New Federal Mandate on AI-Enabled Cyber Defenses

Federal agencies must begin hardening their information systems with AI-enabled cyber defenses within 30 days of June 2, 2026, according to a presidential directive from The White House.

In tandem with this requirement, the Secretary of the Treasury, in consultation with the National Cyber Director, the Secretary of War, and the Secretary of Homeland Security, shall form an AI cybersecurity clearinghouse within 30 days to coordinate scanning for software vulnerabilities, discover and validate vulnerabilities, and coordinate remediation and distribution of vulnerability patches.

CVE Disclosures Reach Historic Highs

The timing of this mandate comes as the cybersecurity landscape faces unprecedented pressure. The updated 2026 CVE forecast projects approximately 66,000 CVEs for the full year, up from the February median of 59,427, marking the first time in history that annual vulnerability disclosures are on pace to approach 70,000, according to FIRST (Forum of Incident Response and Security Teams).

Actual CVE disclosures through April 2026 are running 46.3% above the projections published in February 2026, with 6,420 excess CVEs recorded.

Structural Drivers of the Surge

Three structural factors are fueling the 2026 CVE explosion. AI-assisted vulnerability discovery is accelerating disclosure rates. GitHub Security Advisory (GHSA) volume has surged 449% year-over-year. Additionally, VulnCheck CNA-of-Last-Resort activity has increased 3,119%.

A notable example: there was a 164% spike in Q1 CVE disclosures from the Mozilla CNA, directly attributable to AI-assisted tooling running against the Firefox engine.

The number of distinct software products with tracked vulnerabilities has also grown by two orders of magnitude, driving workload independent of AI or CNA changes.

Actionable Risk Remains Stable

Despite the surge in raw CVE volume, when filtered for real-world risk—using CISA KEV entries or EPSS scores above 10%—actionable exploitability remains flat and the patching burden has not materially increased.


Source: The White House