Two governance and strategic risk items converge on the same structural challenge: AI agents are being integrated into SOC operations (CrowdStrike Charlotte AI and AgentWorks via the OpenAI TAC program) without established permission scoping, audit logging, and human oversight controls, while simultaneously AI-enabled adversary capabilities are accelerating exploitation timelines to near-zero, invalidating CVSS-score-based patching workflows. Neither item involves a disclosed CVE; both require architecture and process changes rather than patch application.