Automated Vulnerability Governance: Integrating AI-Driven Risk Mitigation and DevSecOps in High-Scale Cloud Infrastructures
Keywords: Vulnerability Management, DevSecOps, Cloud Security, Artificial Intelligence

Abstract
As enterprise infrastructures expand into hybrid cloud and IoT environments, traditional vulnerability management (VM) strategies struggle to remain effective. The sheer volume of assets (often exceeding 100,000 endpoints) generates a flood of alert noise that overwhelms security operations centers.
Objective: This study aims to develop and evaluate an integrated framework, the Intelligent Vulnerability Orchestration Model (IVOM), which leverages Artificial Intelligence (AI) and DevSecOps principles to automate the lifecycle of vulnerability detection, prioritization, and remediation.
Method: We synthesized current regulatory standards, including CISA’s Secure by Design and NIST’s Secure Software Development Framework (SSDF), with advanced machine learning perspectives. The IVOM framework was designed to utilize predictive algorithms for risk scoring and automated pipelines for patch deployment.
Results: The analysis suggests that integrating AI-driven prioritization significantly reduces false positive rates compared to static scanning methods. Furthermore, embedding security testing into the CI/CD pipeline (DevSecOps) demonstrates a theoretical reduction in Mean Time to Remediate (MTTR) by bridging the operational silo between security and engineering teams.
Conclusion: The transition to automated, AI-enhanced vulnerability governance is not merely a technical upgrade but a strategic necessity for maintaining resilience in high-scale environments. Future efforts must focus on the explainability of AI decisions in compliance-heavy sectors.
References
Rajgopal, P. R., Bhushan, B., & Bhatti, A. (2025). Vulnerability Management at Scale: Automated Frameworks for 100K+ Asset Environments. Utilitas Mathematica, 122(2), 897–925.
CISA. (2024). Secure by Design. https://www.cisa.gov/securebydesign (accessed 10 July 2025).
Khan, R. A., Khan, S. U., Khan, H. U., & Ilyas, M. (2022). Systematic literature review on security risks and its practices in secure software development. IEEE Access, 10, 5456–5481.
Souppaya, M., Scarfone, K., & Dodson, D. (2022). Secure Software Development Framework (SSDF) version 1.1. NIST Special Publication 800-218.
Mughal, A. A. (2019). Cybersecurity Hygiene in the Era of Internet of Things (IoT): Best Practices and Challenges. Applied Research in Artificial Intelligence and Cloud Computing, 2(1), 1–31.
Rajapakse, R. N., Zahedi, M., Babar, M. A., & Shen, H. (2022). Challenges and solutions when adopting DevSecOps: A systematic review. Information and Software Technology, 141, 106700.
Dalalana Bertoglio, D., & Zorzo, A. F. (2017). Overview and open issues on penetration test. Journal of the Brazilian Computer Society, 23, 1–16.
Scarfone, K., Souppaya, M., Cody, A., & Orebaugh, A. (2008). Technical guide to information security testing and assessment. NIST Special Publication 800-115, 2–25.
Awodiji, T. O. (2022). Malicious Malware Detection Using Machine Learning Perspectives. Journal of Information Engineering and Applications, 12(2), 10–17.
Seaman, J. (2020). PCI DSS: An integrated data security standard guide. Apress.
Williams, B., & Adamson, J. (2022). PCI Compliance: Understand and implement effective PCI data security standard compliance. CRC Press.
Parker, M. (2020). Healthcare Regulations, Threats, and their Impact on Cybersecurity. In Cybersecurity for Information Professionals (pp. 173–202). Auerbach Publications.
Saka, A., Taiwo, R., Saka, N., Salami, B. A., Ajayi, S., Akande, K., & Kazemi, H. (2023). GPT models in construction industry: Opportunities, limitations, and a use case validation. Developments in the Built Environment, 100300.
Foster, L., & Bryant, R. (2010). AI-driven Approaches for Vulnerability Management. International Journal of Security and Privacy, 16(1), 56–67. doi:10.4018/IJSP.2010010105
Murphy, A., & Hill, P. (2012). AI Solutions for Threat Mitigation. Journal of Information Technology Research, 18(3), 123–135. doi:10.4018/jitr.2012070107
Vaka, D. K. (2020). Navigating Uncertainty: The Power of 'Just in Time' SAP for Supply Chain Dynamics. Journal of Technological Innovations, 1(2).
Shaw, H., & Andrews, D. (2018). AI-driven Vulnerability Management: Case Studies. Journal of Security Technologies, 14(4), 234–245. doi:10.1109/JST.2018.4567890
Gordon, A. (2016). The Hybrid Cloud Security Professional. IEEE Cloud Computing, 3(1), 82–86.
Kulkarni, G., et al. (2012). Cloud Security Challenges. In 2012 7th International Conference on Telecommunication Systems, Services, and Applications (TSSA), Denpasar-Bali, Indonesia (pp. 88–91).
Kozlovszky, M. (2016). Cloud Security Monitoring and Vulnerability Management. In Critical Infrastructure Protection Research (pp. 123–139).
Mehmood, M., et al. (2023). Privilege Escalation Attack Detection and Mitigation in Cloud Using Machine Learning. IEEE Access, 11, 46561–46576.
Parlapalli, V., et al. (2023). Enhancing Cybersecurity: A Deep Dive into Augmented Intelligence Through Machine Learning and Image Processing. In 2023 International Workshop on Artificial Intelligence and Image Processing (IWAIIP), Yogyakarta, Indonesia (pp. 96–100).
El-Yahyaoui, A., & Ech-Chrif El Kettani, M. D. (2018). Data Privacy in Cloud Computing. In 2018 4th International Conference on Computer and Technology Applications (ICCTA), Istanbul, Turkey (pp. 25–28).
Gurung, A. (2021). Data Security and Privacy in Cloud Computing Focused on Transportation Sector with the Aid of Block Chain Approach. In 2021 6th International Conference on Innovative Technology in Intelligent System and Industrial Applications (CITISIA), Sydney, Australia (pp. 1–9).
Shi, Y. (2018). Data Security and Privacy Protection in Public Cloud. In 2018 IEEE International Conference on Big Data (Big Data), WA, USA (pp. 4812–4819).
Bou Nassif, A., et al. (2021). Machine Learning for Cloud Security: A Systematic Review. IEEE Access, 9, 20717–20735.
License
Copyright (c) 2025 Kenji T. Morikawa (Author)

This work is licensed under a Creative Commons Attribution 4.0 International License.