Frontier AI models now scour codebases with tireless precision. They surface zero-days that evaded human eyes for decades. Yet the latest breaches still trace back to the same old lapses. Forgotten credentials. Lazy password practices. Doors left wide open by oversight.
That tension sits at the heart of cybersecurity in mid-2026. Tools like Anthropic’s Claude Mythos Preview have identified thousands of high-severity vulnerabilities across every major operating system and web browser. A 27-year-old flaw in OpenBSD. A 16-year-old issue in FFmpeg. Memory corruption in a supposedly safe virtual machine monitor. The model even chained four separate bugs to escape both renderer and OS sandboxes in a browser exploit. (The Hacker News, April 8, 2026)
Anthropic itself described the advance as a watershed moment. Non-experts using the preview built complete, working exploits overnight. The system turned known N-day vulnerabilities into functional attacks without further human guidance. It solved corporate network attack simulations that would consume a skilled human more than 10 hours. In testing it achieved full control-flow hijack on multiple OSS-Fuzz targets. (Anthropic research page)
But scan the incident reports from recent months and the pattern refuses to shift. The Verizon 2026 Data Breach Investigations Report found the human element present in 62 percent of breaches, up from 60 percent the year before. Social engineering, phishing, stolen credentials. These remain dominant. Generative AI helps attackers move faster at spotting gaps and crafting malware. It does not replace the fundamental weaknesses introduced by people.
Take the Klue breach disclosed in June 2026. Hundreds of organizations saw their Salesforce environments exposed through a single legacy credential that had never been removed. Klue, which serves more than 250,000 users, lost access to CRM data, sales leads, and contact lists for many customers. No financial details or passwords escaped, yet the incident rippled through security firms including Huntress. The attackers, a newcomer group called Icarus active only since late April, quickly moved to ransom and leak what they could. (The Register, June 29, 2026)
Huntress chose early transparency. That decision drew praise but also internal drama. A former employee allegedly passed law enforcement communications to the criminals, sparking legal threats and finger-pointing. The episode underscored how even security-conscious organizations stumble over basic credential hygiene.
Similar stories surface repeatedly. A city water utility fell after attackers used a username and password belonging to an employee who had left ten years earlier. One CEO kept an Excel spreadsheet containing every employee’s inbox credentials for quick administrative changes. LastPass administrators failed to rotate the master vault password after an earlier compromise. These are not sophisticated supply-chain attacks or novel memory-safety escapes. They are failures of process and attention.
The Register podcast team captured the frustration directly. Host Brandon Vigliarolo observed that the easiest path into most systems involves no Hollywood hacking. “It’s a con. It’s lying, putting on a reflective vest, and having a clipboard. It’s relying on password breaches and people being bad about their password hygiene.” US editor Avram Piltch added that the human element remains the biggest problem. “Maybe when I have my agent talk to your agent, they will be much better behaved than when people get involved.” Security editor Jessica Lyons described the current moment as a perfect storm. AI models excel at finding and exploiting bugs while open-source maintainers drown in reports. (The Register)
Open source has become a pressure point. AI tools now scan decades-old projects with relentless speed. They generate pull requests and bug reports at volumes that overwhelm volunteer maintainers. The NIST National Vulnerability Database struggles with backlogs. Security teams face a summer of triage that leaves little room for strategic defense. Georgia Tech researchers tracking CVEs tied to AI-generated code documented a sharp rise. Eighteen confirmed cases in the last seven months of 2025. Then six in January 2026, 15 in February, 35 in March. The true total likely sits five to ten times higher because many lack detectable metadata. (Reddit discussion citing Georgia Tech Vibe Security Radar, June 2026)
Yet the same AI capabilities that create this flood also offer defensive potential. Anthropic launched Project Glasswing to apply Mythos Preview toward finding and fixing vulnerabilities in critical software used by selected organizations. The company committed substantial credits and donations to accelerate patching before adversaries can weaponize the discoveries. Still, only a small fraction of the thousands of bugs located so far have been publicly disclosed and addressed. The rest sit in responsible-disclosure limbo. The trajectory, Anthropic researchers wrote, points toward models that keep improving at both detection and exploitation. “There are only so many classes of vulnerabilities.”
Industry reports echo the duality. IBM’s 2026 X-Force Threat Intelligence Index highlighted more than 300,000 stolen ChatGPT credentials circulating in infostealer malware the previous year. Prompt-injection attacks evolved from curiosity to enterprise risk. One vulnerability in GitHub Copilot allowed remote code execution through hidden instructions in pull-request descriptions. Microsoft 365 Copilot suffered a zero-click data exfiltration flaw. These incidents show AI systems themselves introduce new surfaces that require human oversight. (Cycode blog, March 31, 2026)
So where does that leave security leaders? They cannot ignore the acceleration in vulnerability discovery. Models now outperform all but the most elite humans at certain tasks. They work through the night without fatigue. They combine encyclopedic knowledge of past bugs with exhaustive testing. But they do not eliminate the need for basic controls. Multi-factor authentication. Timely offboarding. Credential rotation. Least-privilege access. These measures still depend on consistent human execution.
Podcasters and analysts alike note that AI-augmented attackers simply compound existing problems. The Verizon report confirms threat actors already use generative tools to speed every stage of an operation. From reconnaissance to payload development. The human factor, however, drives 62 percent of incidents. Configuration oversights on end-of-life routers. Default passwords on exposed management interfaces. Forty-five thousand to fifty thousand such devices were found vulnerable in scans of specific North American sectors during 2025.
One security leader summarized the situation in a recent podcast. Human error accounts for the money lost far more often than exotic zero-days. “It’s not the AI robot breaking down the door. It is a human whether through ignorance they don’t know any better.”
The coming months will test how organizations absorb these dual pressures. More AI-generated code will ship with subtle flaws. More legacy systems will expose forgotten accounts. Defenders must triage an avalanche of findings while still closing the obvious gaps that require no sophisticated model to exploit. Password managers help, yet only when people actually use them correctly. Automated remediation tools from vendors like Snyk promise to fix detected issues at scale. Their effectiveness still hinges on whether teams apply the patches.
Anthropic warned that the transition period may prove tumultuous. Models continue to advance along every axis. Vulnerability research grows more accessible to non-experts. At the same time, the oldest attack methods persist because they prey on predictable behavior. Social engineering with a clipboard still works. An unrevoked credential from a departed contractor still opens the door.
Security teams that treat AI solely as a detection silver bullet will miss the point. The technology sharpens both sides of the contest. It finds bugs faster than humans can patch them. It also magnifies the cost of sloppy practices. The real test lies in whether organizations can pair machine-scale analysis with disciplined, mundane execution. Because right now, the machines are winning at finding holes. Humans keep providing the easiest ones to walk through.
WebProNews is an iEntry Publication