"Now, there is no reason anymore for any company to say, ‘I didn't know about our glitch or our vulnerability in our application’ because you can actually, right now, see it and fix it," Hans de Vries told attendees at the ESET World conference on 19 May. The comment captured a shift that several speakers said has already arrived: AI tools can find and sometimes repair software vulnerabilities fast enough that ignorance will no longer be a credible defense.
Hans de Vries and ENISA's warning
Hans de Vries, chief cybersecurity and operational officer at the European Union Agency for Cybersecurity (ENISA), framed AI-driven scanning as an immediate compliance and liability issue. He pointed to the EU’s Cyber Resilience Act (CRA) and said, “For me, doing security by design and by default is actually the license to do business right now.” De Vries warned that organisations that have not adopted security-by-design practices risk exploitation by adversaries and subsequent litigation: “If you haven't done so, your adversary definitely will make a misuse of [vulnerable software], and you'll probably be litigated because you should have seen the problem in the first place.”
AI-powered vulnerability scanning and frontier models
Speakers at the event said AI-powered vulnerability scanning has advanced rapidly in 2026. The conference notes name-checked frontier models — Claude Mythos and OpenAI's GPT5.5-Cyber — as examples of technologies that can “identify and fix software bugs at unprecedented speed and scale.” ENISA’s de Vries tied that capability directly to corporate responsibility, saying that the availability of these tools undermines the claim that a company was unaware of an exploitable bug.
The Cyber Resilience Act's looming deadlines
The CRA, de Vries reminded the audience, already demands "cybersecurity by default and cybersecurity by design." The Act entered into force in December 2024. Under the timelines cited at the conference, the CRA’s reporting obligations begin to apply on September 11, 2026, and the main obligations introduced by the Act will apply from December 11, 2027. Those dates frame a compliance runway during which companies are expected to align development and release practices with the Act’s requirements.
Paul Chichester and the NCSC's operational view
Paul Chichester, director of operations at the UK’s National Cyber Security Centre (NCSC), offered a complementary operational perspective. He said we are entering “a phase where poorly coded systems will have vulnerabilities found in them,” while cautioning that “just one vulnerability doesn’t mean you’re automatically compromised.” Chichester suggested vendors will be motivated to use AI internally to “drive those vulnerabilities out of their products,” adding that AI “will allow software products to be assured in a much more uniform way.”
What this means for technologists, policymakers, and vendors
- Technologists and security teams: The availability of automated scanners and repair-capable models such as Claude Mythos and GPT5.5-Cyber creates an expectation — voiced by ENISA — that organisations will find and remediate flaws proactively. De Vries added pressure by saying, “If you’re not using AI in a coherent manner, you probably won’t be successful in a year or two.”
- Policymakers and regulators: The CRA timelines — reporting obligations from September 11, 2026, and main obligations from December 11, 2027 — set clear enforcement milestones. Regulators are positioned to expect demonstrable, design-stage security measures as baseline compliance.
- Vendors and procurement leaders: Both ENISA and the NCSC signalled a commercial and legal incentive to adopt AI-driven assurance. De Vries warned of likely litigation for organisations that fail to identify flaws that current AI tooling can surface; Chichester predicted vendors will be “keen to use AI themselves to drive those vulnerabilities out of their products.”
The conference in Berlin also produced an industry move that mirrors the regulatory and operational signals. Slovakia-based ESET announced a €40m investment to expand research and development, accelerate development of “cybersecurity-first foundational AI models,” build a layered AI stack, and create a new-generation AI security operations centre (AI SOC).
The combined message from ENISA, the NCSC and industry at ESET World was clear: rapid improvements in AI scanning force a recalibration of what counts as reasonable security practice. With reporting requirements starting in September 2026 and the CRA’s main obligations following in December 2027, organisations have both technical tools and regulatory clocks pushing them toward secure-by-design development — and away from claiming ignorance as a defense.
Original story: https://www.infosecurity-magazine.com/news/ai-raises-vulnerability-awareness/




