The cybersecurity playbook for financial institutions is facing one of its most consequential tests in years. Frontier AI models can discover zero-day vulnerabilities, which are previously unknown flaws that attackers can exploit before they’re fixed, at a speed and scale that traditional security infrastructure wasn’t built to handle. In recent weeks, many institutions have taken a hard look at their response capabilities by setting up command centers and escalation and triage trees. They’ve discovered the bottleneck is shifting from finding vulnerabilities to responding to them.

Based on our experience working with financial institutions, banks should consider bolstering their cybersecurity response capabilities in four ways: prioritizing which vulnerabilities to address first; improving execution speed for quick remediation; building architectural resilience to reduce risk while simultaneously fixing issues; and implementing governance frameworks that enable faster, more distributed decision-making while maintaining appropriate oversight and control.

These challenges are compounded by the nature of banks’ technology infrastructure, which generally exists as a patchwork: open-source components, third-party platforms, cloud services, and highly regulated transaction systems. This complexity not only creates an extensive attack surface but also makes rapid coordinated response extraordinarily difficult.

Prioritization: Deciding what matters

As frontier AI models find vulnerabilities at unprecedented volume and velocity, the newly discovered flaws can add to the existing backlog of known issues. Banks should be continuously reassessing risks across this combined pool of exposures, distinguishing which vulnerabilities actually matter.

Also, vendors regularly release updates. Where those releases don’t clearly separate security patches from non-security patches, banks should analyze each one to determine which meaningfully reduce exposure; otherwise, they risk misallocating resources to low-impact updates while critical vulnerabilities remain unpatched.

To help manage prioritization at this new scale and velocity, banks should consider shifting their approach in three ways:

  • Moving beyond static scores to context-driven risk assessment: Risk severity scores, which rate how serious a vulnerability could be in theory, aren’t sufficient on their own. Banks should continuously reassess risk based on exploitability, exposure, and asset criticality.
  • Automating triage to separate signal from noise: To focus on the updates that actually pose risk, banks can use automated systems to filter by security relevance and map vulnerabilities to their real attack surface.
  • Empowering faster, distributed decision-making: Long escalation chains can slow things down when responding to active exposures. To overcome this challenge, banks should consider giving frontline teams clear authority and guardrails so they can act quickly. They should also consider building feedback loops on what worked and what didn’t to keep improving how they prioritize vulnerabilities.
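The first two shifts above can be shown together in a short sketch. This is an added example, not code from the article or its authors: the field names, the multiplicative weights, and the sample findings are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Illustrative weights (assumptions, not from the article); tune to your own risk model.
EXPLOIT_FACTOR = {True: 1.0, False: 0.5}        # exploit known vs. none observed
EXPOSURE_FACTOR = {True: 1.0, False: 0.6}       # internet-reachable vs. internal only
CRITICALITY_FACTOR = {1: 1.0, 2: 0.7, 3: 0.4}   # asset tier 1 = most critical

@dataclass(frozen=True)
class Finding:
    id: str                   # placeholder identifier, constructed
    base_score: float         # static severity score, 0.0 to 10.0
    exploit_known: bool       # exploitability
    internet_exposed: bool    # exposure
    asset_tier: int           # asset criticality (1, 2 or 3)
    security_relevant: bool = True  # False for feature-only vendor updates

def contextual_score(f: Finding) -> float:
    """Scale the static score by exploitability, exposure and asset criticality."""
    return (f.base_score
            * EXPLOIT_FACTOR[f.exploit_known]
            * EXPOSURE_FACTOR[f.internet_exposed]
            * CRITICALITY_FACTOR[f.asset_tier])

def security_only(findings):
    """Automated triage step: drop updates with no security relevance."""
    return [f for f in findings if f.security_relevant]

def static_rank(findings):
    """Queue order when only the static severity score is used."""
    return sorted(security_only(findings), key=lambda f: f.base_score, reverse=True)

def contextual_rank(findings):
    """Queue order after re-weighting each finding by its context."""
    return sorted(security_only(findings), key=contextual_score, reverse=True)

# Constructed sample backlog.
SAMPLE = [
    Finding("FINDING-A", 9.8, exploit_known=False, internet_exposed=False, asset_tier=3),
    Finding("FINDING-B", 7.5, exploit_known=True, internet_exposed=True, asset_tier=1),
    Finding("FINDING-C", 6.1, exploit_known=True, internet_exposed=False, asset_tier=1),
    Finding("UPDATE-D", 0.0, False, False, 2, security_relevant=False),
    Finding("FINDING-E", 8.8, exploit_known=False, internet_exposed=True, asset_tier=2),
]

if __name__ == "__main__":
    print("static:    ", [f.id for f in static_rank(SAMPLE)])
    for f in contextual_rank(SAMPLE):
        print(f"contextual: {f.id} {contextual_score(f):.2f}")
```

On this sample, the finding with the highest static score drops to the bottom of the queue because it has no known exploit and sits on an internal, low-criticality asset.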

Execution speed: Transforming how banks remediate at scale

Execution speed in many financial institutions is structurally constrained. Even when cybersecurity vulnerabilities are identified and prioritized, the ability to remediate them quickly can often be limited by both technical architecture and process design.

Typically, legacy technology systems have interdependencies such that one change in a component can affect others, requiring extensive testing across the tech stack before deployment. Also, testing and validation take time because banks have to ensure that patches don’t disrupt critical functions, introduce new risks, or violate regulatory requirements. Plus, traditional change management prioritizes control over speed. Approval chains, deployment windows, and governance checkpoints are necessary, but they weren’t built for continuous remediation at scale.

Moreover, many banks manage vulnerabilities through mechanisms built for control, such as severity scoring, remediation ticket queues, escalation chains, and scheduled patch windows. These controls weren’t designed for AI-driven vulnerability discovery at scale.

Addressing these constraints may require a different operating model:

  • Integrating AI into testing and validation: Banks should consider embedding frontier AI models into testing cycles to validate patches faster and identify conflicts before deployment. This compresses the window between discovery and safe remediation without sacrificing control or introducing new risks.
  • Enabling cross-functional collaboration at machine speed: It’s important to break down silos between security, infrastructure, risk, legal, and business teams. Remediation at scale requires real-time coordination and shared visibility into priorities.
  • Managing third-party dependencies for speed: Banks shouldn’t rely on passive vendor notifications because they may arrive too late. Establish real-time visibility into critical dependencies, direct communication channels during incidents, and pre-established escalation protocols. Most importantly, clarify decision ownership upfront for shared infrastructure vulnerabilities. Without it, banks could face a tough choice: Act on incomplete information or wait while exposure grows.
  • Unifying project management office (PMO) capabilities for rapid remediation: Banks should consider combining elements from the delivery PMO (execution discipline), crisis PMO (rapid response), transformation PMO (coordination), and remediation PMO (accountability). AI-driven vulnerability discovery requires all four simultaneously—not sequential hand-offs between siloed teams.

Architectural resilience: Mitigating risk while vulnerabilities await remediation

Systems awaiting remediation shouldn’t remain exposed without protection. Banks should deploy mitigating controls to contain cybersecurity risk until patches can be safely implemented and build resilience into systems that can’t be patched immediately. And rather than relying solely on prevention, banks should assume some vulnerabilities will remain exploitable and design defenses that limit damage:

  • Isolating critical systems and restricting network connections: This limits what attackers can reach. Even when vulnerabilities exist, breaches stay contained. An attacker who exploits one system can’t automatically access everything else.
  • Layering security: Implementing multiple checkpoints across systems, controls, and business processes can reduce impact and help ensure that no single weakness becomes catastrophic.
  • Using behavior-based threat detection: To block exploitation—or stop attacks in progress—even when underlying cybersecurity vulnerabilities haven’t been fixed, banks can use tools that monitor application behavior, filter web traffic, and watch for suspicious activity.
  • Developing zero-trust architecture: Banks should assume breaches will happen. Rather than trusting everything inside the network, banks should continuously verify identity and access, creating boundaries around sensitive systems that limit damage when vulnerabilities are exploited.
  • Building resilience through backup and recovery: For systems in the “remediate later” category, banks should increase backup frequency to support rapid recovery. Improved monitoring can provide early warning, while backups ensure systems can be restored if compromised.

Governance: Enabling speed without losing control

Traditional cyber governance was built for human-paced threats, with time for deliberation, escalation, and alignment. AI-accelerated vulnerability discovery compresses these timelines, forcing organizations to make faster decisions without sacrificing control.

At the same time, frontier AI can turn vulnerability management into an enterprise problem that spans infrastructure, applications, risk, legal, compliance, and the business. Governance models should evolve accordingly, extending beyond security teams to enable coordinated action while maintaining accountability and oversight.

Four shifts should be considered:

  • Pre-authorizing decision rights: Banks should consider defining which actions security teams can take immediately within clear guardrails, such as disabling vulnerable features, deploying compensating controls, or accelerating releases, without routing every decision through committees while exposure is active.
  • Integrating decision-making across functions: Aligning cyber, risk, technology, AI governance, and business leadership can help ensure that decision authority is clear and escalation paths work under pressure. Fragmented governance slows response at exactly the wrong moment.
  • Enabling real-time visibility and accountability: Leaders should be able to act while events are unfolding, not after the fact, so banks should consider replacing periodic reporting with live insight into vulnerabilities, remediation status, and residual risk.
  • Building organizational muscle memory: Through realistic exercises, banks should consider running cybersecurity crisis simulations in which security, infrastructure, legal, risk, and business teams make decisions under pressure with incomplete information, developing their ability to respond to cyber threats in ways that are faster and smarter.

Rearchitecting cyber defense in the age of frontier AI models

Frontier AI model capabilities signal a radical shift: Cyber risk is about to move faster than most banks are built to handle. Preparing for this future means getting four things right: prioritization, execution speed, and architectural resilience, backed by governance frameworks that enable rapid, confident decisions. The aim is to prime the organization to respond to cybersecurity vulnerabilities at machine speed, with coordinated and controlled execution.

Meet the industry leaders

Anish Srivastava

Managing Director, National Cyber Leader for Financial Services | Deloitte & Touche LLP

Michelle Gauchat

Principal, US banking and capital markets leader | Deloitte Consulting LLP

Vikram (Vik) Bhat

Principal, vice chair, and US financial services industry leader | Deloitte & Touche LLP

Maxwell Kruger

Principal | Deloitte Consulting LLP

ACKNOWLEDGMENTS

The authors would like to thank Val Srinivas for his extensive, thoughtful, and valuable contributions to this article.

Editorial: Elisabeth Sullivan, Hannah Bachman

Design: Sylvia Yoon-Chang, Jaime Austin

Cover artist: Sylvia Chang; Adobe Stock

Knowledge services: Agni Wagh