Back to all posts
AI vulnerability management: When AI finds vulnerabilities, who fixes them?

In June, the U.S. government blocked access to a frontier AI model just days after it launched, citing security. Access came back two weeks later, this time with conditions attached. In between, the government told another company it could only release its newest model to approved customers.

Governments now treat the most capable AI models the way they treat advanced chips or encryption: too powerful to allow free movement. Sometimes that means an outright block, sometimes it just means controlling who gets access. Either way, it comes down to the same thing: the tools you rely on can be switched off or handed back on someone else's terms.

For anyone who runs software, the imbalance is the real problem. Cybercriminals adopt the latest AI tools freely and immediately, while AI adoption on the defensive side is slow and cautious. The gap cuts two ways:

  • Even if you feel you are using AI, you are almost certainly not using it fast enough to match the people attacking you.
  • The tools your defense depends on may not always be available to you.

We covered the technical side in our earlier piece on Claude Mythos and vulnerability management. This article goes deeper into the part most coverage skips: what AI vulnerability management actually changes for a normal IT team, and why where you run your security now matters as much as how.

Why does AI change vulnerability management?

For decades, a disclosed vulnerability was not an emergency on day one. Turning a public advisory into a working exploit took skill, time, and effort that gave defenders a quiet safety margin. Patching in the next cycle worked because attackers were slow too.

Frontier AI models remove that friction. They read code, find weaknesses, and produce working exploits quickly. The same capability that helps a defender audit code helps a cybercriminal weaponize it. Two things follow:

  • The effort to attack drops sharply, while the effort to patch stays roughly where it was.
  • The window between disclosure and exploitation closes, and the safety margin most teams were unknowingly relying on disappears.

Teams are already feeling this. Critical vulnerabilities are being disclosed and weaponized within hours, and security teams are under real pressure to compress patch cycles and apply fixes almost immediately. The volume of newly disclosed Common Vulnerabilities and Exposures (CVEs) is climbing as researchers point these models at their own code, and the time you have to respond keeps shrinking.

What does this mean for IT teams?

Most writing on this assumes a mature security team with a dedicated function. The reality for a large share of organizations is one IT manager or a small team owning security alongside the network, the helpdesk, and the backups.

The hidden trap: “Low risk” often meant “hard to exploit”

Here is the part that catches teams off guard: frontier AI is very good at chaining lower-risk vulnerabilities together. Individually, those findings looked minor, so they were deprioritized as low risk - but "low risk" usually meant "hard to exploit," not "harmless," and AI removes that difficulty. Strung together, a handful of low-severity issues becomes a realistic attack path, which significantly increases the chance of a successful breach. Revisit your prioritization so it reflects how AI can combine weaknesses, not severity scores from a calmer era.

Three shifts that keep a small team ahead

The answer is not a transformation program. It is moving from periodic effort to a continuous system that surfaces the few things that genuinely matter today:

  • Assess continuously, not in bursts. A quarterly assessment cannot keep pace with disclosure that moves in days. A new exposure should surface when it appears, not three months later.
  • Let the system prioritize for you. When many findings arrive at once, the bottleneck is deciding what to fix first. Risk-based prioritization that reflects real exploitability keeps a small team from drowning.
  • Know what you actually have. You cannot protect assets you do not know about. Shadow IT and forgotten servers are where this hits hardest, so automatic asset discovery is no longer optional.

None of this is extreme. It is the steady discipline that increasingly matters because the tempo has risen. Alongside remediating faster, it helps to make each unpatched gap less useful to an attacker, since strong segmentation and least-privilege access limit how far anyone can move once inside.

Why does sovereignty matter for cybersecurity in Europe?

If frontier AI is a controlled national asset, then depending entirely on infrastructure you do not control becomes a continuity risk rather than a philosophical preference. A single directive in another country can change which tools you are allowed to use, and the events of June showed this is no longer hypothetical. For a European IT manager, that turns an abstract policy debate into a concrete question: will the platform you rely on tomorrow still be available to you?

This is not an argument against U.S. technology. It is an argument for choice and resilience. Europe needs credible options across the full stack, from the models themselves to the security platforms that run on top of them - not as an academic exercise but as a competitive necessity. This is especially relevant in cybersecurity: where you build your proactive defense and where your data lives have become strategic decisions rather than procurement footnotes.

This is the direction we have built toward at Holm Security. We are Stockholm-born, our platform is EU-hosted, and we hold European cybersecurity sovereignty labels. When your defense depends on tools that a foreign directive could withdraw overnight, a reliable European partner stops being a preference and becomes part of risk management – including on the board level.

The bottom line

You still need to know what assets you have, what is vulnerable, prioritize by real risk, and remediate systematically. What has changed is the speed at which that must happen and the importance of running it on infrastructure you can rely on. The organizations that weather the AI-enabled cyberattack storm will have quietly closed this gap on terms they control.

Book a meeting with our team to talk about where your remediation process stands today and how we can help.


FAQ

  1. What is AI vulnerability management?

    AI vulnerability management uses AI to help find, prioritize, and remediate vulnerabilities faster than manual processes allow. As AI speeds up both vulnerability discovery and exploitation, continuous assessment and risk-based prioritization become essential to keep pace.

  2. Does AI increase the number of vulnerabilities?

    In the short term, yes. As researchers and software vendors use AI to audit their own code, the volume of disclosed CVEs is rising sharply. Over the longer term, AI built into development may catch more issues before code ships - but that is years away, not an immediate trend.

  3. What should IT teams do about AI-accelerated threats?

    Move from periodic to continuous assessment, prioritize by real exploitability rather than raw severity, maintain accurate asset discovery, and run your security on infrastructure you control. Speed of remediation, not detection, is now the deciding factor of whether your organization makes the next headline.