
This is the argument now coming from an unusual mix of sources: the UK’s National Cyber Security Centre (NCSC), the UK AI Security Institute (AISI), which formally tests frontier models, and security practitioners writing in trade press. Their shared conclusion is less dramatic than "AI will break your security" and more uncomfortable in a different way: AI is probably going to reveal how many organizations already struggle with the basics of finding, prioritizing, and fixing known weaknesses.
Two different stories about AI and security
It helps to separate two narratives that often get blurred together. The first is an attack story: an autonomous AI system breaks into a defended enterprise network on its own, with no human directing it, and causes a breach. That scenario gets attention because it’s vivid, but the evidence for it happening at scale in real, defended environments is thin. AISI has been careful to note that its cyber tests — even the ones showing AI completing complex multi-stage attacks — were run in controlled settings without active defenses in place, which is a very different environment from a company’s actual production network.
The second is an operations story: AI tools, in the hands of security researchers, vendors, and attackers alike, are getting much better at finding software flaws — because that’s essentially a pattern-recognition and reasoning task, which is exactly what these models are increasingly good at. That accelerates the disclosure of vulnerabilities across commercial software, open source components, and legacy systems. The bigger effect isn’t a smarter burglar; it’s a much larger number of unlocked windows being identified all at once, and someone has to go around closing them.
What the evidence actually shows
AISI’s evaluations give some sense of the pace involved. As of its most recent internal tracking, the length of cyber-related tasks that frontier AI models can complete autonomously — measured against how long a human expert would need — has been doubling roughly every 4 to 8 months since late 2024, and the two newest models tested substantially beat even that faster estimate, though it’s still unclear whether that’s a genuine new trend or a temporary jump. In earlier testing, models could barely handle tasks requiring a year of human cyber experience; more recent ones have started completing tasks that would take a seasoned expert a decade to master.
Two caveats matter here, and they’re worth taking seriously rather than skating past. First, these are benchmark results in constrained test conditions, not evidence of successful intrusions against organizations that are actively monitoring and defending their systems — AISI itself says its evaluations don’t tell us how these capabilities will "translate against defended, real-world systems". Second, a faster doubling time doesn’t mean attackers automatically win; it means the gap between a flaw being discovered and someone being able to exploit it is shrinking, which raises the value of moving quickly on the defensive side too.
From patch backlog to patch wave
This is the part with the clearest official backing. The NCSC has warned organizations to prepare for what it calls a "vulnerability patch wave": a surge of security updates addressing years of accumulated technical debt — the built-up shortcuts, deferred fixes, and outdated components that organizations have tolerated because replacing them was expensive or disruptive. The NCSC’s reasoning is that AI-assisted analysis is now capable of finding weaknesses in that debt "at scale and at pace," which will force a correction across commercial, open-source, and cloud software alike.
Crucially, the NCSC is explicit that patching alone won’t be enough. Some of that technical debt lives in end-of-life systems that can no longer receive updates at all, meaning organizations will need to replace or re-support them rather than simply apply a fix. That single point undercuts a tempting but wrong takeaway — that this is purely an IT ticket-processing problem. It’s also an asset-management and budgeting problem.
Here’s how the pieces connect, from AI capability to organizational consequence:
| Stage | What happens | Where things typically get stuck |
|---|---|---|
| AI-assisted discovery | AI tools help researchers and attackers find flaws in code and systems faster | Discovery outpaces internal capacity to even log new findings |
| Disclosure volume | More vulnerabilities are published across vendors, open source, and supply chains | Security teams lack a full inventory of affected assets |
| Prioritization | Teams must decide which flaws are actually exploitable and dangerous in their environment | Unclear which systems are internet-facing or business-critical |
| Patch deployment | Fixes are tested and rolled out across the technology stack | Change windows and testing capacity can’t scale with volume |
| Change governance | Approvals, exceptions, and ownership decisions are tracked | No one has authority to approve fixes fast enough |
| Residual exposure | Some risk remains despite best efforts | Legacy or unsupported systems can’t be patched at all |
Notice that AI only really touches the first row. Everything below it is organizational — and it was already a source of friction long before frontier models existed.
Why more vulnerabilities can mean more risk, even without smarter attackers
It’s worth being precise about the mechanism, because it doesn’t require attackers to become dramatically more skilled. Thousands of vulnerabilities are disclosed every year, and historically only a small fraction are ever actively exploited, which is exactly why prioritization — figuring out what’s dangerous in your specific environment — is the actual skill in vulnerability management, not just patching everything as fast as possible.
When disclosure volume spikes suddenly, that prioritization exercise gets harder, not easier. Security teams still need answers to basic questions: which systems are exposed to the internet and therefore reachable by outsiders, which ones are critical to the business, and which of the organization’s suppliers are themselves ready for a similar surge. Without a reliable, current asset inventory, teams can’t tell a routine flaw from an urgent one, and the natural response — treating everything as equally urgent — leads to fatigue and, eventually, things quietly falling through the cracks.
How a patch wave actually moves through an organization
It’s useful to picture vulnerability management as a pipeline rather than a single action. A newly disclosed flaw doesn’t get fixed the moment it’s known — it has to travel through several handoffs, and a bottleneck at any one of them stalls everything downstream.
flowchart LR A[Vulnerability disclosed] --> B[Asset inventory check] B --> C[Risk prioritization] C --> D[Owner assigned] D --> E[Change approval] E --> F[Testing] F --> G[Deployment]
Under normal disclosure volumes, most organizations can absorb friction at any one of these stages. During a genuine patch wave, the same friction compounds: if asset inventories are incomplete, prioritization stalls; if ownership is unclear, approvals stall; if change windows are limited, deployment queues grow even after everything upstream has been resolved. This is why the NCSC’s core advice isn’t just "patch faster" but also "know your internet-facing systems first" and build a policy of updating by default wherever possible.
Using AI to defend without adding new risk
It’s tempting to treat "get an AI security tool" as the answer to an AI-accelerated problem. It can help — AI-assisted scanning can surface issues earlier than manual review would. But adopting a detection tool doesn’t automatically translate into better security if the organization still lacks the process to triage, assign, and track what it finds; it can just as easily produce a bigger backlog and a more overwhelmed team. There’s also a more mundane new risk worth flagging: giving AI tools broad access to source code or production systems without proper controls can open exposures of its own, quite apart from anything an external attacker does.
The takeaway: speed of process, not just speed of code
None of this means frontier AI is harmless or that organizations should relax. It means the danger is less exotic than "an AI attacks you" and more structural: can your organization tell which of a sudden pile of new vulnerabilities actually matters, does someone have clear authority to approve an urgent fix, and can your change process move at the speed the fixes now arrive? Cyber fundamentals — asset visibility, prioritization discipline, tested change processes, and clear ownership — were always the difference between organizations that recover quickly and those that don’t. Frontier AI hasn’t replaced that truth. It’s just raising the price of ignoring it.


