattern before with other technical barriers. Remember when SSL certificates required expensive consultants? Now they're automated and free. When database optimization meant hiring DBAs? Now decent tools exist for everyone.

The same shift is happening with security tooling, but faster. AI isn't just making security more accessible, it's making custom security solutions possible for businesses that could never afford them.

This doesn't mean fire your security people or ignore best practices. It means the barrier between "we can't afford proper security" and "we have tools that actually work" is dissolving rapidly.

Small businesses have always been told they need enterprise-grade security but can't afford enterprise-grade help. That contradiction is ending. When AI can build working security tools in minutes, the excuses for running vulnerable systems disappear.

The practical takeaway? Stop putting off that security audit or CSP implementation because it seems too complex or expensive. Sit down with your developer and current AI tools, and actually tackle the security improvements you've been avoiding. What used to be specialist work is becoming accessible to anyone willing to learn.