Five Eyes release statement on cyber security. A call to action

June 29, 2026

The Five Eyes is a grouping of the United States, Australia, United Kingdom, New Zealand and Canada which collaborates on signals and military intelligence and, most recently, cyber defence. Last Friday the Five Eyes issued a statement about dealing with cyber risk.

The AI shift in cyber risk: why leaders must act now

As the leaders of the Five Eyes cyber security agencies, we are united in our call to action: the evolving landscape of artificial intelligence (AI) is rapidly transforming cyber risk, and we must act swiftly to remain ahead.

A call to action

While AI will help us improve cyber defence over time, it also accelerates the speed, scale, and sophistication of cyber threats.

Frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities. The timeline is not years, it is months.

In this environment, cyber resilience is integral to advancing business continuity, market confidence, and long-term value. We urge leaders to:

    • understand and assess risk, readiness and accountability
    • prioritize foundational cyber security practices and controls
    • empower cyber leaders with authority and resources
    • stay actively engaged as threats and guidance evolve

Success will come from getting the basics right, acting quickly, and integrating cyber security into core business strategy. Those that do not will face growing operational and strategic disadvantage.

The urgency is clear

AI is not a future consideration – it is already here.

It lowers barriers for malicious actors and increases the speed and complexity of attacks, shrinking the window between vulnerability discovery and exploitation ever more quickly. At the same time, AI offers powerful tools to strengthen defence.

A whole-of-organization and whole-of-society response is required

Cyber risk can no longer be treated as a purely technical issue. This is a core business risk and leadership responsibility. Boards and executives should ensure cyber resilience is in place and works under pressure. It is not enough to have controls. Leaders must be confident those controls will perform during a real incident. This requires reassessing long-standing trade-offs and using AI deliberately to strengthen defence – not just improve efficiency.

Key Actions for Leaders

Core principles:

    • Secure-by-design and secure-by-default must become standard practice – not an
    • Resilience cannot depend on a single solution or Defence in depth remains essential.
    • As AI systems evolve, new and previously unknown vulnerabilities will emerge, including zero-day vulnerabilities.

Breaches will occur. Preparedness helps you contain them quickly and prevent escalation into major operational and financial crises.

Practical actions

These actions are not new, but are now urgent to reduce not only technical risk, but also operational, financial and reputational exposure:

    1. Reduce your attack surface: Limit unnecessary system access and external Challenge whether systems need to be exposed at all and isolate those that do not.
    2. Accelerate patching processes: AI is shortening the time between vulnerability discovery and exploitation. Delays in patching increase risk, especially for operational systems with long update cycles. Prioritise security updates accordingly to manage risks.
    3. Address legacy systems: Unsupported systems are easy They are not just technical debt, they are strategic liabilities.
    4. Review and strengthen identity and access controls: Limit who can access critical Enforce strong authentication and regularly review permissions.
    5. Prepare for incidents before they happen: Test response plans, train and prepare teams, and assume breaches will occur. Focus on fast containment and recovery.

Use AI to strengthen defence

Adversaries are already using AI to move faster and more effectively. Defenders must do the same.

Organizations that integrate AI tools into their security operations can detect vulnerabilities earlier, improve software quality, monitor unusual behaviour, and respond faster to incidents – reducing both the cost and impact of incidents.

Success will not come from having the most tools. It will come from getting the basics right, acting quickly, and integrating cyber security into core business strategy.

We must act now

The rapid pace of frontier AI development means cyber risk assumptions can become outdated in months, not years. We must act before and be prepared to adapt and withstand evolving threats.

Cyber resilience is not an IT issue – it is central to operational continuity and market trust. Leaders who act now will reduce exposure, strengthen resilience, and build confidence with customers, partners, and investors. Those who delay will face growing and avoidable risk.

The above statement may be unusual and significant, but the thrust of the recommendations and the concerns raised have been well known by practitioners involved with cyber security and privacy.

Frontier AI models have been identified as being adept at identifying software vulnerabilities and developing exploits on the hacking side of the ledger, and at defensive activities such as patching.

The recent development of cyber-related capabilities of the latest generation of AI models, especially Anthropic’s Mythos and OpenAI’s GPT 5.4-Cyber, democratises hacking. Sophisticated data breaches which were previously only undertaken by skilled hackers can now be handled by those with less expertise.

On June 2, 2026, President Trump signed an Executive Order on Promoting Advanced Artificial Intelligence Innovation and Security to establish a framework for secure development of frontier AI models and an “AI cybersecurity clearinghouse” to facilitate vulnerability coordination and remediation, among other initiatives. That was followed by National Security Presidential Memorandum 11, on June 5, 2026, directing the military, intelligence agencies, and relevant federal departments to accelerate the adoption of AI for national security applications.

It is critical to review and respond to changing cybersecurity risks. New risks and challenges will arise and organisations need to consider how to respond to and protect against threats operating at the speed and scale of advanced AI.

Notwithstanding the changing landscape, fundamental governance principles and underlying controls will continue to be key risk mitigators. That will apply even if organisations incorporate AI capabilities, including the use of agentic AI, into their cyber defences.

In reviewing cyber defences, approach the exercise methodically, which means:

Determine whether existing risk management protocols align with AI-related cyber risks: Frontier AI models accelerate and scale vulnerability discovery. That can mean decision time frames are compressed and the scope of threats increases. Organisations that provide and maintain software or online services must re-evaluate their risk programs to assess whether they are appropriately calibrated for AI-enabled cyber risks. That may also require incorporating regular discussions of AI-related cyber risk at the Board level and specific responsibilities by senior management. It is necessary to prioritise the identification of risks and implementation of security measures to address those risks. For agentic AI services, organisations should consider the recent guidance from CISA on best practice.

Determine whether existing vulnerability management and patching processes are adequate to deal with AI-facilitated cyber attacks: Frontier AI models will increase the volume of identified vulnerabilities while narrowing the time from identification to exploitation. That means organisations need to consider whether existing procedures for vulnerability identification, remediation, and disclosure are prepared to handle a high volume attack by AI tools. That may mean developing a viable risk-based triage approach for remediation of identified vulnerabilities and procedures for triaging vulnerabilities identified in third-party platforms and in open-source code.

Assess readiness to address third-party and supply chain cyber risks: Frontier AI models’ capabilities to rapidly identify vulnerabilities across widely used components and services raise the stakes for third-party risk management for software vendors and service providers. This requires establishing processes for escalating reports from vendors regarding critical vulnerabilities, to ensure those vulnerabilities are communicated and remediated quickly. It also means reviewing and removing/replacing legacy systems and hardware that are at enhanced risk of exploitation. Reviewing contracts to require third party service providers to disclose and remediate vulnerabilities in software products within appropriate timeframes based on the level of risk would be prudent.

Prepare for secure adoption of enhanced AI capabilities: In anticipation of this expansion in capabilities and deployments, organisations should coordinate discussions about when and how AI capabilities should be deployed. Deployment of AI models without sufficiently robust processes and controls, including access controls, could cause leakage of sensitive data, damage or degrade IT systems, or facilitate malicious activity by insider threats. Organisations should implement control frameworks to mitigate these risks, including an enterprise-wide AI policy, appropriate authorised-use policies, role-based trainings for employees using these systems, and procedures for restricting and monitoring access and use. These controls should be integrated into existing governance structures, such as for cybersecurity, privacy, data management, business continuity, insider threat, third-party risk management, and human resources.

Update incident response procedures to account for the speed of AI-enabled cyber incidents: Organisations should update their incident response and notification procedures to account for the speed and risk profile of AI-enabled incidents and other significant cyber events. That would include a rapid initial assessment, accelerated containment decisions, and internal escalation processes. Creating an AI-specific process for AI-related cyber incidents and events would be of assistance. It would include clear roles and responsibilities for Security, IT, Legal, and other non-technical stakeholders. AI capabilities will change impact assessments from a cyber incident

Review a communications plan and disclosure obligations in the event of an AI-enabled cybersecurity incident: An AI-enabled cybersecurity incident, or a significant vulnerability, outage, or other form of cyber event may require an organisation to communicate quickly and accurately within the organisation and to regulators. That means reviewing a communications plan to handle such an event, including clearly defined roles and processes to decide who is authorised to speak on which topics and to ensure consistent messaging.

Conduct exercises using AI-related scenarios to assess and update crisis management capabilities: With the compressed timelines that will come with more sophisticated AI-enabled risks, testing the various plans and processes will be critically important to ensure organizations can react quickly and effectively when an AI-enabled cyber event occurs.
