SnykSec for Snyk

Posted on DEV Community. Originally published at snyk.io

JPMorgan Just Published a Cyber To-Do List and Snyk Covers 8 of the 10 Items. How do you stack up?

Key takeaway

JPMorganChase's Global Technology Leadership published "Fortifying the enterprise: 10 actions to take now for AI-ready cyber resilience" on April 17, 2026. It reads as a to-do list for every large-enterprise CISO. Snyk directly addresses 8 of those 10 actions out of the box, in the developer workflow, on one platform.

Why this directive landed with a thud

When JPMorgan's global technology leadership publishes a public cyber checklist, security teams at large enterprises take notice. JPMorgan spends roughly $15 billion a year on technology and runs one of the most battle-tested security programs on the planet. When they say "do these 10 things," it lands less like advice and more like a preview of what regulators and boards will soon require.

The timing is no accident. AI is rapidly narrowing the window between a vulnerability's discovery and exploitation. Processes designed for quarterly release cycles are now a liability. The JPMC directive acknowledges this directly — as does Anthropic's companion security post from April 10, which describes AI models as increasingly effective at chaining known bugs into working exploits.

"Adversaries are scaling attacks, compressing the time from vulnerability discovery to exploitation, and increasing the volume of threats that enterprises face each day."

— JPMorganChase Global Technology Leadership, April 17, 2026

All 10 actions, explained simply

Here's what JPMorgan said, what it means in practice, and where Snyk fits.

1. Run the latest software versions

✅ Snyk helps

JPMC requirements: Stop using outdated open source packages and end-of-life libraries. Only use current, well-maintained releases from trusted repositories.

How Snyk helps: Snyk SCA continuously scans every open source dependency, flags outdated or vulnerable packages, and opens automated fix pull requests — at every commit, before anything ships.

2. Manage assets and software components

✅ Snyk helps

JPMC requirements: Know exactly what's in every application. Build a Software Bill of Materials (SBOM) for each one, enriched with who owns it and how critical it is.

How Snyk helps: Snyk generates SPDX and CycloneDX SBOMs for every application and container, maps all open source dependencies, and integrates with tools like ServiceNow and Jira for ownership tracking.
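As an added example (not Snyk's SBOM generator, and not code from the JPMC letter), the script below shows the minimum a team needs in order to hand Action 2 a CycloneDX document with the enrichment it asks for: a parser for a pinned Python requirements file and a writer that attaches owner and criticality through CycloneDX 1.5's name/value `properties` field. The requirements text, application name, owner and tier are constructed; the property names "owner" and "criticality" are this example's choice, not a CycloneDX taxonomy. It accepts only exact `==` pins and reports anything else rather than guessing a version, because an SBOM with a guessed version is worse than a build failure.

```python
"""Added example, not Snyk's SBOM generator: build a minimal CycloneDX 1.5
JSON SBOM from a pinned requirements.txt, carrying application owner and
criticality as CycloneDX `properties`. All sample data is constructed."""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample manifest. Only exact pins can be inventoried precisely.
REQUIREMENTS = """\
requests[security]==2.31.0
urllib3==2.0.7          # transitive pin kept explicit
flask>=2.0              # range: cannot be placed in an SBOM as-is
"""

PIN_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)"
)


def normalize(name: str) -> str:
    """PEP 503 name normalization, which is also what PyPI purls use."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text: str):
    """Return (pins, unpinned): pins as [(name, version)], unpinned as the
    raw requirement lines that carry no exact version."""
    pins, unpinned = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pins.append((normalize(m.group(1)), m.group(2)))
        else:
            unpinned.append(line)
    return pins, unpinned


def cyclonedx(app_name, app_version, owner, criticality, pins):
    """Assemble the SBOM dict. `properties` is CycloneDX's name/value
    extension point; the property names 'owner' and 'criticality' are
    this example's own choice, not a CycloneDX taxonomy."""
    components = [
        {
            "type": "library",
            "name": name,
            "version": version,
            "purl": f"pkg:pypi/{name}@{version}",
            "bom-ref": f"pkg:pypi/{name}@{version}",
        }
        for name, version in pins
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {
                "type": "application",
                "name": app_name,
                "version": app_version,
                "properties": [
                    {"name": "owner", "value": owner},
                    {"name": "criticality", "value": criticality},
                ],
            },
        },
        "components": components,
    }


if __name__ == "__main__":
    pins, unpinned = parse_pins(REQUIREMENTS)
    bom = cyclonedx("billing-api", "1.4.2", "payments-team", "tier-1", pins)
    print(json.dumps(bom, indent=2))
    if unpinned:
        # Fail the build rather than emit an SBOM that is silently incomplete.
        raise SystemExit(f"unpinned requirements, SBOM incomplete: {unpinned}")
```

The owner and criticality ride inside the SBOM itself so that whichever system consumes it (a ticketing integration, a vulnerability tracker) can route findings without a second lookup; a real pipeline would also emit the transitive closure from a lock file rather than a hand-pinned top level.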

3. Build a robust vulnerability management program

✅ Snyk helps

JPMC requirements: Fix known vulnerabilities in priority order — internet-facing systems first. Scan continuously, not quarterly. Factor in real-world exploit availability and CISA's Known Exploited Vulnerabilities (KEV) list.

How Snyk helps: Snyk scans every PR and build, prioritizes based on reachability and exploit maturity, natively ingests CISA KEV data, and uses Agent Fix to auto-generate remediation PRs that developers can accept with one click.
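The ordering Action 3 asks for (internet-facing first, known-exploited next, then real-world exploitability, with base severity only as a tiebreaker) is simple enough to state as a sort key, and doing so makes the policy auditable. The block below is an added example, not Snyk's prioritization engine or JPMC's policy: the KEV set is a hand-written stand-in for the CISA catalog feed, the findings and asset names are constructed, the CVE-0000-000x identifiers are placeholders, and the SLA day counts are illustrative values chosen for the example.

```python
"""Added example, not Snyk's prioritization engine: rank findings the way
Action 3 describes -- internet-facing assets first, then known-exploited
CVEs, then reachability and exploit maturity, with CVSS only as the
tiebreaker -- and derive a fix-by window from the same factors. The KEV set
is a hand-written stand-in for the CISA catalog feed, and the findings,
asset names and SLA values are constructed."""
from dataclasses import dataclass

# Stand-in for the CISA KEV catalog (the real feed is a JSON list of
# vulnerabilities; only the cveID field is needed here). Both IDs are
# genuine KEV entries: Log4Shell and the xz-utils backdoor.
KEV = {"CVE-2021-44228", "CVE-2024-3094"}

EXPLOIT_MATURITY = {"active": 3, "poc": 2, "unproven": 1, "none": 0}


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float             # CVSS base score
    internet_facing: bool   # asset reachable from the internet
    reachable: bool         # vulnerable code path reachable from the app
    exploit_maturity: str   # key of EXPLOIT_MATURITY


def priority(f: Finding, kev=KEV) -> tuple:
    """Sort key: a higher tuple is more urgent. Exposure outranks everything
    else because that is the ordering the directive states; a shop that
    wants KEV to outrank exposure swaps the first two elements."""
    return (
        f.internet_facing,
        f.cve in kev,
        f.reachable,
        EXPLOIT_MATURITY.get(f.exploit_maturity, 0),
        f.cvss,
    )


def rank(findings, kev=KEV):
    return sorted(findings, key=lambda f: priority(f, kev), reverse=True)


def sla_days(f: Finding, kev=KEV) -> int:
    """Remediation window. The day counts are illustrative policy values
    chosen for this example, not JPMC's or Snyk's."""
    exploited = f.cve in kev or f.exploit_maturity == "active"
    if f.internet_facing and exploited:
        return 2
    if exploited:
        return 7
    if f.cvss >= 9.0:
        return 14
    if f.cvss >= 7.0:
        return 30
    return 90


# Constructed findings. CVE-0000-000x are placeholders, not real IDs.
SAMPLE = [
    Finding("CVE-0000-0002", "batch-job", 6.5, False, True, "poc"),
    Finding("CVE-2024-3094", "build-runner", 10.0, False, True, "poc"),
    Finding("CVE-0000-0001", "web-api", 9.8, True, False, "none"),
    Finding("CVE-2021-44228", "web-api", 10.0, True, True, "active"),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{sla_days(f):>3}d  {f.cve:16} {f.asset:14} kev={f.cve in KEV}")
```

Note what the ordering does to the two CVSS 10.0 findings: Log4Shell on the exposed API sorts first, while the xz backdoor on an internal build runner sorts below a lower-scored but internet-facing issue. That is the directive's stated priority, and the tuple makes the trade-off explicit enough to argue about.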

4. Stress-test incident response plans

⚠️ Foundational

JPMC requirements: Run tabletop exercises and live simulations. Test backup and recovery. Include legal, comms, and business leaders — and close the gaps you find.

How Snyk helps: IR planning is a program function, not a code scanner's job. Snyk supports post-incident reviews through audit trails, exception tracking, SBOM lineage, and compliance reporting. Pair with a dedicated IR platform for the exercises themselves.

5. Know your SaaS and outsourced dependencies

✅ Snyk helps

JPMC requirements: Maintain a current register of every third-party service your critical systems depend on. Assess their security posture. Have an exit plan.

How Snyk helps: Snyk Evo AI-SPM inventories AI models, third-party AI services, agent frameworks, and MCP servers, extending supply chain visibility into the AI layer that most security teams still cannot see. Discovery data shows 28% of enterprises already run agentic AI in production, most of it invisible to their security teams. The rest of this action (the register of non-AI SaaS providers, their posture assessments, and exit plans) remains a third-party risk management function outside a code-scanning platform's scope.

6. Speed up change management

✅ Snyk helps

JPMC requirements: Know how long it takes a patch to reach production. Automate testing and staged rollouts. Make security scanning a built-in quality gate — not a separate bottleneck.

How Snyk helps: This is the core Snyk use case. Native integrations with GitHub, GitLab, Bitbucket, Azure DevOps, Jenkins, CircleCI, and more. Security gates run automatically at PR, build, and deploy. JPMC is describing, in their own words, the category Snyk created.

7. Aggressively filter outbound traffic

⚠️ Foundational

JPMC requirements: Default-deny outbound traffic from production environments. Only allow approved endpoints. JPMC notes that this single control would have substantially mitigated both Log4Shell and SolarWinds.

How Snyk helps: Network egress is enforced by firewalls and cloud network policy, not by code scanners. Snyk IaC, however, catches the misconfigurations that silently weaken those controls before they are applied: security-group egress rules open to 0.0.0.0/0 or ::/0 in Terraform, route tables that hand every private subnet a path to the internet through a NAT gateway, and Kubernetes namespaces that lack a default-deny egress NetworkPolicy.
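The check an IaC scanner runs for the first of those misconfigurations is small enough to show in full. The block below is an added example, not Snyk IaC's rule engine: it walks the JSON that `terraform show -json` emits for a plan and flags every AWS security-group egress rule whose destination is the whole internet. The plan document is constructed; the attribute names follow the AWS provider's schema for `aws_security_group`, `aws_security_group_rule` and `aws_vpc_security_group_egress_rule`, and it recurses into child modules because that is where a reused "allow all egress" module usually hides.

```python
"""Added example, not Snyk IaC's rule engine: walk a `terraform show -json`
plan and flag AWS security-group egress rules that allow traffic anywhere
(0.0.0.0/0 or ::/0), which is the misconfiguration that defeats a
default-deny egress posture. The plan document below is constructed;
attribute names follow the AWS provider schema for aws_security_group,
aws_security_group_rule and aws_vpc_security_group_egress_rule."""
import ipaddress

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")


def is_any(cidr: str) -> bool:
    """True for the all-hosts prefixes; malformed input is not 'any'."""
    try:
        return ipaddress.ip_network(cidr, strict=False) in (ANY_V4, ANY_V6)
    except ValueError:
        return False


def iter_resources(module: dict):
    """Depth-first over root_module and every nested child_modules entry."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def egress_rules(res: dict):
    """Yield (rule_attrs, cidr) for each egress destination a resource declares."""
    t, v = res["type"], res.get("values") or {}
    if t == "aws_security_group":
        for rule in v.get("egress") or []:
            for c in (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or []):
                yield rule, c
    elif t == "aws_security_group_rule" and v.get("type") == "egress":
        for c in (v.get("cidr_blocks") or []) + (v.get("ipv6_cidr_blocks") or []):
            yield v, c
    elif t == "aws_vpc_security_group_egress_rule":
        for c in (v.get("cidr_ipv4"), v.get("cidr_ipv6")):
            if c:
                yield v, c


def open_egress(plan: dict) -> list:
    """Return one finding per egress rule whose destination is everywhere."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        for rule, cidr in egress_rules(res):
            if is_any(cidr):
                findings.append({
                    "address": res["address"],
                    "cidr": cidr,
                    # aws_security_group uses `protocol`; the newer
                    # aws_vpc_security_group_egress_rule uses `ip_protocol`.
                    "protocol": rule.get("protocol") or rule.get("ip_protocol"),
                })
    return findings


# Constructed plan excerpt: one group with the classic allow-all egress block,
# one explicit rule scoped to a database subnet, and a child module that
# opens 443 to the whole internet.
PLAN = {
    "format_version": "1.2",
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_security_group.app", "type": "aws_security_group",
             "values": {"name": "app", "egress": [{
                 "from_port": 0, "to_port": 0, "protocol": "-1",
                 "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": ["::/0"]}]}},
            {"address": "aws_vpc_security_group_egress_rule.to_db",
             "type": "aws_vpc_security_group_egress_rule",
             "values": {"cidr_ipv4": "10.20.0.0/16", "cidr_ipv6": None,
                        "ip_protocol": "tcp", "from_port": 5432, "to_port": 5432}},
        ],
        "child_modules": [{"address": "module.batch", "resources": [
            {"address": "module.batch.aws_security_group_rule.https_out",
             "type": "aws_security_group_rule",
             "values": {"type": "egress", "protocol": "tcp", "from_port": 443,
                        "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]}},
        ]}],
    }},
}

if __name__ == "__main__":
    for f in open_egress(PLAN):
        print(f"OPEN EGRESS {f['address']} -> {f['cidr']} ({f['protocol']})")
```

The 443-only rule in the child module is flagged on purpose: "only approved endpoints" means the destination must be named, not just the port, and HTTPS to anywhere is exactly the path a callback or beacon uses. The scoped rule to the database prefix passes. Run against a real plan, the script exits non-zero on any finding and the pipeline treats that as a failed gate.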

8. Remove standing privileges

✅ Snyk helps

JPMC requirements: Eliminate persistent admin access. Use just-in-time entitlement. Require MFA and session recording. Pay special attention to service accounts — they're the most targeted.

How Snyk helps: PAM tools handle the identity plane: just-in-time entitlement, MFA, and session recording. Snyk handles the upstream of the problem: Snyk Secrets detection finds embedded credentials, API keys, cloud tokens, and SSH keys in code and containers before they merge, closing one of the most common ways a standing privilege leaks. A credential caught this way still has to be rotated, since a secret that reached a commit may already have been copied.
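To make concrete what "finds embedded credentials before they merge" involves, here is an added example of a pre-merge secret scanner; it is not Snyk Secrets and not code from the page. It pairs fixed-format patterns (an AWS access key ID, GitHub and Slack token prefixes, a PEM private-key header) with a Shannon-entropy test on opaque literals assigned to secret-looking names, which is how scanners catch credentials that have no recognizable format. The source lines it scans are constructed; `AKIAIOSFODNN7EXAMPLE` and its paired secret are the placeholder credentials AWS uses in its own documentation, not live keys.

```python
"""Added example, not Snyk Secrets: a pre-merge secret scanner that pairs
fixed-format credential patterns with a Shannon-entropy test on opaque
literals assigned to secret-looking names. The source lines are constructed;
AKIAIOSFODNN7EXAMPLE and its paired secret are the placeholder credentials
AWS uses in its own documentation, not live keys."""
import math
import re

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# An assignment of a quoted, whitespace-free literal of 16+ chars to a name
# containing secret/token/password/api_key. Group 2 is the literal.
ASSIGN_RE = re.compile(
    r"(?i)\b\w*(secret|token|passw(?:or)?d|api_?key)\w*\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]"
)


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan(text: str, entropy_threshold: float = 3.5):
    """Return [(line_no, rule, matched_text)] for every suspected secret.
    A line containing '# nosecret' is skipped: suppressions must be visible
    in the diff so reviewers can challenge them."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if "# nosecret" in line:
            continue
        for rule, pat in PATTERNS.items():
            for m in pat.finditer(line):
                hits.append((no, rule, m.group(0)))
        m = ASSIGN_RE.search(line)
        already = any(h[0] == no for h in hits)
        if m and not already and entropy(m.group(2)) >= entropy_threshold:
            hits.append((no, "high_entropy_assignment", m.group(2)))
    return hits


# Constructed input: two real leaks (one caught by format, one by entropy),
# a value read from the environment, a human-readable string and a path.
SAMPLE = '''\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = os.environ["DB_PASSWORD"]
TOKEN_TTL = "3600 seconds fallback"
ssh_key_path = "/home/deploy/.ssh/id_ed25519"
'''

if __name__ == "__main__":
    for no, rule, text in scan(SAMPLE):
        print(f"line {no}: {rule}: {text[:4]}...")   # never echo the full secret
```

The AWS secret access key has no recognizable prefix, so only the entropy rule catches it; the whitespace requirement is what keeps the readable string on line 4 from tripping the same rule, since English prose of that length can exceed 3.5 bits per character too. The environment lookup on line 3 and the key path on line 5 are the patterns developers should be writing and are not flagged.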

9. Manage remote access and segment networks

✅ Snyk helps

JPMC requirements: Require MFA for all remote access. Segment environments by trust level. Authenticate every system-to-system connection. Test with red team exercises.

How Snyk helps: Snyk IaC validates zero-trust and segmentation controls as code (VPC peering, private endpoints, service mesh mTLS, network ACLs, and firewall rules) at merge time, so a change that would weaken segmentation is caught before it is deployed rather than after a red team finds it. Changes made outside the pipeline are a separate problem: comparing the deployed network against the declared policy requires drift detection against the live environment, which PR scanning alone does not provide.

10. Embed security into AI development and deployment

✅ Snyk helps

JPMC requirements: Threat-model AI systems. Treat AI models and training data as high-value assets. Validate AI-generated code the same way you'd validate human-written code. Red-team for prompt injection and data poisoning.

How Snyk helps: Snyk Evo delivers the full AI security lifecycle: Agent Scan (scan AI-generated code), Snyk Studio (secure-by-default guardrails for coding agents like Cursor, Claude Code, Copilot), AI-SPM (model and agent inventory), Agent Red Teaming (adversarial testing for prompt injection), and MCP/agent supply chain security.

Why this is more urgent than it looks

The JPMC directive wasn't written in a vacuum. It's a direct response to AI changing the economics of cyberattacks. “We need to know that we can release it safely, and it’s not exactly clear how we can do that with full confidence,” said Logan Graham, the head of Anthropic’s Frontier Red Team, which evaluates AI for risks.

Both documents land on the same conclusion: defenders must use AI at the code level, continuously, at the speed of change. Quarterly scans and manual triage simply won't keep pace with automated exploitation at scale.

External research reinforces the stakes: BaxBench (ETH Zurich, UC Berkeley, 2025) found that 62% of frontier LLM-generated backend code is incorrect or insecure. As teams lean more heavily on coding agents, the volume of security issues entering codebases rises with it, unless every generated change is scanned before it merges.

How to operationalize this in 90 days

If you're a security team that needs to demonstrate progress against the JPMC 10, here's a practical phased approach:

Days 1–30: Close the most urgent code gaps. Deploy Snyk Open Source, Snyk Code, and Snyk Secrets across your top 25 revenue-critical applications. Covers Actions 1, 2, 3, and the secrets portion of Action 8.

Days 31–60: Extend to cloud infrastructure. Roll out Snyk IaC across production cloud accounts. Covers Actions 6 and 9, and the misconfiguration side of Action 7, catching issues before they reach runtime.

Days 61–90: Secure the AI development layer. Deploy Evo AI-SPM, Agent Scan, and Snyk Studio guardrails across active coding-agent deployments. Covers Actions 5 and 10. By day 90, 8 of 10 Actions are instrumented on one control plane.

JPMorganChase published the mandate, and Anthropic published the mechanics behind why it's urgent. Snyk is the platform that operationalizes both — natively in the developer workflow, across 8 of the 10 actions — at the speed AI is now generating code.

If you're a CISO, AppSec lead, or procurement owner mapping vendors to the JPMC 10, the action-by-action mapping above is your RFP foundation. If you're a security team preparing for an order-of-magnitude increase in vulnerability volume, Snyk is the platform already instrumented for it.
