Skip to content
JP Stratton
Book a call
AI Readiness April 8, 2026 6 min read

The Four-Month Doubling: Why Your AI Roadmap Is Already Stale

LLM capability doubles every four months. Annual AI roadmaps are built for a world that no longer exists by execution time. Here is how to plan differently.

Roadmap horizon vs. capability doubling Your plan Actual capability growth Q1 20% 25% Q2 35% 60% Q3 50% 120% Q4 65% 220%
Exponential growth chart with two lines: 'AI capability curve' (doubling every 4 months, steep exponential) vs 'Traditional roadmap cadence' (flat annual planning cycles). The gap

Most AI roadmaps are designed like software project roadmaps: gather requirements, define capabilities, plan a 12-18 month delivery schedule, execute. This approach works when the technology landscape is stable enough that the requirements you defined in January still describe the right problem in December.

It does not work when the underlying capability doubles every four months.

Nicholas Carlini's research — summarized in his [un]prompted 2026 talk](https://www.youtube.com/watch?v=1sd26pWhfmg) — documented that LLM vulnerability-discovery capability specifically is doubling on approximately a four-month cycle. The broader capability trajectory of frontier models follows a similar curve. The model available to your organization (and to your adversaries) eight months from now will be four times more capable than today's in the relevant dimensions.

An AI roadmap built in January 2026 for delivery in January 2027 is a roadmap for a technology environment that will not exist.

What Exponential Actually Means in Practice

The word "exponential" is overused in technology marketing to the point of meaninglessness. In this context, it has a specific, concrete meaning.

Four months ago: an LLM could assist a skilled researcher in identifying potential vulnerabilities in a codebase, with significant human guidance required at each step.

Today: a Carlini-class demonstration shows autonomous identification of critical zero-days in production-quality software, from a bash script, without human direction during the discovery process.

Four months from now: the capability increment is as large as the gap between those two states. Again.

For planning purposes, this means: any assumption you are building your AI strategy around that involves "AI cannot yet do X" has a short shelf life. The question is not whether it will be able to do X — it is when. And the answer is increasingly "sooner than your roadmap assumes."

The Specific Ways Annual Roadmaps Fail

They Plan for Today's Frontier

A roadmap built today typically plans AI implementations around today's most capable commercially available models. By the time those implementations are built and deployed, the model landscape has shifted. The workflow you designed for GPT-4-class capability is now running on a GPT-5-class foundation — or your competitor built the same workflow in half the time because the newer model required less fine-tuning.

They Assume Static Competitive Dynamics

Annual roadmaps assume competitors are on a similar planning cycle. In a world where AI capability doubles every four months, an organization that started seriously deploying AI six months ago is now running on infrastructure with materially greater capability than one that starts today. The compounding advantage of early deployment is larger than it appears from a static capability comparison.

They Miss Emerging Risk Categories

The Mythos disclosure — where an AI model can autonomously discover and exploit software vulnerabilities — was not on any organization's risk roadmap 12 months ago. The EchoLeak vulnerability class was not on security roadmaps 18 months ago. Annual security planning cycles miss emerging threat categories that materialize on shorter cycles.

How to Plan for an Exponential Curve

The answer is not to stop planning — it is to plan differently.

Shorten the Horizon, Increase the Review Frequency

Replace annual AI roadmaps with rolling 90-day roadmaps reviewed quarterly. Each quarterly review explicitly asks:

  • What has changed in AI capability since last quarter?
  • Do any of our current or planned implementations need to be revised based on new capabilities or risks?
  • What new capability or risk categories need to be added to the roadmap?
  • Are any of our current AI implementations providing less value than they could with updated models?

Ninety-day horizons are short enough that your assumptions remain valid through the delivery cycle. Quarterly reviews ensure the roadmap adapts faster than the environment changes.

Build for Adaptability, Not Specific Model Versions

Architectures that hard-code specific model versions become technical debt faster than architectures that abstract the model layer. The right implementation pattern for production AI systems:

  • Model selection is a configuration parameter, not a code change
  • Evaluation suites exist to test alternative models against your specific use case
  • Model upgrades are a DevOps operation, not a development project

Organizations that built their AI workflows as tightly coupled integrations to specific model versions are spending more time on upgrades than organizations that built for model-agnostic architectures.

Treat AI Capability as a Planning Constraint, Not a Tool Choice

The most important shift in AI roadmap thinking is treating the capability curve as a planning input — the same way you plan around budget cycles, headcount availability, and regulatory timelines.

When planning a business initiative that will take 8 months to deliver, explicitly ask: what AI capabilities will exist in 8 months that do not exist today? How does that change the implementation approach? Does the timeline need to compress to capture current advantages before they are table stakes?

Separate Security Risk Planning from Capability Planning

Security AI roadmaps require a separate review track because the exponential curve applies to adversarial capability, not just helpful capability. The same models that make your organization more efficient make your adversaries more capable. Security architecture assumptions need to be reviewed at least quarterly against the current threat landscape.

The Carlini doubling curve means that your security posture against AI-enabled attacks, adequate today, may be inadequate in four months. Security investments need to be planned against a threat that will be twice as capable by the time the investment is deployed.

The Practical Starting Point

Two immediate actions for organizations with existing AI roadmaps:

Audit your current roadmap against the last four months of AI development. For each planned initiative, explicitly test whether the assumptions it was built on still hold. Where they do not, revise the approach.

Establish a standing AI landscape review. Designate someone responsible for tracking AI capability developments on an ongoing basis and briefing leadership quarterly. This is not a full-time role for most organizations — it is a few hours per week of structured attention — but it requires explicit assignment to produce reliable output.

The organizations that will succeed in the next two years are not the ones with the most ambitious AI roadmaps. They are the ones with the most adaptable AI programs.

If you want help building an AI strategy that accounts for the capability curve rather than ignoring it, Talk to JP Stratton.

Filed under AI Readiness.

Keep reading

Related insights.

AI Readiness · April 10, 2026

Now Is Not the Time to Learn AI. It's the Time to Use It.

The window for AI experimentation is closed. Organizations still learning are already behind. Here is the case for moving from AI literacy to deployment now.

Read

AI Readiness · March 15, 2026

AI Board Briefing: What Directors Must Know in 2026

50% of executives rank AI adoption as their #1 business risk. Boards that can't engage with AI risk are operating below the standard the market now requires.

Read