IBM and Red Hat Move Project Lightwell to Commercial Launch, Warning AI Security Risks are a “Wake Up Call” for CX Leaders

Project Lightwell’s commercial launch reflects a new enterprise CX security reality as frontier AI accelerates vulnerabilities, attacks and remediation pressure

8
Security, Privacy & ComplianceInterview

Published: July 13, 2026

Nicole Willing

When Red Hat and IBM first introduced Project Lightwell in late May, it was framed as a response to a fast-changing AI security landscape. Just weeks later, the initiative has moved from concept to commercial availability, a rapid expansion that reflects how quickly frontier AI risks are reshaping enterprise security priorities.

The initiative, which the companies announced on May 28, was launched commercially on July 8 and has early customers using the service.

Brian Gracely, Senior Director of Portfolio Strategy at Red Hat, told CX Today in an interview that the pace is not accidental. As AI accelerates software development and threat activity, security programs that once evolved over quarters or years now need to move in weeks.

“The service has moved very quickly,” Gracely said. “We’ve gotten a lot of really good input from the market in terms of the nuances of how content is handled, how embargoes work.”

For enterprises, and particularly for customer experience leaders increasingly responsible for AI-powered customer journeys, the launch is a signal that security can no longer sit at the edge of digital transformation.

As AI becomes embedded in contact centers, self-service, automation, analytics and customer data environments, the risk profile around CX technology is expanding just as quickly.

The Enterprise Security Model Has to Change

The first requirement for enterprises is acceptance that AI has changed the operating environment, regardless of whether organizations feel ready, Gracely said.

“The reality is attackers don’t really care about your opinion, your emotions around it. They’re looking at it as ‘this makes my life easier, this makes my life faster in terms of being able to break into things or steal things or create situations that are advantageous to them.”

Enterprises need to recognize the seriousness of the shift, Gracely added.

“This is very much a moment that the enterprise needs to look at themselves and say, ‘I need to recognize this is this is a problem. This is the new world that we live in.”

The second step is a hard assessment of current response times. Even when patches for vulnerabilities are available, enterprise security cycles need to adjust to the speed with which AI can move. Gracely described the challenge enterprises face, as many organizations cannot deploy fixes quickly enough.

“The reality for most enterprise customers is the amount of time it takes them to get from getting that patch to getting it into their systems that are live, oftentimes takes quite a long time, 40 days, 50 days, 90 days,” Gracely noted. “When the volume of of vulnerabilities is growing, obviously because of AI tools and the amount of software being written, and the velocity of them is growing, now we run into a bottleneck in which we can get customers fixes and patches, but if they’re not able to get them put into their systems fast enough, they leave themselves with the same vulnerabilities.”

That lag is becoming more dangerous in an AI-driven environment. The central commercial and operational pressure behind Project Lightwell’s launch is that AI is compressing timelines. Enterprises cannot assume that security processes designed for a slower software era will be sufficient.

That makes the “patch to production challenge” gap that Gracely described a customer trust problem.

“The marketplace isn’t going to say, ‘Well, I’m sure you’re trying really hard, but you know we’ll get there,’” Gracely added.

For CX teams, that bottleneck poses a substantial risk. Customer-facing systems often sit across complex technology stacks incorporating CRM platforms, contact center software, chatbots, identity tools, payment systems, analytics platforms and integrations with third-party applications. A vulnerability in one area can have consequences across the customer journey.

A CX Wake-Up Call on Technical Debt

Project Lightwell’s AI-driven automation pipeline combines frontier and open-source AI models with human engineering expertise that is designed to help enterprises identify patch and remediate vulnerabilities embedded deep within open-source software. The launch comes as tools powered by frontier AI models are increasing both the volume of code being created and the speed at which vulnerabilities can be exploited.

The initiative delivers automated vulnerability remediation through two offerings: Lightwell Network and Lightwell Clearinghouse Premier. Available now, Lightwell Network gives enterprises access to a launch catalog of more than 6,500 remediated, digitally signed and certified application-layer dependencies across major ecosystems, including Java and Python. Lightwell Clearinghouse Premier has entered limited availability, serving as an intermediary for secured patch embargoes and vertical threat coordination.

One of the strongest messages from the Lightwell launch is that traditional enterprise upgrade cycles may no longer be compatible with AI-era risk. Many customer experience environments have accumulated technical debt over time. Legacy contact center infrastructure, customized CRM workflows, ageing integrations and manually managed systems can all slow down response times when vulnerabilities emerge.

There is a sense of frustration among security professionals that the warnings they have been sounding for several years have gone unheeded.

“This is something that vendors and security companies have been talking about for a long time,” Gracely said. “It’s technical debt that has been accruing… the bill on your technical debt is coming due.”

However, AI is turning that long-standing issue into an immediate concern.

“This is becoming very much a wake-up call for companies that have ignored that or felt like they don’t really need to do those things.”

Customer experience teams have often prioritized speed, convenience and personalization, sometimes layering new tools on top of old infrastructure to deliver better digital journeys. But as AI increases the pace of attack, slow-moving back-end systems can undermine front-end innovation.

Gracely stressed that this is part of a broader shift in how enterprises must think about AI risk, adding that the urgency “isn’t specific to Lightwell. It’s the nature of the give and take of Al.”

AI can improve productivity and help enterprises respond faster, but attackers have access to the same acceleration.

“It can be a really powerful tool in terms of helping them,” Gracely said. “But at the same time, where they’re playing defense, the people playing offense against them also have those tools.”

That dynamic is changing the expectations around enterprise CX. If an AI-powered customer platform can be deployed quickly, then the security model around it must be able to adapt just as quickly. Enterprises “have to be conscious” of the new threat in the marketplace,” Gracely warned.

While the release of frontier models like Anthropic’s Mythos and Fable are drawing attention to the potential threats posed by advanced AI capabilities, Gracely pointed out that AI poses a broader risk.

“Hackers have been using the pre-Mythos, the pre-OpenAl tools to do this anyway,” Gracely said. “Mythos has been the headline that has woken everybody up.”

AI is already being used to automate parts of the attack chain and enterprises need to assume that customer-facing systems will be tested by faster, cheaper and more scalable adversarial activity.

Project Lightwell Expands Through Partners to Address the Scale of AI Security Challenges

The commercial launch of Project Lightwell is supported by a growing partner ecosystem, including systems integrators and technology partners. Gracely said partners fall into several categories, beginning with design partners helping shape the service.

Systems integrator partners, including Deloitte, are expected to play a major role in helping enterprises close the operational gap between receiving a fix and deploying it. These partners may help organizations assess security processes, automate manual steps, and improve deployment readiness. According to Gracely, the opportunity is not only technical but operational.

“Whether they do security assessments with companies, whether they look at process and figure out, okay, are we automating enough? Are we looking at the steps that are in place to do that?”

Technology partners also have a role to play, particularly when enterprises cannot immediately change application code. Gracely pointed to Palo Alto Networks as an example of how network-level mitigations may help organizations reduce exposure while they work through internal deployment cycles.

“There will be a number of other companies like that,” he said. “What their role really becomes is in that same vein that we can provide a patch, but we still have to get it into production.”

In some cases, enterprises may face business freezes, seasonal lockdowns or complex dependencies that prevent fast software changes.

“This is where companies like Palo Alto, and there will be others, can do things at the network level,” Gracely explained. “They can make changes to firewalls and access lists and other mitigations that don’t involve touching the application or the application code, but still provide a level of protection for those customers.”

Gracely said Project Lightwell has taken a lesson from the collaborative approach taken by the financial services industry:

“The idea that any single entity isn’t going to be able to defend themselves against these new tools that are cheaper and can be highly automated.”

That is why Lightwell’s clearinghouse approach is central to its proposition.

“Not only does it bring together knowledge from end customers as early detection systems, but it allows us to scale our ability to fix them quickly.”

Competition, Consolidation, and the Emerging AI Security Marketplace

Project Lightwell is not launching in isolation. Other initiatives are also emerging to tackle AI-related cybersecurity challenges. Gracely welcomed that competition, arguing that it can ultimately improve outcomes for customers.

“Competition in the marketplace is always good,” Gracely said. “It leads to better outcomes for customers.”

Gracely acknowledged that the growing number of initiatives may create some short-term confusion for enterprises evaluating their options. However, the market will likely mature over time.

“We expect that the marketplace will go through its normal sorts of consolidation,” Gracely said. “Whether that’s groups working together or some groups realizing they don’t have the size and scale to offer something efficient in the market.”

The scale that Red Hat and IBM bring to Project Lightwell is a core part of the pitch. Gracely said the companies believe they have the expertise, ecosystem and open-source relationships needed to make the initiative effective. “This is very adjacent to things that we do today.”

Gracely also emphasized the importance of strengthening open-source foundations, rather than simply offering a commercial service on top.

“[Customers] like the fact that we’re not just providing them a service, but we’re also reinforcing the underlying open-source projects,” Gracely said. “Everything that we find is going back into open source. That makes the foundation stronger.”

Gracely described AI as a market inflection point that should prompt enterprises to rethink how they operate. “The way that we got here wasn’t necessarily dictated by Al, but Al’s here.”

Executives and technical teams alike are pushing for change.

“We’re seeing both top-down executive importance being placed on this, we’re seeing bottom-up technicians, technical staff, operations teams saying, you know, we need solutions for this right away,” Gracely added.

For CX organizations, that means security must become part of customer experience strategy, especially as AI becomes more deeply embedded in customer interactions.

As Gracely put it, the first step is “acceptance of this new reality.”

“The things that we’ve done in the past aren’t necessarily going to be efficient or effective in the going forward,” he said. “Some new thinking is very much going to be needed in the space.”

AI AgentsArtificial IntelligenceSecurity and Compliance
Featured

Share This Post