Advisories June 1, 2026

Privacy, Cyber & Data Strategy Advisory | Five Risks GCs Should Know About Frontier AI and Cybersecurity

Executive Summary

Our Privacy, Cyber & Data Strategy Group explores how frontier AI models are changing the cybersecurity landscape and what general counsel need to know about the risks and challenges for organizations.

  • Frontier AI models are increasing the speed and sophistication of cyber threats
  • Organizations may have less time to identify and respond to vulnerabilities
  • General counsel should assess whether existing cybersecurity practices remain effective in light of evolving threats

The rapid advancement of frontier artificial intelligence (AI) models, such as Anthropic’s Claude Mythos, OpenAI’s GPT-5.5 Cyber, and Google Gemini, has introduced a shift in the cybersecurity landscape that demands the attention of every general counsel. These models can identify software vulnerabilities and methods to exploit them at machine speed, find security vulnerabilities that traditional security tools cannot detect, and present ways of chaining together multiple vulnerabilities, including low-severity ones, to exploit and compromise systems.

Together, these capabilities are expected to alter the threat environment in which companies operate. General counsel should consider five critical areas as they evaluate the risks posed by frontier AI models.

1. The Genie Is Out of the Bottle

The question is no longer whether frontier AI models will be used to discover and exploit software vulnerabilities at scale, but when—and the window between “when” and “now” is closing rapidly. Researchers and threat actors have demonstrated that large language models and other frontier systems can analyze codebases, identify zero-day vulnerabilities, and generate working exploit code with striking efficiency. What once required weeks or months of skilled human effort can now be accomplished in hours or minutes.

For general counsel, the practical implication is straightforward: the volume, speed, and sophistication of cyberattacks targeting your organization are poised to increase dramatically. The historical pace at which vulnerabilities were discovered and exploited provided organizations with a reasonable, if imperfect, remediation window. That window is closing. Legal and compliance teams must internalize this shift and begin planning accordingly, because the liability exposure that accompanies a failure to adapt will be significant.

2. Expect Increased Exposure Across the Enterprise

One of the most consequential effects of AI-accelerated vulnerability discovery is the compression of the timeline between identification and exploitation. Threat actors have long exploited zero-day vulnerabilities. For the broader universe of vulnerabilities, however, organizations historically relied on a period of relative grace, during which patches could be developed, tested, and deployed before widespread exploitation occurred. Frontier models threaten to collapse that timeline to zero far more routinely, making what was once the exception increasingly the norm.

This creates two distinct and compounding problems. First, the sheer volume of newly discovered vulnerabilities may overwhelm even well-resourced IT and security teams. Prioritization, already a challenge, becomes even more difficult when the queue of critical vulnerabilities grows faster than the organization’s capacity to remediate them.

Second, and perhaps more concerning for general counsel, many systems on which organizations rely are maintained by third-party vendors. Internal teams do not have access to the underlying source code and cannot independently develop or deploy patches. Organizations are therefore dependent on vendors’ responsiveness. If a critical vendor is slow to issue a patch, or overwhelmed by the volume of vulnerabilities in its products, the organization remains exposed regardless of its internal security posture. This reliance on third parties to remediate vulnerabilities in software the organization neither controls nor can inspect presents a legal and operational risk that general counsel must squarely confront.

3. A Documented Cyber Risk Strategy Will Help Mitigate Risk

In the face of these evolving threats, one of the most important steps a general counsel can take is to work closely with the chief information security officer (CISO) and broader information security team to develop and document a comprehensive cyber risk strategy. This is particularly important as regulators increasingly take note of the risks posed by frontier AI models.

A sound strategy should begin with a structured framework for prioritizing identified vulnerabilities based on factors such as exploitability, potential business impact, availability of patches or mitigations, and the criticality of affected systems. Build an approach that is tailored to your specific risk profile. The strategy should also include clear protocols for communicating cyber risk to senior executives and the board of directors. Boards are expected to exercise informed oversight of cybersecurity matters, and general counsel play a critical role in ensuring that information flowing to the board is accurate, timely, and actionable. A well-documented communication cadence covering vulnerability posture, emerging threats, and remediation progress helps enable informed decision-making and demonstrates that the organization is taking these risks seriously.

A documented strategy also helps establish a defensible position in the event of a breach. If an organization suffers a security incident before it has been able to patch a known vulnerability, regulators, plaintiffs’ counsel, and courts will examine the steps taken upon learning of the vulnerability and whether those steps were reasonable. An organization that can demonstrate a risk-based prioritization framework, supported by contemporaneous documentation showing how decisions were made and resources allocated, is in a stronger position than one that cannot.

Regulatory expectations regarding what constitutes “reasonable security” may continue to rise in response to the AI-driven threat landscape. Regulators have signaled that the standard of care is not static and that organizations are expected to adapt their security practices as threats evolve. For example, financial regulators in the United States and the United Kingdom have noted that companies deploying AI security tools to defend against threats may be better able to mitigate the risks associated with frontier AI models. The Office of the Comptroller of the Currency (OCC), in its Spring 2026 Semiannual Risk Perspective, highlighted the role of AI in defending against threats and supporting risk management and enhanced threat and vulnerability monitoring processes. Similarly, the New York Department of Financial Services (NYDFS), in guidance released on May 21, 2026, stated that frontier AI models have materially changed cybersecurity risks and may warrant stronger defensive measures. A documented strategy that accounts for these risks helps position organizations to meet that standard.

4. Understand Which Critical Vendors You Rely On

Third-party dependency is a significant risk amplifier in this environment. General counsel should work with procurement, IT, and information security teams to identify vendors on which the organization is most critically dependent, particularly those handling sensitive data, supporting critical business functions, or deeply embedded in the organization’s infrastructure.

Once vendors are identified, the next step is proactive engagement. Organizations should engage with critical vendors now to understand how they are addressing threats posed by frontier AI models and similar tools. Key questions include:

  • What is the vendor’s current patch development and deployment timeline?
  • Has the vendor invested in AI-driven defensive capabilities to accelerate its own vulnerability detection and remediation?
  • Does the vendor have a documented incident response plan that accounts for AI-accelerated attacks?

These conversations should occur before an incident. General counsel should also review vendor agreements to assess whether current terms adequately address evolving risks, including indemnification provisions, service level agreements related to security patching, and notification obligations. Where gaps exist, renegotiation should be prioritized.

5. Consider Engaging a Vendor to Conduct a Readiness Assessment

General counsel should also consider engaging a cybersecurity firm to conduct a readiness assessment focused on preparedness for AI-driven threats. A number of cybersecurity consulting and incident response firms now offer assessment services designed to evaluate an organization’s ability to detect, respond to, and recover from attacks enabled by frontier AI models.

A readiness assessment may include:

  • Evaluation of vulnerability management processes and their ability to scale.
  • Examination of monitoring and detection capabilities for AI-generated attack techniques.
  • Review of incident response preparedness, including tabletop exercises incorporating AI-accelerated attack scenarios.
  • Evaluation of third-party risk management programs, including visibility into vendors’ security posture.

Engaging a reputable firm and acting on its recommendations can strengthen the organization’s ability to demonstrate that it has taken reasonable steps to prepare for foreseeable threats.

Conclusion

The intersection of frontier AI models and cybersecurity is not a future concern. It is a present and rapidly evolving reality. General counsel are well positioned to drive the coordination, strategic planning, and vendor engagement required to respond. While not exhaustive, the five steps outlined above offer a practical starting point for addressing these risks now.
