Five Eyes Warn AI Could Transform Cyber Risk Within Months

23rd Jun 2026
Five Eyes cyber security agencies have warned that frontier AI models could transform offensive and defensive cyber capabilities within months, urging boards and executive teams to treat resilience as an immediate business responsibility. The joint statement was issued on 22 June 2026 by cyber authorities in Australia, Canada, New Zealand, the United Kingdom and the United States. Its signatories were Stephanie Crowe of the Australian Cyber Security Centre, Rajiv Gupta of the Canadian Centre for Cyber Security, Catriona Robinson of New Zealand’s National Cyber Security Centre, Richard Horne of the UK National Cyber Security Centre, David Imbordino of the US National Security Agency’s Cyber Security Directorate and Nick Andersen of the Cybersecurity and Infrastructure Security Agency. Their warning centres on the speed at which AI can alter the economics of cyber attacks. More capable models can lower the expertise and resources required by malicious actors, accelerate vulnerability discovery and reduce the time available to patch systems before exploitation. The same technology can help defenders identify weaknesses, improve software quality, detect unusual behaviour and respond more quickly when an incident occurs. The agencies expect frontier AI capabilities to develop faster than many current corporate planning cycles. Cyber assumptions that appear reasonable today may be outdated within months, leaving boards exposed if security investment, incident planning and executive accountability remain tied to annual reviews. The statement calls for cyber resilience to be integrated into business strategy rather than delegated entirely to technical teams. Boards are expected to understand exposure, assess whether controls will perform under pressure and give security leaders sufficient authority and resources. Cyber oversight now sits alongside operational continuity, financial risk and corporate reputation rather than remaining a specialist IT function. Foundational controls remain central to the response. The agencies want organisations to reduce unnecessary system access, speed up patching, deal with unsupported legacy technology, strengthen identity and access management and test incident response plans before an attack occurs. Secure-by-design systems and layered defences are also emphasised as AI creates new vulnerabilities, including previously unknown flaws. The guidance challenges a common weakness in corporate AI programmes: investment often concentrates on efficiency and product development while the defensive use of AI receives less attention. Security teams can use automated tools to find vulnerabilities earlier and improve monitoring, but those capabilities still depend on sound asset management, clear accountability and practised recovery procedures. Technology vendors also face greater pressure to build security into products from the start, maintain supported software and provide customers with timely fixes as vulnerability discovery accelerates. Businesses buying AI-enabled systems will need stronger assurance over how models, data connections and third-party components are protected throughout the product lifecycle. C-Suite teams should now test whether cyber controls can withstand a faster attack cycle rather than relying on policy documents or compliance reports. That means reviewing patch times, legacy-system exposure, identity controls, incident exercises and the authority held by cyber leaders. AI can strengthen defence, but organisations that fail to raise their basic security standard may give attackers an increasingly large speed advantage. More From CEO Today: Flagright Raises $12.5m To Expand AI Compliance Platform