China’s AI zero-day push exposes U.S. testing gap
The hard part is no longer finding old bugs; it is making someone pay to fix them before deployment.
TL;DR
A Federal News Network commentary argues China-linked groups are pursuing AI-driven vulnerability discovery while the U.S. still lacks a pre-deployment security testing mandate for software running critical infrastructure. The piece cites Google Threat Intelligence Group’s reported disruption of an AI-assisted mass exploitation effort, an IDC projection of China’s AI cybersecurity market reaching $8.7 billion by 2030, and pressure on CISA staffing and funding. Treat the sourcing carefully: this is an argument for policy, not a new rule.
Federal News Network’s commentary is useful because it names the compliance gap more clearly than most AI policy coverage does: export controls and model access rules do not answer what happens when AI makes vulnerability discovery cheap, fast and continuous. The piece says Google Threat Intelligence Group reported an AI-assisted attempt to plan mass exploitation, and that China- and North Korea-linked groups are pursuing AI for vulnerability discovery. It also cites IDC’s projection that China’s AI cybersecurity market will reach $8.7 billion by 2030, a 37-fold increase from 2025.
For compliance teams, the operational point is narrower and more uncomfortable. The article argues the United States has no requirement for pre-deployment security testing of software running critical infrastructure, and that common regimes such as SOC 2 and FedRAMP test the existence of controls rather than whether deployed code can be exploited. That is partly the eternal compliance problem: paperwork can prove a process existed, but it cannot patch FreeBSD, FFmpeg or a Linux kernel bug.
CISA has been publishing AI security guidance, including a 2025 Joint Cyber Defense Collaborative playbook for voluntary AI incident and vulnerability sharing and a May 2026 joint guide on secure adoption of agentic AI systems, according to CISA releases at https://www.cisa.gov/news-events/news/cisa-jcdc-government-and-industry-partners-publish-ai-cybersecurity-collaboration-playbook and https://www.cisa.gov/news-events/news/cisa-us-and-international-partners-release-guide-secure-adoption-agentic-ai. Those are not nothing. They are also not a funded, mandatory mechanism for testing critical software before deployment and remediating the vulnerabilities AI tools surface afterward.
So the Monday-morning read is not “buy AI security.” It is inventory the software that cannot be patched quickly, decide whether any pre-deployment exploitability testing exists outside vendor assertion, and stop treating AI vulnerability discovery as a future risk. If the commentary’s premise is right, the discovery curve has already moved. The remediation machinery has not.
Published ·Deep Fathom