AI has fundamentally broken the economics of cybersecurity and exposure management, compressing exploit windows from days to minutes and forcing organizations to rethink how they inventory, prioritize and remediate risk across an attack surface that now includes cloud infrastructure, identities and AI workloads themselves.

The traditional approach — periodic scanning followed by manual patching cycles — can no longer keep pace with threats operating at machine speed. Exposure management has emerged as the organizing framework for security teams trying to move from reactive triage to proactive risk reduction, according to Jason Merrick (pictured, right), senior vice president of product at Tenable Holdings Inc.

“Exposure management is not a product,” Merrick said. “It’s a program. It’s not just looking at traditional IT infrastructure. It’s looking at cloud … it’s looking at identities … lacing it together in context within the organization and looking at the configuration, looking at [whether] it doesn’t have known CVEs on it … and then being able to go and highlight that and then be able to reduce that risk.”

Merrick and Mayank Upadhyay (left), chief security and trust officer at Snowflake Inc., spoke with theCUBE’s Dave Vellante and Rebecca Knight at Snowflake Summit 2026, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed how exposure management, data infrastructure and AI-era security practices are converging to reshape the enterprise security posture. (* Disclosure below.)

Exposure management at machine speed demands AI-native defense

As AI accelerates both attack and defense, the data foundation underpinning exposure management has become as important as the security tooling layered on top of it. Tenable chose Snowflake as its security data lake — part of its Tenable One platform — rather than build its own data pipeline, a decision driven by seven or eight acquisitions in nine years that left sprawling, siloed data estates, Merrick noted. The company’s newly launched Hexa agentic framework targets AI-driven remediation, automation and validation at the speed threats now demand.

“We’re moving to a model, from detection to preemption,” Merrick said. “We have to be able to help organizations understand the digital assets they’re responsible for across the attack surface … look for vulnerabilities, look for misconfigurations, look for toxic combinations, help with the orchestration and workflow necessary.”

Upadhyay pointed to the non-deterministic nature of agentic AI as the defining new attack surface. Agents wire their own execution sequences, making data paths fundamentally unpredictable — and uncontrollable through traditional means, he said. In response, Snowflake announced its intention to acquire Natoma, a company supporting more than 100 software-as-a-service applications, to create a managed control point — what Upadhyay called an “MCP gateway” — giving developers a paved road to AI services while giving security officers the observability they need.

“You have to use automation and AI to fight AI,” Upadhyay said. “That is the other big thing security teams have to be looking at right now.”

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the Snowflake Summit 2026 event:

(* Disclosure: TheCUBE is a paid media partner for Snowflake Summit. Sponsors of theCUBE’s event coverage do not have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE