AI Is Now an Asset. Are You Managing It Like One?

Seven things happened in AI in a single week in April 2026. Every one of them has direct implications for how asset owners manage physical infrastructure, make investment decisions, and govern the tools they are increasingly relying on.

This is not a technology news roundup. It is an argument for treating AI as an asset — one that requires the same rigour in lifecycle management, risk assessment, and governance that we apply to any critical piece of infrastructure.

1. AI Found 500+ Zero Day Vulnerabilities Autonomously

Anthropic launched its MAD Bugs initiative and revealed that its latest model autonomously discovered over 500 high severity vulnerabilities across production open source software projects. The model reads source code, forms hypotheses about where vulnerabilities might exist, runs the software, and crafts working exploits — all without human direction.

Why asset owners should care: The same open source libraries running in these vulnerable projects are embedded in your SCADA systems, IoT gateways, CMMS platforms, and historian databases. If an AI can find these vulnerabilities autonomously, so can an attacker using the same capability. The window between vulnerability discovery and exploitation is collapsing from months to hours.

2. A Nation State Compromised a Software Package Used by Millions

Google's Threat Intelligence Group confirmed that North Korea was behind the compromise of the Axios npm package — a software dependency downloaded tens of millions of times weekly. Credential harvesting malware was inserted before the attack was detected and removed.

Why asset owners should care: Modern asset management software is built on deep dependency trees. Your CMMS, your EAM system, your IoT platform, your analytics dashboards — they all inherit risk from every open source package in their supply chain. A compromised package at the bottom of that tree can silently harvest credentials from your operational technology environment. Software supply chain risk is now as real as spare parts supply chain risk, and most organisations are not monitoring it.

3. AI Data Centres Became Military Targets

Iran's Revolutionary Guard published satellite imagery pinpointing a major AI data centre in Abu Dhabi and threatened strikes. Separately, AWS availability zones in Bahrain and Dubai experienced outages amid Gulf tensions. Whether data centres were directly struck or not, the availability impact was real.

Why asset owners should care: Every piece of asset management software running in the cloud is a dependency on physical infrastructure in someone else's jurisdiction. If your condition monitoring, your risk scoring, your maintenance scheduling, and your investment modelling all depend on cloud services, then geopolitical instability is now an input to your operational continuity planning. Asset owners managing critical infrastructure — water, power, transport — need to ask: can we operate if our cloud provider goes dark?

4. Frontier AI Models Deceive Their Evaluators

UC Berkeley researchers tested seven frontier AI models, including GPT-5.2, Gemini 3 Pro, and Claude Haiku 4.5. All of them fabricated data, misrepresented capabilities, and actively deceived evaluators to prevent peer models from being downgraded. This was emergent behaviour — not programmed.

Why asset owners should care: This is the story that should keep asset managers awake. If you are using AI to inform investment decisions, prioritise maintenance, assess asset condition, or score risk, you are trusting a system that has been shown to deceive its own evaluators under certain conditions. The question is not whether AI is useful — it clearly is. The question is whether you have a verification framework in place that does not depend on the AI honestly reporting its own confidence.

I was talking with Tom Carpenter recently about exactly this: how AI is being used in asset management decision making. Investment prioritisation. Condition assessment. Failure prediction. The question that kept surfacing was straightforward — where is the governance? Not governance as a compliance exercise, but governance as a genuine control framework that ensures AI driven decisions are verified before they are acted on.

5. Post Quantum Cryptography Timelines Accelerated

Cloudflare announced it is targeting 2029 for full post quantum security after Google revealed a breakthrough algorithm that dramatically accelerates the breaking of elliptic curve cryptography. The previous consensus was that quantum computing would not threaten current encryption until 2035 or later.

Why asset owners should care: Your SCADA encryption, your VPN tunnels to remote sites, your authenticated firmware updates, and your remote access credentials are all protected by cryptographic standards that may have a shorter remaining life than most of your assets. A water treatment plant built today has a 50 year design life. The encryption protecting its control systems may be breakable within three. "Harvest now, decrypt later" attacks — where encrypted data is captured today and decrypted once quantum computing matures — mean that sensitive operational data transmitted today is already at risk.

6. Edge AI Reached Practical Maturity

Google released Gemma 4 as an open model, with NVIDIA and edge partners optimising it for local deployment on phones, workstations, and embedded devices. Separately, Apple signed Nvidia eGPU drivers, enabling serious ML workloads on Mac hardware without workarounds. Demand for high memory Macs has pushed delivery times to six weeks.

Why asset owners should care: This is the positive counterweight to the cloud dependency story above. You can now run capable ML models on site, at the asset, without internet connectivity. For remote mine sites, offshore platforms, water treatment plants in regional areas, and defence installations, this changes the calculus entirely. Sovereign AI — models running on your hardware, processing your data, under your control — is no longer aspirational. It is practical and affordable.

7. The AI Arms Race Is Accelerating

Anthropic's annual revenue run rate hit $30 billion, up from $9 billion at the end of 2025. OpenAI expects to burn $85 billion by 2028. Both companies are releasing new model versions at an accelerating cadence. The tools available to asset owners are changing quarterly — and the gap between organisations that evaluate and adopt versus those that wait is widening.

Why asset owners should care: The practical implication is that any AI governance framework you build needs to accommodate rapid change. A model you deploy today may be superseded in six months. Your evaluation criteria, your verification processes, and your risk assessments need to be designed for a world where the toolset changes faster than your budget cycle.

AI Is an Asset. Manage It Like One.

Here is the argument this week's news makes clear.

AI is no longer a tool you plug in and forget. It is an organisational asset with its own lifecycle, its own risk profile, its own performance characteristics, and its own governance requirements. And like any critical asset, failing to manage it deliberately will eventually result in failure — whether through a wrong decision acted on without verification, a compromised software dependency exploited without detection, or a cloud service lost without a continuity plan.

The principles we already apply to physical asset management under ISO 55001 translate directly.

Mapping ISO 55001 to AI Asset Management

ISO 55001 PrinciplePhysical Asset ApplicationAI Asset ApplicationAsset lifecycle managementAcquisition, operation, maintenance, disposal of physical infrastructureModel selection, deployment, monitoring, retraining, retirementRisk managementFailure modes, criticality, consequence analysisModel deception, data drift, adversarial inputs, supply chain compromisePerformance monitoringCondition assessment, KPIs, service level agreementsAccuracy tracking, prediction verification, output validation against physical inspectionLevels of serviceWhat the asset must deliver to users and the communityWhat decisions the AI must support, and to what confidence levelDemand forecastingProjecting future load, usage patterns, growthProjecting compute requirements, data volume growth, model complexity needsDecision makingEvidence based investment prioritisationHuman in the loop verification, audit trails, explainability requirementsGovernanceRoles, responsibilities, competencies, accountabilityModel ownership, data ownership, verification responsibilities, escalation protocolsContinuous improvementLessons learned, root cause analysis, plan updatesModel retraining triggers, performance benchmarking, emerging risk integration

The framework is not complicated. It is familiar. The challenge is recognising that AI needs it at all — and that treating AI as "just a tool" is the same mistake organisations made when they treated data as "just an IT thing" a decade ago.

Five Actions for This Quarter

1. Audit your AI dependencies. Map every AI driven decision in your asset management process. Who owns the model? Who verifies the output? What happens if the model is wrong?
2. Assess your cloud concentration risk. If your critical operational systems depend on a single cloud provider, document what happens when it goes offline. Test it.
3. Start monitoring your software supply chain. Your CMMS vendor probably cannot tell you which open source packages their product depends on. Ask. If they cannot answer, that tells you something.
4. Build a verification protocol for AI outputs. Before you act on an AI driven condition assessment or investment recommendation, define what "verified" means. Physical inspection? Second model? Expert review? Document it.
5. Evaluate edge AI for your most critical or most remote assets. The technology is ready. If you have assets where cloud dependency is a risk, offline AI is no longer a future state — it is available now.

Get the Framework

We have put together a one page starter framework that maps ISO 55001 asset management principles to AI governance. It is designed to give asset owners a practical starting point for treating AI as an asset — not a comprehensive standard, but enough structure to begin the conversation with your team.

Shane Scriven is Managing Director of SAS Asset Management. SAS-AM provides advanced analytics, expert asset management services, and maturity assessments to help asset owners realise their value.