If system security has always rewarded those who run faster, 622 is the new pace record. July brought the bulkiest Patch Tuesday in Microsoft's history: 622 vulnerabilities fixed in a single cycle, more than triple the already impressive tally of June. According to the Redmond company, this leap has a specific culprit: artificial intelligence.

Behind this figure lies more than a statistical milestone; it signals a methodological shift. Internal security teams are increasingly using LLMs to analyze code, identify subtle patterns, and unearth bugs that would escape human eyes. The data point is consequential: if AI has become the engine of vulnerability discovery, the question is what happens to those who – by regulation or strategic choice – cannot send their source code to someone else's cloud service.

The paradox is immediate. Microsoft demonstrates that language models can sift through millions of lines of code with a speed and accuracy that traditional static tools cannot match. Yet a company developing proprietary software, a financial institution, or a defense agency cannot simply copy the recipe: uploading its code to a cloud endpoint would violate data residency policies, breach contractual clauses, or, in extreme cases, expose trade secrets. The effectiveness of AI-powered security thus collides with data sovereignty.

Infrastructure as the answer

From this tension emerges the push toward on-premise deployment of the AI scanning pipeline. The alternative is clear: bring the models inside the corporate perimeter. This means acquiring hardware capable of running inference on LLMs trained for code review, often models with tens of billions of parameters requiring GPUs with high VRAM and memory bandwidth. It's not just about buying cards: the entire stack – from container orchestration to managing quantized weights – must be designed to deliver acceptable latency and sustainable operational costs.

The impact on Total Cost of Ownership (TCO) becomes a decisive factor. While self-hosting eliminates the variable expense of cloud APIs, it demands an upfront investment in hardware and internal expertise. But for organizations handling sensitive intellectual property, this equation is tilting increasingly toward direct control. Microsoft's record acts as an unintended proof of concept: if your competitor uses AI to close vulnerabilities at record speed, you can't afford to fall behind – and you can't afford to give away your code's confidentiality.

It's no coincidence that interest is growing in inference frameworks optimized for local deployments, capable of squeezing models even on high-end consumer hardware or multi-GPU workstations. Quantization plays a key role: dropping from FP16 to INT8, or even 4-bit, allows a code-analysis LLM to run on a machine with 48 GB of VRAM, a threshold now achievable without setting up a dedicated datacenter. This democratization of hardware rebalances the field, making on-premise adoption plausible even for mid-sized organizations.

Beyond the patch, a structural effect

The Redmond news is not just a record-setting headline. It is accelerating a phenomenon already underway: the need to complement traditional security tools with an AI layer, but with the guarantee that data remains under lock and key. Cybersecurity vendors are already integrating local models into their appliances, and internal teams are starting to experiment with vulnerability detection pipelines based on open-source LLMs such as those from the Llama or Mistral families, run entirely on corporate servers.

Who loses in this transition? Cloud-only services that offer no on-premise counterpart risk being shut out of the most regulated sectors. And who wins? Manufacturers of accelerated inference hardware, from professional GPUs to solutions based on ARM architectures with integrated NPUs, and developers of orchestration tools that simplify putting local models into production.

The underlying message is clear: AI is redefining security, but the price of effectiveness cannot be loss of control. The number 622 does not just mark a record of fixed bugs; it marks the start of a race in which on-premise infrastructure stops being a relic of the past and becomes the condition for staying in the game.