Your DMS Doesn't Have a Plan. Your Customers Already Do.
Adam founded Savvy Dealer and has spent 30 years at the intersection of automotive retail and digital strategy.

What Every Car Dealer Needs to Demand from Their Software Providers Right Now
Your customer pulled up to the lot last Saturday knowing more about your vehicle than your salesperson did. They didn't read the window sticker. They asked an AI.
That's not a hypothetical. That's Tuesday.
The way customers shop for cars has fundamentally changed, and most dealerships are not just behind on it. They are actively blocking it. Meanwhile, the software your dealership runs on (your DMS, your CRM, your website platform) is sitting on decades of accumulated code that a brand-new AI called Mythos can now tear through like a search engine tears through a web page.
The internet is entering a period of significant turbulence. Vulnerabilities that have existed for twenty-plus years are being uncovered by AI at a pace no human security team can match. Software patches are being rushed out under pressure, and some of them are introducing new instability. The companies managing your most sensitive dealership data (customer records, deal structures, credit applications, bank schedules) are going to be affected by this whether they admit it or not.
Here's what's happening, why it matters specifically to your store, and what questions you should be asking your software providers before they're forced to answer them publicly.
What Mythos Is and Why Your DMS Provider Should Be Losing Sleep
On April 7, 2026, Anthropic released a new AI model called Mythos, and then immediately announced it was too dangerous to release publicly.
Mythos is the most capable vulnerability-finding system ever built. In its first few weeks of testing, it identified thousands of zero-day security flaws across every major operating system and web browser. It found a 27-year-old bug in one of the most security-hardened operating systems on the planet. It found a 16-year-old flaw in video software that survived five million automated testing attempts.
What makes this directly relevant to your dealership: Mythos can analyze software without needing access to the original source code. It can read compiled, binary code, the kind that runs in legacy systems that haven't been actively maintained in years.
Now think about your DMS.
Reynolds & Reynolds. CDK Global. Dealertrack. RouteOne. These are not startup companies running modern cloud-native infrastructure. They are decades-old platforms carrying enormous technical debt. CDK alone suffered a catastrophic cyberattack in June 2024 that took down dealership operations across North America for weeks, costing dealers an estimated $1 billion in losses. That attack happened before Mythos existed.
Mythos will reach these platforms. Not if, when. Either Anthropic's Project Glasswing partners (which now include Microsoft, Google, Amazon, CrowdStrike, and JPMorgan) scan it defensively as part of their coordinated vulnerability disclosure program, or eventually someone outside the coalition finds the same vulnerabilities on their own.
The question is not whether your DMS has security vulnerabilities. Every legacy software platform does. The question is whether your provider has a plan for what happens when those vulnerabilities are found and disclosed at machine speed.
The Questions Every Dealer Should Be Asking Their Software Providers Right Now
You don't need to understand the technical details to ask the right questions. Here are five that every dealer, and every dealer 20-group, dealer association, and OEM vendor performance manager, should be demanding answers to.
1. What is your patch deployment process when a critical vulnerability is disclosed?
This is not a hypothetical scenario anymore. Vulnerabilities are being found at unprecedented speed. The time between discovery and active exploitation has collapsed from nearly two years to single-digit hours in some cases. Your DMS provider needs to be able to tell you, specifically: when a critical patch is ready, how fast does it go out, who approves it, and how do they test it before it touches your live data?
If the answer is vague, "we follow industry best practices", push harder. After AI-assisted code changes caused multiple outages at Amazon in late 2025 and early 2026 (including a six-hour shutdown of Amazon.com itself), the lesson is clear: rushing patches without proper oversight creates a new category of failure. Your provider should have a documented answer to this question, not a PR response.
2. Do you use AI-assisted development tools? What oversight exists?
Every serious development team on the planet is now using AI to write code. Microsoft says AI writes 30% of their code. Amazon has an 80% AI tool usage mandate for their engineers. This is not a concern in itself. AI-assisted development can produce better, more secure software when done correctly.
The concern is oversight. Amazon's outages happened specifically because AI coding tools were given authority to make changes without sufficient human review. Ask your DMS and CRM providers directly: are your engineers using AI coding tools? What approval process exists before AI-generated code reaches production? What rollback procedures are in place when something goes wrong?
A provider who can't answer this clearly is either not using AI (and will fall behind on security and development speed) or using it without adequate guardrails (and is a liability waiting to materialize in your deals folder).
3. How are you preparing for the Mythos era specifically?
This is the forward-looking question. Project Glasswing, Anthropic's coordinated effort to use Mythos defensively, is scanning critical software infrastructure right now. The findings will generate patches. Those patches will need to be deployed across every layer of software dealers depend on: operating systems, browsers, middleware, the DMS platform itself.
Ask your provider: are you engaged with any of the Project Glasswing partner organizations? Do you have a security audit scheduled for 2026? What is your plan when the OS your platform runs on requires an emergency patch? Have you done a penetration test in the last 12 months?
Providers who are ahead of this will be able to tell you what they're doing. Providers who are behind will change the subject.
4. What is your incident response plan, and when did you last test it?
This is the basic question that most dealers never ask until they need the answer. The CDK attack of 2024 was a brutal lesson in what happens when a major dealer software provider has no functional incident response capability. Dealers couldn't write deals. Finance couldn't structure contracts. Service couldn't look up repair orders. Some stores were effectively closed for weeks.
With Mythos-class vulnerability discovery becoming available, and eventually available to bad actors as well as defenders, the probability of another major incident at a dealer-software provider in the next 24 months is not low. Your provider should have a documented incident response plan, it should have been tested in the last 12 months, and you should be able to get a summary of it.
5. What data do you hold, and what are your breach notification protocols?
Your DMS holds more sensitive customer financial data than most banks handle for a comparable-sized customer base. Credit applications, bank schedules, deal structures, social security numbers, income documentation. If Mythos-enabled vulnerabilities are found and exploited before they're patched, this data is the target.
Ask your provider: exactly what customer data do you store, where is it stored, how is it encrypted, and what is the notification protocol if there is a breach? State breach notification laws are accelerating, and your liability exposure as a dealer for your software provider's security practices is real.
Your Customer Is Already Using AI to Shop. Are You Letting It In?
While all of this is happening on the infrastructure and security side, there's a parallel transformation happening at the very top of your sales funnel, and most dealers are actively working against themselves.
Your customers are using AI to shop for cars. Not some customers. Not tech-savvy customers. Regular customers, every day, asking ChatGPT, Claude, Gemini, and Perplexity things like:
- "What's the best deal on a 2026 Silverado 1500 near me?"
- "Which Chevy dealer in Burlington has the best reviews and the most inventory?"
- "Is the Toyota RAV4 Hybrid or the Ford Escape Hybrid a better value right now?"
These AI tools answer by reading the web. They crawl your website, your inventory feeds, your reviews, your specials pages. They synthesize what they find and deliver an answer, one answer, to the customer. No search results page. No browsing. One answer, and then a decision.
This is Generative Engine Optimization (GEO), and it is not coming. It is here.
Here's where the dealership industry has a specific, measurable, self-inflicted problem: 48% of dealer websites actively block AI crawlers.
Almost half of all dealer websites have configurations that tell AI tools "do not read this." When a customer asks ChatGPT to recommend a Chevy dealer in their market, those dealers are invisible. They don't appear. They don't get considered. The AI makes its recommendation from the dealers whose sites are accessible.
This wasn't always intentional. Much of it is legacy configuration, robots.txt files set years ago by website providers who were trying to manage server load from scrapers, or who simply never updated their defaults to account for the AI crawler era. The result, however, is the same: your competition is getting found and you are not.
Some website providers have made this even worse by taking an active philosophical stance against AI access, restricting crawlers to a specific whitelist of approved bots while blocking everything else. This approach protects the provider's infrastructure at the direct expense of the dealer's visibility to AI-powered shoppers. The dealer pays the bill. The provider makes the call. The customer never finds the store.
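The check below is an added example, not part of the original article or any provider's tooling: it runs a legacy allowlist-style robots.txt and an open one through Python's standard `urllib.robotparser` and reports which AI crawlers are denied public pages. The crawler tokens, the two sample files and the site paths are assumptions constructed for illustration.

```python
from urllib.robotparser import RobotFileParser

# robots.txt tokens published by vendors the article names (assumption: check
# each vendor's crawler documentation for the current list).
AI_CRAWLERS = ["GPTBot", "OAI-SearchBot", "ClaudeBot", "PerplexityBot", "Google-Extended"]

# Constructed sample: allowlist-style file that denies every bot not named.
LEGACY_ALLOWLIST = """\
User-agent: Googlebot
Allow: /

User-agent: bingbot
Allow: /

User-agent: *
Disallow: /
"""

# Constructed sample: public pages open to all crawlers, back office excluded.
# robots.txt is advisory only; /admin/ and the credit application still need
# real authentication and authorization on the server.
OPEN_POLICY = """\
User-agent: *
Disallow: /admin/
Disallow: /credit-application/
"""

# Hypothetical dealer-site paths that shopper-facing answers depend on.
PUBLIC_PATHS = ["/", "/inventory/new/", "/specials/"]


def blocked_paths(robots_txt, agent, paths=PUBLIC_PATHS):
    """Return the paths this robots.txt tells `agent` not to fetch."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return [p for p in paths if not parser.can_fetch(agent, p)]


def audit(robots_txt, agents=AI_CRAWLERS):
    """Map each AI crawler token to the public paths it is denied (if any)."""
    report = {a: blocked_paths(robots_txt, a) for a in agents}
    return {a: denied for a, denied in report.items() if denied}


if __name__ == "__main__":
    for name, text in [("legacy allowlist", LEGACY_ALLOWLIST), ("open policy", OPEN_POLICY)]:
        print(name, "->", audit(text) or "AI crawlers may read all public paths")
```

To audit a live site, pass the text of its own `/robots.txt` to `audit()` in place of the constructed samples.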
What Good Looks Like: What Your Website and Marketing Providers Should Be Doing
On the AI shopping side, your digital partners should be able to demonstrate the following:
Your website is open to legitimate AI crawlers. This means your robots.txt file allows, not just tolerates, AI search crawlers from OpenAI, Google, Anthropic, Perplexity, and others. It means your inventory data is structured in a way AI can read and interpret correctly, not just humans. It means your specials, your pricing, your finance offers, and your dealership details are machine-readable and current.
Your content is written for AI answers, not just Google rankings. This is the GEO shift. A page that ranks #3 on Google for "Chevy Silverado Burlington NJ" is valuable. A page that answers the specific question a customer asks an AI tool, completely, accurately, and in a format the AI can relay, is essential. These require different writing strategies, different structures, and different thinking about what "optimization" means.
Your provider can measure AI referral traffic separately. Most dealer analytics setups bundle all non-human traffic together or discard it as bot noise. A forward-thinking provider should be able to show you what percentage of your traffic comes from AI crawlers, what those crawlers are accessing, and whether your content is being consumed by the tools your customers are using.
Your inventory feed is AI-legible. Vehicle listing data (pricing, packages, availability, incentives) needs to be structured so an AI agent can read it without ambiguity. Vague pricing like "call for price" or inventory descriptions loaded with dealer jargon are invisible to AI summarization. Structured, clear, accurate data gets surfaced. Everything else gets skipped.
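One way to measure AI crawler traffic separately, as described in the list above, is to classify web server access-log lines by crawler User-Agent instead of discarding them as bot noise. This is an added example, not the article's or any provider's code; the log lines are constructed, and the crawler tokens and the Combined Log Format layout are assumptions.

```python
import re
from collections import Counter, defaultdict

# User-Agent substrings for AI crawlers (assumption: confirm in vendor docs).
# The header is client-supplied and can be spoofed; confirm a claimed crawler
# against the vendor's published IP ranges before trusting the counts.
AI_TOKENS = ("GPTBot", "OAI-SearchBot", "ClaudeBot", "PerplexityBot")

# Combined Log Format: ip - - [time] "METHOD path proto" status bytes "referer" "ua"
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$'
)

# Constructed sample lines: documentation IP ranges, shortened user agents.
SAMPLE_LOG = """\
192.0.2.10 - - [12/May/2026:10:01:02 +0000] "GET /inventory/new/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; GPTBot/1.2; +https://openai.com/gptbot)"
192.0.2.10 - - [12/May/2026:10:01:05 +0000] "GET /specials/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; GPTBot/1.2; +https://openai.com/gptbot)"
198.51.100.7 - - [12/May/2026:10:02:11 +0000] "GET /inventory/new/ HTTP/1.1" 403 153 "-" "Mozilla/5.0 (compatible; ClaudeBot/1.0; +claudebot@anthropic.com)"
203.0.113.5 - - [12/May/2026:10:03:40 +0000] "GET /inventory/new/ HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36"
203.0.113.9 - - [12/May/2026:10:04:00 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; PerplexityBot/1.0; +https://perplexity.ai/perplexitybot)"
"""


def classify(user_agent):
    """Return the AI crawler token found in the User-Agent, else None."""
    ua = user_agent.lower()
    return next((t for t in AI_TOKENS if t.lower() in ua), None)


def summarize(log_text):
    """Share of requests from AI crawlers, plus per-crawler paths and denials."""
    total, paths, denied = 0, defaultdict(Counter), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not Combined Log Format
        total += 1
        _ip, _method, path, status, ua = m.groups()
        bot = classify(ua)
        if bot is None:
            continue
        paths[bot][path] += 1
        if status in ("401", "403"):  # crawler reached the site but was refused
            denied[bot] += 1
    hits = {bot: sum(c.values()) for bot, c in paths.items()}
    return {"ai_share": sum(hits.values()) / total if total else 0.0,
            "hits": hits, "denied": dict(denied),
            "paths": {bot: dict(c) for bot, c in paths.items()}}
```

A non-empty `denied` entry means a crawler was refused by the server or a bot-management layer even though it requested the page, which robots.txt alone would not reveal.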
The Opportunity Inside the Chaos
The dealers who come out of this period ahead of the market will be the ones who treated the turbulence as a signal, not just noise.
The Mythos era means the software industry is being forced to clean up decades of deferred security work, rapidly, under pressure, at scale. Some of that cleanup will cause short-term disruption. Providers who are ahead of it will handle it professionally and transparently. Providers who are behind it will go quiet and hope nothing happens on their watch.
The AI shopping era means the entire top of the funnel is being reorganized around who the AI can find and trust. Dealers whose digital infrastructure is accessible, accurate, and AI-legible will get recommended. Dealers whose providers are still blocking crawlers, serving stale inventory data, and building for a Google-only world will lose customers they never knew were looking.
The good news: both of these are solvable. Neither requires exotic technology or massive budget. They require asking the right questions of the right people, and being willing to change partners if the answers aren't good enough.
The customer already has a plan. The AI already has a preference. The only question is whether you're in the conversation.
Adam Gillrie is the founder of Savvy Dealer, a 13-year automotive digital marketing and website platform, and BiFrost Strategies, an AI consulting firm specializing in Generative Engine Optimization for dealerships. His AI Compatibility Analyzer has scanned over 700 dealer websites and found that 84% fail basic AI visibility standards.