The proposed change would be led by the Cybersecurity and Infrastructure Security Agency, which is said to be reviewing whether to cut the standard remediation window for actively exploited vulnerabilities from roughly two to three weeks down to just three days. The discussions, according to people familiar with the matter, also involve the Office of the National Cyber Director, led by Sean Cairncross, and acting CISA chief Nick Andersen.
The urgency stems from concerns that modern AI systems are compressing the time attackers need to find and exploit weaknesses in software. Tools such as Anthropic Mythos and OpenAI GPT-5.4-Cyber are reportedly capable of rapidly identifying vulnerabilities—sometimes reducing exploitation timelines from weeks or days to just hours, according to cybersecurity researchers and industry sources.
Traditionally, CISA has maintained a catalogue of Known Exploited Vulnerabilities (KEVs), giving civilian agencies up to three weeks to patch serious flaws once they are identified. That timeline has already been shrinking in recent years, but the new proposal would mark a dramatic shift toward near-immediate remediation.
“If you're going to protect civil agencies, you're going to have to move faster,” said Stephen Boyer, founder of cybersecurity firm Bitsight. “We don't have as much of a window as we used to have.”
The policy debate comes at a time when governments and industries are grappling with how to respond to increasingly capable AI-driven threats. Experts say financial institutions, in particular, are under pressure as regulators attempt to assess the real-world risks posed by rapidly advancing offensive AI capabilities.
Former CISA deputy director Nitin Natarajan described the potential change as a strong signal for other sectors. “This is a signal to others that says, ‘Hey you need to do this more quickly,’” he said, adding that the acceleration reflects the speed of evolving threats.
However, not all experts are convinced the system can realistically keep up. Security specialists such as Kecia Hoyt of Flashpoint warned that patching critical vulnerabilities often requires extensive testing and coordination. “Realistically, three days is simply impossible for some environments,” she said.
John Hammond, a senior researcher at Huntress, voiced cautious optimism about the shift, noting that while faster response times may be necessary in theory, the practical challenges for organisations could be significant.
The discussions remain ongoing, and no final decision has been announced. Still, the direction of travel is clear: as AI reshapes the cyber threat landscape, defenders may soon be forced into a much faster—and more demanding—operational reality.
