Five Eyes warn AI cyber risks are rising within months

Five Eyes cyber security agencies have issued a joint statement urging business leaders to respond to cyber risks linked to artificial intelligence, warning that the risk shift is happening within months.

The cyber security heads of Australia, Canada, New Zealand, the United Kingdom and the United States said AI is changing both offensive and defensive activity and should be treated as a core business risk, not a narrow technical issue.

They said boards and senior executives should take direct responsibility for cyber resilience, focusing on whether protections can withstand a real incident rather than simply confirming that controls exist on paper.

The statement said malicious actors are using AI to shorten the time between the discovery of a vulnerability and its exploitation. That is increasing pressure on organisations to patch faster, tighten identity and access controls, and reduce the number of systems exposed to the internet.

The agencies also warned that older unsupported systems have become strategic liabilities because they are easier to target. They said breaches should be treated as inevitable and that organisations should prepare for rapid containment and recovery.

Leadership focus

A central message was that cyber security should be integrated into broader corporate strategy. The agencies said resilience supports business continuity, market confidence and long-term value, and called on leaders to understand risk, assess readiness and ensure accountability across their organisations.

They also urged executives to give cyber leaders the authority and resources needed to respond as the threat landscape changes. Secure-by-design and secure-by-default approaches, they said, should become standard practice, while defence in depth remains necessary because no single technology will be enough.

The group said new and unknown vulnerabilities, including zero-day weaknesses, will continue to emerge as AI systems develop. In that environment, they said, longstanding security trade-offs need to be reassessed.

Use of AI

The agencies also said defenders should use AI in their own operations. Organisations can use the tools to spot vulnerabilities earlier, improve software quality, monitor unusual behaviour and speed up incident response, they said.

At the same time, the statement stressed that results will not depend on adopting the most tools. The strongest outcomes, it said, will come from getting core cyber hygiene right and acting quickly when risks emerge.

For large companies, the intervention adds to growing pressure from governments and regulators for boards to engage more directly with cyber exposure. The Five Eyes warning frames that exposure not only as a technology problem, but also as an operational, financial and reputational issue.

The agencies said the pace of frontier AI development means assumptions about cyber risk can become outdated in months rather than years. That compressed timetable was one of the clearest themes in the statement, which repeatedly called for immediate action.

Joint warning

The message was endorsed by Stephanie Crowe, Head, Australian Cyber Security Centre; Rajiv Gupta, Head, Canadian Centre for Cyber Security; Catriona Robinson, Head of the National Cyber Security Centre; Richard Horne, Chief Executive Officer, National Cyber Security Centre; David Imbordino, Director, Cyber Security Directorate, National Security Agency; and Nick Andersen, Acting Director, Cybersecurity and Infrastructure Security Agency.

In the joint statement, the agency heads said: "As the leaders of the Five Eyes cyber security agencies, we are united in our call to action: the evolving landscape of artificial intelligence (AI) is rapidly transforming cyber risk, and we must act swiftly to remain ahead."

They set out a series of practical measures for leaders, including limiting unnecessary system access, challenging whether systems need to be externally exposed, isolating those that do not, and giving greater priority to security updates where long operational cycles might otherwise slow patching.

The statement also called for regular reviews of permissions on critical systems and stronger authentication requirements. It said incident response plans should be tested before an attack and that teams should be trained to handle breaches under pressure.

Another theme was the need for collective action beyond internal company measures. The agencies said cyber resilience requires a whole-of-organisation and whole-of-society response, reflecting the scale of the challenge as AI lowers barriers to entry for attackers.

The statement ended with a direct warning to industry leaders and technology vendors about the cost of delay. "Those who delay will face growing and avoidable risk," the agency heads said.