AI-driven vulnerability discovery is accelerating patching demands. HR leaders need to be ready before the tidal wave hits, says a panel of HR and cybersecurity experts
Anthropic's Claude Mythos – the company's most advanced AI cybersecurity model, reported to be so powerful that Anthropic itself has declined to release it publicly – is already redefining what it means to find and exploit software vulnerabilities. When Anthropic announced the Mythos preview and Project Glasswing – a group of technology companies tasked with using Mythos to find and repair security vulnerabilities in software – on April 7, it raised the spectre of a sustained surge in IT patching work. It’s a surge some tech experts are calling “patchapalooza.”
From an HR leader’s perspective, no amount of technical infrastructure will hold the line if the people behind it burn out first, says Lewis Curley, Lead Partner in KPMG Canada's People and Change practice for Ontario and Atlantic.
“There's a dawning realization that this is a people challenge as much as it is a technology challenge,” says Curley. “So often I've seen over the past few years and in my career, with new technologies, it’s first seen as a technology challenge solution, and then people realize, ‘Oh, this is actually a people thing.’”
From controlled cycles to continuous onslaught
Traditional patch management has operated on a predictable rhythm: identify vulnerabilities, create a fix, deploy, move on. That rhythm is breaking down. Greig Arnold, a cybersecurity partner at KPMG Canada, notes that where a zero-day vulnerability once took months before widespread exploitation, the window has collapsed to days or less.
“What Mythos and frontier AI is doing is changing that rapidity,” says Arnold. “We have to fundamentally shift how we think of responding, not what we respond to.”
Daphne Lucas, National Leader for Cyber Security at Deloitte Canada, zeroes in on what that shift demands operationally. Organizations will need to AI-enable their own processes to reduce human handling time, clarify decision authority so people can act without waiting for sign-off, and establish clear escalation paths for critical events, she says. “Figuring out what are the roles and responsibilities, who has the authority, and what the escalation path is when something needs to be done very quickly – those would be my top three,” says Lucas.
The burnout risk hiding inside the patch backlog
IT departments were already stretched before Mythos entered the conversation. Carlie Bell, Director of Consulting at Citation Canada, works primarily with small and mid-sized businesses and has a front-row seat to how tech teams are straining.
“Most IT departments are really overloaded, and it's just coming at them faster and faster now as companies are trying to learn how to use AI and leaning very heavily on the IT experts for access, governance, and problem solving,” Bell says. “They're already overwhelmed with just the day-to-day stuff, and then all of this AI moving at an incredible pace of change.”
The organizations most vulnerable are those leaning on one or two key people who carry irreplaceable institutional knowledge, according to Bell. “You lose that organizational knowledge, then you've got a real problem,” she says.
Arnold believes that HR faces an operational risk from IT burnout, as security teams that have always been capable of a 24-to-48-hour sprint for a critical patch are potentially looking at “a continuous 24-7 onslaught, and people will not be able to sustain that,” he says.
For HR leaders grappling with workforce planning in high-pressure environments, the implication is that patch readiness must be treated as a retention and capacity issue, not merely a technical checklist, says Arnold.
Building the workforce that can handle the surge
The IT function can no longer be treated as a self-managing back-office unit, says Bell. “IT really does become an executive-level issue where we need to really think about workforce planning,” she says, urging HR to proactively assess whether teams are overloaded and whether the organization needs to hire for AI-enabled cybersecurity skills specifically.
Curley advocates for a structural rethink common in HR transformation work across Canada: cross-functional pods for rapid response, pre-approved decision frameworks, and governance models that give teams genuine autonomy. “There's a lot of challenges with workforce burnout through lack of autonomy, where I've got to go through 17 layers of approval and it's really hard to get my job done – that just drags people down,” says Curley. “It doesn't mean people can all make their own decisions, but having a rethought governance model would be helpful.”
Curley also sees the value of building a broader capacity bench, where people in lower-urgency roles can be drawn in during a surge.
Lucas agrees that drawing on internal capacity and temporary contractors can help clear backlogs. “Make sure that you're really prepared for the big wave that might be coming to all of us,” she says.
Jodi Baker Calamai, National Managing Partner for Human Capital and Consulting at Deloitte Canada, stresses that communication can’t be an afterthought. She says that HR and IT leaders need a clear communication track, while operating models require explicit updates: “Clarifying roles, defining what work the human is accountable for, defining what tools are available, and examining process steps as well as crossing out steps that no longer exist because the work is now augmented through various tools,” says Calamai.
The sourcing question is particularly weighty in Canada, where privacy legislation means data protection responsibility cannot be delegated, says Bell. “You cannot as an organization outsource that responsibility, as it’s still the organization’s,” she says.
The question CHROs and CIOs should be asking
The skills required to navigate AI-driven cybersecurity are evolving faster than most training programs can keep pace with. Baker Calamai frames the fundamental HR challenge around strategic workforce planning: understanding what skills the organization values in humans today, identifying where gaps exist, and building a credible plan to close them. “This concept of strategic workforce planning is not new, but the current realities are exposing just how important it is to have a real handle on the inventory of talent skills and how we continue to evolve them,” she says.
Bell advocates making continuous learning a funded, scheduled part of the job – not an afterthought. “This stuff is changing so fast that a degree that you earned at school five years ago is completely irrelevant today, so you actually make that part of the job requirement.”
The emerging link between cybersecurity resilience and people strategy also gives HR a compelling entry point into the C-suite conversation, and CHROs need to work closely with Chief Information Officers now, according to Curley. “As much as accountability might sit with a CIO, they're going to need support from fellow executives and the teams behind them,” he says.
Lucas distills it to a single question she believes those two leaders should be asking each other: “How can we better collaborate across HR, technology, cyber, and our leaders to appropriately accelerate our processes, but collectively use the skills and expertise at our disposal to get to a place where we think we're making the right risk decisions?”
The coming influx of patches from Anthropic's Claude Mythos will make managing IT workforces challenging, but Arnold believes it isn’t a doomsday scenario. “We can control it and we can get ahead of it,” he says. “But it's a new adaptation to new technology, so embrace the change and move forward, because it's not going away.”