25 June 2026

Hawke's Bay Business News, Profiles and Expert Advice

Hacking just got an upgrade

Earlier this year, an AI model found a serious security flaw deep inside the Linux kernel — one of the most heavily reviewed pieces of software on the planet. The bug had been sitting there since 2003, missed by every code review and bug bounty hunter for over two decades. The model found it on a routine sweep.

That result, shared by Anthropic researcher Nicholas Carlini at the [un]prompted 2026 conference, should make every business owner take notice.

What actually changed

For decades, finding software vulnerabilities was expensive — skilled people, months of effort, specialist knowledge. That cost was a quiet form of protection. No attacker would spend three months hunting flaws in your accounting platform.

Carlini’s talk shows that this rate limit has collapsed. A trivial bash script can prompt a current-generation model to scan every file in a software repository for exploitable bugs and verify them in a second pass — with close to 100% success. In one demo, the model autonomously uncovered a SQL injection vulnerability in Ghost, a popular CMS.

What used to take a team of specialists is now a commodity workflow anyone with modest technical skill and an API key can run.

Why this matters here

The numbers give the game away. In March 2026, Chrome’s vulnerability submissions doubled in a month. In one project, roughly a quarter of an entire year’s worth of bugs landed in a single batch of reports. Discovery is now outpacing patching.

For a Hawke’s Bay business, the gap between a flaw becoming known and your systems being patched is no longer a harmless administrative window. Attackers running the same workflows aren’t waiting for public disclosure — they’re finding the flaws themselves.

What to do about it

This isn’t a problem you solve with one purchase — it’s one you address with discipline:

  • Patch faster. Shift from monthly to weekly patching and treat critical patches as same-day work. Getting to it when you have time no longer cuts it.
  • Know your inventory. You can’t patch what you don’t know you own. Old plugins, abandoned websites, legacy servers, the smart printer no one has looked at since 2019 — all of it counts.
  • Reduce your attack surface. Decommission anything you don’t actively use. Every online system can be scanned.
  • Layer your defences. Endpoint detection, network segmentation, and tested backups buy you time when — not if — something gets through.
  • Test the plan. An untested business continuity plan is just paperwork, and that message lands twice as hard now.

The bigger picture

The unsettling part isn’t that AI can find vulnerabilities. It’s that the economics of cyberattacks have permanently changed. The implicit protection we used to enjoy is gone.

The good news: the same tools are available to defenders. At Govern Cybersecurity, we’re folding AI-assisted vulnerability work into our ISO 27001 engagements, so your side keeps pace with theirs.

The hackers just got an upgrade. Make sure your defenders do too.

Watch Nicholas Carlini’s full talk: https://www.youtube.com/watch?v=1sd26pWhfmg

One last thing — IPP3A is now live

As of 1 May 2026, a new Information Privacy Principle — IPP3A — has been added to the NZ Privacy Act. If your business collects personal information about someone from anywhere other than that person directly — third-party data, lead lists, referrals, public records, even an AI tool — you must take reasonable steps to tell them who collected it, who holds it, whether the law required it, and that they can access and correct it. Review your privacy statement and your data-collection sources now, before someone else does it for you.

Tom is the owner of Govern Cybersecurity. He has over 18 years in the cybersecurity and IT industry at management level, and for the past 6 years has been a lecturer in cybersecurity at the Eastern Institute of Technology. He has earned certifications in ISO 27001 Lead Auditing, Lead Implementation, SOC2, and Ethical Hacking.
