There is a number that every security leader should have front of mind right now, and most do not, because it has changed so dramatically in such a short period that the old mental model has not caught up with the new reality.

The average time between the public disclosure of a vulnerability and active exploitation in the wild has compressed from weeks to days across the most critical vulnerability categories. In some documented cases, particularly for vulnerabilities in widely deployed enterprise software, that window has closed to hours. The discovery-to-exploit compression is not a temporary condition of a particularly active threat period. It is a structural change in the threat environment driven by AI-enabled adversary tooling that can scan for, identify, and exploit vulnerable systems faster than human security teams running traditional workflows can respond.

Against that backdrop, the question facing every CISO and security leadership team is not whether their organization has vulnerabilities. Every organization of meaningful scale has exposures across a modern attack surface that is expanding faster than visibility controls can keep pace with. The question is whether they can identify which exposures represent genuine, prioritized risk and whether they can act on that identification fast enough for it to matter.

Tenable just announced new AI initiatives with Anthropic that go directly at that problem. Claude-powered workflows integrated into Tenable Hexa AI, the agentic engine of the Tenable One Exposure Management Platform, are designed to close the gap between exposure discovery and coordinated remediation action at the speed and scale that the current threat environment actually demands. Anthropic will also participate in EXPOSURE 2026 in Boston this week, where the industry is actively working through the implications of frontier AI for both cyber risk and cyber defense.

AI Workloads Are Expanding the Attack Surface Faster Than Visibility Can Adapt

The irony at the center of the current enterprise security challenge is that the same AI adoption driving productivity across business functions is simultaneously creating the attack surface expansion that security teams are struggling to monitor and manage.

Every AI workload introduced into an enterprise environment creates new exposure vectors. AI applications connect to data sources, APIs, and infrastructure components in ways that extend the attack surface beyond the boundaries that conventional asset management was designed to track. The models, the inference infrastructure, the data pipelines feeding them, and the integration points connecting them to enterprise systems all represent exposure categories that did not exist in most organizations’ security programs three years ago and that are now expanding faster than those programs can absorb.

The scale challenge is compounding simultaneously. Security teams are not just managing a larger attack surface. They are managing a larger attack surface against a threat actor population that has incorporated AI into its own tooling, enabling faster scanning, faster exploitation, and faster lateral movement than the adversary tradecraft that most security programs were designed to counter.

Mark Thurmond, Tenable’s co-CEO, described the resulting dynamic with the specificity it deserves: the volume of exposures is increasing, the time between discovery and exploit is shrinking, and security teams need a fundamentally different approach. That assessment is not hyperbole. It reflects a genuine discontinuity between the pace at which the threat environment is moving and the pace at which traditional security workflows, built for a slower, more predictable threat cadence, can respond.

The traditional vulnerability management model was designed around a cadence that no longer matches the threat environment. Scan. Prioritize. Ticket. Remediate. The cadence was acceptable when the exploitation window, measured in weeks, gave security teams time to work through that cycle. It is increasingly inadequate when that window measures in days or hours and the volume of exposures requiring prioritization exceeds what human-speed workflow coordination can process without AI augmentation.

Tenable’s response to that inadequacy is not to patch the traditional model at the margins. It is to rebuild the prioritization and remediation coordination layer around AI-native architecture where the speed of identifying, prioritizing, and orchestrating response to material exposures matches the speed at which those exposures become exploitable.

Exposure Management Is Evolving Toward AI-Native Risk Prioritization

Understanding what Tenable Hexa AI actually represents requires stepping back from the product description and examining the conceptual evolution it reflects in how exposure management works.

The exposure management discipline has been moving through a series of maturity stages that each represented a genuine advance over what came before and each of which eventually ran into the same limiting constraint: the volume of exposure data exceeds the analytical capacity of the approaches designed to process it.

First-generation vulnerability management was fundamentally a counting problem. Scan the environment. Identify CVEs. Patch them in order of CVSS score. The approach worked when attack surfaces were smaller, vulnerability databases were the primary threat intelligence source, and the gap between disclosure and exploitation gave security teams the time to work through prioritization manually.

The exposure management evolution that Tenable has been driving represents a more sophisticated framing of the same underlying problem. Exposure management recognizes that raw vulnerability counts and CVSS scores are inadequate prioritization signals in complex environments where the business context, the asset criticality, the actual exploitability in the specific environment, and the availability of compensating controls all affect which exposures represent genuine material risk. The Tenable One Exposure Management Platform combines native telemetry, third-party data, and Tenable Research insights through the Exposure Data Fabric to produce that richer prioritization context.

What Claude-powered workflows in Tenable Hexa AI add to that foundation is the agentic layer: the capability to move from prioritized exposure intelligence to coordinated action without requiring human-speed workflow processing at every step of the remediation coordination chain.

Jason Clinton, Anthropic’s Deputy CISO, framed the integration objective from the AI provider’s perspective: organizations need to integrate AI into their security programs, and the application of Claude’s capabilities to help customers better understand risk, prioritize action, and respond faster reflects exactly the use case where frontier AI capability and domain-specific security expertise need to work together rather than in parallel.

The Tenable Exposure Data Fabric is the data foundation that makes Claude’s application to this problem credible rather than generic. AI-powered risk prioritization without high-quality, contextually rich exposure data produces confident-sounding outputs that do not reliably reflect the actual risk landscape of the specific environment being protected. The combination of Tenable’s proprietary exposure intelligence, built from native telemetry and Tenable Research insights that represent decades of vulnerability and threat intelligence expertise, with Claude’s reasoning and orchestration capability is what enables AI-native prioritization that security teams can trust and act on rather than audit and second-guess.

The Claude-fueled R&D acceleration that Thurmond referenced is the less visible but equally consequential dimension of the partnership. Beyond the immediate Hexa AI integration, applying Claude across Tenable’s research and product development functions accelerates the exposure management roadmap in ways that compound over time, shortening the development cycles for new detection capabilities, new prioritization models, and new remediation coordination approaches that will define where the platform is in twelve and twenty-four months.

Security Teams Are Shifting From Reactive Vulnerability Management to Continuous AI-Assisted Exposure Governance

The third structural shift that the Tenable-Anthropic collaboration reflects is the most consequential for how security organizations are structured, staffed, and evaluated going forward: the transition from reactive vulnerability management to continuous AI-assisted exposure governance.

Reactive vulnerability management is the model that most security programs still operate under, even those that have adopted modern tooling. The fundamental rhythm is reactive: a scan identifies exposures, a team triages them, tickets are created, remediation is tracked, and the cycle repeats. The security team’s primary activity is responding to what has been found rather than maintaining continuous governance over the organization’s exposure posture.

That model has two structural limitations that become critical at the current scale and speed of the threat environment. First, it is inherently episodic: the organization’s understanding of its exposure posture is current only immediately after a scan cycle and degrades continuously between cycles as new assets are deployed, new vulnerabilities are disclosed, and the environment changes in ways that the last scan did not capture. Second, it places human analysts in the critical path of every prioritization and remediation coordination decision, creating a throughput constraint that limits response velocity regardless of how capable those analysts are individually.

AI-assisted exposure governance addresses both limitations simultaneously. Continuous monitoring that maintains a current picture of the exposure posture between scan cycles eliminates the episodic nature of the reactive model. Agentic workflows that can execute prioritization, remediation coordination, and response orchestration without requiring human intervention at every step eliminate the throughput constraint that human-speed processing imposes.

The governance framing is the important shift here. Governance implies continuous oversight rather than episodic response: the ongoing maintenance of an acceptable exposure posture rather than the reactive reduction of an exposure backlog. That continuous posture maintenance is what Tenable Hexa AI is designed to enable: an agentic engine that does not just identify risk but helps organizations reduce it through intelligent orchestration and automated action that operates at machine speed without sacrificing the contextual judgment that distinguishes genuine material risk from noise.

For CISOs making the case to boards and executive teams for AI-native security investment, the governance framing matters for a specific reason. Boards understand governance. They understand continuous oversight obligations. They understand the liability exposure that comes from demonstrable governance failures. Framing AI-assisted exposure management as a governance capability, one that enables the continuous, documented oversight of material cyber risk that boards are increasingly expected to demonstrate, connects security investment to the governance accountability framework that executive leadership already operates within.

The EXPOSURE 2026 participation by Anthropic signals that this framing is not just a product positioning choice. It reflects where the industry conversation about frontier AI and cyber risk is actually heading: toward the recognition that AI is simultaneously the most significant new risk category and the most powerful new defense capability, and that organizations navigating that duality need platforms and partnerships built specifically for that reality rather than adapted from frameworks designed before it existed.

What This Means for Security Programs Operating at Enterprise Scale

The security organizations that will benefit most immediately from the Tenable-Anthropic integration are those where the gap between exposure volume and remediation coordination capacity is most acute, which, in practice, means most large enterprises operating modern attack surfaces.

The exposure volume problem is not evenly distributed. Organizations with extensive cloud infrastructure, large third-party integration footprints, active M&A programs that continuously introduce new assets, and substantial AI workload adoption face an exposure management challenge that scales nonlinearly with organizational complexity. A security team that was adequately sized to manage the exposure volume of three years ago is typically understaffed relative to the current attack surface of the same organization, not because the team has shrunk but because the environment has grown faster than hiring can accommodate.

Agentic workflows that handle prioritization, remediation coordination, and exposure analysis without requiring human intervention at each step are not a replacement for security expertise. They are a force multiplier that allows existing security expertise to operate at the scale the current environment demands rather than being consumed by the workflow coordination overhead that manual approaches require.

The preemptive security framing that Thurmond used, strengthening preemptive security programs powered by agentic workflows, reflects a genuine strategic ambition that goes beyond efficiency improvement. Preemptive security is security that reduces the exploitable exposure before adversaries act on it rather than responding after exploitation has occurred. Achieving that at meaningful scale requires AI-native prioritization that can identify the exposures most likely to be exploited before the exploitation window closes, which is exactly the capability that Claude-powered workflows in Tenable Hexa AI are designed to deliver.

The threat environment is not going to slow down to accommodate security programs that have not yet made the transition from reactive vulnerability management to continuous AI-assisted exposure governance. The adversaries operating with AI-enabled tooling are not going to extend the exploitation window back to the weeks that traditional security workflows were designed for. The organizations that build the AI-native exposure management capability now, while the transition is a competitive choice rather than a survival requirement, are the ones that will have the institutional knowledge, the validated workflows, and the measured outcomes to demonstrate effective governance when the regulatory and board expectations around AI-assisted security mature to the point of mandate.

Research and Intelligence Sources: Tenable Holdings, Inc
