AI-assisted vulnerability discovery (the post's example is Anthropic's Mythos finding decades-old bugs in OpenBSD and FFmpeg) is compressing the patch window that traditional security programs depend on. The assumption that breaks first is that credentials stay where they are put: any secret a host can hold in software can be exfiltrated and replayed from somewhere else. The answer the post argues for is hardware-bound identity: keys generated in a TPM or Secure Enclave, ACME Device Attestation to prove to the CA that a key lives in that hardware, and short-lived certificates that rotate automatically. That shifts the model from periodic trust (a long-lived credential checked once at issuance) to continuous trust (a certificate issued minutes ago for a key that never leaves the device). Hardware-bound identity does not prevent endpoint compromise; an attacker on the box can still use the key for as long as they are on it. What it removes is portability, which is what makes credential theft profitable at scale. The pieces exist, most enterprise fleets have TPMs and most Macs have Secure Enclaves, but the issuance and rotation infrastructure connecting them is usually missing.
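As an added example (not code from the post or from Smallstep's projects), the issuance-and-check loop the post says is missing, written in Go against the standard library only: a CA that refuses to issue anything longer than a policy ceiling, a relying party that rejects both expired and over-long leaves, and a rotation check that renews well before expiry. The device key is a software ECDSA key standing in for a TPM or Secure Enclave signer so the example runs without hardware; the 24-hour ceiling, the one-third rotation threshold and the names are assumptions, and ACME device attestation itself is out of scope here.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxLeafLifetime caps device certificates; longer means a long-lived credential. Assumed value.
const MaxLeafLifetime = 24 * time.Hour
// CA is a minimal in-memory issuing CA, a stand-in for a real one such as step-ca.
type CA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// sign creates and parses a certificate from tmpl, signed by priv on behalf of parent.
func sign(tmpl, parent *x509.Certificate, pub crypto.PublicKey, priv crypto.Signer) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// NewCA creates a self-signed root valid for ten years from now.
func NewCA(now time.Time) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Device CA"},
		NotBefore:             now,
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, key: key}, nil
}

// NewDeviceKey stands in for a TPM- or Secure Enclave-backed crypto.Signer whose private
// bytes cannot be exported; a software ECDSA key is used only so this runs without hardware.
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Issue signs a short-lived leaf for pub. The CA sees only the public key and
// refuses any lifetime above the policy ceiling.
func (ca *CA) Issue(pub crypto.PublicKey, cn string, lifetime time.Duration, now time.Time) (*x509.Certificate, error) {
	if lifetime <= 0 || lifetime > MaxLeafLifetime {
		return nil, fmt.Errorf("refusing lifetime %s: ceiling is %s", lifetime, MaxLeafLifetime)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now,
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, ca.Cert, pub, ca.key)
}

// CheckLeaf is the relying-party side: the leaf must chain to the CA at time now, and its
// window must itself be within policy, so a leaf copied off a host yesterday is worthless today.
func CheckLeaf(ca *CA, leaf *x509.Certificate, now time.Time) error {
	if life := leaf.NotAfter.Sub(leaf.NotBefore); life > MaxLeafLifetime {
		return fmt.Errorf("validity %s exceeds ceiling %s", life, MaxLeafLifetime)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// NeedsRotation is true once less than remainingFraction of the window is left,
// so renewal runs well before expiry and a missed renewal fails closed at expiry.
func NeedsRotation(leaf *x509.Certificate, now time.Time, remainingFraction float64) bool {
	total := leaf.NotAfter.Sub(leaf.NotBefore)
	return leaf.NotAfter.Sub(now) < time.Duration(float64(total)*remainingFraction)
}
```

Issue a one-hour leaf with ca.Issue(&key.PublicKey, "laptop-0042", time.Hour, now): CheckLeaf passes at now and fails at now plus two hours with a plain expiry error, Issue refuses a 90-day request outright, and NeedsRotation flips to true once under a third of the hour remains. The post's point is visible in the types: nothing in the CA ever holds the device's private key, so there is nothing there to steal, and a leaf that is stolen is good for at most the ceiling.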

From smallstep.com (10 min read)
Table of contents
- The CVE feed was always a lagging indicator
- The assumption that breaks first
- What anchors when software does not
- Continuous trust, not periodic trust
- What this does not solve
- What this looks like in practice
