Maksim Kabakou - Fotolia

AI won't break your security, but your governance might

The Computer Weekly Security Think Tank considers if Anthropic’s Claude Mythos frontier AI model is a benefit or barrier to achieving resilient enterprise IT security, and how security leaders need to adapt.

Frontier AI models such as Claude Mythos are accelerating vulnerability discovery, but the bigger risk is whether organisations can maintain cyber fundamentals and manage the surge of fixes that follow.

The real risk isn’t AI-powered attacks, it’s what comes after

Recent coverage of Anthropic’s Claude Mythos has triggered anxiety that autonomous AI systems may soon find and exploit vulnerabilities faster than organisations can defend.

There is some truth in that concern, but it risks missing the more immediate issue: AI is accelerating vulnerability disclosure, creating a different kind of problem.

A wave of newly discovered vulnerabilities, driven by AI-assisted analysis of accumulated technical debt, is now expected. The UK National Cyber Security Centre (NCSC) has already warned organisations to prepare for a “vulnerability patch wave” – a surge of fixes requiring rapid prioritisation and deployment across entire technology stacks.

The question for most organisations is not whether attackers will move faster, but whether governance, change processes and system understanding can keep up.

What the evidence actually shows

The UK AI Security Institute (AISI) has helped cut through hype by evaluating frontier models such as Claude Mythos in controlled environments. Its findings are notable: AI systems can now chain together multiple stages of a cyber attack, completing complex simulations that take human experts many hours.

However, these tests were conducted in controlled environments without active defensive controls. At the same time, AISI’s broader analysis shows that AI cyber capability is improving quickly, with the complexity of tasks models can complete autonomously doubling on the order of months.

The implication is not that compromise is inevitable, but that the window between discovery and exploitation is shrinking. Boards should focus on how quickly controls operate in practice, particularly patching for internet-facing and identity and access management systems.

From ‘patch backlog’ to ‘patch surge’

This shift in tempo is where the real disruption lies. Most organisations have built vulnerability management processes around a manageable number of disclosures, addressed through governance, risk assessments, and change windows.

In the near term, AI will dramatically increase the rate at which vulnerabilities are found. For example, organisations may face hundreds of new vulnerabilities across legacy systems within weeks, far exceeding existing change capacity. This creates two immediate challenges:

  • Visibility gaps: organisations can lack a complete understanding of assets, dependencies and risk exposure, making prioritisation difficult.
  • Governance bottlenecks: most vulnerability assessment and remediation processes are not designed for high-volume remediation.

Why prioritisation becomes harder, not easier

Thousands of vulnerabilities are disclosed each year, but only a small proportion are actively exploited. This is why effective prioritisation, focusing on what is exploitable in an organisational context, is critical

AI complicates this:

  • It increases the number of vulnerabilities identified
  • It enables more efficient chaining of vulnerabilities into multi-step attack paths
  • It reduces time to determine what matters most

At the same time, organisations may still struggle with basic questions: Which systems are most critical? Which are internet-facing? Are our critical suppliers “patch wave” ready?

Without clear answers, prioritisation falters and teams become overwhelmed.

The governance stress test

Claude Mythos and similar models should be seen less as a direct threat, and more as a stress test of organisational capability.

The NCSC’s broader guidance is clear: organisations can retain defensive advantage by focusing on fundamentals: reducing exposure, applying updates rapidly, and monitoring effectively.

In practice, these depend on:

  • Patch deployment at speed and scale, especially for internet-facing systems
  • Accurate asset and dependency management, to support prioritisation
  • Streamlined change governance, able to operate under continuous update conditions
  • Clear ownership of risk decisions when trade-offs must be made quickly

Without these, even the best detection tools or AI-assisted defences will struggle to compensate.

Using AI defensively without making things worse

Many organisations will respond by adopting AI tools themselves to identify vulnerabilities earlier. This has value but does not automatically improve security. Without a process to manage, prioritise and fix issues, organisations risk overwhelming their own teams.

There is also the risk of introducing new exposures. For example, by providing AI tools with access to sensitive codebases or production environments without sufficient controls.

Used well, AI can support resilience and accelerate discovery, used poorly it can bring disorder.

The real question is operational readiness

Evidence does not suggest that frontier AI renders cyber fundamentals obsolete; good cyber hygiene remains important. The risk is whether organisations can absorb, prioritise and remediate vulnerabilities at the pace AI is now setting. Tabletop and live-play cyber exercises can also help stress test this.

Security failures are increasingly likely to result not from lack of awareness, but from inability to act quickly on what is already known. Frontier AI is not removing the importance of cyber fundamentals, it is raising the cost of failing to deliver them at speed.

Chris Atkinson is digital trust and cyber security expert at PA Consulting

Read more on Application security and coding requirements