The “luxury of time” in cybersecurity just evaporated.
Recent reports indicate that U.S. officials at CISA are considering a radical policy shift: cutting the remediation window for exploited flaws from the typical two weeks down to just three days. The catalyst? The arrival of “frontier” models like Anthropic’s Mythos and OpenAI’s GPT-5.4-Cyber.
We aren’t just talking about faster scanning. In recent tests, Mythos autonomously identified 271 vulnerabilities in a version of Firefox—finding flaws in hours that had evaded human eyes and traditional “fuzzing” tools for years. Even more concerning is the ability of these models to “chain” multiple low-severity weaknesses into a single, critical exploit without human guidance.
Whether the 72-hour rule becomes a global standard or not, the message is clear: The gap between discovery and exploitation has shrunk from weeks to hours. For leadership, this isn’t just an IT issue—it’s a massive governance and risk management challenge.
Why This Matters
The real concern is not just that AI can find vulnerabilities faster. It is that remediation remains fundamentally human-paced.
Security teams may soon face situations where hundreds of high-risk vulnerabilities are identified almost simultaneously, overwhelming traditional triage, patching, and governance processes.
A few key themes stand out:
• Discovery vs Remediation Gap
AI accelerates vulnerability discovery dramatically, but organisations still rely on human decision-making, testing cycles, change management, and operational constraints to remediate issues. The risk is that discovery begins to outpace an organisation’s ability to respond.
• Compressed Exploitation Timelines
Historically, organisations often had days or weeks between disclosure and widespread exploitation. That buffer is disappearing. In some cases, exploitation could occur within hours of a flaw being identified.
• Offence–Defence Asymmetry
Defenders must secure everything continuously; attackers only need one successful entry point. AI significantly amplifies this imbalance by automating reconnaissance, exploit development, and vulnerability chaining at scale.
• Governance and Accountability Gaps
Most organisations do not yet have mature governance frameworks for AI systems capable of offensive cyber activity. Questions around oversight, accountability, access controls, and acceptable use are still evolving.
• Risk of Over-Reliance on AI
Even highly capable models cannot determine business context, operational criticality, or remediation risk on their own. There remains a danger that organisations place excessive confidence in AI-generated findings without sufficient human validation and prioritisation.
What Organisations Should Be Thinking About Now
Modernise Vulnerability Management
Traditional patching cycles may no longer be sufficient. Organisations should reassess prioritisation models, automation capabilities, emergency patching procedures, and response timelines.
Treat Advanced AI as a High-Privilege Asset
AI systems capable of autonomous security testing should be governed with the same caution as privileged administrative access. Strong access controls, monitoring, sandboxing, and human oversight are essential.
Keep Humans in the Loop
AI can accelerate detection and analysis, but judgement remains critical. Business impact assessment, remediation prioritisation, and risk acceptance decisions still require experienced human oversight.
Strengthen AI Governance Early
Clear policies, accountability structures, and escalation mechanisms are needed before widespread adoption of offensive-capable AI tooling. Waiting for regulation alone will leave gaps.
Leverage Internal Audit and Risk Functions
Internal audit has an increasingly important role to play in independently assessing whether governance, controls, patching processes, and AI oversight mechanisms are keeping pace with emerging threats. This is not about slowing innovation — it is about ensuring resilience and accountability as capabilities evolve. A Final Thought: The Consulting Reality
A Final Thought: The Consulting Reality
The prospect of a mandatory 3-day patch window serves as a powerful “stress-test” for modern governance. In my consulting work, I’ve worked with many organizations to map out their remediation workflows, and the reality is that you cannot compress remediation timelines if you haven’t first compressed your visibility of the risk.
For most enterprises—especially those managing critical infrastructure or complex financial systems—patching isn’t a single action. It is a high-stakes chain of dependencies: asset discovery, regression testing, change management, and the logistical coordination of downtime. If a vendor patch doesn’t exist yet, or hasn’t been properly vetted, an arbitrary 72-hour deadline doesn’t just “fix” a bug—it risks breaking the business.
The future of cybersecurity will be waged at machine speed, but it will be won through human strategy and automated resilience. Let’s make sure we’re building the “seatbelts” fast enough to keep up with the engine.
Sources & References
- Anthropic Red Team Report: Assessing Claude Mythos Preview’s cybersecurity capabilities (April/May 2026).
- SecurityWeek: Claude Mythos Finds 271 Firefox Vulnerabilities (April 22, 2026).
- The Register: Mythos found 271 Firefox flaws – but none a human couldn’t spot (April 22, 2026).
- The Hacker News: OpenAI Launches GPT-5.4-Cyber with Expanded Access for Security Teams (April 15, 2026).
- CSO Online: CISA mulls new three-day remediation deadline for critical flaws (May 5, 2026).
- The Hindu / Reuters: U.S. officials weigh cutting deadlines to fix digital flaws amid worries over AI-powered hacking (May 4, 2026).
- NIST: Artificial Intelligence Risk Management Framework (AI RMF) 2025/2026 Guidelines.