Seemant Sehgal is Founder & CEO of BreachLock Inc., a leader in Continuous Attack Surface Discovery & Penetration Testing as a Service.

Every few weeks, I see the same thing happen. A major AI lab ships a new frontier model, the security industry erupts with headlines about autonomous vulnerability discovery and my inbox fills up with variations of the same question from CISOs and security leaders: "Does this change everything?"

My answer, after 30 years in this industry—first running security programs as a part of the CISO's office, then building security products from the vendor side—is always the same: Faster discovery has never been the constraint. And until we're honest about that, we'll keep celebrating the wrong milestones.

The Metric That Actually Matters

The AI models like Mythos getting attention right now are genuinely impressive. Discovery is faster, broader and more autonomous than anything I saw coming up in this industry. That's real progress, and I don't want to dismiss it.

But here's what I've noticed after three decades of watching technology waves reshape this space: Every leap in discovery capability tends to widen a gap that already exists. This is the gap between what you find and what you actually fix.

When I was running security programs, the problem was never that we couldn't identify enough vulnerabilities. It was that we had more findings than we could confidently validate, more validated findings than we could intelligently prioritize and more prioritized findings than engineering teams could absorb without disruption. AI acceleration doesn't close that gap; it makes it larger and faster.

What Faster Vulnerability Discovery Actually Produces

I want to be specific about what happens operationally when discovery speed increases without equivalent maturity in the rest of the pipeline.

First, shorter time-to-exploit.
When AI dramatically compresses the time between finding a vulnerability and weaponizing it, defenders don't benefit equally. Attackers, who don't have change management processes or DTAP constraints, move faster on new discovery than most enterprise security teams can respond.

Second, more noise. The most persistent operational problem I see in security programs isn't a lack of findings. Instead, it's an overabundance of unvalidated ones. AI-powered scanning at scale produces more alerts, more potential issues and more tickets. Volume creates the illusion of progress while burying the signal that actually matters.

Third, prioritization becomes exponentially harder. There's a paradox at the center of modern security operations: The more you can find, the harder it becomes to decide what to act on. Most organizations I've worked with are not capacity-constrained on identification. They're judgment-constrained on prioritization.

The Three Things AI Still Can't Change

I've watched this dynamic play out through every major technology wave, namely automated scanners, bug bounty platforms, cloud-native tooling and now AI. And through all of it, three things have remained constant.

A potential vulnerability and a confirmed, exploitable vulnerability in your specific environment are completely different threat categories. Confirming real impact, understanding what that finding means for the business and determining whether it represents actual risk—this work hasn't been automated away. Unvalidated findings don't move the needle; they just create work.

Why Prioritization Requires Judgment That Tools Don't Have

Risk is not a CVSS score. It's a function of your environment, your business model, your regulatory exposure, your threat actors and a dozen other variables that differ from organization to organization. I've seen critical-rated vulnerabilities that represented low real-world risk and medium-rated findings that were existential for a specific business context.
The judgment to tell those apart reliably still lives with experienced practitioners.

The Demand For Discipline That Compounds

Fixing vulnerabilities without introducing new instability is an operational discipline. Whether you're following structured release processes, change management frameworks or continuous deployment pipelines, faster discovery puts more pressure on remediation workflows, not less. Organizations that haven't matured that discipline find that AI-accelerated discovery creates a larger backlog, not a shorter one.

Where I've Seen Organizations Actually Improve

The security programs that have made meaningful progress on outcomes—not just on metrics—share a common pattern. They stopped asking "How do we find more?" and started asking "How do we close the loop faster?"

That shift looks different depending on the organization, but it usually means treating validation as a first-class step, not an afterthought. It means building continuous adversarial testing that mirrors how real attackers operate, not just generating snapshots on a quarterly schedule. It means integrating discovery, validation, prioritization and attack surface management as a connected operational loop, not separate tools producing separate reports that no one has time to reconcile.

Most importantly, it means measuring outcomes, not findings generated, not scans completed, not tickets opened. How quickly does a confirmed high-impact finding reach remediation? How much of the remediation queue represents real risk versus noise? What percentage of last quarter's validated findings are actually fixed?

Those numbers tell you whether you're improving your security posture or just generating more activity.

The Question Worth Asking

The next frontier model announcement will likely come in a few weeks. It will be faster, broader and more capable than what came before.
That's the direction this technology is moving, and it won't stop.

When it lands, I'd encourage security leaders to resist the reflex of asking "Can this replace our current tooling?" and instead ask: "Do we have the operational maturity to take advantage of this?"

Because the honest answer, for most organizations, is that they don't yet have a validation workflow that can keep pace with what they're already finding. They don't have a prioritization process that produces consistent, defensible decisions. They don't have remediation velocity that matches discovery velocity. They cannot visualize attack paths.

No AI model closes those gaps automatically. Those are organizational and operational problems, and they require organizational and operational solutions—with technology as an enabler, not a substitute for doing the hard work.

The Imperative To Validate Attack Paths

The future of security isn't about finding more vulnerabilities. It's about validating exploitable vulnerabilities and concluding how they fit in an attack path. Capabilities such as adversarial exposure validation combined with human judgment can help the industry cover the gap between finding and fixing.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.