On April 7, 2026, Anthropic announced Claude Mythos Preview, a model that uncovered thousands of previously unknown zero-day vulnerabilities in internal testing. Anthropic said the findings included bugs that had survived years of review, including a 27-year-old vulnerability in OpenBSD and a 17-year-old remote code execution flaw in FreeBSD. In benchmark testing, the model produced a working exploit on the first try in more than 83% of cases. Days later, AISLE reported that smaller open-weight models could reproduce much of the same capability at little or no cost, including on commodity laptops and desktops.
Vulnerability discovery is therefore becoming faster, cheaper, and easier to scale. This is a significant shift in how AI affects cybersecurity, and it changes how organizations must manage cyber risk. For mid-market organizations, the message is straightforward: vulnerability management programs built for a slower threat environment need to change. If access to Mythos-class capabilities broadens, attackers with less specialized expertise will be able to find and scale exploits more quickly. If your program still relies on old assumptions, incremental improvements likely won’t reduce risk enough.
Why Traditional Cybersecurity Risk Models No Longer Work
Many security programs still depend on long-standing beliefs about how cyber risk works. As vulnerability discovery becomes faster, cheaper, and easier to scale, those beliefs no longer hold.
- Defenders can patch faster than attackers can exploit. That assumption held more often when vulnerability discovery moved slowly, and a smaller number of researchers found the most serious bugs. AI shortens the gap between discovery and exploitation.
- Signature-based detection will catch most attacks. It works best for known patterns, not first-time exploits. As more exploits target previously unseen vulnerabilities, first sightings will matter more.
- Scanning and pen testing provide a complete view of exposure. They still matter, but they cannot keep pace with AI-driven discovery. Showing that no known exploit is currently available matters less when attackers can discover or weaponize flaws much faster.
- Large vendors reduce third-party risk enough. A major provider outage or compromise can still disrupt operations at scale. If a critical provider such as Microsoft 365, AWS, or Salesforce becomes unavailable for an extended period, many organizations would struggle to operate effectively.
A Practical Framework for Managing Cybersecurity Risk
Most organizations will not patch fast enough or build a strong enough perimeter to keep up. A more practical response has three layers.
Layer 1: Reduce What an Adversary Can Reach
If vulnerability discovery becomes cheap and abundant, “harden everything” is no longer realistic. Reduce your attack surface and limit the paths to critical systems and data.
Real-Time Asset and Software Inventory
Many organizations still can’t answer a basic question fast enough when a new zero-day appears: Are we affected, and where? Build a live inventory of assets, software, and dependencies, ideally via a configuration management database linked to software bills of materials for both internally developed and procured applications.
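As an added example of the "are we affected, and where?" query (not CBIZ tooling), the script below matches a constructed advisory against constructed per-asset SBOMs in a minimal CycloneDX-like shape; an asset with no SBOM on file is reported as unassessable rather than silently treated as clean.

```python
# Added example (not CBIZ tooling): query per-asset SBOMs for an advisory.
# Assumes a minimal CycloneDX-style shape: {"components": [{"name", "version"}]}.

# Constructed inventory; 'legacy-04' has no SBOM on file.
INVENTORY = {
    "web-01": {"components": [{"name": "openssl", "version": "3.0.8"},
                              {"name": "nginx", "version": "1.24.0"}]},
    "api-02": {"components": [{"name": "openssl", "version": "3.1.4"},
                              {"name": "libxml2", "version": "2.10.3"}]},
    "batch-03": {"components": [{"name": "openssl", "version": "1.1.1w"}]},
    "legacy-04": None,
}

# Constructed advisory (placeholder, not a real CVE): affected range [introduced, fixed).
ADVISORY = {"component": "openssl", "introduced": "3.0.0", "fixed": "3.1.2"}


def parse_version(v: str) -> tuple:
    """Dotted version -> comparable tuple of (int, suffix) pairs.
    A trailing letter such as OpenSSL's '1.1.1w' is kept as the suffix."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append((int(digits) if digits else 0, piece[len(digits):]))
    return tuple(parts)


def exposure(inventory: dict, advisory: dict) -> dict:
    """Return which assets carry the affected component in range, and which
    assets cannot be assessed because no SBOM exists for them."""
    lo, hi = parse_version(advisory["introduced"]), parse_version(advisory["fixed"])
    affected, unknown = [], []
    for asset, sbom in inventory.items():
        if not sbom:                       # inventory gap: itself a finding
            unknown.append(asset)
            continue
        for comp in sbom["components"]:
            if comp["name"] != advisory["component"]:
                continue
            if lo <= parse_version(comp["version"]) < hi:
                affected.append((asset, comp["version"]))
    return {"affected": sorted(affected), "unknown": sorted(unknown)}


if __name__ == "__main__":
    print(exposure(INVENTORY, ADVISORY))
```

The "unknown" list is the part most programs miss: every asset without an SBOM is a question the team cannot answer when the next advisory lands.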
Attack Surface Reduction as Policy, Not a Project
Unused services, legacy systems, and unnecessary internet exposure all create avoidable risk. Retire them systematically, and treat attack-surface reduction as an operating principle rather than a one-time cleanup project.
Segmentation as a Primary Control
Perimeter defenses alone are not enough if an attacker can move laterally after the initial compromise. Use zero-trust architecture, microsegmentation, and least-privilege access to contain the blast radius and keep a zero-day from becoming a broader breach.
Layer 2: Make Stolen Credentials Less Useful
Segmentation helps, but it doesn’t solve the problem of a compromised admin account. In this environment, privileged credentials are among the most valuable assets an attacker can steal because they allow an attacker to bypass an entire chain of exploits. Your goal should be simple: make credentials as low-value as possible unless someone is using them for a specific, approved task.
Eliminate Standing Administrative Access
Standing administrative access gives attackers too much value if they compromise an account. Just-in-time privileged access limits exposure by granting elevation only when it’s needed, for a defined task, and for a limited window. Tools such as CyberArk, BeyondTrust, Delinea, and Entra PIM can make this approach practical for mid-market organizations.
Phishing-Resistant Multifactor Authentication for Privileged Access
Not all multifactor authentication provides the same level of protection. For privileged access, organizations should rely on phishing-resistant methods rather than weaker options such as text messages, push notifications, and one-time passcodes. FIDO2 hardware keys and platform passkeys provide stronger protection. Incidents at MGM, Caesars, and Snowflake all underscored the risks of multifactor authentication bypass. For admin access, phishing-resistant multifactor authentication should be nonnegotiable.
Take Workload Identities Seriously
In many cloud environments, workload identities now create as much operational risk as human administrators. Service principals, connected applications, application programming interface keys, and continuous integration and continuous delivery pipelines often carry broad privilege, weak credential rotation, and limited behavioral monitoring. Inventory workload identities, narrow permissions, rotate credentials aggressively, and monitor them as closely as you monitor human users.
Identity Threat Detection and Response
Valid authentication doesn’t always mean legitimate activity. Identity threat detection helps organizations spot signs of credential abuse that traditional access controls may miss. Tools such as Microsoft Defender for Identity, CrowdStrike Falcon Identity Protection, and Silverfort can detect patterns that suggest someone is abusing a credential, even when authentication itself appears valid. Watch for impossible travel, unusual resource access, off-hours activity, and abnormal command patterns.
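To make the "valid authentication, suspicious pattern" idea concrete, here is an added example (not from the CBIZ article or any named vendor product) that runs two of the checks named above, impossible travel and off-hours activity, over constructed sign-in events; the speed, distance and off-hours thresholds are assumptions.

```python
# Added example (not from the CBIZ article or any vendor product): identity
# anomaly detection over constructed sign-in events. Thresholds are assumptions.
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0   # assumption: faster than any commercial flight
MIN_JUMP_KM = 50.0      # assumption: ignore geo-IP jitter inside one metro area
OFF_HOURS = (22, 6)     # assumption: 22:00-06:00 UTC counts as off-hours

# Constructed sign-in log (successful logins with geolocation).
EVENTS = [
    {"user": "admin.jo", "ts": "2026-04-08T09:00:00Z", "lat": 41.88, "lon": -87.63},
    {"user": "admin.jo", "ts": "2026-04-08T09:40:00Z", "lat": 52.37, "lon": 4.90},
    {"user": "svc.build", "ts": "2026-04-08T03:15:00Z", "lat": 41.88, "lon": -87.63},
    {"user": "alice", "ts": "2026-04-08T10:00:00Z", "lat": 41.88, "lon": -87.63},
    {"user": "alice", "ts": "2026-04-08T14:00:00Z", "lat": 40.71, "lon": -74.01},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events):
    """Return alerts in chronological order: off-hours logins and pairs of
    consecutive logins by one user that imply an impossible travel speed."""
    alerts, last = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = parse_ts(ev["ts"])
        if t.hour >= OFF_HOURS[0] or t.hour < OFF_HOURS[1]:
            alerts.append(f"off-hours:{ev['user']}:{ev['ts']}")
        prev = last.get(ev["user"])
        if prev:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (t - parse_ts(prev["ts"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km > MIN_JUMP_KM and speed > MAX_SPEED_KMH:
                alerts.append(f"impossible-travel:{ev['user']}:{km:.0f}km/{hours:.2f}h")
        last[ev["user"]] = ev
    return alerts
```

Both logins for admin.jo were valid authentications; only the correlation across events exposes them, which is the gap this kind of detection fills. Note that the off-hours rule fires on the service account, a reminder that workload identities belong in the same monitoring.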
Layer 3: Cybersecurity Resilience Matters More Than Ever
For many mid-market organizations, the bigger risk is not a zero-day in their own environment. It is a major outage or compromise at a core provider such as AWS, Microsoft 365, Salesforce, or Okta. Recent large-scale outages, such as the AWS us-east-1 outage and the CrowdStrike Falcon disruption, have shown how quickly disruption can cascade across customers and operations, even without malicious intent.
You can’t harden someone else’s infrastructure, but you can prepare for the operational disruption it may cause. That is the core of resilience in this environment.
Map Concentration Risk
Start by identifying the vendors whose outage or compromise would most threaten operations. Score them based on time to impact, potential data exposure or integrity loss, and the availability of substitutes. Most organizations will find a short list that deserves board-level attention.
Design for Graceful Degradation
Full redundancy is out of reach for many mid-market organizations. A more realistic goal is to keep critical operations running with manual or alternative workflows if a provider becomes unavailable. The objective isn’t to replicate the platform, but to keep the business functioning.
Keep Independent Backups of Critical SaaS Data
Independent backups of Microsoft 365, Salesforce, and other critical SaaS data may be the only practical recovery path during a major provider incident. Many organizations assume the provider already handles this, but that often falls short in the scenarios that matter most. If critical SaaS data is corrupted, an independent backup may be the only viable recovery option.
Evaluate Resilience, Not Just Security
Vendor reviews should test resilience, not just baseline security controls. Review recovery commitments, failover testing, incident communication, data portability, isolated backups, and exit options. Vendors should also be able to demonstrate that they can contain disruptions and recover in ways that protect your operations.
Test Vendor-Loss Scenarios
Tabletop exercises should include a 72-hour or longer loss of a critical provider. Many disaster recovery plans still assume vendors will remain available, even when recent incidents suggest otherwise.
Where to Start in the Next 90 Days
Don’t try to do everything at once. Start with the steps that reduce risk fastest.
- Identify your most critical vendors and rank them by business impact.
- Inventory privileged accounts, both human and workload, and remove standing admin access where you can.
- Enforce phishing-resistant multifactor authentication on every privileged path, including break-glass accounts.
- Test how the business would operate during a 72-hour outage of a core SaaS provider.
- Confirm independent backups for Microsoft 365, Salesforce, and other critical SaaS data.
- Stand up an emergency patch process that can move critical fixes in hours, not weeks.
- Use AI to test your own environment before attackers do.
Bottom Line
The issue is bigger than Mythos. AI is accelerating vulnerability discovery and exploitation, which changes the assumptions behind traditional security programs. Organizations that adapt now will be better positioned than those still relying on outdated models. If you want to discuss what this means for your environment, the CBIZ Cybersecurity team can help you prioritize the next practical steps.
Frequently Asked Questions
AI is changing cybersecurity by accelerating vulnerability discovery and giving both defenders and attackers new ways to identify weaknesses more quickly. Organizations can use AI to strengthen security operations and improve vulnerability management, but threat actors can also use it to discover and exploit vulnerabilities faster. That means security teams need to adapt to a threat environment that is moving more quickly and becoming harder to predict.
A zero-day vulnerability is a software flaw that is unknown to the vendor or has not yet been patched. Because no fix is available at the time of discovery, attackers may be able to exploit it before organizations have a chance to respond. As AI accelerates vulnerability discovery, organizations should expect more pressure to maintain accurate asset inventories, segment critical systems, and move quickly on emergency patching.
Organizations should focus on reducing exposure, strengthening identity controls, and improving operational resilience. Priority actions include maintaining an accurate inventory of assets and software, implementing phishing-resistant multifactor authentication, limiting privileged access, strengthening vulnerability management practices, and preparing for disruptions involving critical vendors or cloud providers. Organizations that take a proactive approach will be better positioned to manage cybersecurity risk as AI continues to accelerate the threat landscape.
© Copyright CBIZ, Inc. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization.
“CBIZ” is the brand name under which CBIZ CPAs P.C. and CBIZ, Inc. and its subsidiaries, including CBIZ Advisors, LLC, provide professional services. CBIZ CPAs P.C. and CBIZ, Inc. (and its subsidiaries) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations, and professional standards. CBIZ CPAs P.C. is a licensed independent CPA firm that provides attest services to its clients. CBIZ, Inc. and its subsidiary entities provide tax, advisory, and consulting services to their clients. CBIZ, Inc. and its subsidiary entities are not licensed CPA firms and, therefore, cannot provide attest services.