Key Points
- A new generation of AI tools — exemplified by Anthropic’s Claude Mythos Preview — has reportedly identified thousands of previously unknown critical software vulnerabilities, including in every major operating system and web browser.
- These tools have also demonstrated the ability to autonomously exploit known vulnerabilities, with evidence that the latest AI models represent a step change in the pace and scale of cyberattacks.
- Current vulnerability management practices may no longer be enough to satisfy regulator, consumer and commercial counterparty expectations.
- Companies should consider revisiting governance, vulnerability management, incident response and AI-enabled cybersecurity strategies now, before the impact of emerging capabilities becomes widespread.
__________
Regulatory bodies around the world are sounding the alarm as the latest generation of artificial intelligence (AI) models has demonstrated the ability to not only identify thousands of previously unknown high- and critical-severity vulnerabilities in a matter of minutes but also autonomously exploit them.
Many of these vulnerabilities had remained undetected by experienced human researchers and hackers for years. As they are identified simultaneously across the existing installed software base globally, experts are recommending that businesses prepare for a coming “patch wave,” which is expected to overwhelm existing protocols to patch vulnerabilities.
Early indications provide startling confirmation: Of the estimated 6,202 high- or critical-severity vulnerabilities identified by Anthropic’s Claude Mythos Preview in foundational open-source software, only 97 were confirmed to have been addressed as of May 22, 2026.
According to Anthropic, “even at our relatively slow pace of disclosures, Mythos Preview is adding to an already-overloaded security ecosystem.”
For corporate leaders, AI-enabled cybersecurity is both an opportunity and a looming threat: The same tools that promise faster, more comprehensive discovery of defects can be turned against unpatched systems at record speed and scale.
“Frontier AI is materially changing the cyber threat landscape by increasing the speed and scale of vulnerability discovery,” exposing “cyber resilience challenges … across critical systems and the wider economy.” — Shehzad Charania, the director of legal affairs and policy at the U.K.’s cyber intelligence agency
Listen to more insights on the topic in the May 27, 2026, episode of Skadden’s “Decrypted” podcast, “Mythos, Glasswing and the View From the UK GCHQ.”
The frontier labs and national governments have taken different approaches to managing the risks posed by AI-enabled cyber threats.
In April 2026, Anthropic launched Project Glasswing, giving a select group of technology firms and critical infrastructure providers early access to Claude Mythos so they could preemptively identify and patch flaws. The same month, OpenAI bolstered security controls before releasing its latest model, providing unrestricted access only to verified cybersecurity researchers.
Meanwhile, governments are quickly trying to assess what these new capabilities mean for the regulations governing society’s most critical systems.
In the U.S., President Donald Trump issued an executive order on June 2, 2026, directing the federal government to harden both government and private-sector systems against cybersecurity threats, including by establishing a public-private “AI cybersecurity clearinghouse” to coordinate vulnerability scanning, validation and patch distribution. (See our June 9, 2026, client alert “New AI Executive Order Calls for Frontier Model Security, Early Government Access and AI-Enabled Cyber Defense.”)
The order also calls for the development of a voluntary framework for frontier labs to share cutting-edge models with the government so their cyber capabilities can be assessed, and so the models can be used to bolster the defense of critical infrastructure before they are released to the public.
In April 2026, the U.K. government released an “open letter” to business leaders urging them to prepare for the rapidly developing threat, while cybersecurity and financial industry regulators in India, Japan and elsewhere are working with their nations’ key institutions to help them prepare for the expected onslaught.
A New Legal Landscape: Uncertainty and Rising Litigation Risk
Amid changing regulatory standards and increasing litigation that aims to hold businesses to ever-higher cybersecurity standards, AI-enabled threats create significant uncertainty surrounding the legal expectations facing businesses.
As the technical barriers to conducting advanced cyberattacks are lowered, businesses must prepare to respond to cyber incidents that cross borders and network boundaries in ways that were technically implausible mere months ago.
Given the known risks being trumpeted by industry and governments alike, and the flexible standards used in many regulatory regimes, victims of an AI-enabled breach may struggle to use the novelty of the threat as a shield against enforcement and litigation.
A Shifting Standard of Care in Europe and the UK
Companies operating in Europe and the U.K. already face a dense set of obligations that look increasingly demanding in light of AI-accelerated threats — and may present moving targets as society recalibrates what is considered an “appropriate” cybersecurity measure.
The European Union’s Cyber Resilience Act (CRA) requires producers of “products with digital elements” to ensure there are no known exploitable vulnerabilities, to remediate discovered vulnerabilities without delay and to notify regulators within 24 hours of an actively exploited vulnerability.
Under the EU Network and Information Systems Directive (NIS2) and the U.K. NIS Regulations, essential and important entities are subject to vulnerability management, disclosure and incident reporting obligations, with management bodies personally liable for failures of cyber-risk management.
The EU Digital Operational Resilience Act (DORA), which applies to the financial sector, imposes similarly stringent governance, patching and 24-hour incident reporting duties.
The EU General Data Protection Regulation (GDPR) requires all entities that process personal data to implement “appropriate” technical and organizational measures and adhere to 72-hour breach notification requirements.
As AI-assisted vulnerability discovery and cyberattacks become commonplace, regulators, customers and counterparties are likely to ask whether existing testing, prioritization and remediation practices remain commensurate with known risks. Vulnerability patch cycles measured in weeks, rather than minutes, are unlikely to satisfy these recalibrated expectations.
Evolving US Federal and State Expectations
In the U.S., companies face an array of proactive obligations under state and federal law to maintain reasonable cybersecurity measures, and consumer litigation remains a potent threat. The patchwork of regulatory obligations is likely to put further pressure on businesses as different stakeholders independently pursue remedies for AI-enabled cyberattacks.
At the federal level, the Federal Trade Commission (FTC) has long treated the failure to implement reasonable cybersecurity measures as an unfair or deceptive practice under Section 5 of the FTC Act, and its enforcement posture has increasingly focused on whether security programs keep pace with evolving threats.
The Federal Communications Commission (FCC) imposes related obligations on telecommunications carriers, while the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program and related requirements mandate specific controls on government contractors handling controlled unclassified information.
State attorneys general are similarly active under consumer protection and sector-specific statutes. The California Consumer Privacy Act (CCPA) is particularly notable because it provides a private right of action where unencrypted personal information is exposed due to a business’s failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident — figures that can aggregate quickly in larger breaches.
Private plaintiffs across the U.S. may increasingly point to the availability of AI-enabled defensive tools as evidence of what “reasonable” looks like in the current environment. State and federal regulators that have been warning about the risks posed by AI-enabled cyber threats are unlikely to accept the novelty of those threats as an excuse for security programs that have not kept pace.
A company’s security posture is increasingly likely to be measured not against a static benchmark but against the current threat environment, which now includes AI-enabled attack vectors.
Navigating the Multiregime Global Landscape
For multinational groups, the practical challenge is that these regimes overlap but do not align on triggers, timing or cybersecurity baseline expectations. A single AI-accelerated incident can simultaneously implicate 24-hour reporting requirements under the EU’s CRA or NIS2, 72-hour notification under the GDPR, FTC scrutiny and CCPA class exposure under California law — all of which apply a different lens to assess the propriety of existing controls and the incident response.
This overlap is an argument for coordinated playbooks across legal, privacy, compliance, procurement and government affairs functions, with an eye toward proactively preparing to address coming “patch waves” and incorporate AI-enabled defensive tools.
Looking Ahead: Preparing for an AI-Accelerated Threat Environment
The following checklist provides steps companies can take to protect themselves and their customers, and to keep up with the changing nature of threats:
- Review vulnerability management, patching, testing and incident response documentation to assess whether those practices remain appropriate given the anticipated step change in the speed at which vulnerabilities are identified and exploited.
- Map existing security testing, open-source diligence and product documentation processes against European and U.S. legal requirements.
- Brief boards and senior management on the augmented risks posed by AI-enabled discovery tools and run tabletop exercises that simulate multivector incidents.
- Identify and develop road maps for defensive use cases for next-generation AI, including penetration testing, internal code review, automated endpoint detection and response, patch development and automated remediation.
- Engage proactively with government regulators and sector peers on collective defense, best practices and threat intelligence sharing.
These steps will do more than just help to align operations with emerging regulatory and consumer expectations. As AI-accelerated vulnerability detection resets the baseline for “reasonable” and “appropriate” safeguards, commercial counterparties such as vendors, lenders and supply-chain partners are likely to expect (or demand) similar levels of assurance.
As risks proliferate, a forward-looking approach would prepare for a world where cybersecurity requirements — including representations regarding the use of AI-enabled tools — are increasingly embedded in commercial contracts.
Companies that wait for the promulgation of new legal requirements before adapting to AI-enabled threats may find that regulatory, consumer and commercial expectations have already moved without them.
For more on this topic, see our April 24, 2026, client alert “What Next-Gen AI Tools Mean for European and US Cybersecurity and Privacy Regulation.”
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.