AI finds more flaws. Fixing the right ones still drives risk
27th May 2026
AI is accelerating cyber risk, but not in the way many expect. Attackers are beginning to use AI to uncover and exploit software flaws faster, including zero-day vulnerabilities. The real exposure has not changed. Most organisations are already overwhelmed with known issues they have not fixed.
The key question is not “Can we find more vulnerabilities?”
It is “Are we fixing the ones that actually matter to our business fast enough?”
What’s changed
AI is now a practical tool for attackers. In a recent case, a criminal group used an AI model to identify a zero-day vulnerability in a widely used remote access tool, potentially enabling large-scale compromise.
At the same time, defenders can detect and stop these attacks with strong visibility and rapid response. In this case, the vulnerability was patched before it could be widely exploited.
Bottom line: AI increases speed and scale, but it does not change the fundamentals.
What hasn’t changed
Most breaches are still driven by familiar issues:
- Stolen or reused credentials
- Phishing and social engineering
- Vulnerabilities in internet-facing systems such as VPNs, edge devices and web apps
- Misconfigurations and exposed services
- Third-party and supply chain weaknesses
Attackers continue to choose the easiest route, often logging in rather than breaking in.
The real risk gap
The challenge is not a lack of data. Organisations already receive:
- Thousands of CVEs
- Scanner and testing outputs
- Vendor alerts and audit findings
Treating everything as urgent creates noise, delays action and increases risk.
Even widely used prioritisation tools have limits:
- CVE listings confirm a flaw exists, but not whether it matters in your environment
- CISA KEV highlights active threats, often after exploitation has already begun
Waiting for external signals means you are already behind.
What actually drives loss exposure
A vulnerability becomes dangerous when it is:
- Reachable in your environment
- Reliable for attackers to exploit
- Present on critical systems
Without that context, patching effort can be misdirected while high-impact risks remain open.
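As an added illustration (not from the article or the sources it draws on), the small Python ranking below applies the three questions above to a set of constructed scanner findings; the field names, hosts and CVE ids are placeholders, and the rule that the CVE severity score only breaks ties within a context tier is this example's own choice.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                # identifier as the scanner reports it (placeholders below)
    host: str
    cvss: float             # severity from the CVE listing: a flaw exists, not that it matters
    reachable: bool         # an attacker can actually reach the vulnerable service
    reliable_exploit: bool  # a dependable exploit exists (e.g. the flaw is on CISA KEV)
    critical_asset: bool    # the host supports a critical business function


def exposure_rank(f: Finding) -> tuple:
    """Sort key: the three context questions decide the tier, CVSS only breaks ties."""
    if not f.reachable:
        # Unreachable this cycle: track it, but it cannot drive loss today.
        return (0, f.cvss)
    tier = 1 + int(f.reliable_exploit) + int(f.critical_asset)
    return (tier, f.cvss)


def prioritise(findings):
    """Highest loss exposure first."""
    return sorted(findings, key=exposure_rank, reverse=True)


def by_cvss(findings):
    """What a severity-only patch queue would do with the same findings."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample findings; the CVE ids are placeholders, not real identifiers.
SAMPLE = [
    Finding("CVE-XXXX-0001", "vpn-gw-01", 7.2, reachable=True, reliable_exploit=True, critical_asset=True),
    Finding("CVE-XXXX-0002", "db-internal-03", 9.8, reachable=False, reliable_exploit=True, critical_asset=True),
    Finding("CVE-XXXX-0003", "web-app-02", 6.5, reachable=True, reliable_exploit=True, critical_asset=False),
    Finding("CVE-XXXX-0004", "kiosk-07", 8.1, reachable=True, reliable_exploit=False, critical_asset=False),
]

if __name__ == "__main__":
    # The 9.8 on the unreachable database drops to the bottom; the 7.2 on the exposed VPN leads.
    print("severity-only :", [f.host for f in by_cvss(SAMPLE)])
    print("context-ranked:", [f.host for f in prioritise(SAMPLE)])
```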
Where AI adds real value
For clients, AI’s biggest value is not finding more issues. It is improving decision-making and speed:
- Risk-based prioritisation so teams focus on what is most likely to be exploited in their environment
- Business impact translation to connect technical issues to operational and financial risk
- Faster remediation through support for patching, testing and deployment
- Coordination to route tasks, track progress and escalate delays
What brokers should emphasise
For underwriting and client engagement, the signal is clear.
Organisations that reduce exposure effectively:
- Prioritise vulnerabilities based on real-world exploitability
- Patch critical internet-facing systems quickly
- Enforce strong identity controls, especially MFA
- Maintain visibility over assets and third-party access
- Align security, IT and business teams around remediation
The differentiator is not how many vulnerabilities are found. It is how quickly the right ones are fixed.
Takeaway for clients
AI will increase both the speed of attacks and the volume of findings.
The advantage will go to organisations that act decisively on the few issues that truly matter.