
Supply Chain Security Crisis: Too Many Vulnerabilities, Too Little Visibility
Why It Matters
Without clear visibility into which vulnerabilities pose real supply‑chain risk, organizations cannot prioritize patches, exposing critical assets to attacks that occur before fixes are released. This undermines operational resilience across sectors that depend on complex software ecosystems.
Key Takeaways
- 48,000 CVEs in 2025; only 58 truly critical for supply chains
- Mean time to exploit dropped to –7 days, meaning attacks precede patches
- AI models will generate more vulnerabilities, accelerating velocity and reducing visibility
- SBOM completeness remains questionable; AI‑enhanced SBOMs may arrive beyond 2027
- Smaller firms may adopt autonomous defense to cope with rapid threat velocity
Pulse Analysis
The cybersecurity landscape is being reshaped by an unprecedented surge in software flaws. Black Kite’s 2026 report documents over 48,000 CVEs published in 2025, yet a mere 58 meet the criteria of a discoverable, exploitable threat to enterprise supply chains. Simultaneously, the mean time to exploit has turned negative—attacks now precede the release of patches by an estimated seven days, according to both Black Kite and Mandiant. This inversion of the traditional patch‑first model forces security teams to confront a velocity‑driven crisis where sheer volume eclipses the ability to remediate.
Artificial intelligence is a double‑edged sword in this equation. Frontier‑model generators such as Claude Mythos are already surfacing more vulnerabilities than human researchers, while AI‑assisted development pipelines churn out ‘vibe‑coded’ applications riddled with hidden weaknesses. Moreover, shadow‑AI tools, often deployed without IT oversight, expand the attack surface and obscure visibility. Traditional safeguards like Software Bills of Materials (SBOMs) struggle to keep pace; their completeness and accuracy remain in question, and AI‑enhanced SBOMs are still years away. The net effect is a rapid erosion of the transparency needed to prioritize risk.
Enterprises must therefore pivot from blanket patching to intelligence‑driven triage. Leveraging metrics such as EPSS scores and KEV inclusion can isolate the critical few—like the 58 high‑priority CVEs identified by Black Kite—allowing resources to focus where impact is greatest. At the same time, a balanced automation strategy is essential: fully autonomous defenses may accelerate response but also risk unintended outages, as illustrated by the CrowdStrike update mishap affecting 8.5 million Windows machines. Embedding human oversight, especially for high‑value systems, preserves operational continuity while AI augments detection and remediation.
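The intelligence‑driven triage described above, as an added illustration that is not part of the Black Kite report or this article: a small Python filter that keeps only CVEs that are actually reachable in the supply chain and are either in the KEV catalog or above an EPSS threshold, and that computes the patch‑to‑exploit gap so a negative value (exploitation before the patch) stands out. All CVE identifiers, scores and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class CveRecord:
    cve_id: str
    epss: float                      # EPSS probability (0..1) of exploitation in the next 30 days
    in_kev: bool                     # listed in the CISA Known Exploited Vulnerabilities catalog
    reachable: bool                  # affected component is present and reachable in our supply chain
    first_exploited: Optional[date] = None  # earliest observed in-the-wild exploitation
    patch_released: Optional[date] = None   # date a vendor fix became available


def time_to_exploit_days(rec: CveRecord) -> Optional[int]:
    """Days from patch release to first exploitation; negative means attackers beat the patch."""
    if rec.first_exploited is None or rec.patch_released is None:
        return None
    return (rec.first_exploited - rec.patch_released).days


def triage(records: List[CveRecord], epss_threshold: float = 0.1) -> List[CveRecord]:
    """Keep the critical few: reachable AND (in KEV OR EPSS >= threshold), most urgent first."""
    critical = [r for r in records if r.reachable and (r.in_kev or r.epss >= epss_threshold)]

    def urgency(r: CveRecord):
        tte = time_to_exploit_days(r)
        exploited_before_patch = tte is not None and tte < 0
        # Python sorts ascending, so False (= more urgent) sorts first for the two flags.
        return (not r.in_kev, not exploited_before_patch, -r.epss)

    return sorted(critical, key=urgency)


# Constructed sample feed (placeholder IDs; not real CVEs).
SAMPLE = [
    CveRecord("CVE-EXAMPLE-0001", epss=0.02, in_kev=False, reachable=True),
    CveRecord("CVE-EXAMPLE-0002", epss=0.45, in_kev=True, reachable=True,
              first_exploited=date(2025, 3, 1), patch_released=date(2025, 3, 8)),
    CveRecord("CVE-EXAMPLE-0003", epss=0.90, in_kev=False, reachable=False),  # noisy but unreachable
    CveRecord("CVE-EXAMPLE-0004", epss=0.30, in_kev=False, reachable=True,
              first_exploited=date(2025, 5, 10), patch_released=date(2025, 5, 1)),
]

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r.cve_id, "KEV" if r.in_kev else "", f"EPSS={r.epss}", "TTE=", time_to_exploit_days(r))
```

Of the four constructed records only two survive triage; the high‑EPSS but unreachable one is dropped, which is the kind of reachability context a complete SBOM is supposed to provide.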