The Vulnerability Discovery-Remediation Gap Reaches Crisis Point

According to recent research from Anthropic, AI vulnerability detection has entered dangerous territory: the systems are finding security flaws far faster than organisations—particularly those managing critical infrastructure—can realistically patch them.

Anthropic’s Mythos vulnerability scanner has identified thousands of high-severity vulnerabilities across major operating systems and web browsers. The alarming part: over 99% remain unpatched.

This isn’t a theoretical problem. The vulnerability discovery velocity is now outpacing remediation workflows, creating what security researchers are calling a “velocity gap.” For organisations managing operational technology environments—manufacturing systems, building controls, industrial control systems, and power grids—the implications are severe.

Why This Matters Now

Traditionally, the security community has relied on a rough equilibrium: vulnerability researchers find flaws, vendors patch them, and organisations deploy patches. That model is breaking down.

AI systems like Mythos don’t get tired. They don’t prioritise based on business logic or patching cycles. They find vulnerabilities at a rate that exceeds what patch management teams can handle, particularly in sectors where downtime means physical consequences.

For Irish and European organisations managing critical infrastructure—especially those regulated under the NIS2 Directive and similar frameworks—this creates a compliance headache. You can’t patch what you don’t know about, but you also can’t patch faster than your operations allow.

The Operational Technology Problem

The vulnerability discovery crisis hits hardest in operational technology (OT) environments. Unlike IT systems that can often be patched during maintenance windows, OT systems frequently can’t be taken offline without real-world consequences.

A manufacturing plant, building automation system, or power grid component might require weeks or months of planning before a patch can be deployed. But Mythos and similar tools will have already catalogued dozens of new vulnerabilities by then.

What This Means for Irish and European Builders

If you’re developing security tools, vulnerability management platforms, or critical infrastructure software, this is your moment. The bottleneck isn’t discovery anymore—it’s:

  • Automated prioritisation: Which vulnerabilities actually matter for your specific environment?
  • Risk-informed patching: How do you sequence patches when you can’t patch everything at once?
  • Remediation acceleration: Can you develop faster patching workflows without compromising stability?

For organisations running critical systems, the practical implication is clear: you need vulnerability management processes that can handle discovery rates that AI is now capable of delivering.
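The three capabilities listed above reduce to a sequencing problem: rank findings by the risk they carry, weigh that against the operational cost of patching the asset, and fill the maintenance time you actually have. The following Python is an added illustration, not code from Anthropic, the Mythos scanner, or the article's author. The vulnerability identifiers, asset names, weighting multipliers, downtime figures and window length are all constructed assumptions chosen to make the trade-off visible.

```python
"""Risk-informed patch sequencing for OT environments.

Added example (not Anthropic's or Mythos's code). Each finding is scored by
severity, exposure and exploitation evidence, then divided by the downtime
cost of patching the host. A fixed maintenance window is filled greedily with
the highest risk-per-hour patches; anything deferred above a risk threshold
is flagged for interim mitigation (network isolation, monitoring, etc.).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # constructed identifier, not a real CVE
    asset: str              # constructed asset name
    cvss: float             # CVSS base score, 0.0 - 10.0
    internet_facing: bool   # reachable from outside the plant network
    exploited_in_wild: bool # exploitation evidence available
    patch_hours: float      # downtime required to deploy the fix
    safety_critical: bool   # a failed patch has physical consequences


def risk_score(f: Finding) -> float:
    """Severity weighted by exposure and exploitation. Multipliers are assumptions."""
    score = f.cvss
    if f.internet_facing:
        score *= 1.5
    if f.exploited_in_wild:
        score *= 2.0
    return round(score, 2)


def priority(f: Finding) -> float:
    """Risk removed per hour of downtime. Safety-critical assets cost double
    because the operational risk of the change itself is higher."""
    cost = f.patch_hours * (2.0 if f.safety_critical else 1.0)
    return round(risk_score(f) / cost, 3)


def plan_window(findings, window_hours: float):
    """Greedily fill a maintenance window by priority.

    Returns (scheduled, deferred); both lists are ordered by priority.
    """
    scheduled, deferred = [], []
    remaining = window_hours
    for f in sorted(findings, key=priority, reverse=True):
        if f.patch_hours <= remaining:
            scheduled.append(f)
            remaining -= f.patch_hours
        else:
            deferred.append(f)
    return scheduled, deferred


def needs_interim_mitigation(deferred, threshold: float):
    """IDs of deferred findings whose risk exceeds the accepted threshold."""
    return [f.vuln_id for f in deferred if risk_score(f) > threshold]


# Constructed sample findings; IDs, assets and figures are illustrative only.
SAMPLE_FINDINGS = [
    Finding("VULN-001", "hmi-01", 9.8, True, True, 4.0, False),
    Finding("VULN-002", "plc-07", 7.5, False, False, 24.0, True),
    Finding("VULN-003", "historian-02", 8.1, False, True, 2.0, False),
    Finding("VULN-004", "eng-ws-03", 5.3, True, False, 1.0, False),
    Finding("VULN-005", "bms-01", 6.5, False, False, 8.0, True),
]

if __name__ == "__main__":
    scheduled, deferred = plan_window(SAMPLE_FINDINGS, window_hours=8.0)
    print("Scheduled this window:")
    for f in scheduled:
        print(f"  {f.vuln_id} on {f.asset}: risk={risk_score(f)} priority={priority(f)}")
    print("Deferred:", [f.vuln_id for f in deferred])
    print("Interim mitigation required:", needs_interim_mitigation(deferred, 7.0))
```

With an eight-hour window the planner takes the historian, the engineering workstation and the HMI (about seven hours of downtime covering the exploited and internet-facing findings) and defers both safety-critical controllers. The deferred PLC finding still scores above the 7.0 threshold, which is exactly the case the article describes: the organisation knows about it, cannot patch it yet, and must decide what compensating control carries the risk until the next window.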

Open Questions

Several critical questions remain unanswered:

  • How should organisations weight the risk of unpatched vulnerabilities against the operational risk of deploying patches?
  • Should regulatory frameworks like NIS2 include specific requirements for vulnerability discovery velocity?
  • Can automated patching and testing frameworks close the gap, or is this fundamentally a capacity problem?
  • What does “reasonable patching timescales” mean when AI can find vulnerabilities faster than humans can even read the reports?

The consensus among security experts is clear: discovery is no longer the constraint. Remediation is. And that’s a much harder problem to solve.

Source: Anthropic Security Research