This blog is part of a three-part series on how Adobe is evolving its security approach in the age of frontier AI, covering security fundamentals, product and infrastructure defenses, and supply chain risk. This is part 3 of the series; in part 1, we discussed why security fundamentals are important now more than ever in the age of frontier AI. In part 2, we explored how those principles are applied across Adobe products and systems.
As organizations strengthen how they secure their products in response to the evolution of AI’s capabilities, attention must also extend to the infrastructure and the broader supply chain ecosystem that supports modern software development.
In this post, we examine how Adobe is addressing risk across infrastructure, third-party components, and open-source dependencies. As AI accelerates vulnerability discovery, managing exposure across these interconnected systems becomes an increasingly important part of building resilient security programs.
Protecting the infrastructure where we host customer services
Modern cloud infrastructure changes constantly. New services are deployed, configurations evolve, and endpoints shift continuously across environments. As a result, organizations must also evolve how they monitor and validate infrastructure exposure.
We apply AI-assisted capabilities to generate detection logic and validation patterns that help assess real-world exposure across our internet-facing environments. These capabilities help teams identify configuration drift, exposed services, and potential vulnerabilities more efficiently.
For example, these approaches can help determine whether Adobe environments may be affected by newly discovered Common Vulnerabilities and Exposures (CVEs) in hours rather than waiting for the next scheduled scan cycle.
Virtual patching and layered mitigations
Real patching takes time — even with the best engineering teams operating at full capacity. Code changes need to be tested, validated, and deployed across global infrastructure. During that window, layered mitigations become especially important.
We’re investing in layered mitigation strategies, including virtual patching approaches, layered protections, and continuous monitoring capabilities to help reduce exposure during active remediation windows.
When a critical vulnerability is confirmed, AI-assisted capabilities can help teams deploy protections designed to block known exploitation patterns while engineering teams develop, validate, and deploy longer-term fixes. This layered approach helps reduce exposure during high-priority remediation efforts.
Building resilient infrastructure at scale is an ongoing operational effort that requires continuous investment, coordination, and adaptation as environments evolve.
Visibility and ownership matter
Another important lesson from our security work is that visibility and ownership matter. Unmaintained or unknown infrastructure can create significant risk if organizations lack clear inventory, accountability, and monitoring practices.
Across the industry, an abandoned staging environment that remains internet-reachable, a decommissioned service with lingering credentials, or unmanaged infrastructure outside active inventory processes can all increase exposure risk.
For enterprise leaders, foundational disciplines like infrastructure visibility, ownership accountability, and continuous monitoring remain essential. Organizations cannot secure systems they do not know they have.
As threat landscapes evolve, Adobe continues to invest in monitoring and detection capabilities designed to strengthen visibility into suspicious activity across complex production environments
Managing third-party and open-source risk
Modern enterprise software depends on a broad ecosystem of open-source libraries, frameworks, and third-party components. As AI accelerates vulnerability discovery, software supply chain security becomes even more important.
Adobe continues to invest in dependency management, continuous monitoring, and proactive security practices across the software lifecycle to help strengthen visibility into third-party risk.
Prioritizing Risk Based on Real Exposure
AI-assisted analysis is also changing how organizations prioritize vulnerabilities. Static severity scores alone do not always reflect real-world risk. The same vulnerability may present very different levels of exposure depending on deployment architecture, internet reachability, and surrounding controls.
This is why contextual prioritization, and layered mitigations remain important as organizations adapt to AI-accelerated threat environments. The goal is not simply to remediate vulnerabilities faster, but also to focus engineering resources on the issues that present the greatest practical risk.
Defense in Depth Across the Software Lifecycle
The reality of supply chain risk is that patches are not always immediately available. Upstream maintainers may require time to develop fixes, and enterprise deployments often require validation and testing before updates can be broadly deployed.
During those windows, defense in depth truly demonstrates its value.
We’re leaning into layered protections across the software lifecycle, including dependency scanning, sandboxing approaches, malware analysis and AI-assisted detection capabilities to help identify suspicious package behavior before it reaches production environments.
As with infrastructure security, the objective is to reduce exposure while remediation efforts are underway and strengthen resilience across increasingly complex software ecosystems.
Looking ahead
Like much of the industry, Adobe is continuing to learn how best to apply AI across security workflows. As frontier models evolve, so will the opportunities and challenges associated with using them responsibly and effectively.
We believe ongoing innovation and operational investment are essential to strengthening resilience in the age of frontier AI. AI raises the speed of threat discovery, but resilience still depends on visibility, accountability, and continuous monitoring.
At Adobe, this work is ongoing. Our focus remains on continuing to strengthen resilience, improve operational readiness and evolve alongside a rapidly changing threat landscape. Ultimately, these investments serve a single purpose: earning and keeping the trust of the customers who rely on us to protect their most valuable creative work, documents, and data.
