US officials are considering reducing the mandatory deadline for patching actively exploited vulnerabilities from two-to-three weeks to three days, according to sources reported May 1. AI-assisted tools have compressed exploitation timelines from months to hours in some cases. CISA applied a three-day patch window in February for a critical BeyondTrust flaw, treating it as a precedent. Industry experts caution a blanket three-day standard is operationally infeasible for many organizations.