The Book
Explore Membership
Initiatives
Journey to AppSec MaturityAI SecurityProduct SecurityWomen in SecurityS3M2PodcastState of AppSec 2023
Resources
Resource LibraryBlogSecurity Jobs Board
AppSecConPodcastState of AppSec 2023
Events
Upcoming Events
PBC Connect – Black Hat USA 2026Ebola Response to AI Safety: How Security Engineers Can Change the World
Past Events
PBC Virtual - Claude Mythos, Decoded
PBC Virtual - A Security Update from the Scaling Laws Frontier
PBC Virtual - Claude Mythos, Decoded
PBC Connect – RSAC 2026
Dustin Li (Anthropic): How Security Engineers Can Change the World
PBC Virtual - Security Primer on Vibe Coding for Developers
PBC Virtual - Security Primer on Vibe Coding for Non-Developers
PBC Virtual - Exceptions Management
PBC Virtual - The AppSec Starter Pack: What I Wish They Told Me
PBC Virtual - JTAM with Vivek Venkatachalam
Bengaluru ChapterNew Delhi ChapterNYC Chapter LaunchCyber SoireeWomen In SecurityDavos DialogueFirst LookSBOM
Contact Us
The State of AI Risk Management report is here.
Download a copy
The Book
Membership
Journey to AppSec Maturity
Initiatives
Resources
Events
Join Us

Managing Vulnerability Risk with AI-Assisted Remediation

By 
Jyoti Wadhwa
,
Imran Ali Mohammed
,
David Messerschmidt
June 18, 2026

Introduction

AI is surfacing vulnerabilities faster than most organizations can act on them. Detection is improving. Findings are multiplying. Exploit chains built from combinations of lower-severity issues are raising the stakes on findings that would previously have been safely deprioritized. The gap between detection speed and remediation velocity is widening.

Three of us from the Purple Book Community AI CoE have been working through these questions as part of Cohort 2's Product AI Governance track. We are not writing from the other side of a solved problem. We are writing from the middle of it, testing approaches, comparing notes, and sharing what we are learning in real time.

The central question: can AI compress mean time to remediate safely, at scale, and with the governance structures organizations actually need? We think so. But the right workflow, governance model, and organizational change path is still taking shape for most organizations, including ours.

The detection problem is largely solved. The remediation problem is not.

The Transformation Required Goes Beyond Tools

Protecting products, services, and customers under an accelerated threat environment demands more than deploying a new platform. It requires innovation in processes, governance models, and the communication forums that bring the right people together fast enough to drive adoption at the speed the threat requires.

Policy change, process redesign, and platform updates all follow from that. The foundation is organizational alignment. Security, engineering, risk, and compliance need to move together with a shared understanding of what needs to change and why. That alignment is not happening fast enough in most organizations, and the threat is not slowing down to wait.

This is an organizational transformation first. The tooling follows the governance, not the other way around.

Where the Current Model Breaks Down

Traditional ticketing routes vulnerabilities into backlogs and sprint planning cycles. Lower and medium severity findings get deprioritized until AI models chain them into higher-impact exploit paths. By the time a ticket surfaces in a sprint, the risk profile may have already changed.

The ticketing model was built for a world where detection was the hard part and remediation could afford to wait. That world is gone. AI-assisted detection is surfacing findings faster than the ticketing model was ever designed to handle, and the urgency attached to findings that previously seemed manageable is rising.

Ticketing was not designed for AI-speed discovery. The backlog is where risk compounds quietly.

How Leading Organizations Are Innovating in Their Workflows

Organizations at the front of this are moving from ticketing toward pull request(PR)-based remediation and continuous integration workflows. A PR delivers an actual proposed fix, not a description of a problem. Tests run automatically. When checks pass, teams merge without waiting for sprint planning. Security teams play an active role in this model, working alongside engineering to accelerate the fix rather than handing off a finding and waiting.

AI extends the model further, building playbooks, generating proposed fixes, and supporting validation across large backlogs. AI also helps teams decide what to fix first, prioritizing and stack-ranking findings and PRs by exploitability, severity, and business context so engineering effort goes to the highest-consequence issues. Early signals show meaningful improvement in remediation rates. But none of us would call these results final.

Human oversight stays in the loop. Before any AI-generated fix merges, four gates apply:

  1. Automated tests
  2. CI/CD checks
  3. Confidence scoring (or Potential Impacts)
  4. Human review before merge

Confidence scores give reviewers a signal on how much to trust a proposed fix. High confidence with strong test coverage warrants faster review. Low confidence flags the need for deeper human judgment before merge. These gates are essential, not optional.

PR-based remediation compresses time to fix. It does not transfer accountability for the outcome.

What works for dependency upgrades does not automatically transfer to complex fixes or legacy code. Every organization is working through where to draw that line.

Governance, Communication, and Stakeholder Alignment Is What Makes It Stick

The technical workflow questions are easier to answer than the organizational ones. Governance and communication is where adoption takes hold or stalls.

Every organization working through this needs answers to these questions:

  • Who approves the shift from ticketing to PR-based remediation for a given vulnerability class?
  • How does risk leadership maintain visibility when fixes move faster and more autonomously?
  • How do you track which teams are acting on findings without creating overhead that kills the speed advantage?
  • What is the escalation path when an AI-generated fix causes a regression or a missed vulnerability?

The communication forums that support this are not optional. They are how the transformation actually moves. Risk steering committees, cross-functional operating cadences, and executive reporting that connects remediation velocity to business risk outcomes are what turn a pilot into a program. Stakeholders across security, engineering, risk, compliance, and product need a shared view of what is changing and what is expected of them.

Define the approval model and communication cadence before you scale the automation. Speed without accountability is a different kind of risk.

Evolving Reporting — KRIs and How to Measure Progress

What gets measured has to change alongside the workflow. Vulnerability volume tells you how much is coming in. It does not tell you how fast you are closing it.

The metrics that matter in an AI-assisted remediation model:

  • Mean time to remediate by vulnerability class
  • Merge rates on AI-generated PRs
  • Stale ticket and stale PR reduction (a PR-based model can create its own backlog if adoption is not actively tracked).
  • Actual risk closed, not findings opened

These numbers connect operational execution to business outcomes and give risk leadership the real-time visibility they need. This can be done within existing operating models. Governance forums and reporting cadences do not need to be rebuilt from scratch. They need updated definitions, new owners, and new escalation triggers when remediation velocity falls behind the threat.

Shift your primary metric from vulnerability count to remediation velocity. That single change reframes what the security function is accountable for delivering.

Progress Underway to Secure Operations, Customer Trust, and Compliance

The goal is not a faster version of the current model. It is secure operations, customer trust, and regulatory compliance at the speed AI-driven risk now demands.

Getting there requires teams that remediate at velocity, risk leaders with real-time visibility, and governance structures that keep humans accountable as automation accelerates. The approaches being tested today will shape the standards the industry adopts tomorrow.

We will keep sharing what we learn. If your organization is working through similar questions, we would like to hear from you.

Compressing mean time to remediate is no longer a security operations metric. It is a resilience requirement, and meeting it is a shared organizational responsibility.

This is an organizational transformation first. The tooling follows the governance, not the other way around.
Jyoti Wadhwa
Executive Cyber, Risk and AI Governance Leader; Former Global Head, Cloud and Product Security, NetApp
David Messerschmidt
Senior Engineering Manager, Product Security, PayPal
Imran Ali Mohammed
Product Security Strategy Lead, Evernorth
Uniting security professionals on a mission to democratize software security and solve its ever-evolving challenges with the power of Community.
The Book
Membership
Blog
News
Security Jobs Board
Powered by ArmorCode Inc.
Copyright © 2026. All rights reserved.
|
Privacy Policy
|
Terms & Conditions
The information contained in The Purple Book of Software Security and the contents of the Purple Book Community website contain ideas expressed by Purple Book Community members. These opinions are their own, do not reflect the views of the organizations they belong to, and have no affiliation with nor make any endorsement of any commercial products or services, including those of community sponsors.