What Boards Must Demand in the Age of AI-Automated Exploitation
“You knew, and you could have acted. Why didn't you?” That is the question Quincy Castro, CISO at Chainguard, says no executive wants to face after a breach. For years boards tolerated large vulnerability backlogs as an unpleasant reality. Castro argues that tolerance is now reckless.
Anthropic said attackers are using agentic AI to speed up reconnaissance, vulnerability discovery and exploit development. According to Anthropic, that shift lets less experienced groups do work that used to require skilled operators. Castro warns this changes the risk calculus: a backlog that once felt manageable can be weaponized in hours instead of weeks.
Why this matters to boards
Castro says the old defenses relied on constraints that no longer exist. “If it was really as bad as you say, we'd be compromised right now” was a common refrain when exploitation was slower. That excuse no longer holds, he adds. Boards must move from compliance checklists to operational truth about their tech resiliency.
Dr Megha Kumar, Chief Product Officer at CyXcel, frames the problem more broadly. She says AI risk is systemic and crosses sectors, because models and infrastructure touch finance, healthcare and utilities. “AI governance is not solely the domain of governments or technologists,” Kumar says. She urges companies to treat AI adoption as a matter of shared responsibility, not only of competitive advantage.
Concrete questions boards should demand
- What does our vulnerability management process look like end to end, and who owns each stage? Quincy Castro recommends insisting on operational detail, not dashboards that obscure reality.
- How many High and Critical vulnerabilities are in production now? Castro says boards need a single, auditable number they can discuss.
- How long did it take to remediate High and Critical findings last quarter and last year? Time to fix matters more than raw counts, Castro argues.
- If a zero-day appeared in our top product today, how long before we could tell customers the risk is contained? This is an incident readiness question Castro says every board should expect to see answered.
- What is the dollar cost of our current backlog, calculated as people-hours to fix multiplied by fully loaded engineering cost? Castro recommends this to make the problem governable at the board level.
Simply promising to “patch faster” is not a full answer, Castro warns. Many organizations experience customer impact from emergency patches. That tradeoff between exposure and downtime means leaders must build systems that reduce the frequency and blast radius of urgent fixes, not only accelerate fragile processes.
Regulatory pressure is increasing. The European Commission enacted the Cyber Resilience Act, with major obligations phased in through 2027, and EU regulators are applying the Digital Operational Resilience Act in financial services. Castro says these rules shift liability toward better software hygiene. Kumar adds that procurement and supply chain decisions will be powerful levers, and companies should demand vendor transparency on model training data, safety testing and environmental impact.
Both Castro and Kumar urge structural change. Castro highlights reducing vulnerability accrual by design, starting with secure default components and fewer fragile dependencies. Kumar calls for AI governance to sit alongside cyber security and regulatory compliance at the highest level of oversight, with scenario planning and cross-industry coordination.
When executives are asked after a breach why they tolerated thousands of High vulnerabilities, Castro says the only defensible answer is: we changed the system. That means making the backlog visible, measurable and expensive enough that boards no longer accept vague assurances.