Navigating with Confidence

Why Project Glasswing feels like a digital COVID moment

When AI moves faster than defences, plans fail. Project Glasswing shows why boards must act urgently and demand real‑time understanding of exposure.


In brief

  • Risk has not changed, speed has. AI and digital ecosystems are collapsing the time between vulnerability and impact, outpacing traditional defences and decision cycles.
  • Boards must rethink resilience to ensure organisations can withstand future shocks. It should be engineered into operations, tested in real conditions, and treated as critical to organisational and national continuity.
  • Recovery speed, system design and tested continuity now define resilience, with implications for both organisations and national stability.

Boards are not confronting an entirely new category of risk. They are confronting the speed at which risk now turns into reality. Cloud, AI and digital ecosystems are reshaping how value is created and where exposure sits. In this environment, leaders need to look beyond opportunity and understand how risk is evolving across increasingly interconnected systems.

In April 2026, Anthropic announced Project Glasswing, a controlled release of a frontier model, Claude Mythos Preview, to a limited set of critical infrastructure and technology organisations. Early signals suggest that advanced AI systems are considerably shortening the time between vulnerability discovery and exploitation — from weeks to, in some cases, hours [1]. This marks a change in the threat landscape, one that many existing defensive frameworks were not designed to absorb.

When disruption tests the system, not the plan

COVID did not introduce risk, it revealed it. It showed how resilient societal systems were under stress. It exposed hidden dependencies, fragile supply chains and the speed at which disruption spreads across interconnected systems. The real lesson was not the event itself, but how systems behave when put under pressure.

Project Glasswing represents a similar moment in a digital context. Vulnerabilities can now be discovered and acted upon faster than organisations can respond using traditional processes [2].

The question for boards is no longer whether risk exists, but whether the organisation can continue to operate when disruption arrives faster than expected. Two shifts are happening at once.

First, speed. Known weaknesses are now identified and exploited in hours, not months. Second, the nature of risk itself is changing. AI is reshaping how organisations operate, with processes once overseen by people increasingly executed by software acting on the organisation’s behalf. This creates new points of exposure, including system configuration and how data is accessed and controlled.

At the same time, organisations are becoming more dependent on a small number of large technology and AI providers, creating significant concentration risk. The challenge is no longer what organisations do not know, but what they already know and cannot address quickly enough. Risk has not fundamentally changed. Its exposure has accelerated and its impact is now immediate, consequential and societal.

Why this has triggered global alarm

The significance of Project Glasswing lies in what it reveals about the pace of change. When vulnerabilities can be identified and exploited at machine speed, the window between exposure and impact collapses. What once took weeks or months can now unfold in minutes or seconds.

This is not an incremental change. It is a compression of time that fundamentally challenges how systems are designed, governed and operated. As time compresses, margins for error disappear. Organisations have less time to detect threats, less time to make decisions and less time to respond. At the same time, the likelihood of simultaneous disruption across multiple systems increases, amplifying systemic risk.


This is why governments are acting.

Across Europe, regulatory expectations are moving beyond a narrow focus on cybersecurity. NIS2 tightens requirements around digital security, while the Critical Entities Resilience Directive (CERD) widens the scope to include all types of disruption: cyber, physical, environmental and geopolitical. DORA introduces similar expectations for financial services, including direct oversight of critical third‑party providers.

Taken together, these regulations reflect a clear change in emphasis. The key question is no longer “are you secure?” but “can your systems keep running when disruption is prolonged or repeated?”

In practical terms, this means designing essential services to operate under pressure, fail safely and recover quickly. This way of thinking, which emphasises building resilience into systems from the outset rather than relying on reactive continuity controls, is what we describe as Resilience Engineered for a Resilient Nation.

From continuity to Resilience Engineered

For decades, continuity planning was built on the assumption that disruption would be limited and recovery largely predictable. That assumption no longer holds. Project Glasswing reframes resilience as something that is engineered into everyday operations, rather than documented in contingency plans and tested occasionally.

The critical measure is recovery velocity: how quickly essential services can be restored when disruption occurs.

For boards, the issue is no longer whether a plan exists, but a single strategic question: how much downtime can we tolerate and how fast can we realistically recover?

What transformation now requires

If multiple zero‑day vulnerabilities emerged today across your critical systems, the real question would not be how quickly they could be patched. It would be whether the organisation could continue to operate while that work was underway.

This points to a broader reality. As systems become more interconnected, disruption is unlikely to occur in isolation. It is far more likely to affect multiple systems at the same time. In this environment, resilience is not an added control or overlay. It is part of how the organisation functions day to day.

Adopting Resilience Engineered represents a fundamental change in operating model. It moves organisations beyond compliance‑led assurance. From there, it strengthens continuity through tested scenarios. It then embeds resilience directly into how systems are designed and run.

Ultimately, it leads to Sovereign Resilience Design, where organisational resilience supports national continuity. Making this work requires clear ownership below the board. There needs to be a willingness to invest for the long term and a shared view of how quickly the organisation must restore its most critical services.

A five-point plan for board oversight

  • Assume breach, design for continuity: Ensure critical services can operate even when systems are compromised. Resilience is measured by continuity and recovery, not by the absence of incidents.
  • Understand your AI dependencies: Identify where AI systems are critical to operations, decision‑making, and automation. Define acceptable disruption thresholds and recovery expectations when those systems fail or are manipulated.
  • Reduce exposure by addressing technical debt: Legacy and unpatched systems are not just inefficient, they are active sources of exposure. Boards should require continuous reduction of technical debt, including timely patching and configuration hygiene, because resilience begins with a shrinking attack surface.
  • Map critical dependencies: Understand reliance on key suppliers, platforms, models, and infrastructure. Resilience failures increasingly propagate across ecosystems, not single organisations.
  • Continuously test resilience: Look beyond plans and documentation to see how recovery and decision‑making actually perform under real conditions, including AI‑accelerated scenarios.

Summary

At an organisational level, Resilience Engineered provides a practical approach to building confidence that disruption can be anticipated and managed. At a national level, it becomes a policy imperative. A resilient nation is not one that avoids disruption, but one that continues to function when disruption occurs.

Project Glasswing is not a digital version of COVID, but it is a clear signal. Digital risk can now evolve faster and spread further than many organisations are prepared for. Meeting this challenge requires resilience to be built into systems, demonstrated in practice and continuously proven for today’s risks and those still to come.
