identity securityversionlesszero-daySaaScybersecurityAISailPoint

The Clock Is Ticking: Why Versionless Identity Security Is No Longer Optional

AI is collapsing the window to patch from five days to five minutes. In an era of AI-powered zero-days and supply chain attacks, your identity security vendor's update cadence is no longer a product detail — it's a risk decision.

Jeff Purrington ·

There is a quiet crisis unfolding in enterprise security, and most organizations are not moving fast enough to confront it.

On April 8, 2026, CrowdStrike Co-Founder and CEO George Kurtz sat down with Jim Cramer on CNBC’s Mad Money and delivered a warning that every CISO and C-suite executive should take personally: AI is now being used to find vulnerabilities at a scale and speed that has never existed before — and the window organizations have to respond is collapsing in real time. Where it once took an adversary roughly five days to build a working exploit after a vulnerability was disclosed, Kurtz warned that AI could compress that window to as little as five minutes.

Read that again. Five minutes.

That is not a future risk. That is the threat environment your organization is operating in today.

Zero-Days Are Not Edge Cases Anymore

Trend Micro’s Q1 2026 threat intelligence report, U.S. Public Sector Under Siege, underscores just how real this dynamic has become. The report documents a zero-day exploit for CVE-2026-21513 that appeared in the wild on January 30, 2026. Microsoft’s corresponding patch was not released until February 10 — eleven days later. Eleven days during which any organization running the affected software was fully exposed, regardless of how mature their security posture was, regardless of how diligent their security team. The vulnerability existed. The exploit existed. The patch did not.

The report makes something else clear: the threat landscape is not just getting more dangerous, it is getting more automated and more targeted. Ransomware groups are deploying AI-enhanced campaigns against government agencies, school districts, and critical infrastructure with a precision and velocity that human-operated attacks simply cannot match. The U.S. accounted for 130 of 251 global ransomware attacks against educational institutions in 2025 alone — a 27% increase year-over-year, with 3.9 million records exposed. The first quarter of 2026, per Trend Micro, represents “the most hostile cyber threat environment ever recorded.”

And critically: the risk is not limited to your own code. According to Chainguard’s supply chain security research, 91% of organizations surveyed reported experiencing software supply chain attacks in the previous 12 months — with 41% of those attacks originating from zero-day vulnerabilities in third-party code. The software your solution depends on is just as much an attack surface as the solution itself. This is the backdrop against which your identity security vendor’s update cadence either becomes your greatest asset or your most dangerous liability.

The Patch Queue Problem

Here is the hard question every security leader needs to ask of their identity security vendor right now: When a critical vulnerability is discovered — in your platform, or in a foundational technology your platform depends on — how fast can you get a fix to every customer?

For organizations running versioned, on-premises, or single-tenant software, the answer is almost always: not fast enough. Customers are queued. Upgrades require planning, testing, and downtime windows. IT teams are stretched. Some customers are three or four versions behind because the business simply could not absorb the disruption of an upgrade cycle. Meanwhile, the adversary is already in. And with 41% of supply chain attacks now exploiting zero-days in third-party dependencies, a vendor’s ability to rapidly patch not just their own codebase but their entire dependency stack is non-negotiable.

This is not a hypothetical failure mode — it is the structural reality of versioned software in a world where AI-powered attackers can go from vulnerability discovery to active exploitation in the time it takes your team to finish a morning standup.

Why Versionless Changes Everything

As I wrote in my recent piece on SailPoint’s blog, the shift to versionless, multi-tenant identity security architecture is not a feature — it is a fundamentally different relationship between a vendor and its customers in a crisis.

In a true versionless model, there is no version fragmentation. Every customer runs on a single, continuously evolving codebase. When a critical security fix is developed — whether it addresses the vendor’s own code or a third-party component buried in the dependency chain — it is deployed to every customer simultaneously, automatically, without requiring anyone to schedule an upgrade, open a ticket, or wait in line. The attack surface closes for the entire customer base at once.

Chainguard frames this well: resilience comes from preparation — minimal, hardened components, automated patching, and shortened exposure windows. Versionless architecture is precisely how an identity security vendor operationalizes that principle at scale, across thousands of enterprise customers, in real time.

Consider Log4Shell as the proof of concept. CVE-2021-44228, disclosed publicly on December 9, 2021, was a critical vulnerability in Apache Log4j 2 — a Java logging library embedded in hundreds of millions of systems worldwide, including components deep inside enterprise software stacks that organizations didn’t even know contained it. Rated a perfect 10.0 on the CVSS severity scale, the maximum possible score, Log4Shell enabled unauthenticated remote code execution: an attacker could take complete control of an affected system simply by triggering a log message. It had existed undetected since 2013. When it surfaced, the question wasn’t whether organizations were affected — virtually everyone running Java-based enterprise software was. The question was how fast their vendors could respond.

SailPoint answered that question in under six hours. Because of its versionless, multi-tenant architecture, SailPoint remediated Log4Shell across its entire customer base — more than 1,500 organizations — in less than six hours, with no customer action required. No upgrade tickets. No patch queues. No waiting.

Now consider what that same moment looked like for organizations running versioned software that had bundled Log4j. Apache itself released three successive patches in rapid sequence — 2.15.0, then 2.16.0, then 2.17.0 — as each fix revealed additional bypass vectors. But getting any of those patches applied wasn’t simply a matter of downloading a file. Enterprise software vendors first had to identify which versions of their own products contained which versions of Log4j, build and test a patch for each supported release branch, then publish it. Customers on older or out-of-support versions were effectively at the back of the line — or had no line at all. And even for customers whose vendor moved quickly, the patch still had to enter the organization’s change management process: assessment, testing, scheduling a maintenance window, coordinating a deployment. That is the queue. And while organizations worked their way through it, the exposure window stayed open. Adversaries did not wait.

That is the difference versionless architecture makes — not just in speed, but in the fundamental elimination of that queue entirely. That is what it means to respond with alacrity. Not a patch released on a quarterly cadence. Not a hotfix that requires customer coordination. A continuous, automatic, and immediate response to an always-evolving threat landscape — delivered at the speed the threat environment now demands.

Identity is the perimeter. It is the control plane for everything else in the enterprise — access, privilege, governance, compliance. A breach of your identity layer is not a recoverable incident you manage in the morning briefing. It is a systemic compromise. Which means your identity security solution cannot afford to be the slowest-moving piece of your security stack.

The Stakes Have Never Been Higher

George Kurtz is right. AI is going to find vulnerabilities that human researchers never would have found, and it is going to do it faster than any organization can reasonably track. Zero-days will happen. They will affect your software, or software your software depends on. That is not a question of if — it is a question of when, and more critically, how your vendor responds when it does.

The organizations that will be best positioned are not necessarily the ones with the biggest security budgets or the most sophisticated SOC teams. They are the ones whose vendors can move at machine speed — pushing fixes to every customer before the adversary has time to weaponize what they found.

Versionless identity security is not a luxury differentiator. In 2026, it is table stakes.

Ready to learn how SailPoint’s versionless, multi-tenant architecture keeps your organization protected at the speed today’s threat landscape demands? Explore SailPoint Identity Security Cloud or contact us for a demo.

Sources:

About the author

Jeff Purrington

Identity Strategist

25+ years in IT audit, cybersecurity controls, and identity governance. Practitioner perspectives on the controls, frameworks, and identity decisions that manage enterprise risk.