The Knowledge Distance Problem described a gap with a price tag attached to one side of it. An organization that could not close the distance between what AI can do and what the organization can actually absorb forfeited the upside — degraded output, stalled pilots, the value that never materialized. The cost of the gap was opportunity. You paid it in things that didn't happen.
That was the gap in peacetime. The environment has since changed, and the gap changed sign with it. The same distance that once cost an organization its upside now decides whether it is the soft target. An unready organization is no longer merely leaving value on the table. It is standing in the open.
This is not a new gap. It is the readiness gap observed under adversarial conditions — and under those conditions the thing that determines outcomes is not how advanced your tools are. It is whether the organization around them can stay standing when something goes wrong. The constraint was never technical. That claim is about to stop being a thesis about value and become a thesis about survival.
The conversation is stuck on the wrong letter
Information security has a three-part definition that predates all of this: confidentiality, integrity, availability. The breach — data stolen, secrets exposed — is a failure of confidentiality, and it is the one the entire public conversation fixates on. It is the dramatic letter. It is also, for most organizations, not the one that takes them down.
The measured impact tells a different story. In its review of more than five hundred major incidents in 2024, Palo Alto Networks' Unit 42 found that 86% involved business disruption — operational downtime, halted services, or both. The thing that actually happened to most victims was not that a secret got out. It was that the lights went off. That is availability, the quiet third letter, and it is where the real exposure lives.
The people closest to the consequences already talk this way. John Riggi, who advises the hospital sector on cybersecurity, describes the discipline as staying up: defend where you can, and recover quickly with minimal impact. He notes the brutal detail that attackers now deliberately locate and encrypt the backups first, specifically to destroy the ability to recover and force the ransom. The target is not the secret. The target is the recovery. The practical corollary for a defender is that a backup reachable from the production network with production credentials is not a recovery capability; only a copy the attacker cannot reach or alter, restored on a schedule to prove it works, counts as one.
And availability fails even when there is no attacker at all. In October 2025, a fifteen-hour outage at a single Amazon Web Services region — not a breach, but a software race condition — propagated through shared dependencies and disrupted thousands of organizations, among them a major bank and a national tax authority. No adversary, no stolen data. Just brittle software, and the lights went off for everyone downstream of it. Reframe the imperative accordingly: the task was never only to keep secrets in. It is to keep the system up — against a hacker, against a flood of traffic, and against your own fragile code.
Two curves, crossing
Here is the mechanism the title names. Picture two lines on the same axis of time.
The first is the time it takes an attacker to turn a newly disclosed weakness into a working exploit. That line is falling, fast, and AI is what bent it down. Moody's Ratings named the cause directly in April 2026:
"AI shorten[s] the gap between vulnerability disclosure and active misuse" — and the likelihood of unpatched systems being compromised rises with it.
The average time-to-exploit, which sat in the hundreds of days only a few years ago, has collapsed toward forty-four days — and researchers expect minutes within a few years.
The second line is the time it takes an organization to patch. That line is flat, or rising. In 2025, close to 40% of organizations carried a known, actively-exploited vulnerability on their networks for at least forty-five days; more than a quarter carried one unpatched for over a year. Set the two numbers beside each other — exploited in forty-four days, patched in more than forty-five — and you have the entire thesis in a single comparison. The attacker's line dropped below the defender's line. Where the curves cross, an organization is exposed not because it was targeted but because it was slow. Exposure became the default state.
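To make the crossing concrete, here is an added example (not code from the original article, nor from any of the reports it cites) that computes the two curves per host over a constructed inventory: days from disclosure to first observed in-the-wild exploitation, days from disclosure to patch, and the exposure window that opens when the second exceeds the first. The vulnerability IDs, hosts and dates are all constructed placeholders; the functions and field names are this example's own.

```python
"""Measuring where the attacker's curve crosses yours.

Added example, not code from the original article. Every record below is
constructed sample data; the vulnerability IDs are placeholders, not real CVEs.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    host: str
    disclosed: date            # vendor advisory / CVE published
    first_exploited: date      # first observed in-the-wild exploitation (e.g. a KEV listing)
    patched: Optional[date]    # None: still unpatched as of the report date


def time_to_exploit(f: Finding) -> int:
    """Attacker's curve: days from disclosure to first observed exploitation."""
    return max(0, (f.first_exploited - f.disclosed).days)


def patch_lag(f: Finding, today: date) -> int:
    """Defender's curve: days from disclosure to remediation (or to today if unpatched)."""
    end = f.patched if f.patched is not None else today
    return max(0, (end - f.disclosed).days)


def exposure_window(f: Finding, today: date) -> int:
    """Days the host ran a vulnerability that was already being exploited.

    Clocked from first exploitation, not disclosure: before that point the
    gap is risk, after it the gap is exposure. Zero if the host was patched first.
    """
    end = f.patched if f.patched is not None else today
    return max(0, (end - f.first_exploited).days)


def crossed(f: Finding, today: date) -> bool:
    """True when the attacker's line dropped below the defender's for this host."""
    return patch_lag(f, today) > time_to_exploit(f)


def fraction_exploited_within(findings, days: int) -> float:
    """Share of distinct vulnerabilities exploited within `days` of disclosure.

    Use this to sanity-check a remediation SLA: an SLA longer than the point
    where most of this mass sits is already behind the attacker's curve.
    """
    per_vuln = {f.vuln_id: time_to_exploit(f) for f in findings}
    if not per_vuln:
        return 0.0
    return sum(1 for t in per_vuln.values() if t <= days) / len(per_vuln)


def report(findings, today: date) -> dict:
    """Fleet-level numbers in the shape the article quotes: hosts exposed past
    45 days, past a year, and hosts never patched at all."""
    windows = [exposure_window(f, today) for f in findings]
    return {
        "total": len(findings),
        "crossed": sum(1 for f in findings if crossed(f, today)),
        "over_45": sum(1 for w in windows if w > 45),
        "over_365": sum(1 for w in windows if w > 365),
        "still_unpatched": sum(1 for f in findings if f.patched is None),
        "max_exposure_days": max(windows, default=0),
    }


TODAY = date(2026, 3, 1)

# Constructed sample inventory (placeholder IDs and hosts, not real CVEs or systems).
SAMPLE_FINDINGS = [
    Finding("VULN-A", "web-01",   date(2025, 10, 1), date(2025, 10, 15), date(2025, 10, 10)),
    Finding("VULN-A", "web-02",   date(2025, 10, 1), date(2025, 10, 15), date(2025, 12, 20)),
    Finding("VULN-B", "vpn-gw",   date(2025, 1, 10), date(2025, 1, 12),  None),
    Finding("VULN-C", "hr-app",   date(2025, 6, 1),  date(2025, 7, 15),  date(2025, 6, 20)),
    Finding("VULN-D", "file-srv", date(2025, 11, 1), date(2025, 11, 3),  date(2026, 1, 30)),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.vuln_id:7} {f.host:9} tte={time_to_exploit(f):3}d "
              f"lag={patch_lag(f, TODAY):3}d exposed={exposure_window(f, TODAY):3}d "
              f"{'CROSSED' if crossed(f, TODAY) else 'ok'}")
    print(report(SAMPLE_FINDINGS, TODAY))
    print("exploited within 14 days:", fraction_exploited_within(SAMPLE_FINDINGS, 14))
```

On a real fleet the records come from the scanner's finding and remediation timestamps joined against an exploitation feed such as CISA's KEV catalog. The metric to watch is the exposure window, not patch lag on its own: two hosts with the same patch lag can sit on opposite sides of the crossing depending on when exploitation began.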
The surface grows as fast as you patch it
It would be survivable if the set of weaknesses were fixed — a finite pile to be worked through. It is not. The pile is being added to faster than it is cleared, and AI is doing the adding from two directions at once.
The first is sheer volume of new debt. The catalog of disclosed vulnerabilities passed 320,000 entries by early 2026, with roughly forty-eight thousand added in 2025 alone — about four thousand a month. Much of that new debt is now self-inflicted. In Palo Alto Networks' 2025 cloud survey, 99% of teams reported using AI-assisted "vibe coding," which generates insecure code faster than anyone can review it. The arithmetic is the exposure curve in miniature: 52% of teams ship code weekly, but only 18% can fix vulnerabilities at that pace. Nearly three times as many teams ship at a weekly cadence as can remediate at one, and the gap between those two rates is new attack surface, manufactured continuously.
The second direction is subtler. The AI systems being woven into production are themselves a new and largely untested attack surface. Seventy-five percent of organizations now run AI in production, and 99% reported at least one attack on those AI systems within the year. The tool meant to close the gap is also opening a category of exposure that did not exist before it arrived.
Sources: MITRE CVE, 2026; Palo Alto Networks, 2025.
This is the wall from the Knowledge Distance Problem, running in production. The original finding was that when the distance between a system and the people working it grows too large, output degrades — the distant operator can't tell good from bad and ships the bad. Point that same mechanism at code shipped without anyone able to evaluate its security, and the degraded output is no longer a weak analysis. It is an open door. Knowledge distance stopped degrading quality and started degrading uptime.
Why it pools where it pools
The damage is not distributed evenly, and where it concentrates is exactly where the readiness gap was already widest. It pools in the organizations that are not web-native — the ones running clunky legacy systems, under-resourced, often with the person who wrote the core software long retired or gone. A power plant. A municipal agency. A credit union. A community hospital.
This is not a claim about one industry. The U.S. cyber-defense authority, CISA, has a name for the pattern across sectors: "target-rich, cyber-poor." The organizations holding the most valuable data and running the most critical functions — hospitals, water utilities, school districts, the small and mid-sized vendors threaded through everyone else's supply chains — are precisely the ones with the fewest resources to defend it. The constraint, as CISA's own director has put it, is that these providers do not have the resources to build a comprehensive program. It is worth hearing that as a description of capacity rather than will. The binding constraint is not enthusiasm. It is resources and capabilities — and the time and people to apply them.
That is the HOT framework read from the security side. The Human and Organizational layers — not the Technology layer — are where the exposure concentrates, in precisely the proportion the diagnostic already weights them. And it locates the Knowledge Distance score exactly where the risk is: the distance between an organization's legacy code and anyone still able to defend it is the exposure. Maximum knowledge distance — the retired author, the system no one fully understands anymore — is maximum vulnerability. The gap the diagnostic measures and the gap an attacker exploits are the same gap.
Sources: American Hospital Association; Moody's RMS, Oct 2025; Moody's Ratings, 2026.
The retiring practitioner is not a cost to be removed. What leaves with them is the institutional knowledge that keeps a critical system defensible, and the distance between that knowledge and the people who remain is now a security exposure with consequences attached.
The window, with a clock and an adversary
The Knowledge Distance Problem closed on a window that was already shutting — closing because models keep improving and because the practitioners who hold the institutional knowledge keep retiring. Both of those are still true. What adversarial conditions add is a third reason the window is closing, and a faster clock: the cost of being late changed sign. Late used to mean forfeited upside. Late now means standing exposed while the attacker's curve drops underneath yours.
The response is not a tool you can buy in a quarter, because the exposure is not, at root, a tooling problem — it is a capacity problem, and capacity compounds slowly. The organization that does the patient work — encoding its practitioners' knowledge into governed, monitored, recoverable systems while that knowledge still lives in people who can explain it — is building the same moat the Knowledge Distance Problem described. The difference is that the moat is now load-bearing against stress, not just a path to value.
So the imperative resolves into something plainer than the security industry's catalog of products. You will not out-patch a curve whose clock runs faster than your remediation cycle, and you cannot buy your way past a gap that is fundamentally about whether your organization can absorb a failure and recover. The durable posture is not perfect prevention. It is resilience — the capacity to take the hit, stay up, and recover with minimal impact. The question stops being whether you will be attacked and becomes how prepared you are when you are.
The real constraint is coordination
So name the problem plainly, because its shape is why no product solves it. The issue is coordination — whether the people who hold the knowledge, the way the organization is built to act, and the technology meant to serve it move as one, or run as disconnected projects that were never designed to work together. And that is the word that matters: designed. Coordination is not what happens when you assemble good parts. It is a thing you build on purpose, or do not have at all. Call the cost of not building it the coordination tax — the hidden charge on every element added to a system that was never reoriented, compounding with each new piece and every increase in speed.
The attacker already understands this. The fragmentation a defender experiences as complexity is, from the other side of the wire, the opening. Unit 42's Sam Rubin says it without euphemism — and the data backs him: 87% of attacks in 2025 struck across multiple surfaces at once.
"Enterprise complexity has become the adversary's greatest advantage."
This is not a new problem. It is the same coordination gap that quietly costs an organization everywhere it operates — between teams, between strategy and execution, between the organization and its technology. What changes here is the stakes. Everywhere else, poor coordination is an inefficiency: costly, recoverable. In security, under an adversary and a clock, the same failure is the building coming down. An organization whose internal speed has fallen below the speed of the threat outside it is already losing — it simply hasn't felt it yet.
And the problem is orphaned. It is organizational, but the person it is usually handed to — the security lead — does not have the authority to fix it. They can run a defense. They cannot reorient a company; that takes the technology chief, the operations chief, the chief executive, the board, moving as one. Even the analysts who write to security leaders concede the point: Gartner's 2026 guidance is that the CISO must "lead through influence, not unchecked task ownership" and coordinate across the rest of the C-suite. Which is an admission that the problem lives above the role it is assigned to. It falls into the space between the C-suite chairs, owned in fragments by people who each control a piece and none of whom controls the whole. The coordination tax goes unpaid not because no one is responsible, but because the only people who could pay it have not yet understood that it is theirs.
Which is why standing still is not the neutral choice it feels like. The distance between the organization that designed for this and the one still waiting widens with every pass of the curve. The companies sitting still have already chosen to be slower, more exposed, further behind. They simply haven't admitted it was a choice.
That is why the constraint was never technical. In peacetime, that was an argument about the value an organization could create. Under adversarial conditions, it becomes an argument about whether it is still standing tomorrow. Same gap. Same structure. The difference is only what the failure costs — and the cost is no longer measured in value left on the table.
Everywhere else, coordination makes an organization better. In security, it is what keeps it alive.