Menu

Menu

Menu

Menu

Menu

Menu

Menu

Menu

Menu

Menu

Loading Results

When every weakness is visible: Leadership in the age of AI-exposed risk

  • Insight
  • 5 minute read
  • April 17, 2026

AI-enabled vulnerability discovery has upended a core assumption of cyber risk: that the most dangerous weaknesses in critical networks are difficult and time-consuming to find. For business leaders, this development is a material shift in enterprise risk, not a technology trend. Perfect prevention is not an achievable standard, but leaders who act now to narrow the gap through AI-augmented scanning, disciplined configuration management, and well-rehearsed response plans can materially reduce both exposure and impact.

Anthropic's Claude Mythos Preview is the first model to demonstrate this at scale, but the capability is structural, not proprietary, and similar models will follow within months. Businesses are now in a race to recalibrate strategy, budget, and preparedness against this new reality, and to find and fix critical vulnerabilities before adversaries find them for you.

A call for focused urgency

It’s not surprising that AI is supercharging vulnerability discovery: exposing the weaknesses in our code and configurations at a speed, depth, and scale that far outstrips human ability. What distinguishes this generation of models is their ability to autonomously chain multiple vulnerabilities into working exploits — a task that previously required elite human operators. This means that vulnerabilities once considered “safe” now can be weaponized.

This is not about one model. Similar capabilities are emerging across frontier AI labs, making this a structural market shift. New models with similar capabilities will emerge faster than companies can prepare. Business leaders should confront an essential truth: there will be vulnerabilities in your environment that neither you nor your management team are aware of, and some will be actively exploitable before they can be fixed. 

Your security posture is a leadership obligation

Collaborative, ecosystem responses like Anthropic’s technical consortium, Project Glasswing, are an important starting point but can’t secure every business and network. Glasswing includes roughly 50 organizations. Most enterprises sit outside that perimeter and must build their own defensive posture, including the capacity to apply patches at an order of magnitude greater than before. Otherwise, as widely used platforms are hardened, adversaries will redirect toward the enterprise-specific targets only you can secure. That makes your security posture a leadership obligation.

The place to start is by leveraging new capabilities. AI-assisted defensive scanning is the most significant capability defenders have gained in a decade. It’s also the most credible answer to the standard-of-care question leaders will soon face. Every week organizations continue operating at human speed while attackers leverage AI only widens the asymmetry. And as these tools become broadly available, choosing not to use them will become harder to defend.

Your business doesn’t need direct access to a specific frontier model to act. Focus investment where two questions intersect: what in your environment would be indefensible at machine speed, and what, if breached, would cause catastrophic harm? Then close the loop. Finding vulnerabilities faster only matters if you fix or contain them.

Six steps business leaders can direct now

Findings from PwC’s 2026 Global Digital Trust Insights survey and Annual Threat Dynamics report show that AI magnifies execution gaps. Many organizations still fail to remediate known vulnerabilities, and these known, unpatched weaknesses are commonly exploited in real attacks. Prioritize rapid, risk‑based patching; strong identity and access management with universal multi-factor authentication; segmentation around crown jewels; behavioral detection beyond known signatures; and relentless attack surface reduction.

Point AI-based agents at your own code, configurations, and dependencies. Require agent-driven security review before code merges to production. Build toward a standing Vulnerability Operations capability that continuously discovers and remediates zero-days. AI-powered vulnerability discovery tools are ready to deploy, and adoption should be mandated, not optional. As you deploy AI-powered agents for defensive scanning, ensure you govern those agents with the same rigor you apply to any privileged access. Autonomous security tools without audit trails create a new attack surface.

You can’t secure what you can’t see. Establish a consolidated inventory of critical applications, data stores, identities, and external dependencies. Start with the systems where compromise would create outsized impact. Then use automation to keep your view current and to highlight drift.

Deploy deception (canaries, honey tokens, decoy credentials) so attackers trigger a high-confidence signal the moment they move laterally. Pre-authorize containment actions your team would almost always take (isolating a host, disabling a credential, blocking an egress, rotating a secret) to execute automatically when trigger conditions are met. The goal is not to remove humans but to confirm the first critical minutes of containment aren’t lost to approval chains designed for a slower era.

Brief the board within 90 days on:

  • Pace of adaptation: How are you adapting to an adversary that scales without fatigue? Can you deploy new defenses as fast as adversaries evolve?
  • Visibility and exposure. What percentage of critical assets are fully inventoried and monitored? Where do unremediated vulnerabilities sit and pose an active business risk? Which third parties represent your greatest unmitigated exposure?
  • Resilience and containment. How does your time-to-patch compare to AI-driven exploitation timelines? What is the maximum blast radius if your most critical system is breached? How quickly would you detect lateral movement?
  • Remediation. What is the current ratio of discovered to remediated vulnerabilities, and how will that change as AI-driven discovery scales? What budget and staffing adjustments are required to build an acceptable remediation velocity?
  • Governance and disclosure readiness. Can your SEC materiality assessment and incident reporting process execute within the four-business-day window? Are SOX-relevant IT General Controls (ITGCs) designed for this speed? Is there a governance framework around the AI-powered tools you're adopting for defense that satisfies both management and auditor expectations? Will you be able to demonstrate that your organization adopted commercially available AI-powered defensive tools at the point they became standard practice?

Every organization is grappling with this challenge. Participate in sector-specific information-sharing groups. Challenge critical third-party providers to demonstrate how they’re remediating vulnerabilities as AI shortens time-to-exploit. Reevaluate dependencies based on concentration risk and patch responsiveness.

The leadership choice

This new generation of AI capability is a wake-up call, but not a reason to despair. Most cyber risk comes from longstanding weaknesses and misaligned incentives, not novel threats. We now have tools powerful enough to address those weaknesses at scale, if we choose to act.

We have crossed the Rubicon. The response is known, and the tools exist. Leaders have a short time to mobilize resources to find and fix vulnerabilities at a greater scale than ever before. Success will belong to leadership teams that acknowledge their organization’s exposure, prioritize closing the most material gaps quickly, build strong governance for new agentic capabilities, and meet the legal standard of care.

How PwC can help

This shift demands strategic clarity at the board level, operational acceleration across the enterprise, and confidence that AI itself is governed responsibly. The six steps above require execution across strategy, technology, and governance simultaneously. We work with leadership teams to:

Quantify the gap. We conduct AI-accelerated vulnerability assessments that give boards an honest picture of exploitable exposure, not a compliance score.

Close it at speed. We help stand up Vulnerability Operations, agent-driven code review, and automated containment—so defensive response matches the new threat timeline.

Govern the response. We provide the governance and assurance frameworks that regulators, auditors, and boards will expect as AI-powered security tools become standard.

{{filterContent.facetedTitle}}

Contact us

Morgan Adamski

Principal, Deputy Platform Leader, Cyber, Data, and Tech Risk, PwC US

Email

Rob Joyce

Cybersecurity Senior Fellow, former Cybersecurity Director, National Security Agency, PwC US

Tonya Ugoretz

Cyber & Risk Innovation Institute Leader, PwC US

Email

David Ames

Principal, Cyber, Data, and Tech Risk, PwC US

Email
Follow us

Required fields are marked with an asterisk(*)

I agree PwC can email me about its insights, newsletters, events, services, products, and offerings.*

Your personal information will be handled in accordance with our Privacy Statement. You can update your communication preferences at any time by clicking the unsubscribe link in a PwC email or by submitting a request as outlined in our Privacy Statement.

Hide

© 2017 - 2026 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.