US officials weigh faster bug-fixing deadlines as AI raises cyber threat concerns
US cybersecurity officials are considering a major reduction in the time federal agencies have to fix actively exploited software flaws, amid growing concern that artificial intelligence could sharply accelerate the speed of cyberattacks.
According to Reuters, officials are discussing a proposal that would cut the deadline for fixing known exploited vulnerabilities in government IT systems from roughly two or three weeks to just three days. The proposal has not yet been finalised, but it reflects mounting concern that advanced AI cyber models could compress the time between vulnerability discovery and real-world exploitation.
The discussions reportedly involve Nick Andersen, acting director of the Cybersecurity and Infrastructure Security Agency, and Sean Cairncross, the US national cyber director. CISA and the Office of the National Cyber Director had not commented publicly on whether a final decision had been made.
For years, CISA has maintained a catalogue of known exploited vulnerabilities, known as KEVs, which federal civilian agencies are required to prioritise because the flaws are already being abused by criminals or state-linked hackers. Agencies have typically had around three weeks to address those flaws once they are added to the catalogue, though some recent deadlines have already been shorter.
The proposed shift to a three-day default deadline would mark a dramatic acceleration in the federal government’s vulnerability response expectations. It would also send a wider signal to state agencies, local governments and private organisations that old patching timelines may no longer be fast enough in an AI-enabled threat environment.
The urgency is being driven in part by the emergence of advanced cybersecurity-focused AI systems, including Anthropic’s Mythos and OpenAI’s GPT-5.4-Cyber. OpenAI recently announced GPT-5.4-Cyber as a model designed for defensive cybersecurity work, with access initially limited to vetted security professionals and organisations through its Trusted Access for Cyber program.
Anthropic’s Mythos has also attracted intense attention because of its reported ability to identify serious vulnerabilities across major software platforms. Reuters reported earlier this week that Australia’s prudential regulator had warned banks that frontier AI models such as Claude Mythos could increase the probability, speed and scale of cyberattacks.
The concern is that AI could give attackers a much shorter path from discovering a flaw to building a working exploit. In the past, weaponising newly disclosed vulnerabilities could take days, weeks or even months, depending on complexity. With more capable AI systems assisting reconnaissance, code analysis and exploit development, some experts fear that window could shrink to hours.
Stephen Boyer, founder of cybersecurity company Bitsight, told Reuters that defenders need to move faster if they are to protect civilian agencies. “We don’t have as much of a window as we used to have,” he said.
But experts warn that shorter deadlines may be difficult to meet in practice. Patching software vulnerabilities is not always as simple as installing an update. Agencies may need to test patches, check whether they break critical systems, coordinate with vendors, assess operational impacts and manage legacy technology that cannot be quickly replaced.
Kecia Hoyt, a vice president at threat intelligence firm Flashpoint, told Reuters that a three-day deadline could be “simply impossible” for some environments. John Hammond, a senior principal security researcher at Huntress, described the potential move as “quite a change”, while saying he was cautiously optimistic about faster response expectations.
There are also questions about whether CISA itself has the resources to support a more aggressive timeline. Nitin Natarajan, a former deputy director of CISA, said tighter deadlines made sense given the changing threat landscape, but warned that the agency has faced reductions in funding and expertise.
The proposal comes as governments, regulators and the cybersecurity industry reassess how AI changes defensive planning. In the financial sector, regulators have already begun warning institutions that traditional cyber controls may not be engineered to keep pace with AI-enabled threats. Australia’s APRA recently said some banks were relying too heavily on vendor summaries and had not sufficiently challenged the emerging risks of frontier AI.
If CISA proceeds with the three-day deadline, the move could become an important benchmark for the wider cybersecurity industry. Even organisations not bound by federal rules may face pressure from boards, insurers, regulators and customers to patch critical vulnerabilities more quickly.
The question is whether faster deadlines will lead to stronger resilience, or whether they will expose the gap between cyber policy ambitions and the practical reality of maintaining complex IT systems.
What is clear is that the timeline for cyber defence is tightening. As AI tools become more capable of finding and exploiting weaknesses, governments and businesses are being forced to confront an uncomfortable possibility: the old patching calendar may already be too slow.
