Security At Machine Speed: Four Shifts Every Enterprise Must Make

1 hour ago 4

Chris Brown is Managing Director of Sngular US, leading the firm’s AI, data, and digital engineering practice for regulated industries.

getty

​In April 2026, Anthropic disclosed an AI model capable of autonomously finding previously unknown software vulnerabilities and writing working exploits for them at a scale and speed no human team can match. The company judged the capability too dangerous to release publicly. Within weeks, comparable capabilities emerged from other labs. ​

For technology leaders, the story isn’t the model. It’s the implication that the offensive side of security now operates at machine speed, and that capability is proliferating. For most enterprises, the defensive side does not. That gap has quietly become a board-level risk and it is not one you can close by buying another tool. ​

The Patch Cycle Is Now A Liability

For decades we measured remediation in weeks: discover, ticket, assign, schedule, document, close. That cadence assumed defenders had time. Across the industry, the window between a vulnerability going public and its first exploitation has collapsed from months to days, and for the most serious flaws, to hours. A growing share of vulnerabilities are now exploited within a day of disclosure, some before a patch even exists. ​

When exploitation is measured in hours, a remediation process measured in weeks is no longer a security strategy, but rather a compliance exercise. And no examiner, framework or audit trail has ever stopped an attack. ​

AI did not break enterprise security. It exposed an operating model built for a slower era and the only durable fix is to change the model, not add to it. In my work with large regulated enterprises, the leaders pulling ahead have made four shifts: ​

1. Treat remediation as an automated capability, not a human queue.

The instinct, when you fall behind, is to add people. But a modern enterprise runs tens of thousands of repositories, containers and frameworks. Past a certain scale, more headcount adds coordination overhead, including handoffs, meetings and approvals, faster than it adds throughput. You cannot hire your way to a ten-hour patch window. The organizations that keep pace treat remediation as an automated operating capability. Machines detect the issue, generate the fix as a reviewable change and produce the evidence, while people retain control of governance, risk decisions and exceptions. ​

2. Make compliance continuous, not retrospective.

Regulators have signaled this for years, and AI is accelerating it. Compliance was historically backward-looking by gathering documentation, preparing for the audit and proving a process exists. But technology now changes continuously, and examiners increasingly expect demonstrable, ongoing control rather than point-in-time adherence. The goal is no longer proving a process exists. It is proving, every day, that it works. That requires continuous visibility, continuous evidence and continuous remediation, not a quarterly fire drill. ​

3. Reframe security as a productivity lever.

Most security conversations focus on risk. The more strategic one is about productivity. In large enterprises, thousands of engineering hours each year go to keeping software current by patching libraries, updating frameworks, managing dependencies and maintaining audit evidence. None of it is optional. Little of it differentiates the business. That is not just security debt; it’s innovation debt. Every hour spent on manual maintenance is an hour not spent on a customer or a product. Automating that toil is how you return capacity to the teams that drive growth. ​

4. Treat speed as competitive advantage.

Security has long been treated as a defensive cost center, separate from growth. That framing is obsolete. An enterprise that can continuously keep its technology current will adopt AI faster, modernize faster, ship faster and pass audits faster with more engineering capacity left for the work that moves the business. What begins as a security capability becomes a business capability. ​

This is not theoretical. In one engagement my team led for a Tier-1 US bank, an automated remediation model now spans more than 20,000 repositories and roughly 2,000 engineering teams. Most fixes close the same day they are raised, 99.5% land by their compliance due date and changes that once took a quarter happen in days. In one case, a migration across 5,500 repositories completed in two. It has returned thousands of engineering hours to product teams and pays back roughly four dollars for every one it costs to run. ​

Where to start

You do not need a finished platform to begin. This quarter, ask four questions:

• What is our true time-to-remediate for a critical vulnerability today, and how does it compare to a ten-hour exploit window?

• How many engineering hours are we spending on maintenance toil that automation could absorb?

• Could we prove remediation-by-due-date to an examiner right now, without a fire drill?

• Where are we still adding people to a problem that scale has already made unwinnable by headcount?

The enterprises that answer honestly tend to reach the same conclusion. When the exploit window is measured in hours, there are only two options: operate at machine speed, or accept machine-speed risk.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?


Read Entire Article