Apple’s iOS update cycle overhaul: How security teams should react
Apple’s more rapid approach to patch releases follows a wider industry trend. What can security leaders do to keep up?
At the end of June, Apple released the iOS 26.5.2 update, containing a long list of security fixes. The timing of the update differed from Apple’s typical approach, which sees the iPhone maker issue mid-cycle patches for emergency security fixes or urgent bugs only.
Yet when iOS 26.5.2 was released, Apple told Reuters the move was part of an overhaul of its strategy as AI tools find vulnerabilities at scale. Indeed, some of the flaws patched in its update were found using AI, painting a clear picture of what security teams can expect in the future.
Apple is not the only vendor to supercharge its patch release cycle fuelled by AI-enabled vulnerability discovery. This June was Microsoft’s biggest Patch Tuesday ever, fixing over 200 bugs, while a recent Google Chrome patch fixed 400 issues in the browser.
As ITPro has already reported, patching velocity must increase as Anthropic’s frontier AI model Claude Mythos and others like it start to find flaws en masse.
But Apple’s accelerated release schedule highlights the impact on mobile devices – especially when part of a bring your own device (BYOD) policy. What can security leaders do to regain control?
Shrinking attack windows
Experts say shrinking attack windows are making patch management an urgent problem. The time between a flaw being discovered and weaponized is “falling dramatically” as AI tools “accelerate both research and exploitation”, says Tristan Shortland, CTO at Infinity Group.
“Traditional patch cycles that measured response times in weeks are increasingly at odds with a threat environment that moves in hours.”
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
With this in mind, most industry commentators see the move towards accelerated patch releases as positive. “From a risk perspective, I'd much rather see organizations patch quickly and in a controlled way than wait for monthly cycles and leave vulnerabilities sitting there, waiting to be exploited,” says Nathan Davies-Webb, principal consultant at Acumen Cyber.
Yet rapid patch release cycles add pressure in scenarios where employees use personal devices to access corporate networks. “Apple, Google and Microsoft can remind users to update, but they don’t always enforce it,” points out Jake Moore, global cybersecurity advisor at ESET.
For those that run BYOD policies, the impact of late patching could be vast, agrees Sriram Kakalara, chief product officer at Scalefusion. “Personal iPhones and iPads often access corporate apps and data from outside the IT team's direct control,” he warns.
More updates, less warning
Another challenge is the sheer number of mobile fleets to be updated. The trend towards increasing numbers of mobile device patches could be a problem for larger distributed organizations such as retailers, according to Kakalara.
“These might have thousands of devices running on iOS, and every accelerated release means pushing updates more often and with less warning,” he says.
He points out that many organizations “fail to scale their patching and access strategies as their endpoint estate expands, leaving known vulnerabilities unresolved”.
The onus is now on organizations to operate “faster and more efficiently”, he says.
Beyond simply deploying updates more rapidly, the challenge will be ensuring every endpoint has received them, adds Andy Ward, SVP International at Absolute Security.
“The rise of hybrid working over the last decade has made this increasingly difficult. Remote work and BYOD leave organizations with gaps in visibility that attackers can easily exploit. Every day a critical patch is delayed extends the window of opportunity for cybercriminals.”
While there’s no doubt AI can be beneficial in vulnerability discovery, the pressure on patching as a result of the constant flurry of security fixes is only going to get worse.
Shortland expects more vendors will follow Apple's lead, issuing patches more rapidly in line with vulnerability discovery. “AI is exposing vulnerabilities at a scale we've not seen before, which means the industry will have to move towards more continuous patching and risk-based remediation models, rather than relying on predictable release cadences.”
Security teams should treat Apple's move as “the new normal”, agrees Kakalara. “The precedent means patches can now arrive unexpectedly and without notice, so waiting for a scheduled maintenance window is no longer a viable strategy. Teams need to be on permanent alert, ready to test and deploy at speed.”
No more patch day
It might seem complex, but there are some simple steps security leaders can take to ensure fixes are applied as soon as they’re released, including to BYOD devices.
Rather than banning BYOD, Moore thinks the solution is implementing conditional access controls to ensure outdated devices can’t access company systems. “This means it becomes nearly impossible to have devices running outdated software.”
But at the same time, companies need to avoid treating every new flaw as an emergency. Instead, the focus should be on “what is actually being exploited – rather than what is possible”, Moore advises.
Ian Thornton-Trump, CISO at Inversion6, believes security leaders must make themselves aware of the size of their company’s attack surface, and be able to identify legacy devices “either properly supported by vendors, or unsupported”.
In tandem, Thornton-Trump outlines the importance of firms testing their own defences. “Prioritize red teaming and penetration testing to try and find weaknesses before bad guys do, and before security researchers encourage firms to respond.”
Moore recommends automated patching as an ideal scenario. “Long gone are the days where Tuesday was the patch day,” he says. “Manual processes were built for a far slower time, but as we shift into the AI era, we are going to have to adapt and evolve as quickly as the technology does.”
Davies-Webb concurs. He thinks the point has been reached where not using automatic patching “is becoming harder to justify”.
“There was a time when concerns around stability and functionality made organizations cautious about patching too quickly, but for most, the risk now sits firmly on the other side of the equation,” says Davies-Webb.
“AI is accelerating how quickly vulnerabilities are discovered and weaponized, which means organizations need to be reducing exposure as quickly as they can."
Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.
-
Jitterbit eyes global growth under new CRO Chris StoddardNews The former New Relic executive will lead the vendor’s worldwide go-to-market strategy and revenue growth plans
-
This one cyber crime group accounted for nearly a fifth of all ransomware attacks in JuneNews The Gentlemen, a ransomware a service operator, now accounts for 17% of published attacks