Frontier AI models such as Anthropic's Mythos and OpenAI's GPT 5.5-Cyber are rapidly changing the cyber threat landscape as both a threat accelerant and transformative capability. Financial institutions must rethink their existing approach not just to traditional defensive measures but also their resilience and ability to withstand disruptions that are highly likely to occur. The speed, scale and investments needed will require the agreement of senior management and support of the board of directors.
Industry guidance[1] indicates that AI is accelerating vulnerability discovery, compressing the time between disclosure and exploitation and increasing the need for institutions to run current software, tighten patching cycles and embed security into AI development and deployment. It also highlights the need to quickly adopt cutting-edge AI tools for cyber defense.
Against that backdrop, the following questions are intended to help facilitate an effective conversation between the board of directors and technology leaders on readiness for AI-enabled threats and the resources and investment needed to prepare for this massive change.
- Are our critical systems and software dependencies running on current, supported versions? Given the scale of vulnerabilities frontier AI models can discover, major software providers are likely to prioritize remediating vulnerabilities in the latest versions of their products. Financial institutions should maintain an inventory of business-critical systems, including internet-facing assets, and major dependencies that remain on outdated or unsupported versions, particularly where providers no longer deliver meaningful patch support for legacy releases.
- How quickly are known vulnerabilities being remediated, and are we prepared for a wave of new patches? Board directors may find it useful to discuss current targets for deploying patches, whether the institution is meeting those targets and whether they are being revised in response to new frontier AI models. A wave of vulnerabilities is predicted to hit cyber teams in the coming months, and the speed at which patches can be prioritized and implemented based on risk of exploitation is critical.
- Where is deferred maintenance or aging infrastructure causing operational bottlenecks that slow remediation? It is important to identify where legacy architecture, manual testing, limited engineering capacity or change-management constraints could delay the deployment of security fixes in a faster-moving threat environment. The primary bottleneck is often organizational capacity and the ability to introduce software updates and configuration changes without taking systems offline or causing customer-facing disruptions.
- What is the plan to eliminate or mitigate the risk associated with end-of-life systems and unsupported components? Financial institutions should identify legacy platforms, obsolete code libraries and unsupported hardware or software, along with target dates, funding needs and accountability for retirement or replacement.
- What AI tools are we using today to scan code, detect vulnerabilities, automate triage and support defensive operations? Institutions should be evaluating and deploying AI-enabled defensive capabilities in areas such as cybersecurity alert triage, vulnerability analysis and remediation support, subject to defined guardrails, data protections and oversight. While access to the Mythos frontier model remains limited, institutions can implement practical AI-enabled defensive capabilities using other advanced models.[2] Internal cyber workflows are emerging as a practical proving ground for early GenAI and agentic AI deployment for cyber defense. They often have clearer users, more measurable outcomes and more controllable environments than broader enterprise or customer-facing AI uses.[3]
- Have resilience, incident-response and recovery plans been updated for attacks and incidents powered by AI? How quickly can the institution detect, contain, recover from and communicate through a material cyber or operational incident, and have plans been tested through realistic exercises and simulations? For example, have continuity plans been established and tested for critical operations in a scenario where service capacity and continuity objectives cannot be met? Incidents could become more likely when vulnerabilities are discovered faster than they can be fully remediated or the associated risk mitigated.
- Do we have a current view of third-party software exposure and concentration risk? Institutions should have visibility into key dependencies, including software providers, outsourced operations, open-source components and other external technology relationships whose disruption or compromise could materially affect the institution.
- How are we engaging critical third-party software and service providers on AI-enabled cyber risk? Institutions should ask whether key providers are preparing for larger patch volumes, faster disclosure cycles and the increased strain on cybersecurity and technology teams. Boards and executive management should have an understanding of contingency or exit strategies for the most critical services, such as how the institution would operate if a key provider were unavailable or compromised for an extended period.
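The first, second and fourth questions above (unsupported versions, patch targets, end-of-life components) are answered in practice from two datasets a cyber team already holds: an asset inventory with vendor support dates, and a vulnerability register with disclosure and remediation dates. The following script, added here as an illustration and not part of the original article, shows the kind of report that turns those datasets into board-level metrics: a priority-ordered list of assets past vendor support, and per-severity counts of findings that met, missed, or are overdue against a remediation target. All product names, support end dates, remediation targets and findings are constructed sample data, not figures from the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample data: vendor support end dates per (product, major version).
# Product names and dates are hypothetical, not from the article.
SUPPORT_END = {
    ("corebank-os", "7"): date(2024, 6, 30),
    ("corebank-os", "9"): date(2028, 12, 31),
    ("msgbroker", "2"): date(2025, 1, 15),
    ("msgbroker", "3"): date(2029, 3, 31),
    ("tls-lib", "1"): date(2023, 9, 11),
    ("tls-lib", "3"): date(2027, 5, 1),
}

# Constructed remediation targets in days from disclosure, by severity.
# An institution would substitute its own approved targets here.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

# Reporting date used by the stand-alone run and by the checks below.
AS_OF = date(2026, 5, 20)


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str            # full version string, e.g. "7.4.2"
    internet_facing: bool
    business_critical: bool


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str
    disclosed: date
    remediated: Optional[date] = None   # None means the finding is still open


# Constructed inventory and vulnerability register for the example.
ASSETS = [
    Asset("payments-gw-01", "corebank-os", "7.4.2", True, True),
    Asset("ledger-db-02", "corebank-os", "9.1.0", False, True),
    Asset("queue-03", "msgbroker", "2.8.1", False, True),
    Asset("web-edge-04", "tls-lib", "1.0.2", True, True),
    Asset("reporting-05", "tls-lib", "3.2.0", False, False),
]

FINDINGS = [
    Finding("payments-gw-01", "critical", date(2026, 5, 1), date(2026, 5, 5)),
    Finding("payments-gw-01", "critical", date(2026, 5, 10), None),
    Finding("ledger-db-02", "high", date(2026, 4, 20), date(2026, 5, 12)),
    Finding("queue-03", "high", date(2026, 5, 8), None),
    Finding("web-edge-04", "medium", date(2026, 4, 1), date(2026, 4, 20)),
    Finding("reporting-05", "low", date(2026, 3, 1), None),
]


def unsupported_assets(assets, support_end, today):
    """Assets whose (product, major version) is past vendor support or has no support record.

    A missing record is treated as unsupported, since an unknown support status
    on a critical system is itself a gap the inventory should surface.
    """
    out = []
    for a in assets:
        major = a.version.split(".")[0]
        end = support_end.get((a.product, major))
        if end is None or end < today:
            out.append(a)
    # Internet-facing, then business-critical, then name: a priority order for the board.
    out.sort(key=lambda a: (not a.internet_facing, not a.business_critical, a.name))
    return out


def sla_status(finding, sla_days, today):
    """Classify one finding as 'met', 'missed', 'open-overdue' or 'open-in-window'."""
    due = finding.disclosed + timedelta(days=sla_days[finding.severity])
    if finding.remediated is not None:
        return "met" if finding.remediated <= due else "missed"
    return "open-overdue" if today > due else "open-in-window"


def sla_report(findings, sla_days, today):
    """Per-severity counts of findings in each SLA status."""
    report = {}
    for f in findings:
        bucket = report.setdefault(
            f.severity, {"met": 0, "missed": 0, "open-overdue": 0, "open-in-window": 0}
        )
        bucket[sla_status(f, sla_days, today)] += 1
    return report


if __name__ == "__main__":
    print("Assets past vendor support (priority order):")
    for a in unsupported_assets(ASSETS, SUPPORT_END, AS_OF):
        print(f"  {a.name:16} {a.product} {a.version}  internet_facing={a.internet_facing}")
    print("Remediation target status by severity:")
    for sev, counts in sla_report(FINDINGS, SLA_DAYS, AS_OF).items():
        print(f"  {sev:9} {counts}")
```

Two design choices matter for how the numbers are read: an asset with no support record is reported as unsupported rather than silently skipped, and open findings are split into "overdue" and "still within window" so that a rising overdue count is visible before the remediation date is recorded as missed. The same structure extends to third-party and open-source components once their support dates are captured in the inventory.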
While AI is making the job of cyber defenders harder - at least in the short term[4] - financial institutions have the foundations in place to address these risks. Nevertheless, the challenge is to significantly increase the speed of changes and program upgrades at greater scale than institutions had originally planned. This is no easy task, and doing so will require increased focus on investment in modernization, AI-augmented defense and the resilience to operate through disruption. The board and executive leaders should understand that incidents and outages may be more likely to occur, and that an intense focus on cybersecurity, technology modernization and resilience planning now can go a long way toward protecting the institution in the months and years to come.
[1] See Sector Risk Advisory: Preparing the Enterprise for AI-Enabled Vulnerability Discovery | FS-ISAC and Fortifying the enterprise: 10 actions to take now for AI-ready cyber resilience
[2] While access to Anthropic's Mythos model remains limited, other models are readily available to cyber teams, including Anthropic's Claude Opus 4.6 and 4.7 and OpenAI's GPT 5.5-Cyber. These models, when used effectively, can identify critical vulnerabilities.
[3] Financial regulators recently updated model risk management guidance cited by many firms as a hindrance to deploying GenAI models for security, fraud prevention and anti-money laundering use cases. The new guidance specifies that institutions may use other enterprise risk processes to govern the use of GenAI models, providing greater flexibility to design processes fit for the unique aspects of GenAI and agentic AI. The new guidance can be found here: The Fed - FRB: Supervisory Letter SR 26-2 on Revised Guidance on Model Risk Management - April 17, 2026
[4] https://www.philvenables.com/post/things-are-getting-wild-re-tool-everything-for-speed