Washington Is Betting on Faster Patching. That's Not Enough.

When I was at Raytheon in 2015, the company was a finalist in DARPA's Cyber Grand Challenge – a competition built around a simple but unsettling premise: could a machine autonomously find vulnerabilities in software, reason about how to exploit them, and patch them, all without a human expert in the loop? The competition format was capture the flag, but the underlying question was much larger. DARPA wanted to know if automated systems could do what had always required the best offensive security minds in the world.

I thought about that competition yesterday when I read the new White House executive order on AI security.

What DARPA was probing in 2015 is no longer a research question. Autonomous systems that can discover vulnerabilities, reason about how to chain them, and identify attack paths through complex codebases aren't a future concern. They're here. Anthropic's Mythos work, and the broader wave of AI-accelerated zero-day research, have made that undeniable. The proof of concept DARPA was chasing a decade ago has arrived. Sadly, we aren't well prepared and are yet again playing security's favorite game: catch-up.

This week, the White House published an executive order titled Promoting Advanced Artificial Intelligence Innovation and Security. If you read it looking for compliance obligations aimed at private companies, you won't find much. No new mandates, no licensing requirements, no enforcement deadlines.

But if you read it as a signal about where the threat landscape is heading, and about what the government now believes needs to exist to defend against it, it tells you a lot. It tells you that the government has correctly identified the threat and that the solution it's reaching for is AI-accelerated patching. Unfortunately, that isn't enough. We need to prioritize building better, more resilient software infrastructure, and that element is woefully missing from the order.

What the EO Says and Why It Matters

The order directs CISA, NSA, Treasury, and OMB to take coordinated action within 30-60 days: harden federal systems against AI-enabled attacks, establish a voluntary AI cybersecurity clearinghouse for vulnerability scanning and patch coordination, and determine whether federal grant funding can be directed toward AI-powered vulnerability detection. (I have my popcorn ready for how this all comes together in practice.)

The language is deliberate. The government isn't worried about AI as an abstract risk – it's worried about AI being used to find and chain vulnerabilities at a speed and scale that existing defenses weren't built to handle. For those of us who've been watching Mythos and the wave of AI-accelerated zero-day research, none of this is surprising. The government is catching up to a threat model that enterprise leaders have been grappling with for months.

Executive orders don't create overnight change. But they force a formal accounting. Agencies have to act. Guidance gets written. Frameworks get set. And once those frameworks exist, they propagate – into procurement requirements, into audit checklists, into the questions security teams get asked by the people above them.

I watched this play out with EO 14028, while at Google. Before that order, software supply chain security was something forward-thinking teams understood and cared about. After it, the conversation changed in character. It wasn't a “nice to have” anymore – it was a named priority with named owners and named deadlines. It also created an entirely new market of companies focused on solving it.

Where EO 14028 forced a reckoning around software supply chain integrity, this EO is signaling something similar for computing infrastructure. Models are being released and updated on continuous, overlapping timelines, by dozens of organizations, into infrastructure that wasn't designed to contain them. Proactive vetting and vulnerability assessment will always have gaps. The question is what happens in those gaps: between model release and patch, between discovery and remediation, between the moment an attacker finds a path and the moment you close it. This is bigger than a software fix; it's an infrastructure problem.

Where the EO Falls Short – IMHO 

Here's my honest read of the order: it largely borrows from what you might call the vulnerability management school of security thinking. Find vulnerabilities faster. Patch them faster. Coordinate that process at scale with an AI assist. You can see it throughout – the clearinghouse for scanning and remediation, the CISA programs enhancing AI-enabled defensive tools, the OMB review of grant funding for AI vulnerability detection. All of it is oriented around the same loop: detect, patch, repeat.

That's not entirely wrong. But it's insufficient – and what I can tell you is that the answer to AI-accelerated attacks isn't AI-accelerated patching. 

What's largely absent from this EO is any mention of building better, more resilient software infrastructure. There's almost nothing about blast-resistant systems design, about workload isolation, about making it so that when a vulnerability is exploited the damage is structurally contained. The assumption baked into the vulnerability management school is that you can stay ahead of the attacker. Find it before they do. Patch it before they chain it. That assumption was already strained before AI. Now it's genuinely untenable.

Blast-Resistant Infrastructure: The Answer Patching Can't Provide

The more durable answer is to build infrastructure where a successful exploit has nowhere to go. That's what we are focused on building at Edera – infrastructure that stops attackers in their tracks – they cannot move laterally, cannot chain further, cannot reach anything outside the security boundary. And in that moment of compromise, the system sustains and remains operational. This doesn't replace vulnerability management. But it changes the stakes of imperfect vulnerability management, which is the only kind that exists.

This EO is a step. The government naming AI-accelerated vulnerability discovery as a national security priority matters, and the institutional infrastructure it's standing up will have real effects. But the harder architectural conversation – about what it means to build systems that are resilient by design rather than just patched more efficiently – hasn't made it into the chat yet. And that’s just a damn shame. 
