Why AI is changing how organizations achieve cyber resilience.
For decades, cybersecurity has been built around one assumption: defenders had enough time.
- Enough time to discover vulnerabilities.
- Enough time to assess exposure.
- Enough time to deploy patches.
- Enough time to verify that critical systems remained protected.
That assumption shaped how organizations built security programs, how vendors developed security products, and how regulators measured cyber resilience.
That assumption no longer holds.
Artificial intelligence has not created an entirely new category of cyber risk. It has exposed the limitations of a security operating model built for a world where attackers operated at human speed. When AI can identify vulnerabilities, generate working exploits, analyze attack surfaces, and chain weaknesses together at scale, the timeline between exposure and exploitation compresses dramatically.
That shift is beginning to reshape more than cyber operations. It is changing how governments, regulators, and security leaders think about resilience itself.
The European Central Bank’s recent supervisory letter is one of the clearest examples yet.
On July 7, 2026, the ECB directed every significant institution under its supervision to submit a comprehensive action plan addressing AI-enabled cybersecurity threats by October 31. While the letter applies specifically to Europe’s largest banking institutions, its significance extends well beyond financial services. More important than the deadline is the ECB’s conclusion that AI represents a long-term shift in the threat landscape rather than a temporary phenomenon or a risk associated with any single technology.
That statement marks an important moment in the evolution of cybersecurity.
The ECB Isn’t Asking for More of the Same
At first glance, the ECB’s recommendations appear familiar.
Protect the attack surface. Accelerate vulnerability and patch management at scale. Enhance monitoring, detection, and defense. Strengthen governance, funding, training, and supply chain assurance. Reinforce defense-in-depth while modernizing infrastructure. Improve operational resilience and information-sharing.
None of those disciplines are new. Mature security programs have invested in them for years, and many are already reflected in frameworks such as DORA and existing supervisory expectations.
What the ECB is acknowledging is something more fundamental. Cybersecurity’s traditional operating model was built for a world where attackers operated at human speed, giving organizations time to reduce risk before adversaries could exploit it. AI eliminated that advantage. The ECB’s letter reflects a broader shift that is already underway.
The challenge is no longer whether organizations have visibility into their environments. It is whether they can generate enough evidence to make confident security decisions before attackers exploit them.
Security has become an evidence problem, not a visibility problem.
Visibility tells you what exists. Evidence tells you what matters.
That distinction sits at the heart of the ECB’s letter. The objective is no longer to perform more security activities. It is to ensure those activities produce meaningful reductions in operational risk despite dramatically compressed attack timelines.
This Shift Didn’t Begin with the ECB
The ECB’s supervisory letter did not emerge in isolation. It is the latest signal in a broader progression that has been unfolding across governments, intelligence agencies, and cybersecurity organizations over the past year.
Last month, CISA’s Binding Operational Directive 26-04 signaled an important shift away from treating vulnerability management primarily as a severity problem. Instead, it emphasized prioritizing remediation based on operational risk, exposure, and the likelihood of exploitation.
Around the same time, the Five Eyes intelligence alliance, CERT-EU, the UK’s National Cyber Security Centre, FS-ISAC, and other organizations warned that frontier AI models are fundamentally changing the economics of cyber operations. Activities that once required experienced operators working methodically over days or weeks can increasingly be executed in minutes and repeated at virtually unlimited scale.
Although each organization framed the challenge differently, they all point toward the same conclusion: the assumptions that have shaped cybersecurity for decades are no longer sufficient in an era of AI-accelerated attacks.
The ECB’s letter represents the next step in that progression. Rather than encouraging institutions to prepare for a future possibility, it acknowledges that AI-enabled cyber threats are already reshaping how regulators evaluate cyber resilience. That distinction matters because it marks a shift from discussing AI as an emerging risk to managing it as an operational reality.
The Operating Model Must Change
If cybersecurity’s traditional operating model can no longer keep pace with AI-accelerated attacks, organizations need more than faster patching, more scans, or additional security tools. They need a different way to make security decisions.
If AI has exposed those limitations, the obvious question becomes: what should replace them?
The answer is not another security category or another framework. Organizations need an Evidence-Based Security Operating Model, one grounded in current evidence rather than assumptions.
What is actually exploitable?
Validation
Prove which vulnerabilities and weaknesses attackers can actually exploit in your environment.
What is the business impact?
Context
Demonstrate how those exploitable weaknesses could be chained together to create measurable business risk.
Did remediation eliminate meaningful risk?
Verification
Prove remediation eliminated the exploitable weakness and closed the associated attack path.
Has anything changed?
Continuous Operation
Continuously refresh the evidence as your environment evolves.
Viewed through this lens, the ECB’s recommendations become easier to understand. The letter is not asking institutions to perform more security activities. It is asking them to demonstrate that those activities are producing meaningful reductions in operational risk. Together, validation, context, verification, and continuous operation enable organizations to keep pace with the speed of AI-driven cyber operations.
From Periodic Assessments to Evidence-Based Security
For leading organizations, evidence-based security is no longer a periodic exercise. It is becoming an operating rhythm. Rather than relying on annual assessments or assuming security activities achieved their intended outcome, organizations are continuously generating the evidence needed to make confident security decisions as their environments evolve.
At Horizon3.ai, we’ve spent the past several years building the NodeZero® Proactive Security Platform around exactly this way of operating. Rather than producing another list of theoretical findings, NodeZero generates the evidence organizations need to validate exploitability, demonstrates the business impact, verifies that remediation eliminates meaningful risk, and continuously refreshes that evidence as their environments change.
The ECB’s guidance reinforces the direction our customers have already been taking. They are no longer measuring security by the activities they complete, but by the evidence those activities produce.
That is how organizations make confident security decisions at machine speed.
Learn more about how NodeZero supports the ECB’s objectives.
This Shift Will Not End in Europe
The ECB’s supervisory letter applies specifically to the largest banking institutions under its supervision. Its significance, however, extends well beyond those organizations.
History suggests that major regulatory shifts rarely remain confined to one jurisdiction. GDPR began as a European regulation, yet it ultimately reshaped privacy practices around the world. Cyber resilience is likely to follow a similar path.
Whether other regulators follow suit is almost beside the point. The broader direction is already becoming clear. Governments, intelligence agencies, industry organizations, and regulators are independently arriving at many of the same conclusions. AI has accelerated the pace of cyber operations, compressed the time available to make security decisions, and raised expectations that organizations can demonstrate, not simply assume, that risk has been reduced.
The question is no longer whether organizations should adapt to AI-enabled threats. The question is whether their security operating model can produce the evidence needed to make confident decisions at the speed those threats now demand.
The significance of the ECB’s letter is not that another regulator issued another cybersecurity directive. It is that one of the world’s leading banking supervisors publicly acknowledged what security teams have already been experiencing in practice.
Artificial intelligence changed the speed of attack.
The ECB’s message is that it’s time for cybersecurity to change the speed of defense.