I was in a customer meeting a few months ago and shared what I saw as an exciting technological advance. It had just been revealed that Anthropic’s Project Glasswing had surfaced 10,000 high- or critical-severity vulnerabilities across critical enterprise software in a single month. Using the tool, it was reported, a single partner organization had found 2,000 bugs in its own systems over thirty days, with a false positive rate their security team rated better than human testers. The results were being held up as a powerful indicator of the future. I was excited.
But the customer didn’t look pleased. They mainly just looked tired. For them this was less an exciting step forward than a foreshadowing of a new and potentially endless queue of vulnerabilities that will need handling.
Away from the hyper-speed of AI advances and back in the average SOC, the median time to remediate a high-severity vulnerability is two weeks, which means that the queue that this customer could see looming in their future (and the future of their well-resourced team) had nowhere to go. In fact, open-source maintainers have already asked Anthropic to slow disclosures, not because they dispute the findings, but because they can’t absorb the volume.
And of course, the prospect is that this queue of vulnerabilities just became very visible to attackers too, because while Project Glasswing was an attempt to put some guardrails around Mythos access, defenders aren’t the only ones running advanced models. What once required weeks of skilled manual work (mapping an environment, chaining attack paths, developing an exploit) now takes minutes. The patch window was always a race and AI just made the other side dramatically faster.
At this point, the obvious instinct is to focus on patching faster: tighter SLAs, better automation, more headcount. But that is the wrong instinct. The surface is too large and the throughput will never catch up. The better question isn’t “how do we patch everything?” It’s “how do we control what can be reached while we wait for the patch to land?”
So… how *do* we control what can be reached, while we wait for the patch to land?
First take a look at the tools you already have to hand. The past decade of enterprise security produced something genuinely valuable. Zero trust principles and secure access technologies and architectures such as ZTNA and SASE were all built on the insight that security needed to be data-centric in the new era of cloud and hybrid access. The investments made in those technologies were right at the time and they are still right now. The vulnerabilities being exposed by AI are vulnerabilities because they allow bad actors to access and view, change, lock or steal infrastructure or data, for their nefarious purposes. This has not changed, and so these secure access technologies remain a central piece of the solution.
Protect the data, because there are 10,000 new holes in your perimeter.
Next look at what is new. Something that has probably changed since you started your SSE or zero trust program is the attack methods available to bad actors (thanks to clever AI models), and your controls cannot be blind to them while you wait for that patch.
According to Netskope’s AI Risk and Readiness Report, 98% of organizations report unmanaged AI use. I am not even going to call that ‘most’, because I think it qualifies as ‘virtually all’. And only 12% can detect all shadow AI activity in their environment. And then there’s AI agents… 91% of organizations say they cannot reliably stop a risky AI-driven action before it executes. In most organizations, AI use is an incredibly opaque black box, and the data going in and out (and AI system integrations and interactions) are, frankly, a mystery.
An AI agent that clears an access checkpoint doesn’t stop there. It makes API calls continuously. It chains to other services, queries databases, reads email threads, processes documents, and touches code repositories. The blast radius from a misconfigured or compromised agent doesn’t live at the access boundary. It lives inside the session, at the data layer, in transactions that perimeter controls were never designed to inspect.
CVE-2025-32711, disclosed in June 2025 with a CVSS severity of 9.3, made all of this concrete. A zero-click prompt injection in Microsoft 365 Copilot required no user interaction at all. It took only one carefully crafted email, ingested during routine summarization, to extract data from OneDrive, SharePoint, and Teams and exfiltrate it through a trusted Microsoft domain. Antivirus spotted nothing, and neither firewalls nor static scanning fired. The instructions arrived in natural language, not code… invisible to tools watching for known-bad signatures.
Build unified data protection that spans the entire data ecosystem: Do not leave AI applications, workflows and use cases out in the cold.
Finally, don’t forget the housekeeping. Because there’s also a quieter problem compounding the risk of this sprawling access: authority drift. Permissions provisioned for one use case expand through inheritance, integration, and convenience over months of deployment. No single process approved the aggregate and the authorization boundaries dissolve in production, without an alert firing. When an attacker exploits an agent with an oversized footprint and overprovisioned access permissions, lateral movement happens at machine speed, across everything the agent was authorized to touch.
Remember that zero trust means the right people and agents have the right access to the right resources at the right times for the right reasons. And no more.
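One way to make the authority drift described above visible, as an added example that is not part of the original article: resolve what an agent effectively holds through inherited roles and integrations, then diff it against the scopes approved at provisioning. Every agent, role, integration and scope name here is hypothetical, and the data is constructed.

```python
from collections import deque

# Constructed sample data: every agent, role and scope name is hypothetical.
# Scopes that were reviewed and approved when the agent was provisioned.
APPROVED = {"summarizer-agent": {"mail:read", "docs:read"}}

# What each principal, role or integration holds directly.
GRANTS = {
    "summarizer-agent": {"mail:read", "docs:read"},
    "role:docs-editor": {"docs:write"},
    "role:repo-reader": {"repo:read"},
    "integration:ticketing": {"tickets:write", "db:query"},
}

# Edges added over months of deployment: node -> what it inherits from.
INHERITS = {
    "summarizer-agent": ["role:docs-editor", "integration:ticketing"],
    "role:docs-editor": ["role:repo-reader"],
    "role:repo-reader": ["role:docs-editor"],  # cycle, as real role graphs have
}


def effective_permissions(principal, grants=GRANTS, inherits=INHERITS):
    """Return {scope: path}, path being the shortest chain conferring the scope."""
    found = {}
    seen = {principal}
    queue = deque([(principal, (principal,))])
    while queue:
        node, path = queue.popleft()
        for scope in sorted(grants.get(node, ())):
            found.setdefault(scope, path)  # BFS: first hit is the shortest path
        for parent in inherits.get(node, ()):
            if parent not in seen:  # guards against inheritance cycles
                seen.add(parent)
                queue.append((parent, path + (parent,)))
    return found


def authority_drift(principal, approved=APPROVED):
    """Scopes the principal effectively holds that were never approved for it."""
    baseline = approved.get(principal, set())
    effective = effective_permissions(principal)
    return {s: p for s, p in effective.items() if s not in baseline}


if __name__ == "__main__":
    for scope, path in sorted(authority_drift("summarizer-agent").items()):
        print(f"DRIFT {scope:14} via {' -> '.join(path)}")
```

The path attached to each drifted scope shows which inheritance or integration edge conferred it, which is the link to review or revoke.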
The tired look in that customer’s eye a few months ago was completely understandable. The patch window has been replaced by an AI-speed threat window, and the race to patch will always be a losing battle. I strongly believe that it should serve as a forcing function for organizations to stop trying to chase every vulnerability, and instead start securing the data that is the lifeblood of our enterprises.
Whether we are architecting a secure way to make use of public AI infrastructure, support hybrid workforces or enable AI at pace, the answer is always to put the data at the center of the diagram.
Sources:
- Project Glasswing field report, Anthropic, May 2026
- AI Risk and Readiness Report, Netskope, 2026
- Gartner AI Forecast 2025–2026
- CVE-2025-32711, NVD / Microsoft Security Advisory, June 2025