Vulnerability Management After AI: Why Your Old Playbook No Longer Holds

Security and vulnerability management teams are under pressure from two directions at once. AI is expanding the attack surface faster than most teams can track it, and the tools available to defend that surface are making promises their current capabilities cannot consistently keep. For organizations managing IoT, OT, IoMT, and IT environments, the gap between what AI-driven attackers can do and what AI-enhanced defenders can actually handle is not closing fast enough.

In April 2026, the Cloud Security Alliance, with the SANS Institute and the OWASP Gen AI Security Project, published a practitioner briefing titled “The ‘AI Vulnerability Storm’: Building a ‘Mythos-ready’ Security Program,” written for the CISO who needs a credible plan for a world where AI-driven offense is the baseline. The briefing was prompted by Anthropic’s Claude Mythos, a frontier model whose vulnerability discovery and exploit development outpaced anything previously published. On a formalized Firefox JavaScript engine benchmark, Anthropic’s own testing showed the Mythos preview producing 181 working exploits, where Claude Opus 4.6 produced 2, and Mythos reportedly surfaced thousands of previously unknown vulnerabilities across widely used open-source software. The briefing is candid that most AI defensive controls and approaches are not yet mature.

The reality has moved quickly since. In June 2026, Anthropic released Claude Mythos 5 and Claude Fable 5, making a Mythos-class model publicly available for the first time through Fable. Fable ships with safeguards that route cybersecurity and biology requests to a less capable model to limit offensive misuse, but access to both models was then suspended under a US government directive citing national security concerns, with Anthropic stating it is working to restore availability. For defenders, the throughline holds: the offensive capability of frontier AI is advancing faster than the industry can safely field it on defense, and the gap is measurable.

Now more than ever, organizations seeking to reduce risk need visibility, prioritization, governance, and coverage across the full attack surface, including IoT, OT, IoMT, and IT environments.

The Time Gap: When Exploitation Outpaces Remediation

Vulnerability management has become a race between defenders remediating exposure and attackers seeking to exploit it. Security teams need AI-driven solutions that help them identify, prioritize, and remediate faster, yet many available technologies make broad promises that do not address real operational needs.

Timing is the central challenge. According to Zero Day Clock, the median time from public vulnerability disclosure to confirmed exploitation fell to roughly 4 hours by 2024, and through 2025 and 2026, the majority of exploited vulnerabilities were weaponized at or before the day of public disclosure. With AI tools capable of generating nearly 200 working exploits for a single application, vulnerability management teams may have only hours, not days, to complete five parallel tasks:

  • Identify every affected asset across the environment
  • Validate exposure and determine business impact
  • Triage findings based on exploitability and criticality
  • Prioritize remediation efforts
  • Coordinate patching or compensating controls across teams

Manual workflows cannot sustain that pace, particularly in environments with large asset inventories, limited staffing, or unmanaged IoT, OT, IoMT, and IT devices, where conventional tools have incomplete coverage.

The AI Maturity Gap: Why Today’s Tools Create Conflicting Guidance

The Cloud Security Alliance advises security teams to reprioritize resources, review risk levels and controls, and apply AI where possible. At the same time, the same authors acknowledge that Project Glasswing, a broad multi-party vulnerability coordination effort among major technology and infrastructure organizations, must expand coverage quickly and that the patch and disclosure pipeline must accelerate at the pace of adversarial AI adoption.

For many security and vulnerability management teams, that guidance creates real confusion: it tells them to adopt AI rapidly while acknowledging that current solutions lack the maturity to support the decisions that actually matter.

Most teams onboarding AI today use it for administrative tasks and workflows:

  • Reading scan reports and summarizing CVEs
  • Drafting remediation notes and writing tickets
  • Reviewing findings and correlating duplicate alerts
  • Producing dashboards and helping understaffed teams process data faster

That efficiency is real, but it is not the problem these teams most need to solve. What they need is an intelligence layer that answers the time-sensitive questions that drive risk reduction:

  • Which vulnerabilities matter first?
  • Which devices are critical?
  • Which systems are exposed?
  • Which risks affect operations?
  • Which IoT, OT, IoMT, and IT assets cannot be patched easily?
  • What can be mitigated another way?
  • Where should the team focus today?

Bolt-On AI: Why Traditional Tools Hit a Coverage Ceiling

When experts argue that AI needs to mature further, they mean that current models lack stability, standardization, and consistently trusted patterns across security use cases. These discussions center on four gaps: models improve rapidly but apply unevenly across different security use cases; integration patterns remain inconsistent across vendors and platforms; evaluation and validation approaches remain inconsistent across the industry; and organizations are still working to implement and mature AI system governance.

As vendors rush AI capabilities to market, traditional vulnerability tools bolt on broadly trained models. These tools apply a generalized intelligence layer that improves analysis, correlation, and prioritization of the same data that the platform has always collected. The efficiency gain is real, but it does not expand the tool’s original scope, and that coverage ceiling is the real constraint.

Meanwhile, attackers are using AI to find vulnerabilities across a broader attack surface that includes IoT, OT, IoMT, and IT environments. Even with AI-enhanced vulnerability scanners, organizations may still lack:

  • Consistent visibility into unmanaged or semi-managed IoT, OT, and IoMT assets
  • Context around operational impact required to accurately prioritize risk
  • Reliable exposure mapping across heterogeneous device types and distributed environments
  • A unified view of risk across assets that fall outside traditional vulnerability scanning assumptions

As vulnerability management teams work to keep pace with AI-driven threats, they need purpose-built solutions that provide visibility and reflect the modern attack surface.

Purpose-Built Platforms: AI That Reflects the Full Attack Surface

As organizations evaluate AI-driven cybersecurity platforms, the central question is whether the solution is purpose-built for their specific attack surface. When looking for a platform to identify, prioritize, and remediate vulnerabilities across IoT, OT, IoMT, and IT environments, five capabilities matter most.

Continuous Asset Discovery and Visibility

In environments where devices are dynamic, unmanaged, or inconsistently documented, AI-enhanced tools can only analyze what they already know. Without continuous discovery, AI-driven prioritization is incomplete by definition. Expanding visibility ensures that risk modeling reflects the full environment, including previously unknown or unmanaged devices.

When evaluating solutions, organizations should look for one that provides:

  • Agentless, continuous asset discovery across IoT, OT, IoMT, and IT environments through passive monitoring and active safe scanning where appropriate
  • Identification of unmanaged, semi-managed, and legacy devices
  • Automatic classification of device types and functions
  • Real-time updates to asset inventory without reliance on manual scans
  • Coverage across segmented or operationally isolated networks

Context-Aware Vulnerability Prioritization with Exploitability Analysis

Tools that fail to incorporate operational context misrepresent real-world risk, particularly when prioritization is based on CVSS scores or scan frequency alone. Purpose-built platforms go further: they analyze actual device behavior and network topology to determine whether a vulnerability is exploitable on a specific device in the specific environment, not just in the abstract. That determination is what separates a real remediation priority from theoretical noise.

When evaluating solutions, organizations should look for one that provides:

  • Exploitability analysis that evaluates each vulnerability against the actual network topology and device context, not just CVSS base scores
  • Risk scoring that includes asset criticality and operational impact
  • Exposure-based prioritization that distinguishes reachable from isolated assets
  • The ability to factor in compensating controls and segmentation
  • Dynamic prioritization based on changing network conditions
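
To make the difference between CVSS-only ranking and context-aware ranking concrete, here is an added example (not Asimily's ATT&CK Analysis or any vendor's scoring model) that folds exploitation evidence, reachability, asset criticality and compensating controls into one priority score. The weights, the device names and the CVE placeholders are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Finding:
    asset: str
    cve: str               # placeholder ids, not real CVE numbers
    cvss: float            # CVSS base score, 0-10
    in_kev: bool           # listed in CISA KEV (actively exploited)
    criticality: int       # asset criticality 1 (low) .. 5 (safety/revenue critical)
    reachable: bool        # reachable from a less-trusted zone
    internet_facing: bool
    compensating: list = field(default_factory=list)  # validated controls, e.g. "segmented"
    patchable: bool = True

def priority_score(f: Finding) -> float:
    """Context-aware score: exposure and exploitation evidence outweigh CVSS alone.
    Weights are assumed for illustration, not taken from any product."""
    score = f.cvss
    if f.in_kev:
        score += 3.0                   # known-exploited beats theoretical severity
    if f.internet_facing:
        score += 2.5
    elif f.reachable:
        score += 1.0
    else:
        score -= 4.0                   # isolated asset: theoretical noise for now
    score -= 1.5 * len(f.compensating)  # each validated control lowers urgency
    score *= (6 + f.criticality) / 10   # 0.7x for criticality 1 .. 1.1x for 5
    return round(max(score, 0.0), 2)

def prioritize(findings):
    """Highest context-aware score first."""
    return sorted(findings, key=priority_score, reverse=True)

def next_action(f: Finding) -> str:
    """Unpatchable devices are routed to segmentation rather than a patch ticket."""
    return "patch" if f.patchable else "segment"

# Constructed sample findings: a CVSS 9.8 on a segmented, isolated medical device
# versus a CVSS 7.5 KEV entry on an internet-facing gateway.
SAMPLE = [
    Finding("infusion-pump-17", "CVE-PLACEHOLDER-A", 9.8, False, 5, False, False,
            compensating=["segmented"], patchable=False),
    Finding("vpn-gw-01", "CVE-PLACEHOLDER-B", 7.5, True, 4, True, True),
    Finding("hvac-plc-03", "CVE-PLACEHOLDER-C", 8.1, False, 3, True, False, patchable=False),
    Finding("hr-laptop-88", "CVE-PLACEHOLDER-D", 9.1, False, 1, True, False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{priority_score(f):5.2f}  {f.asset:18}  {f.cve}  -> {next_action(f)}")
```

The internet-facing KEV finding with the lower CVSS score lands at the top, and the 9.8 on the isolated, segmented pump drops to the bottom of today's queue with a segmentation action rather than a patch ticket.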

Exposure and Attack Path Visibility Across Connected Devices

Real-world risk analysis depends on understanding how vulnerabilities can actually be reached and exploited through device connections and communication pathways. Mapping exposure and connectivity across diverse device types allows organizations to understand the realistic attack paths available to an adversary in their specific environment.

When evaluating solutions, organizations should look for one that provides:

  • Network-level visibility into device connectivity and communication patterns across IoT, OT, IoMT, and IT
  • Identification of exposure paths across segmented environments
  • Mapping of lateral movement risk involving connected assets
  • Integration of network topology with vulnerability data
  • Identification of internet-facing or externally accessible devices

A Unified Risk View Across IoT, OT, IoMT, and IT

When organizations extend visibility consistently across all device types, they can accurately understand vulnerability risk without the silos that undermine prioritization decisions. A unified risk view requires correlating data across the entire environment with the context needed to act on it.

When evaluating solutions, organizations should look for one that provides:

  • A consolidated view spanning IoT, OT, IoMT, and IT assets
  • Cross-domain risk normalization and comparison
  • The ability to correlate vulnerabilities across heterogeneous systems
  • A unified prioritization engine rather than separate tool outputs
  • Consistent reporting across all asset categories

Segmentation as a Compensating Control

For devices that cannot be patched, segmentation is often the most effective risk reduction available. But generating and enforcing segmentation policies across thousands of IoT, OT, IoMT, and IT devices has historically required months of manual effort and carries the risk of breaking operational workflows. Purpose-built platforms address this by generating policies from observed device behavior, validating their impact before deployment, and enforcing them continuously across NAC and firewall infrastructure.

When evaluating solutions, organizations should look for one that provides:

  • Automated policy generation derived from actual observed device behavior, not templates or assumptions
  • Policy simulation that validates impact against real traffic before any rule goes live
  • Enforcement across both NAC platforms and firewall infrastructure
  • Continuous policy adaptation as devices, firmware, and risk posture change
  • An auditable record of what was enforced and why, for compliance and board reporting
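
The three steps this section describes, learning an allow-list from observed device behavior, simulating a candidate policy against traffic before it goes live, and rendering it as enforceable rules, as an added example that is not Asimily's Segmentation Orchestration or any product's code. The flow records, device names and the minimum-observation threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flows (src, dst, dst_port, proto) as a passive sensor might export.
OBSERVED = [
    ("pump-17", "emr-server", 443, "tcp"),
    ("pump-17", "emr-server", 443, "tcp"),
    ("pump-17", "ntp-01", 123, "udp"),            # seen only once during learning
    ("hvac-plc-03", "bms-head", 47808, "udp"),     # BACnet to the building head-end
    ("hvac-plc-03", "bms-head", 47808, "udp"),
]

def learn_policy(flows, min_count=2):
    """Per-device allow-list derived from observed behaviour. A flow must be seen
    at least min_count times so a one-off connection (misconfiguration or probing)
    is not baked into the baseline as legitimate."""
    counts = defaultdict(int)
    for src, dst, port, proto in flows:
        counts[(src, dst, port, proto)] += 1
    policy = defaultdict(set)
    for (src, dst, port, proto), n in counts.items():
        if n >= min_count:
            policy[src].add((dst, port, proto))
    return dict(policy)

def simulate(policy, traffic):
    """Replay traffic against the candidate policy before enforcement and return
    (allowed, blocked) so operators can review what would break."""
    allowed, blocked = [], []
    for src, dst, port, proto in traffic:
        target = allowed if (dst, port, proto) in policy.get(src, set()) else blocked
        target.append((src, dst, port, proto))
    return allowed, blocked

def to_acl(policy):
    """Vendor-neutral rule strings: explicit permits followed by a per-device default deny."""
    rules = []
    for src in sorted(policy):
        for dst, port, proto in sorted(policy[src]):
            rules.append(f"permit {proto} {src} -> {dst}:{port}")
        rules.append(f"deny any {src} -> any")
    return rules

# Constructed traffic for the simulation step.
NEW_TRAFFIC = [
    ("pump-17", "emr-server", 443, "tcp"),
    ("pump-17", "ntp-01", 123, "udp"),            # legitimate but under-observed: flagged for review
    ("pump-17", "hr-laptop-88", 445, "tcp"),      # unexpected SMB toward an IT host
]

if __name__ == "__main__":
    policy = learn_policy(OBSERVED)
    allowed, blocked = simulate(policy, NEW_TRAFFIC)
    print("would block:", blocked)
    print("\n".join(to_acl(policy)))
```

The simulation surfaces the under-observed NTP flow before enforcement, which is exactly the operational break a validation step exists to catch; the operator can extend the learning window or add the rule, while the SMB flow stays blocked.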

Asimily: Purpose-Built for Vulnerability Risk Across the Full Connected Device Fleet

Every connected device that cannot run an agent, that uses a proprietary protocol, or that sits in an environment where a misconfigured policy carries operational consequences represents a gap in attack surface coverage that traditional vulnerability management tools were never designed to close. Asimily’s Proactive Cyber Asset Defense Platform was built specifically for that gap.

Asimily provides a continuously updated, agentless, authoritative inventory of every IoT, OT, IoMT, and IT device, built safely and without disruption through passive monitoring and active safe scanning where appropriate, and capturing more than 100 parameters per device, including firmware version, communication behavior, installed services, and external connections. This gives security teams a complete foundation for vulnerability assessment that reflects the real environment, not just what a scanner could reach.

ATT&CK Analysis: Asimily’s Core Capability for Vulnerability Prioritization

Built on that visibility, ATT&CK Analysis is Asimily’s purpose-built capability for determining exploitability. Rather than applying a generic CVSS score, ATT&CK Analysis evaluates whether each vulnerability is actually exploitable on that specific device in that specific network topology, drawing on 15-plus threat intelligence sources, including CISA KEV, NVD, MITRE ATT&CK for ICS, ICS-CERT, and vendor SIRTs. The result is a reduction from millions of theoretical CVEs to the roughly 1% that carry real risk in the environment. The Risk Simulator then models the expected risk reduction of any proposed remediation action before the team commits time and resources.

For devices where patching is not possible, Asimily’s Segmentation Orchestration generates conflict-free policies from observed device behavior through Policy Auto-Recommendation, simulates their impact against real traffic through Policy Simulation before any rule deploys, and enforces them across NAC and firewall infrastructure automatically. Continuous Segmentation adapts policies as devices, firmware, and risk posture change, so enforcement never falls behind the network.

The outcome is a security posture where the highest-risk devices receive immediate attention, compensating controls close the exposures that patching cannot reach, and the team can demonstrate measurable risk reduction rather than a longer list of findings.

Learn how Asimily was purpose-built for the age of AI cyberattacks – request a demo today.
