AI Is Accelerating Vulnerability Discovery Faster Than the Grid Can Adapt
What happens when the speed of information begins to outpace the speed of governance, infrastructure, and operational response?
The Structural Mismatch
Modern electronics manufacturing was not designed for software-speed change. For most of the past century, the hardware that underpins critical infrastructure evolved more slowly than the software running on top of it. Governance processes, market rules, and reliability frameworks developed around an implicit assumption: physical hardware and the systems they comprise change incrementally and predictably.
That assumption is cracking under the pressure of artificial intelligence (AI).
The gap between vulnerabilities that are patched and those that remain unpatched is shown in Figure 1, which captures a structural trend that extends beyond cybersecurity and into reliability. Research consistently shows that unpatched vulnerabilities are a primary attack vector. This is why secure boot chips using signed firmware have moved from best practice to operational requirement for critical infrastructure reliability.
Figure 1. The gap between publicly known (blue) and unknown (red) vulnerabilities grows as unmanaged risk, and exploit risk increases for every vulnerability the longer it remains unpatched.
Current Conditions
The pace of AI-driven vulnerability discovery is accelerating across nearly every sector of the economy. Several developments define where things stand today:
Published CVEs (Common Vulnerabilities and Exposures) are forecast to reach approximately 60,000 by the end of 2026 — over 3x the number published in 2020.
AI discovery tools (such as Mythos and similar automated analysis systems) are finding 3–5x or more the number of vulnerabilities that manual methods find, compressing what once took months into hours.
The cost of discovering vulnerabilities has collapsed faster than the institutions responsible for validating, prioritizing, disclosing, remediating, and governing them can adapt.
The estimated discovered vulnerability inventory, which includes duplicates, unpublished findings, and findings traded on the dark web, is projected to exceed one million by year-end 2026, versus approximately 60,000 officially disclosed CVEs.
This estimate reflects a broader discovered vulnerability inventory that includes duplicate findings, unpublished vulnerabilities, AI-generated variant discoveries, pre-disclosure inventories, and probabilistic exploit candidates (not one million unique publicly confirmed CVEs).
Critical infrastructure, including the electric grid, water systems, and gas pipelines, is increasingly dependent on software-driven operational technology (OT) systems that were not designed with rapid patching cycles in mind.
The gap between IT and OT visibility remains a primary structural weakness: many grid operators lack unified monitoring across cyber-physical layers.
These aren’t mere projections about hypothetical future risk; they describe conditions already underway, suggesting a category of operational and institutional risk that many have not yet accounted for in traditional reliability or risk models.
Recent industry commentary increasingly reflects a structural shift in vulnerability discovery economics. Several vulnerability disclosure and bug bounty platforms have reported substantial increases in duplicate submissions and AI-assisted findings. Public reporting suggests duplicate submission rates have risen from roughly 22% to approximately 47% within recent reporting periods as AI-assisted systems increasingly identify similar or adjacent vulnerabilities simultaneously.
This trend appears driven by several converging dynamics:
AI has industrialized vulnerability discovery.
Variant generation has expanded rapidly.
Multiple researchers and models increasingly identify near-identical issues simultaneously.
AI-assisted tooling has substantially increased submission volume.
Remediation capacity has not scaled proportionally.
Triage queues are increasingly strained by AI-generated findings.
Valid submission rates may decline as automated systems generate larger volumes of probabilistic or low-confidence findings.
As a result, the bottleneck in cybersecurity is shifting away from vulnerability discovery and toward validation, remediation, patch coordination, operational deployment, and governance response. The structural challenge is not simply “more vulnerabilities,” but rather that the cost and speed of discovery are now improving faster than many institutions can realistically adapt operationally.
Beyond a Cybersecurity Problem
AI is accelerating the discovery, analysis, and exploitation of software weaknesses across nearly every sector of the economy at the same time that critical infrastructure is becoming increasingly software-dependent. The resulting mismatch is not simply technical. Vulnerabilities can now be discovered, analyzed, and propagated faster than many institutions can realistically coordinate remediation, adaptation, and governance response. Figure 1 illustrates this broader structural trend: the widening gap between the speed of information propagation and the slower pace of institutional adaptation.
The Grid as a Multi-Layered System
Critical infrastructure is no longer purely a physical system. The electric grid in particular is simultaneously an information system, a software system, a market system, and (as the data now shows) an AI-exposed system. Many of the institutions responsible for governing and operating the grid still function on timelines measured in months or years.
Transmission infrastructure may take seven to fifteen years to permit and build. Governance processes can require months of stakeholder coordination. Reliability standards evolve slowly by design. Yet software analysis, vulnerability discovery, and automated exploitation capabilities now evolve continuously.
This does not mean catastrophic outcomes are inevitable. But just as purchasing millions of lottery tickets rather than a few increases the statistical likelihood of a win, unmitigated vulnerabilities cumulatively increase the probability of an exploit occurring. For this reason, visibility across cyber-physical layers (especially the interface between IT and OT systems), coordination, and response speed deserve closer examination.
The Asymmetry Problem
Historically, electricity markets and reliability institutions operated under an implicit assumption that information propagated relatively slowly and relatively symmetrically across participants. Increasingly, that may no longer hold.
Some organizations now possess dramatically greater capabilities for software analysis, real-time monitoring, vulnerability discovery, automated remediation, and operational visibility than others. As AI capabilities continue to improve, those information asymmetries may widen. This creates a new class of institutional questions about what governance frameworks were designed to handle and what they were not.
The Institutional Questions
These conditions raise questions that governance institutions will need to address, not as a matter of advocacy for any particular outcome, but as a matter of structural alignment between the functions these institutions are expected to perform and the conditions under which they now operate:
How should critical infrastructure institutions operate when information moves faster than governance processes were designed to handle?
What happens when visibility across participants becomes uneven, and how does that affect accountability?
How should reliability standards evolve when the primary risk vector is software, not hardware?
Can governance systems designed for a slower era still adapt quickly enough to maintain both reliability and affordability?
These are not purely cybersecurity questions; they are increasingly institutional and economic questions as well. The central question is no longer whether AI will reshape critical infrastructure risk. It already is. The question now is whether governance, reliability, and operational institutions can adapt before the asymmetries become systemic.
Disclosure
Dr. Jeanine Johnson is co-founder of Immutaverse. She also serves on various boards and consults. The views expressed in this article are solely those of the author and do not represent those of any board, organization, or client. The analysis reflects the author’s independent research and long-standing interest in the intersection of cybersecurity, engineering systems, and critical infrastructure reliability. All information presented draws on publicly available industry sources and does not rely on any non-public or proprietary information from her board service or client engagements. The views expressed here are analytical and forward-looking.