AI Is changing cyber risk

There is a widely used metric in cybersecurity known as mean time to exploit, the interval between the identification of a vulnerability and its active exploitation.

That interval is narrowing rapidly. In certain instances, exploitation begins even before remedial measures are fully deployed.

This shift warrants a fundamental reappraisal of how Indian boards approach cyber risk. The issue is no longer whether systems are patched. It is whether organisations can identify and close vulnerabilities faster than they are discovered and weaponised.

A Compression of Time, Not a New Threat

Over the past two years, advances in artificial intelligence have begun to reshape how vulnerabilities are identified, tested, and exploited.

Leading technology firms and research programmes have demonstrated systems capable of identifying weaknesses within complex codebases, testing multiple exploit pathways simultaneously, and, increasingly, recommending or implementing corrective actions.

These developments do not introduce an entirely new category of cyber risk. Rather, they accelerate existing dynamics. The window between vulnerability discovery and exploitation is collapsing from weeks to hours. In some cases, it is approaching zero. That is not an incremental change. It removes the margin of error most organisations rely on.

In cybersecurity, where advantage is often measured in time, this compression is consequential.

The fundamentals of cybersecurity have not changed. The problem is that the operating model built around those fundamentals no longer works at current speeds. Detection and response capabilities designed for human-paced workflows are now competing with machine-paced exploitation.

The outcome is not a breakdown of the system, but a sustained increase in pressure on infrastructure, on processes, and critically, on governance frameworks.

The Emergence of a New Asymmetry

The most significant shift is not merely between attackers and defenders, but between organisations themselves. A subset of firms, typically those embedded within advanced technology ecosystems, are beginning to develop the capability to identify and mitigate vulnerabilities at scale and in near real time. Others continue to rely on periodic assessments and assumptions of baseline security.

A structural asymmetry is emerging: some organisations will know their exposure continuously; others will discover it after it is exploited. In cybersecurity, that gap does not remain theoretical. It translates into breaches, client loss, and regulatory scrutiny.

India’s Structural Exposure

India’s digital ecosystem has expanded at an unprecedented pace. Platforms supporting identity, payments, taxation, and public services now operate at national scale, serving hundreds of millions of users and processing vast transaction volumes. Enterprise systems across financial services, healthcare, and industry are deeply integrated with global platforms and vendor networks.

While this scale represents a strategic advantage, it also introduces significant complexity. In cybersecurity, complexity is closely correlated with exposure.

Recent cyber incidents and threat assessments indicate both the scale and persistence of attacks targeting Indian organisations. Notably, many of these incidents have relied on conventional vulnerabilities rather than advanced techniques. The implication is clear: existing weaknesses remain widespread. AI-enabled discovery will not create new vulnerabilities, but it will surface existing ones with greater speed and efficiency.

Three structural factors further amplify this exposure.

First, the depth of the supply chain. India’s IT services sector occupies a central role in the global technology ecosystem, operating and maintaining critical systems for international clients. As these clients adopt more advanced, AI-driven security practices, disparities in security posture are likely to become commercially material.

Second, the extent of dependency on third-party components. Modern enterprise architectures rely heavily on external vendors, SaaS platforms, and open-source libraries. Accelerated vulnerability discovery increases the likelihood of multi-stage attacks that traverse these dependencies rather than targeting core systems directly.

Third, the evolving regulatory environment. India’s data protection and cybersecurity frameworks are tightening, with increasing expectations around breach reporting, data security, and governance oversight. Regulatory standards are progressively aligning with the realities of AI-enabled risk.

A Governance Failure Disguised as a Technology Problem

Most boards are treating AI-driven cyber risk as a technology problem, when it is truly a governance failure.

AI-accelerated cyber risk is often framed as a technological challenge. In practice, it is fundamentally a question of governance. Our work with global boards highlights a persistent gap between organisational ambition in AI adoption and readiness to manage associated risks. This gap is particularly evident in cybersecurity, where operational velocity is increasing while decision-making structures remain fragmented.

(The author is Partner, Kearney India. Views are personal.)