Thought Leaders
AI Is Changing Open Source Security. Software Lifecycle Accountability Must Change With It.

When Drupal disclosed CVE-2026-9082 in May, exploit attempts were reported within 48 hours. That shrinking window between disclosure and exploitation illustrates the new reality facing organizations that rely on open source software. They have less time than ever to assess risk and respond before vulnerabilities are actively targeted.
AI is accelerating that shift by dramatically increasing the speed and scale of vulnerability discovery. As vulnerability discovery accelerates, the challenge for enterprises is no longer just identifying vulnerabilities; it’s ensuring the software they depend on remains secure, supportable, and resilient throughout its lifecycle.
AI Is Accelerating Threats Faster Than Enterprises Can Respond
AI-powered tools are accelerating vulnerability discovery and lowering the barrier to exploit development, reducing the time organizations have to assess risk and respond. Updated industry projections from FIRST now estimate that nearly 66,000 CVEs will be disclosed in 2026, an 11% upward revision from the February forecast, after disclosures ran 46% above projected pace through April.
FIRST rightly notes that exploitable risk hasn’t grown at the same pace as raw volume, and that KEV and EPSS triage can absorb the surge. But triage-and-patch assumes a patch exists. For software built on end-of-life frameworks, it doesn’t, and the entire prioritization model collapses at exactly the point where it matters most.
Meanwhile, security teams don’t operate at machine speed. They still need to determine which systems are affected, assess business risk, test fixes, and deploy updates without disrupting operations. For organizations relying on open source software, that challenge becomes even greater when business-critical components have reached end of life and no longer receive security patches from their original maintainers.
The result is a widening gap between identifying vulnerabilities and actually remediating them. Organizations need more than visibility into vulnerabilities. They need confidence that the software they depend on will remain secure and supportable throughout its lifecycle.
Unsupported Software Is Becoming a Growing Enterprise Risk
Many organizations continue running end-of-life versions of open source frameworks such as Drupal, Spring, and AngularJS because replacing business-critical applications is expensive, disruptive, and often takes years to complete.
That reality is increasingly colliding with new regulatory expectations. Frameworks such as the EU Cyber Resilience Act, DORA, NIS2, and PCI DSS 4.0 place greater emphasis on software maintenance, supply chain visibility, and ongoing software support, making unsupported software a growing compliance and operational concern.
Because modernization often takes years, organizations need a strategy for maintaining secure, supported software throughout the transition.
Organizations Need Lifecycle Visibility, Not Just Vulnerability Visibility
Most organizations have invested heavily in tools designed to identify vulnerabilities across their environments. Those tools answer the question of where the vulnerabilities are. They don’t address another that’s becoming just as important: Is this software still supportable?
Answering that question requires organizations to look beyond vulnerability management. They need visibility into whether business-critical open source components are actively maintained, approaching end of life, or no longer receiving community support, and a strategy for keeping those systems secure until modernization is complete.
Enterprise leaders should focus on three priorities:
- Know what you own. Identify unsupported software before vulnerabilities, audits, or incidents force the issue, and understand which business-critical applications depend on it.
- Plan for secure modernization. Build lifecycle planning into procurement, development, and modernization strategies, with clear plans for maintaining software securely throughout the transition.
- Treat software supportability as a business priority. As software ecosystems become more complex, long-term software support should be treated as a strategic business capability and not simply an engineering concern.
AI is changing how software is built, how vulnerabilities are discovered, and how quickly organizations are expected to respond. What hasn’t changed is the enterprise responsibility to maintain the software businesses already depend on securely. As AI reshapes open source security, success will depend on treating software lifecycle accountability as a core security capability, not just a technical consideration.
The organizations that succeed won’t necessarily be the ones that patch the fastest. They’ll be the ones that can confidently manage software risk across its entire lifecycle, keeping business-critical applications secure and operational while modernizing on their own terms.












