Kyndryl warns AI is shrinking exploit windows to hours
Wed, 6th May 2026
Kyndryl has warned that artificial intelligence is sharply reducing the time between the discovery of software vulnerabilities and their exploitation. The issue emerged in a discussion with more than 20 Canadian chief information security officers and security leaders.
The exchange focused on AI-enabled vulnerability discovery tools, including Mythos, and on how security teams should respond as traditional patching cycles come under strain.
Senior cybersecurity and technology executives from some of Canada's largest brands and institutions took part in the virtual roundtable through Kyndryl's CISO Expert Exchange programme. The discussion centred on what participants described as a breakdown in long-standing assumptions behind vulnerability management, with response windows narrowing from months or weeks to hours.
That shift is forcing organisations to reconsider what level of exposure is acceptable. Security leaders have historically relied on scheduled patching, formal change controls and governance reviews, but those processes can now move too slowly when new weaknesses are identified and quickly weaponised.
Faster exposure
AI models can identify, link and operationalise vulnerabilities across different vendors and technologies at a speed that makes backlog-based vulnerability management harder to defend. In that environment, unresolved software weaknesses are no longer simply technical debt but a live operational risk that can grow quickly.
According to the discussion summary, many organisations already understand that zero-day vulnerabilities exist and that patches are not always available immediately. What has changed is the speed at which attackers can move once a flaw becomes known, reducing the time available for assessment and remediation.
As a result, companies are relying more heavily on compensating controls such as isolation, segmentation and other resilience measures while they work through fixes. The trade-off is that these actions can affect availability and performance, adding pressure on management teams to make decisions quickly with incomplete information.
"The expectation is that time to exploit will drop into hours instead of days, weeks, or months - and that's something we haven't dealt with before," said Cory Musselman, global chief information security officer at Kyndryl.
Process strain
The roundtable also highlighted strain in operating models designed for a slower threat cycle. Manual change procedures, ticketing systems and approval boards were identified as obstacles when urgent action is needed, even though those same controls were originally introduced to reduce risk and maintain stability.
Some organisations are responding by setting up temporary war rooms that bring together security, IT, business and risk leaders to make rapid decisions. Participants viewed these arrangements as useful in the short term, but not as a sustainable long-term structure.
The discussion suggested a wider shift in thinking, with disruption treated less as an exceptional event and more as a possibility that must be managed. That reframes cyber response from preserving uninterrupted service at all costs to choosing the least damaging form of disruption when conditions deteriorate.
Human capacity was another concern. Participants pointed to the risk of staff burnout under constant pressure from patching, alert handling and incident response, particularly if organisations try to maintain an emergency footing for long periods.
"There's only so much capacity, and the human element of surge is real - burnout is going to be a factor for everyone in this industry," said Denis Villeneuve, cyber resilience and connectivity practice leader at Kyndryl Canada.
Beyond patching
The discussion also underscored the need for companies to identify their most important assets, business processes and minimum viable operations before a crisis develops. Without that groundwork, leaders risk reacting too broadly or too slowly when facing a fast-moving threat.
Participants also examined the limits of defence in depth in environments that rely heavily on shared technology providers and common platforms. If a control fails across a widely used service, the impact can spread quickly, meaning resilience planning increasingly assumes that some controls will fail.
Third-party and open-source software exposure remains a major challenge. Dependency chains are often difficult to map fully, and organisations may have limited leverage over suppliers, so their visibility into those dependencies lags behind the speed at which risk can emerge.
Board oversight is changing as a result. Annual or quarterly risk reviews may no longer be frequent enough for the pace of AI-driven cyber threats, prompting organisations to consider more regular reassessment even though that adds governance work.
Musselman said boards are already asking direct questions about whether the threat is overstated. "One of the first questions I got from our board was, 'Is this hype or is it real?' From the conversations I've had - it's real," he said.
For senior executives, the issue is becoming less about patching as a technical measure and more about business risk, operational continuity and decision-making authority under pressure. "This is becoming a board-level conversation because remediation speed is no longer a technical metric - it's an operational risk reporting capability," Villeneuve said.