The Patching Crisis: Why AI's Vulnerability Discovery Outpaces Human Remediation
Anthropic's Project Glasswing finds vulnerabilities 100x faster than teams can patch them, exposing a critical gap in cybersecurity infrastructure.
The Patching Gap Nobody’s Ready For
Anthropic’s Project Glasswing has identified a problem that keeps security teams awake at night: AI is now finding security flaws faster than organisations can possibly patch them. Over the past weeks, Claude Mythos Preview discovered thousands of zero-day vulnerabilities across every major operating system, web browser, and critical software infrastructure. The catch? Over 99% remain unpatched.
This isn’t a theoretical concern. The discovery spree involved a carefully vetted coalition including Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Even with coordinated industry participation, the patching velocity simply can’t keep pace.
Why This Matters Now
For years, cybersecurity operated on a relatively stable rhythm: vulnerabilities were discovered and responsibly disclosed, patches were developed, and organisations deployed fixes on their own timeline. AI-accelerated vulnerability discovery has shattered that equilibrium.
The implications ripple across every software-dependent sector. Irish financial institutions, government agencies, and enterprise software shops are now facing a scenario where their third-party dependencies and operating system foundations contain unpatched flaws that sophisticated actors could theoretically exploit. The window between discovery and remediation is no longer a temporary gap; it has become a permanent condition.
The Irish National Cyber Security Centre (NCSC) has already flagged this dynamic as a systemic risk. With Ireland’s critical infrastructure increasingly reliant on cloud services, digital payments systems, and enterprise software, the patching crisis moves from academic concern to operational reality.
The Compound Problem: AI-Generated Code Vulnerabilities
Paradoxically, as AI finds more flaws, it’s also creating new ones. CVE entries linked to AI-generated code jumped from 6 in January to 35 by March 2026. Anthropic itself suffered a code leak exposing nearly 2,000 source files and discovered a critical bypass in Claude Code that occurs when it is presented with commands exceeding 50 subcommands.
This creates a vicious cycle: AI tools accelerate development velocity, introducing vulnerabilities faster than traditional development might, while simultaneously discovering flaws that can’t be patched quickly enough.
What European Builders Should Do
For Irish and European organisations, this requires strategic shifts:
Immediate: Inventory all critical dependencies and establish clear vulnerability remediation SLAs. Assume zero-days exist in everything.
Short-term: Implement compensating controls—network segmentation, zero-trust architectures, and enhanced monitoring—rather than waiting for patches.
Strategic: Evaluate whether vendors are participating in coordinated disclosure initiatives like Project Glasswing. Those in the consortium receive advance notice.
The Open Question
How do vulnerability disclosure timelines need to evolve when AI discovers flaws at scale? Current responsible disclosure practices assume humans need time to develop patches. With AI potentially able to both discover and exploit vulnerabilities, the entire disclosure framework may require rethinking before EU regulators and the AI Act’s enforcement mechanisms take effect in August 2026.
Source: Security research publications