For thirty years, the dominant model of enterprise vulnerability management has been some version of patch-and-pray. A vulnerability gets disclosed. A patch ships. Defenders have a window, days, sometimes weeks, to deploy the patch before exploits appear in the wild. The whole apparatus of patch SLAs, vulnerability management programs, and threat intelligence cycles rests on that window existing.
The window is gone.
Not narrower. Not under pressure. Gone, in any meaningful sense, for an increasing fraction of the threat surface. AI vulnerability discovery means attackers can find their own zero-days at scale. The CVE list, the canonical record of "what defenders need to patch", captures only the vulnerabilities someone responsibly disclosed. The vulnerabilities being exploited right now in your environment, by attackers using their own AI tools, will not appear in any CVE database until the exploitation is observed independently. Often that takes months. Sometimes it never happens.
Read that carefully. The CVE you patch today is the public version of a problem. The private version, the zero-day an attacker found six months ago and has been quietly using, is invisible to your patch program by definition. You cannot patch what no one has disclosed.
This is the uncomfortable thing the industry has been refusing to say plainly. Patch-and-pray was never about making attacks impossible. It was about making them expensive enough to push attackers toward easier targets. That economic argument worked when finding novel zero-days required elite human researchers and weeks of work. It does not work when finding novel zero-days requires an API key and a few hours of compute.
The implication is not "stop patching." Patching still matters. Patching is just no longer adequate as a primary defense. It needs to drop down the stack to "necessary hygiene" while something else moves up to "primary defense", and that something else is not another scanner.
Defense-in-depth stops being a slogan and becomes the only thing that works. Network segmentation that limits blast radius when an unpatched flaw gets exploited. Identity hygiene that prevents lateral movement when an endpoint gets compromised. Comprehensive logging that lets you reconstruct what happened after the fact, because preventing every compromise was never going to happen. Immutable infrastructure that makes rebuilding a compromised host faster than trying to clean and re-secure it. Architectural simplicity that limits how much damage any single failure can do.
These are not new ideas. They have been on every CISO's slideware for ten years. The reason they have stayed on slideware rather than getting funded is that patching seemed adequate enough that the deeper architectural work could be deferred. That deferral just expired.
The defenders who recognize this in Q2 2026 will spend the next 18 months building the architectural layers that AI-era attacks cannot easily bypass. The defenders who keep treating "more scanners, faster patching" as the answer will spend the next 18 months patching faster and falling further behind. The math has changed.
Read the deep dive, "Patch Window Collapsed: AI-Native Incident Response Now", the full operational playbook for compressed exploit windows, including the 30-60-90 day plan for CISOs.
The patch SLA that was acceptable in 2024 is a structural exposure in 2026. The board question coming next quarter is "how fast can we determine blast radius when a Mythos-class CVE drops?" If your answer is "we'll patch it within seven days," you are answering the wrong question.