By Kim Basile, CIO at Kyndryl, and Cory Musselman, CISO at Kyndryl
By now, most cybersecurity experts have acknowledged that Frontier AI models like Mythos and Chat GPT-5.5 have changed cybersecurity forever. But there’s a great deal of debate and uncertainty about how organizations should adapt their security and risk postures to meet these new challenges.
From what we’ve seen so far, these new AI models dramatically lower the technical bar for attackers, accelerating both discovery and potential exploitation of software vulnerabilities. In announcing its Mythos model, for instance, Anthropic claimed to have found thousands of “high-severity vulnerabilities” in software everyone uses, a scale far beyond anything we’ve seen. These models can also string together vulnerabilities across software providers and reverse-engineer software into the underlying code. While AI doesn’t fundamentally change the threat vectors, it significantly collapses the time organizations have to understand, decide and act.
If such vulnerabilities are not properly found and addressed, and soon, Frontier AI models, including open-source models yet to become available, could have significant negative impacts across sectors. Since every business is a digital business now, this could lead to exposure of consumer and personal data, theft of IP, and disruption of services and utilities. Downstream effects would include increased mistrust, severed commercial relationships, as well as hearings, investigations, and litigation.
It also points to a broader organizational shift: Enterprises need to eliminate barriers to rapid action and streamline decision-making. Speed and information sharing — both within an individual organization and across companies — will be critical to detecting and responding to threats. Collaborations like Palo Alto’s recently announced Frontier AI Defense initiative, of which Kyndryl is a partner, are welcome moves.
At Kyndryl, we are evaluating Frontier AI models through controlled testing in non-production environments. The stakes are high, but importantly, Frontier AI can also help defenders better prepare as well, though organizations will need to consider trade-offs and changes to their IT models, their operating models, and business-risk calculus as well. Reinforcing and enhancing existing security measures, including Zero trust, defense in depth, and cyber hygiene will better equip IT estates to manage and recover from attacks at machine speed.
Speed now matters more than ever. Traditional cybersecurity strategies were built for a slower threat environment, where security teams had time to detect and respond, with regular updates at fixed intervals. That’s no longer sufficient.
Some good news for defenders: AI models get better at doing a specific task through learning. When deployed defensively, as they get more context about an IT environment, they’ll get better at identifying weaknesses and areas of improvement. Over time, this can benefit the defenders more than attackers. Today’s IT estates are complex, built up over decades. As we train Frontier AI models on IT environments to look for vulnerabilities, those models will learn more about the specific collection of hardware, software and certificates that make it function. Attackers will not benefit from such deep knowledge, and they also won’t know the steps organizations are taking to defend themselves — for example, operational constraints or human intervention points. For defenders, a greater picture of how each estate comes together will be critical.
Speed now matters more than ever. Traditional cybersecurity strategies were built for a slower threat environment, where security teams had time to detect and respond, with regular updates at fixed intervals. That’s no longer sufficient. AI is changing that dynamic by accelerating the speed, scale and sophistication of attacks. Simply adding more security tools is not enough. Enterprises need resilient architectures with security, automation and governance built into the foundation. Cyber resilience is no longer just an operational challenge — it is an architectural one.
Coordination across government and industry will be critical as the world adapts to this new security paradigm. Information-sharing in real time will be particularly important, for example, if the government becomes aware of a particular threat actor targeting a particular vulnerability. This cooperation becomes even more important to protect smaller organizations that don’t benefit from large IT budgets, expertise, and modern technology. And since it’s not confined to one geography or another, it will require global cooperation.
Enterprises need to eliminate barriers to rapid action and streamline decision-making. Speed and information sharing — both within an individual organization and across companies — will be critical to detecting and responding to threats.
In the next few months, enterprises can expect an unprecedented remediation challenge. Companies with access to Mythos are using it now to identify vulnerabilities in software and develop remedies, which will be rolled out in a flood of patches in the coming months. Because Mythos can string together vulnerabilities from different software providers, isolated patch releases may create temporary gaps attackers can still exploit. Organizations that fail to apply patches quickly can easily become targets for attackers that reverse-engineer updates to uncover the vulnerabilities they address.
As a result, vendors may increasingly bundle dozens of fixes into larger coordinated releases. Organizations will need deep visibility into their IT estates to understand how bundled patches interact across systems. Observability and testing will be critical; coordinating downtime for mission-critical environments may require enterprise-wide planning. If failures or breaks occur, teams will also need to quickly identify which patch from which provider caused the issue.
Remediation may require taking systems offline or limiting services, creating ripple effects across customers, teams and business operations. These decisions become even more complex in regulated industries, where leaders need clear visibility into the operational, legal and financial consequences before acting.
Each industry will face these challenges uniquely. Most large, well-financed institutions will sprint ahead to test and patch. They’re also better positioned to do so: they typically have strong redundancies, which means you can patch one system while another continues to operate. Healthcare, which has been the target of high-profile attacks in recent years, faces other challenges, where resources are more constrained. Taking medical equipment offline for maintenance needs to be considered very carefully. And many organizations simply don’t have the resources to make these updates at speed.
Most organizations still operate legacy systems that are no longer supported and cannot receive security patches. These legacy systems are often difficult to retire because they contain decades of mission-critical data and embedded business logic. Agentic AI can help accelerate modernization efforts. If a certain device can’t be modernized, organizations need to strengthen protections around those systems through measures such as MFA, tighter traffic controls and network segmentation to limit the impact of a potential breach.
We are entering a new security paradigm where cybersecurity is not just a control function: it’s also an enterprise-wide discipline of continuous adaptation, where resilience is defined less by whether you can stop an attack, and more by how quickly and intelligently you can respond when the inevitable occurs. Greater cooperation and coordination will be necessary between industry and government. That means building architectures designed for containment and recovery, enabling governance that can make decisions in hours instead of quarters, and treating visibility, coordination and rapid response as core security capabilities.
