The Frontier AI question
In January, the question came up occasionally. By April it was in every conversation.
Anthropic released Fable 5 and Mythos 5 on June 9, two months after first announcing Mythos in April. Within days, the U.S. government directed Anthropic to suspend access to both, underscoring how quickly the Frontier AI picture is changing.
The U.S. Treasury and the Federal Reserve convened an emergency meeting with major bank CEOs on April 8, and the IMF flagged Mythos-class models as a financial-stability risk. The Cloud Security Alliance has described the moment as the start of an "AI vulnerability storm."
How can Panaseer help our customers in the face of an attacker with unlimited resources?
Strategy and stakeholder management
Name the root cause: complexity.
We're working with our customers to support their board and exec conversations, sharing a unique perspective on the root cause of the problem.
This nine-minute video summarizes how I see complexity as the root cause, and frames how we can help.
There's a chain reaction at play.
The speed of business drives accelerating IT adoption, which creates cyber complexity. As complexity grows, many large organizations lose full visibility of their assets and start to experience avoidable control gaps. The business gets disconnected from cyber risk, at which point it becomes CISO risk, and this human friction results in preventable breaches and escalating regulation.
In the spirit of "never let a crisis go to waste", some customers are using this Frontier AI moment to address some of these consequences. They're pushing hard on asset hygiene, and on business and IT ownership of their controls, to ensure the business owns its own risk.
Broader stakeholder engagement.
Our latest product feature, Cyber Advisor, opens Panaseer's data to any stakeholder through a natural-language chat interface, without requiring platform knowledge. There are no per-user limits or fees, so the new Cyber Advisor extends Panaseer's reach inside your business without adding cost.
The force multiplier for the defender
Frontier AI models will identify chained vulnerabilities and control gaps at machine speed, so that Agentic AI becomes the force multiplier for the attacker. Panaseer can be the force multiplier for the defender by identifying all your assets, control gaps and chained control gaps through our Compound Risk capability.
Panaseer’s deterministic data is automated and trusted to ensure people and systems have the ground truth to make informed decisions. This is increasingly important to be able to defend at machine speed. There are three ways we’re helping customers move faster:
- prioritization
- deterministic data
- identifying the root cause
1. Prioritize based on threat and business criticality.
Concerns are growing about the operational impact of trying to patch everything at once. We know it's impossible to close every control gap at once. Instead, you need an operational resilience perspective to inform decision making. As one customer described: "It's now impossible to patch fast enough. We need a 360-degree view of assets and services to make informed decisions."
So you, our customers, are using Panaseer to prioritize, combining business service criticality with the chained control gaps and the mitigations available to inform operational decision making.
We're helping customers make business-informed decisions by combining three things: business criticality, the control gaps associated with assets or business services, and the mitigations available to protect assets with open vulnerabilities.
2. Deterministic data to inform agentic (probabilistic) defenses.
We've spent a lot of time with customers on how Panaseer's deterministic ground truth can support their agentic defense. Agentic systems work best when they have a foundation of automated, consistent, transparent and current data about your attack surface and security posture to draw on.
From that foundation, you can share data with other technologies to defend at machine speed.
Panaseer data is already available via the Snowflake API – but we’ve also made the strategic decision to develop an MCP server and Metric API to make Panaseer data available across your infrastructure. Trusted data now becomes the prerequisite for any agentic AI initiative.
3. Identify and fix the root cause – the broken business processes
We've helped customers identify and fix the underlying broken business processes that lead to significant recurring control gaps. The Compound Risk feature resolves huge numbers of control gaps in simple steps by shifting left, identifying the root cause so you stop dealing with the forever-growing downstream symptoms.
Patterns we've helped customers fix:
- Assets missing from patching domain. Fewer than 100 servers drove 93% of out-of-SLA detections. The servers weren't part of the patching domain. Panaseer's Compound Risk metrics identified the business process gap, explained why the servers were missing, and pinpointed the process that needed fixing.
- Assets missing from CMDB. Cross-source visibility catches what a single tool can miss. For one customer, the CMDB was inaccurate in both directions: real devices active on the network were absent from it, while thousands of entries in it referred to devices that no longer existed. Panaseer cross-referenced all tool populations against each other and the CMDB, surfacing both missing entries and stale ghost records. Accountable owners were identified and driven to act.
- Assets missing from one or more critical controls. Critical PCI devices were identified as missing core endpoint controls. Coverage gaps by control, business unit, and criticality were surfaced by Panaseer, enabling accountable owners to drive targeted remediation, resulting in a 98% reduction in PCI devices missing the controls.
- Build images with unpatched vulnerabilities. Large volumes of devices were identified as sharing identical vulnerabilities despite repeated patching activity. The same CVEs kept reappearing across the same asset cohorts with each new scan cycle. Panaseer moved the infrastructure team from chasing individual vulnerabilities to investigating automation and process issues. The gold build was identified as the root cause; patching the image eliminated the downstream exposure permanently across all devices built from it.
- Inherited local admin privileges outside the vault. Admin rights were identified as inherited via AD group membership, not granted explicitly, and not visible to the vault. Because the group itself was in the local admin group, every member inherited privilege through the nesting chain without anyone intending to grant it. Panaseer surfaces the full privilege inheritance path, then identifies which groups are responsible for the most inherited access, so remediation targets the highest-impact group first. Removing or reassigning one group can clear inherited admin access for thousands of accounts in a single action, rather than working account by account.
- Tickets closed when patch applied but box not rebooted. Vulnerability scanners were continuing to flag devices as exposed despite corresponding patch tickets being marked closed in the ITSM. The patch programme looked compliant on paper, but wasn't reducing actual risk. By correlating deployment status and reboot history, the root cause was identified as patches being deployed but devices not being rebooted. Once a reboot step was added to the patching process, the patches took effect.
- Patches deployed but a conflict means the patch doesn't stick. An outsource provider was patching vulnerabilities and reporting them as remediated, but vulnerabilities kept reappearing. Investigation uncovered a bug in the patching process: Windows 10 patches were installing, then silently uninstalling. Fixing the patch issue resulted in a 25% reduction in total vulnerability detections.
- Third-party privileged users inactive. Third parties often have access to company systems, but third-party processes often fail to notify companies when their staff leave or are absent for a period. Correlating third-party accounts with business IDAM policies (stale account age, password reset compliance, account creation method and privileged vault status) gave third-party risk management and GRC teams a dedicated view of external account posture, and a basis for holding third-party providers to the same standards.
- Leaver accounts not disabled promptly. Privileged accounts were remaining active after individuals had left the organisation. The average time to disable a leaver account was longer than expected, with no clear explanation from the data available in individual tools. The root cause was identified as an upstream system feeding the offboarding process only reporting on weekdays. Staff who left on a Friday or Saturday were not processed until Tuesday, a 3-4 day window where accounts remained active with no legitimate owner. The batch schedule gap was invisible without cross-referencing employee data against account disable timestamps.
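The privilege-inheritance pattern above, as an added example that is not Panaseer's code: a small Python resolver over constructed directory data that walks nested group membership from a local Administrators grant down to individual accounts, then ranks the intermediate groups by how many accounts inherit admin only through them, so the highest-impact group is remediated first. All group and account names are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample directory data (not real customer data).
# Keys are groups; members prefixed "G:" are nested groups, "U:" are users.
GROUP_MEMBERS = {
    "G:Local-Admins-Workstations": ["G:Desktop-Support", "G:Region-EMEA-Staff", "U:alice"],
    "G:Desktop-Support": ["U:bob", "U:carol"],
    "G:Region-EMEA-Staff": ["G:EMEA-Sales", "G:EMEA-Finance"],
    "G:EMEA-Sales": ["U:dave", "U:erin", "U:frank"],
    "G:EMEA-Finance": ["U:grace", "U:heidi"],
}

# Groups placed directly in the local Administrators group on the hosts.
LOCAL_ADMIN_GROUPS = ["G:Local-Admins-Workstations"]


def resolve_inherited_admins(group_members, admin_groups):
    """Walk nested memberships from each local-admin group down to users.

    Returns {user: [groups from the admin grant down to the user]}. A direct
    member has a one-group path; anything longer is inherited via nesting.
    BFS gives the shortest path and the seen-set guards against circular nesting.
    """
    paths = {}
    for root in admin_groups:
        queue = deque([(root, [root])])
        seen = {root}
        while queue:
            group, path = queue.popleft()
            for member in group_members.get(group, []):
                if member.startswith("U:"):
                    paths.setdefault(member, path)
                elif member not in seen:
                    seen.add(member)
                    queue.append((member, path + [member]))
    return paths


def rank_groups_by_inherited_access(paths):
    """Count, per nested group, the accounts whose admin rights pass through it.

    The root grant group is skipped: it is the explicit grant point. The top
    entry is the single group whose removal clears the most inherited access.
    """
    counts = defaultdict(int)
    for path in paths.values():
        for group in path[1:]:
            counts[group] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def summarize(paths):
    """Return (explicitly granted accounts, accounts with inherited admin)."""
    inherited = sum(1 for p in paths.values() if len(p) > 1)
    return len(paths) - inherited, inherited
```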
Governance and oversight
Governance over AI controls.
Released in February 2026, our 12th and most recent Cyber Control Domain enables customers to understand the status of their AI controls across sanctioned and unsanctioned internal AI.
“The world changed, we need to behave differently.”
Customer CISO, life sciences manufacturer.
The Four Operational Levels in practice
This operating model lets customers begin at any level to meet their most pressing business needs. Some customers begin with a regulatory focus, others to drive business services accountability and others to address specific control gaps. Over time, we see customers maturing so that all four levels are integrated and using the same system of record.
Level 1
External Assurance
This level is about satisfying external requirements from regulators, auditors, customers, and insurers. By producing credible, mapped evidence of control performance from a single system of record, customers automate evidence collection, reduce audit fatigue, and increase external confidence using real-time, evidence-based controls reporting mapped to frameworks like NIST, the CRI Profile, and DORA.
Audit readiness has become part of how operations teams work day-to-day. It's the use case customers cite most often as essential to their compliance operations, often holding its place through budget reviews.
Level 2
Executive Oversight
This level gives the CISO, risk committee, GRC, and internal audit end-to-end visibility across business, regional, and technology views of ownership and controls, with scorecards and heatmaps for aggregated oversight. It lets executives track progress across cyber control domains, evaluate residual risk, and align priorities with business objectives.
We're seeing customer CISOs log into the platform alongside their teams: one CISO this half found a Linux antivirus (AV) coverage discrepancy on his own, on the platform, with his team in the room. It was the moment that truly cemented his confidence in the data. We're seeing the same at multiple accounts, especially as the board reporting question has shifted from "are we protected?" to "can we keep up?"
Level 3
Business Accountability
This level extends visibility and ownership into the business. Any owner of a line of business, technology stack, business service, region, or product gets scorecards and heatmaps for their own controls, viewed through an operational-resilience and business lens, translating cyber into the language they understand along the way with clear insights and prioritization. By making accountability explicit, customers prioritize resources, remediate gaps, and embed security outcomes into everyday operations.
It's the level that has accelerated hardest this half, driven in part by regulation: DORA is in force, PRA examiners are actively engaged on Important Business Services (IBS) in the UK, and the CRI Profile is becoming the operational framework for global financial services. One customer told their account team that mapping IBS in Panaseer was "a rare opportunity to show innovation to the PRA." Another is going "all in" on the CRI Profile, with one of the Big Four redoing their underlying risk taxonomy in support.
Level 4
Control Execution
At the most operational level, control and tool owners get automated, highly granular operational data and a 360-degree view across multiple tools, with a true denominator for every asset type. Data is enriched with business criticality and ownership to drive prioritization and accountability, so every control effectively covers every asset in scope, continuously, closing gaps faster and in line with organizational priorities.
Success here reinforces the other three levels, creating a cycle of continuous improvement. It's also where customers are pushing hardest, working with control owners where appropriate to run queries and track their own controls.
“Panaseer is too essential to audit readiness for our Ops teams.”
Customer CISO
Audit fatigue
The conversations I've had this half match the data. The volume of audit-related work has grown, the patience to do it manually has run out, and CISOs are telling me their teams are burning out on compliance demands.
Two numbers from our 2026 Security Leaders Peer Report:
- 71% of CISOs say compliance demands are fueling team burnout
- 12% have faced penalties of more than $1 million due to audit delays
Customers who've automated their audit evidence through Panaseer are reporting significant time savings on internal audit response. One customer attested to answering regulator questions in just 10 minutes using Panaseer, instead of the days and weeks it used to take.
That's the shift we're focused on: turning audit from a recurring scramble into a continuous, automated process. Customers using Panaseer are saving tens of thousands of hours of manual work and going into spot audits with confidence. Users of Panaseer have continuous, automated and trusted evidence always available, inspectable from board-level summaries down to the individual control, with a full audit history over time.