UK government pilot uses frontier AI to identify cyber vulnerabilities but requires significant manual verification

A government AI pilot scanned code repositories, identifying 407 vulnerabilities for £13,000. Manual verification remains a major bottleneck for public sector teams.

Published on: Jun 15, 2026

The Government Cyber Coordination Centre (GC3) has published findings from a month-long pilot using frontier AI models to scan public code repositories across nine government organisations. The project identified 407 vulnerabilities at a cost of £13,000 in model usage, serving as an early indicator of the resource demands AI-driven cyber defence will place on public sector teams.

Manual verification bottlenecks

The report noted that every AI finding required manual verification by specialist teams from the AI Safety Institute (AISI) and the National Cyber Security Centre (NCSC). These specialists worked in person over four weeks, an effort that many organisations would find difficult to resource independently. The GC3 described the pilot as "a test of how government can adopt new capabilities responsibly, learn quickly, and share what works."

Effective deployment strategies

Teams achieved the best results when they used frontier models as tightly scoped components rather than pointing them directly at entire codebases. One team ran repositories through a six-stage agent pipeline where each stage challenged the previous one. Another approach layered AI analysis on top of traditional scanning tools to compose individual findings into potential attack paths.

Some departments codified these methods into reusable Claude Skills, creating an audit process that is repeatable and consistent across repositories. This approach shows that reusable, auditable tooling is crucial for making such activities sustainable rather than a one-off drain on specialist time.

The patching gap

The GC3 was candid that finding vulnerabilities and fixing them are not the same problem. AI-assisted patch generation remains immature, meaning all findings still had to enter existing patch pipelines. An increased flow of findings risks overwhelming patch management processes that are already under pressure.

As adversaries gain access to the same frontier models, vulnerabilities in open code repositories will increasingly be identified and exploited from both sides. Keeping pace will require continuous operation, which carries significant implications for organisational capacity, skills, and budget.

Why this matters for government professionals

Public sector security teams must prepare for continuous, AI-assisted scanning rather than periodic audits. The core challenge is no longer whether AI can find vulnerabilities, but whether agencies have the ongoing budget and personnel to verify and patch those findings before adversaries exploit them. Investing in reusable, auditable workflows is necessary to prevent specialist teams from being overwhelmed by automated alerts.
