Five Eyes Agencies Warn AI Is Shrinking the Window to Stop Cyberattacks
Five Eyes cyber security agencies have warned that artificial intelligence is already changing cyber risk and that organizations must respond faster, not later.
The joint statement, released on June 22, 2026, says frontier AI will transform offensive and defensive cyber capabilities in months, not years. The warning came from cyber leaders in the United States, United Kingdom, Canada, Australia, and New Zealand.
The agencies said companies, governments, and critical infrastructure operators need a whole-of-organization and whole-of-society response. The message is clear: cyber security can no longer sit only with IT teams. Boards and executives now need to treat it as a core business risk.
Five Eyes agencies say AI is accelerating cyber risk
The Five Eyes cyber security agencies' statement says AI can help defenders improve detection and response, but it can also give attackers more speed, scale, and sophistication.
Frontier AI models could help threat actors find vulnerabilities faster, automate parts of an attack, and reduce the time between vulnerability discovery and exploitation. That gives organizations less time to patch, test, and contain threats.
New Zealand’s National Cyber Security Centre said its head, Catriona Robinson, joined Five Eyes counterparts in the call to action because frontier AI can help identify and exploit vulnerabilities at unprecedented speed and scale. The NCSC New Zealand announcement also said organizations should prepare now for more vulnerabilities, more incidents, and more business disruption.
Cyber risk is now a leadership issue
The warning pushes cyber security into the boardroom. The agencies said leaders should understand risk, assess readiness, define accountability, and make sure cyber teams have the authority and resources to act.
The official Five Eyes statement PDF says cyber resilience supports business continuity, market confidence, and long-term value. It also warns that organizations that delay will face growing operational and strategic disadvantages.
The agencies also said having security controls is not enough. Leaders must know whether those controls will work during a real incident, under pressure, and against faster AI-assisted attacks.
| Five Eyes recommendation | What it means for organizations |
|---|---|
| Understand cyber risk | Boards and executives should know their exposure, readiness, and accountability gaps. |
| Prioritize basic controls | Patching, identity security, access reviews, and logging need renewed urgency. |
| Reduce attack surface | Organizations should limit unnecessary internet exposure and external access. |
| Prepare for incidents | Response plans should be tested before a real breach happens. |
| Use AI defensively | Security teams should use AI to improve detection, vulnerability management, and response. |
Basic security failures remain a major concern
The Five Eyes agencies did not frame AI as a reason to abandon basic security. Instead, they said the basics have become more urgent because attackers can now move faster.
The Australian Cyber Security Centre’s published statement urges leaders to reduce attack surfaces, speed up patching, address legacy systems, strengthen identity and access controls, and prepare for incidents before they happen.
Legacy and unsupported systems received special attention. The agencies described them as strategic liabilities because attackers can identify and exploit weak systems more quickly as AI capabilities improve.
Secure-by-design practices are becoming more urgent
The agencies also said secure-by-design and secure-by-default principles should become standard practice. That means vendors and technology teams need to build security into systems from the start, rather than treating it as an add-on later.
The joint PDF statement says resilience cannot depend on one product, tool, or technology. Defense in depth remains essential because new and unknown vulnerabilities, including zero-day flaws, will continue to emerge as AI systems develop.
This is especially important for critical infrastructure, public services, financial systems, healthcare, telecoms, and software supply chains. A single weak point can create wider business disruption when attackers automate scanning and exploitation.
- Patch internet-facing systems faster.
- Remove unnecessary public exposure from sensitive systems.
- Replace or isolate unsupported legacy technology.
- Enforce strong authentication for critical access.
- Review permissions regularly and remove unused accounts.
- Test incident response plans with realistic scenarios.
- Use AI carefully to improve security operations, not only productivity.
Defenders also need to use AI
The agencies said attackers are already using AI to move faster and more effectively, so defenders need to do the same. AI can help security teams detect vulnerabilities earlier, monitor unusual behavior, improve software quality, and respond to incidents more quickly.
The New Zealand NCSC release said the agency is working with frontier AI models and providers to understand cyber risks and give guidance to organizations.
Still, the agencies warned that success will not come from buying more tools alone. Organizations need to integrate cyber security into business strategy, give security leaders enough authority, and keep updating their assumptions as AI changes the threat landscape.
What organizations should do now
Organizations should begin with a clear review of exposed systems, patching delays, identity controls, and incident response readiness. Leaders should ask whether critical systems need internet access, whether unsupported systems remain in production, and whether response teams can contain a breach quickly.
Security teams should also reassess vulnerability management. AI-assisted attackers may reduce the time available to respond after a flaw becomes public, especially in products widely used across enterprise networks.
The Five Eyes warning turns AI cyber risk into a leadership test. Organizations that act now can reduce exposure, improve resilience, and protect trust with customers, partners, and investors. Those that wait may face faster attacks, shorter response windows, and higher recovery costs.
FAQ
The Five Eyes cyber security agencies warned that artificial intelligence is rapidly changing cyber risk. They said frontier AI could transform offensive and defensive cyber capabilities in months, not years.
The warning came from cyber security leaders in the United States, United Kingdom, Canada, Australia, and New Zealand.
AI can help attackers automate tasks, find vulnerabilities faster, scale operations, and reduce the time between vulnerability discovery and exploitation. It can also help defenders detect and respond to threats more quickly.
A whole-of-organization response means cyber security is not handled only by IT teams. Boards, executives, legal teams, operations, procurement, security leaders, and employees all need clear roles in reducing risk and responding to incidents.
Organizations should reduce their attack surface, patch exposed systems faster, address legacy technology, strengthen identity and access controls, and test incident response plans before a real breach happens.