Zero-Day Weaponization in Minutes: How AI Is Collapsing the 90-Day Vulnerability Disclosure Window
AI enables attackers to reverse-engineer security patches into working exploits in minutes, fundamentally breaking cybersecurity's traditional vulnerability disclosure timeline.
The Collapse of Traditional Cybersecurity Timelines
The 90-day vulnerability disclosure window—a foundational practice that has governed software security for two decades—is effectively dead. Google’s latest research confirms what security teams have feared: AI language models enable attackers to reverse-engineer security patches into working exploits in mere minutes, rather than the weeks or months defenders previously relied upon.
This acceleration fundamentally reshapes the threat landscape for European enterprises preparing for August 2026’s EU AI Act enforcement deadline.
What’s Changed: The Copy Fail Case Study
A vulnerability called “Copy Fail,” discovered through a single one-hour AI scan, demonstrates the new reality. The flaw grants root access on nearly every Linux distribution dating back to 2017—affecting infrastructure across countless enterprise networks. Within days of patch disclosure, Iranian threat actors exploited the vulnerability to hijack servers for large-scale DDoS attacks.
This isn’t theoretical. Multiple security researchers discovered the same flaw simultaneously using AI tools, collapsing the traditional discovery window from months to hours. The patch-to-exploit timeline compressed from weeks to minutes.
Why This Matters for Irish and European Infrastructure
With Ireland hosting major data centre operations and serving as a regulatory hub for European AI governance, this vulnerability acceleration creates immediate compliance risks. Organisations subject to the EU AI Act’s August 2026 high-risk system requirements must now assume their security patches have a weaponization window measured in minutes, not days.
This directly impacts:
- Critical infrastructure operators relying on timely patching cycles
- Cloud service providers managing distributed systems
- Healthcare and financial institutions processing sensitive data across EU borders
The Broken Disclosure Model
The traditional 90-day window assumed:
- Vulnerability discovered by one actor
- Vendor notified and given time to develop patches
- Coordinated disclosure across the ecosystem
- Defenders have a window to deploy patches before public exploitation
AI language models have demolished these assumptions. They can:
- Let multiple actors identify the same security flaw simultaneously
- Reverse-engineer patches to understand the underlying vulnerability
- Generate working exploits from patch analysis in minutes
- Scale exploit distribution across attack infrastructure
Practical Implications for Builders and Defenders
The message is stark: patching timelines must compress dramatically. European enterprises cannot wait weeks for testing cycles.
Immediate actions:
- Implement automated patching for critical systems
- Shift from monthly patch cycles to continuous deployment
- Deploy vulnerability detection at runtime, not just at deployment
- Assume zero-days will be weaponized within hours of public disclosure
The Regulatory Pressure Building
Anthropic’s Project Glasswing—bringing together Amazon, Apple, Google, Microsoft, and JPMorgan Chase—signals that the technology industry recognises this as a threat to “public safety, national security and the economy.” This coalition’s work will likely inform both EU AI Act enforcement and emerging cybersecurity regulations.
For Irish organisations, this acceleration creates a paradox: August 2026’s AI Act compliance deadlines require robust security testing, yet AI-enabled attackers are compressing the vulnerability lifecycle. Enterprises must design systems assuming the window between a patch’s release and a working exploit is minutes, not days.
Open Questions
Several critical gaps remain:
- How will vulnerability disclosure evolve when the 90-day model is obsolete?
- Should European regulators mandate continuous patching capabilities as part of AI Act compliance?
- How do defenders validate patches when the exploitation window collapses?
- What liability frameworks apply when AI weaponizes vulnerabilities faster than human response times?
These questions will shape European cybersecurity policy through 2026 and beyond.
Source: Google Security Research