AI Is Speeding Up Vulnerability Discovery. Most Security Teams Aren’t Built to Keep Up
IBM and Red Hat’s May 28 announcement of Project Lightwell puts a hard dollar figure behind a problem security leaders have been feeling for years. The companies are committing $5 billion to help secure open-source software through AI-assisted validation, patching and engineering support, backed by more than 20,000 engineers and positioned as a trusted enterprise clearinghouse for open-source security.
That scale matters because the risk is no longer limited to software teams. IBM noted that more than 90% of Fortune 500 companies rely on open-source software. That means the weaknesses sitting inside common libraries, developer tools, AI frameworks and third-party dependencies are now board-level exposure. They affect resilience, vendor risk, legal risk, business continuity and executive accountability.
For Kathryn Mihalich, founding partner of Cyber Knowledge Partners and governance strategist, that is the real headline. The market is not just dealing with better tools for defenders. It is dealing with a faster vulnerability cycle across the entire software supply chain. Cyber Knowledge Partners provides board-level cybersecurity and AI strategy for banking, healthcare, and government leaders, with a focus on translating cyber risk into decisions executives and boards can act on.
“AI is accelerating vulnerability discovery and exploit development at a pace most companies are not operationally prepared to absorb,” says Mihalich.
That’s the pressure point Project Lightwell is really exposing. AI can help find flaws faster, but discovery is not the same as remediation. A vulnerability still has to be understood in context. Security teams need to know where the affected asset sits, whether it is internet-facing, which identities and vendors can reach it, what business process depends on it, whether exploit code for it is already circulating, and whether a patch can be deployed without breaking production.
The work is slow because it crosses too many internal lines. Security may own the finding. IT may own the patch. Engineering may own the code. Procurement may own the vendor. Legal may own disclosure risk. The business may own the downtime decision. AI can shrink the time it takes to identify a weakness, but it does not automatically shrink the time it takes for a company to decide what to do about it.
“Security teams are already overwhelmed by alert volume, fragmented environments, third-party dependencies and remediation backlogs, and AI increases the speed and scale of all of those pressures simultaneously,” Mihalich says.
Open source makes the problem even harder. Project Lightwell is expected to reach beyond traditional product boundaries into independent libraries, language toolchains, AI frameworks and data-streaming platforms. In plain terms, companies are not only exposed through the software they build or buy directly. They are exposed through layers of code they may rely on every day without fully seeing, owning or governing: the transitive dependencies pulled in by the libraries they chose, which rarely show up in an asset inventory unless a software bill of materials is kept current.
That lack of visibility is one of the biggest fault lines in the AI era. “Open-source ecosystems create additional complexity because businesses are now deeply dependent on software components and libraries that extend far beyond their direct visibility,” Mihalich says.
This is where the conversation needs to move beyond more scanning, more alerts and more dashboards. Most companies do not fail because no one told them a vulnerability existed. They fail because too many disconnected findings arrive without clear ownership, prioritization or follow-through. The result is a backlog that looks technical on the surface but is really a governance problem underneath.
Mihalich argues that security leaders need to treat exposure management as a way to connect risk across assets, users, vendors, vulnerabilities and dependencies, not as another tool category. “Companies can no longer afford to look at vulnerabilities, assets, users, vendors and software dependencies as separate security problems,” she says.
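The triage described above, which joins a finding to the asset it sits in, the dependency chain that reaches it, who can reach the asset, and who owns the fix, and ranks by that context rather than by raw scanner severity, as an added worked example. This is illustration code written for this page, not code from Project Lightwell, IBM, Red Hat or Cyber Knowledge Partners; every component name, asset, owner, weight and score in it is constructed sample data.

```python
"""Exposure-aware vulnerability triage over a dependency graph.

Added illustration, not code from any project named on this page. All
component names, assets, owners, weights and scores are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple

# Component -> direct dependencies (what an SBOM gives you). Constructed.
DEPENDENCIES: Dict[str, FrozenSet[str]] = {
    "web-portal": frozenset({"http-framework", "auth-lib"}),
    "http-framework": frozenset({"json-parser"}),
    "batch-reporter": frozenset({"json-parser", "pdf-lib"}),
    "ml-gateway": frozenset({"ml-runtime"}),
    "ml-runtime": frozenset({"json-parser"}),
}


@dataclass(frozen=True)
class Asset:
    name: str                  # root component deployed as a system
    owner: str                 # team that owns the patch decision
    internet_facing: bool
    business_process: str
    criticality: int           # 1 (low) .. 5 (revenue-critical)
    reachable_identities: int  # human + service identities that can reach it
    vendor_managed: bool       # a third party has to ship the fix


@dataclass(frozen=True)
class Finding:
    component: str             # vulnerable library as reported by a scanner
    severity: float            # scanner base score, 0..10
    exploit_public: bool       # exploit code is already circulating
    fix_available: bool


@dataclass(frozen=True)
class ActionItem:
    finding: str
    asset: str
    owner: str
    path: Tuple[str, ...]      # how the asset reaches the vulnerable component
    score: float
    action: str


def dependency_path(root: str, target: str,
                    graph: Dict[str, FrozenSet[str]]) -> Optional[List[str]]:
    """One dependency chain from root to target, or None if unreachable."""
    stack = [(root, [root])]
    seen = set()
    while stack:
        node, path = stack.pop()
        if node == target:
            return path
        if node in seen:
            continue
        seen.add(node)
        for dep in sorted(graph.get(node, ())):
            stack.append((dep, path + [dep]))
    return None


def exposure_weight(asset: Asset) -> float:
    """Multiplier for where the asset sits and who can reach it (constructed weights)."""
    w = 2.0 if asset.internet_facing else 1.0
    w *= 1.0 + asset.criticality / 5.0
    if asset.reachable_identities >= 1000:
        w *= 3.0
    elif asset.reachable_identities >= 100:
        w *= 2.0
    return w


def action_for(finding: Finding, asset: Asset) -> str:
    """Who has to act, given whether a fix exists and who controls the code."""
    if not finding.fix_available:
        return "mitigate"            # restrict reachability until a patch ships
    if asset.vendor_managed:
        return "escalate-to-vendor"  # procurement / vendor risk owns the clock
    return "patch"


def triage(findings: Sequence[Finding], assets: Sequence[Asset],
           graph: Dict[str, FrozenSet[str]]) -> List[ActionItem]:
    """Join each finding to every asset that transitively includes it; rank by exposure."""
    items = []
    for f in findings:
        for a in assets:
            path = dependency_path(a.name, f.component, graph)
            if path is None:
                continue
            score = f.severity * (1.5 if f.exploit_public else 1.0) * exposure_weight(a)
            items.append(ActionItem(f.component, a.name, a.owner, tuple(path),
                                    round(score, 2), action_for(f, a)))
    return sorted(items, key=lambda i: i.score, reverse=True)


# Constructed sample inventory and scanner output.
ASSETS = [
    Asset("web-portal", "platform-eng", True, "customer login", 5, 50_000, False),
    Asset("batch-reporter", "finance-it", False, "month-end reporting", 3, 12, False),
    Asset("ml-gateway", "data-science", True, "fraud scoring", 4, 300, True),
]
FINDINGS = [
    Finding("json-parser", 7.5, exploit_public=True, fix_available=True),
    Finding("pdf-lib", 9.8, exploit_public=False, fix_available=True),
    Finding("auth-lib", 6.1, exploit_public=False, fix_available=False),
]

if __name__ == "__main__":
    for item in triage(FINDINGS, ASSETS, DEPENDENCIES):
        print(f"{item.score:7.2f}  {item.action:18}  {item.owner:13}  "
              f"{' -> '.join(item.path)}")
```

In the sample data the highest raw score (the 9.8 in `pdf-lib`) lands last, because it only reaches an internal reporting job a dozen identities can touch, while the 7.5 in `json-parser` tops the list: it is reachable from the internet-facing customer login through `http-framework`, a dependency the portal team never chose directly, and exploit code is already out. Each row also names the owner and the kind of decision needed (patch, escalate to the vendor, or mitigate because no fix exists yet), which is the hand-off the paragraphs above say most organisations lack.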
That distinction matters for boards and executive teams. If AI is increasing the speed at which weaknesses are discovered and exploited, then cybersecurity strategy cannot sit entirely inside the technical function. Leaders need to know where exposure is concentrated, who owns the response, what tradeoffs are being made, and how quickly the business can act when a vulnerability touches multiple systems or outside dependencies at once.
“Security teams do not necessarily need more findings. They need stronger prioritization, better operational coordination and the ability to reduce exposure before threats scale faster than response capacity,” Mihalich says.
IBM’s investment is a clear sign that the market understands the scale of the problem. But the harder question is whether most companies are built to move at the pace AI is creating. The next phase of cybersecurity will not be defined by who can find the most weaknesses. It will be defined by who can turn discovery into action before those weaknesses become attack paths.
:::tip
This story was distributed as a release by Jon Stojan under HackerNoon’s Business Blogging Program.
:::