AI Attack Autonomy Doubles Every 4.7 Months

AI Attacker Doubling Rate Hits 4.7 Months: Govern Data Now

The U.K. government just published the most uncomfortable benchmark in cybersecurity. The AI Security Institute (AISI), a research arm of the Department for Science, Innovation and Technology, has been tracking how well frontier AI models perform end-to-end, multi-stage penetration tests — the kind a senior human red-teamer would run against a corporate network. In November 2025, the difficulty of tasks the best models could complete autonomously was doubling roughly every eight months. By February 2026, that doubling rate had collapsed to 4.7 months. The latest evaluations of Claude Mythos Preview and GPT-5.5 suggest the curve is steepening further, according to AISI.

Key Takeaways

  1. The Doubling Rate Is Accelerating, Not Stabilizing. U.K. AI Security Institute benchmarks show the difficulty of cyber tasks AI models can complete is now doubling every 4.7 months — down from every eight months in November 2025. The trajectory keeps shortening.
  2. This Is an Autonomy Measurement, Not a Hype Claim. AISI measures whether AI can chain multi-step exploits end-to-end with 80% reliability against tasks calibrated to human expert hours. That is a different and harder bar than "AI can write a phishing email."
  3. The Attacker Timeline Is Collapsing Faster Than the Defender Timeline Can Adjust. CrowdStrike measured 29-minute average eCrime breakout times and an 89% year-over-year increase in AI-enabled attacks before the latest AISI benchmarks were even published.
  4. Patch-and-Detect Models Were Already Losing the Race. Only 33% of organizations know where their sensitive data lives, and most cannot recover compromised AI training data after an incident. Faster attackers expose those gaps immediately.
  5. The Durable Defense Moves to the Data Itself. When the time between vulnerability discovery and weaponization compresses toward zero, the only control surface that still holds is one that governs, encrypts, and audits the data regardless of which exploit reaches it.

Move over, Moore’s Law. The defender’s adversary just got an exponential.

This is not a story about AI writing better phishing emails. AISI’s benchmark is specifically designed to measure autonomous capability — whether a model can sustain context across multiple steps, recover from failures, and complete the kind of work a human expert measures in hours. Kat Traxler, principal security researcher at Vectra AI, framed the significance for CSO Online: “The AISI benchmarks don’t measure if models can spot a flaw. Rather, they measure whether various models can chain together a series of exploits into working attacks to achieve an end goal, like real-world attackers do.”

That distinction matters. A model that can chain exploits into a working attack is not a tool. It is a junior red-teamer that does not sleep, does not miss work, and is improving faster than any defender’s training budget can match.

Why the AISI Numbers Matter More Than the Vendor Demos

AISI is the rare independent voice in a field saturated with vendor claims. It is government-funded, methodologically transparent, and has no commercial product to sell. When AISI says the doubling rate accelerated from eight months to 4.7 months between November and February, that is not marketing copy. It is the measured output of a controlled benchmark that runs the same models against the same tasks over time.

The benchmark methodology is worth understanding. AISI first measures or estimates the time a human expert needs to solve a given challenge, then estimates the longest task — in human work hours — that an AI model can complete with an 80% success rate. The number that gets reported is not raw speed. It is autonomous reliability over multi-step work. To complete a long task, the model must hold context, recover when something fails, and keep going.

A few caveats are worth naming. AISI capped the AI systems at 2.5 million tokens to allow cross-model comparison over time, which limits the models’ ability to remember earlier stages of the attack. The benchmark, like all benchmarks, is an inexact predictor of real-world performance. And as AISI itself notes, AI sometimes struggles with tasks humans find easy and breezes through tasks humans find hard. None of those caveats blunt the trendline. The slope of capability against difficulty is steepening, regardless of where any individual model sits on it.

The Doubling Rate Sits Next to a Compressed Defender Window

The AISI trajectory does not arrive in a quiet threat landscape. It arrives in one already pushed to its operational edge.

The CrowdStrike 2026 Global Threat Report measured an 89% year-over-year increase in attacks attributed to AI-enabled adversaries. It clocked the average eCrime breakout time — the gap between initial access and lateral movement — at 29 minutes, with the fastest at 27 seconds. Zero-day exploits prior to public disclosure rose 42%. Eighty-two percent of detections were malware-free in 2025, up from 51% in 2020, because attackers are using legitimate credentials, native tools, and human-driven techniques that traditional signature-based defenses cannot see.

Stack the numbers honestly. CrowdStrike collected its data through 2025, before the AISI doubling rate accelerated. The 89% increase, the 29-minute breakout window, and the 42% zero-day growth all reflect a threat landscape that predates the latest capability jump. Whatever the next CrowdStrike report says, the trajectory points one direction.

Meanwhile, the Thales 2026 Data Threat Report found that only 33% of organizations claim full knowledge of where their sensitive data resides. Two-thirds of the world’s organizations cannot answer the question an AISI-benchmarked attacker would ask first: Where is the valuable data?

This is the math no security strategy memo wants to confront. The attacker’s capability is doubling every 4.7 months. The defender’s breakout window is 29 minutes. Two-thirds of organizations cannot inventory their own crown jewels. That is not a widening gap. That is a structural mismatch.

The CVE-and-Patch Model Was Built for a Different Decade

Every assumption baked into modern vulnerability management is calibrated to human-paced attacker discovery. Vendors disclose a flaw. NIST scores it. Security teams prioritize against the score. Patches deploy in days or weeks. The cadence works when the time between vulnerability discovery and weaponization is measured in days, sometimes weeks.

That cadence is already cracking. The Cloud Security Alliance’s April 2026 “Mythos-Ready” briefing — signed by Jen Easterly, Bruce Schneier, Chris Inglis, and Phil Venables — warned that “the window between discovery and weaponization has collapsed to hours.” NIST conceded in mid-April that it can no longer enrich the majority of CVEs submitted to the National Vulnerability Database, with more than 30,000 entries sitting unanalyzed and “not scheduled” as the new default category. The Dragos 2026 OT/ICS Cybersecurity Report found that 15% of 2025 CVEs had incorrect CVSS scores — 64% of those corrections adjusted the score upward — and that 25% of public vulnerability advisories contained no patch or mitigation advice at all.

Then add the AISI signal: The AI systems doing the discovery are doubling in capability every 4.7 months. The defender’s reference system is narrowing coverage by more than half. The attacker’s discovery engine is industrializing.

The asymmetry is structural. It is not a problem any individual tool, training program, or patching SLA can close.

Why “Defender AI” Is a Necessary but Insufficient Answer

The most common rebuttal to AISI’s findings is that defenders get AI too. Chris Lentricchia, director of cloud and AI security strategy at Sweet Security, told CSO Online that “the same acceleration improving attacker capability can also improve defensive capability in areas like proactive threat detection and response automation.” He is right. Defender AI matters. So does faster patching, better detection telemetry, and improved IR automation.

But defender AI does not solve the underlying asymmetry. The attacker only has to succeed once. The defender has to succeed across every asset, every account, every API, every workflow, every day. Defender AI raises the floor; attacker AI raises the ceiling. The gap between them is still defined by how much surface area is exposed and how well that surface is governed.

There is also a survivorship problem. Defender AI works in the SOC, in the EDR console, in the cloud security posture management tool. It does not work very well at the place where data actually moves — between employees and external partners, between applications and external SaaS, between humans and AI agents. The fastest, most reliable defender AI in the world does not help if the sensitive data was already exfiltrated through a governed-but-unmonitored channel.

The Kiteworks Data Security and Compliance Risk: 2026 Forecast Report found that only 43% of organizations have a centralized AI data gateway, while 7% have no dedicated controls of any kind for how AI systems access sensitive data. The remaining 50% sit in some flavor of “partial,” “ad hoc,” or “distributed-without-coherent-policy.” That is the surface attacker AI will find first.

The Architectural Answer: Govern the Data, Not Just the Vulnerabilities

When the attacker’s capability curve is exponential, no defender can win by trying to outpace it through perimeter hardening alone. The control surface must move underneath the attack — to the data itself.

This is the architectural pattern that holds when patch cadence breaks. A hardened virtual appliance with embedded firewall, WAF, and IDS so that security is a product property rather than a customer configuration burden. Zero-trust access control with attribute-based enforcement across every data exchange channel — secure email, file sharing, SFTP, managed file transfer, APIs, web forms, and AI agents alike. FIPS 140-3 encryption with customer-controlled keys. Tamper-evident audit logging delivered to the SIEM in real time, with no throttling, so that incident response has evidentiary records that survive forensic review. Single-tenant isolation so a multi-tenant compromise cannot expose your data through someone else’s flaw.

Kiteworks was purpose-built around this thesis. The platform unifies governance, security, and visibility across every channel an enterprise uses to move sensitive data, including AI access through the Kiteworks Compliant AI and Secure MCP Server. When Log4Shell hit the industry as a CVSS 10 vulnerability in December 2021, Kiteworks customers experienced it as a CVSS 4 — because the architecture had already removed the exploit paths a generic deployment would have exposed.

The next Log4Shell will not arrive with a CVE number attached. It will arrive as a zero-day discovered by an AI system the world had not yet benchmarked. The defense that holds is one designed for the threat we cannot pre-score.

What Organizations Need to Do Now — Not in the Next Budget Cycle

The AISI doubling rate is not a problem to study. It is a problem to act on, with the assets and people you have today.

First, treat the AISI trajectory as a strategic input, not a research curiosity. Add the doubling-rate observation to your board briefings, your risk register, and your threat modeling exercises. Frame the conversation around what changes when attacker capability outpaces patch cadence, because the answer drives every downstream architecture decision.

Second, audit the gap between your detection cadence and the 29-minute breakout window. The Kiteworks 2026 Forecast Report found that only 43% of organizations have a centralized AI data gateway, and a majority lack the unified telemetry needed to detect cross-channel data movement at attacker speed. If your IR plan assumes hours of dwell time, it is calibrated to the wrong decade.

Third, inventory your AI access paths. Every internal copilot, every agent, every model-context integration, every API into a sensitive data store is now a potential AI-attacker target. According to the Kiteworks report, 7% of organizations have no dedicated controls for AI access at all. Those organizations are not “early adopters.” They are unsecured.

Fourth, move encryption key custody back to your control. Cloud-managed keys, fragmented across services, multiply the blast radius when an AI-discovered exploit reaches a privileged service. Customer-controlled keys, FIPS 140-3 validation, and HSM integration are baseline expectations for the next twelve months, not differentiators.

Fifth, demand evidence-quality audit trails across every data exchange channel. Kiteworks found that 33% of organizations lack the kind of tamper-evident logging that holds up under regulator scrutiny or litigation discovery. When a faster attacker compromises a faster system, the forensic record is often the only artifact that distinguishes a contained incident from a reportable breach.

Sixth, push your AI vendors on data-layer governance, not just model safety. A jailbroken model that cannot reach your sensitive data is a contained incident. A safe model with broad access to ungoverned data is a single prompt injection away from disaster. The control surface that matters is the data, not the model.

The doubling rate will not pause to let any organization catch up. The organizations that build for the curve win. The organizations that build for the last paradigm get the next breach.

Frequently Asked Questions

Take it as a planning signal, not a forecast. AISI’s benchmark measures autonomous multi-step capability, which is the hardest form of AI cyber capability to fake. Even with methodological caveats, the trend confirms what CrowdStrike’s 89% increase in AI-enabled attacks already suggested. According to Kiteworks Data Security and Compliance Risk: 2026 Forecast Report, only 43% of organizations have a centralized AI data gateway, leaving most exposed.

Consolidate the data exchange perimeter. Most teams are stretched across too many fragmented tools, each with its own audit log and access policy. Kiteworks Data Security and Compliance Risk: 2026 Forecast Report shows that unified data-layer governance reduces both operational burden and breach surface. One platform with consistent policy enforcement across email, file sharing, MFT, APIs, and AI access is cheaper than five.

Govern at the data layer, not the model layer. Per Kiteworks Data Security and Compliance Risk: 2026 Forecast Report, 7% of organizations have no dedicated AI access controls at all, and 19% rely on ad hoc point solutions. A centralized AI data gateway with ABAC policy enforcement lets AI agents reach only the data they are authorized to use, with every request authenticated, authorized, and audited.

CMMC Level 2’s access control, audit, and identification families assume defenders can detect and respond to anomalous activity. AISI’s findings shorten that response window dramatically. The Kiteworks Data Security and Compliance Risk: 2025 State of CMMC Preparedness in the DIB Report found that only 46% of 209 surveyed DIB organizations consider themselves prepared to seek Level 2 certification, and 57% have not completed a NIST 800-171 gap analysis. Data-layer governance with attribute-based access satisfies AC, AU, and IA families simultaneously.

Traditional IAM authenticates users and assigns roles. AI agent governance must authenticate the agent, authorize the specific data the agent can touch, and audit every interaction in real time. Kiteworks Data Security and Compliance Risk: 2026 Forecast Report frames this as a control-plane gap — IAM controls people, but governance controls data flow. When AISI-class attacker capability hits an under-governed agent, the agent becomes the exfiltration channel.
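The authenticate, authorize, audit sequence described above for AI agents, together with the tamper-evident logging discussed earlier, can be sketched as follows. This is an added example, not Kiteworks code or any product's API; the agent names, keys, attributes, resource labels, and policy rule are all constructed assumptions.

```python
import hashlib, hmac, json

# Constructed sample data (assumptions, not from the page): keys, attributes, labels.
AGENT_KEYS = {"copilot-hr": b"demo-key-hr", "agent-finance": b"demo-key-fin"}
AGENT_ATTRS = {"copilot-hr": {"dept": "hr", "clearance": 2},
               "agent-finance": {"dept": "finance", "clearance": 3}}
RESOURCES = {"payroll.csv": {"dept": "finance", "sensitivity": 3},
             "handbook.pdf": {"dept": "hr", "sensitivity": 1}}
GENESIS = "0" * 64

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def sign(agent, resource):
    """Agent side: MAC the request. No nonce here, so replay protection is out of scope."""
    return hmac.new(AGENT_KEYS[agent], f"{agent}|{resource}".encode(), hashlib.sha256).hexdigest()

class Gateway:
    def __init__(self):
        self.log, self.head = [], GENESIS  # hash-chained audit records and current chain head

    def _audit(self, agent, resource, decision):
        body = {"agent": agent, "resource": resource, "decision": decision, "prev": self.head}
        self.head = _digest(body)
        self.log.append({**body, "hash": self.head})

    def request(self, agent, resource, tag):
        key = AGENT_KEYS.get(agent)
        # 1. Authenticate the agent (constant-time MAC comparison).
        if key is None or not hmac.compare_digest(sign(agent, resource), tag):
            decision = "deny:unauthenticated"
        else:
            # 2. Authorize against attributes of both the agent and the data (ABAC).
            a, r = AGENT_ATTRS[agent], RESOURCES.get(resource)
            ok = r is not None and a["dept"] == r["dept"] and a["clearance"] >= r["sensitivity"]
            decision = "allow" if ok else "deny:policy"
        self._audit(agent, resource, decision)  # 3. Audit every outcome, denials included.
        return decision

def verify_chain(log):
    """Return the index of the first record that breaks the chain, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {"agent": rec["agent"], "resource": rec["resource"],
                "decision": rec["decision"], "prev": prev}
        if rec["prev"] != prev or rec["hash"] != _digest(body):
            return i
        prev = rec["hash"]
    return -1
```

A hash chain only proves tampering if the chain head is held somewhere the attacker cannot rewrite, which is why forwarding each record to the SIEM as it is written matters: an intruder who controls the gateway could otherwise recompute the whole chain.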
