"You knew, and you could have done something. Why didn't you?"

This is the question you don't want to be asked. And more and more, it's the question leaders have to answer after something bad happens. For years, many boards and executive teams have treated a large backlog of vulnerabilities as uncomfortable but unavoidable: "we've accepted the risk." People who would rather look the other way often say things like "We have other priorities," "This will take years of engineering time to fix," or "How do you know these are really high-risk CVEs?" when they see a report with thousands (or tens of thousands) of open High and Critical CVEs. Meanwhile, the team is still deciding what to fix first.

That story was never a good one, but in the past it was usually survivable. The modern business needs a model that makes emergency patching less common and less damaging, not one that merely speeds up the same fragile process. And the reality of the software supply chain is that responsibility is shifting.

Liability is changing as regulators and courts pay closer attention to software supply chain hygiene and to operational resilience. In the EU, the Cyber Resilience Act (CRA) has entered into force; its main obligations apply from December 2027, with vulnerability and incident reporting obligations applying from September 2026. Many businesses will have to meet higher standards for how they handle vulnerabilities, how they design software to be secure, and how they remain accountable throughout the software lifecycle.

In financial services, the Digital Operational Resilience Act (DORA) has entered into application, bringing harmonized ICT risk management and operational resilience requirements to financial entities across the EU.