Five Eyes AI cyber warning prompts calls for faster defence

Five Eyes cybersecurity agencies have issued a joint warning about the rising cyber risks associated with artificial intelligence, targeting government and corporate leaders across Australia, the US, UK, Canada and New Zealand.

The agencies highlighted how quickly AI is reshaping both offensive and defensive cyber operations. Intelligence officials warned that attackers are already using AI systems to identify and exploit weaknesses faster than many organisations can detect or respond.

Industry experts said the warning marks a shift in tone from intelligence partners that have traditionally shared information less publicly. Vendors and security leaders described a narrowing window between the discovery of software flaws and their use in real-world attacks, alongside a widening gap between well-resourced attackers and overstretched defenders.

Gary Barlet, Public Sector Chief Technology Officer at Illumio, said the assumption that restricting access to advanced AI models would significantly slow malicious use never matched reality.

"The idea that the threat was somehow going to be slowed because models like Mythos weren't broadly released was always wishful thinking. Whether it's Mythos, Fable, or the next frontier model, it isn't a matter of if these capabilities become widely available; it's when. The Five Eyes warning is a wake-up call that AI is about to dramatically accelerate the speed, scale, and sophistication of cyberattacks, lowering barriers for adversaries and giving them capabilities that were once limited to highly skilled actors," Barlet said.

He added that many organisations remain overly dependent on patching and perimeter measures even as the pace of attacks rises.

"What worries me is that too many organisations still think they can patch their way out of this problem. We couldn't keep up before AI, and we certainly won't keep up after it. Attackers have always had the upper hand because they don't operate under the same constraints as defenders, and that's even more true in the age of AI. It's time for organisations to stop treating a breach as a possibility and start treating it as an inevitability," Barlet said.

Martyn Beal, Federal Government Lead, ANZ at TrendAI, said the latest advice from Five Eyes agencies reflects a structural change in how quickly vulnerabilities become business risks.

"The Five Eyes cyber agencies have issued a rare and timely warning: AI is collapsing the time between vulnerability and exploitation from years to months. What once took years can now happen in a matter of months, fundamentally changing the risk landscape for government agencies, critical infrastructure operators and businesses alike.

"Cybersecurity can no longer be viewed solely as an IT issue. It is now a board-level and executive leadership priority because the consequences of a successful attack extend far beyond technology, affecting operations, reputation, public trust and national resilience.

"The agencies' advice is refreshingly practical: get the basics right. Shrink your attack surface, patch faster, retire legacy systems, tighten identity controls, and assume breaches will happen. But they add a sharper edge: defenders must use AI as deliberately as attackers do.

"There are four core principles that ground a robust AI security strategy: gain visibility into AI usage and how systems and agents interact across environments; understand the context and intent behind those interactions; enforce policy and control over usage and agent-driven actions; and introduce human oversight at critical decision points.

"The organisations that will succeed are not necessarily those with the most security tools, but those that can move fastest to identify risk, respond to threats and build resilience. In the age of AI, speed has become one of the most important security controls," Beal said.

Beal's comments follow a closed-door intelligence briefing in Canberra on AI's impact on cyber defence, decision-making and resilience at national scale. Security vendors expect more prescriptive guidance from governments as regulators and boards seek assurance on how organisations manage AI-related cyber risk.

Gareth Cox, Vice President Sales APJ at Horizon3.ai, said the immediate challenge is distinguishing theoretical weaknesses from those an attacker can reliably exploit.

"Five Eyes is right: AI is compressing the time from flaw discovery to exploitation. However, the real problem is not finding more bugs; it is validating which weaknesses are actually exploitable in an IT environment. Enterprises need solutions that can continuously prove what is exploitable in their real environment, show how attacks chain across web, identity, cloud and infrastructure, and focus teams on the fixes that measurably reduce business risk. This includes continuous, production-safe autonomous pentesting across infrastructure, cloud, identity and external attack surfaces, rather than periodic assessments.

"Ultimately, Australian CISOs and security leaders require attacker-validated evidence they can stand behind with boards and auditors," Cox said.

Vendors also report rising demand for tools that bring business context into cyber decision-making. Boards and executives are asking which systems matter most and where limited resources can reduce the greatest amount of risk.

"Cybersecurity programs have been built for a world where defenders had weeks or months to assess risk and respond. Today, that timeline is shrinking dramatically, forcing organisations to make faster and more informed decisions about where to focus their resources.

"We're seeing a broader shift toward risk-based cybersecurity because visibility alone is no longer enough. Security teams need to understand which exposures are most likely to be exploited, which assets matter most to the business, and where remediation efforts will have the greatest impact.

"Initiatives like CISA's BOD 26-04 in the United States reflect this new reality and signal a growing recognition that effective cybersecurity depends on prioritisation as much as protection. Organisations that can quickly connect cyber data, threat intelligence and business context will be best positioned to stay ahead of emerging threats," said Robert Huber, Chief Security Officer, Head of Research and President of Public Sector at Tenable.