Cyber security agencies in Australia, Canada, New Zealand, Britain and the United States are stepping up their awareness campaign around artificial intelligence (AI) being used by threat actors to accelerate attacks.
The 'Five Eyes' intelligence agencies warned that AI is already here, with the timeline to act being months, not years.
"[AI] lowers barriers for malicious actors and increases the speed and complexity of attacks, shrinking the window between vulnerability discovery and exploitation ever more quickly," a joint statement from the agencies said.
"At the same time, AI offers powerful tools to strengthen defence.
"Cyber risk can no longer be treated as a purely technical issue."
Instead, it should be seen as a core business risk, and leadership responsibility, the agencies said.
Simply having security controls is not enough, and boards and executives must be confident that those will perform during real incidents.
Prior to the joint statement, the Australian Signals Directorate (ASD) updated its Information Security Manual (ISM) which is mandatory for government agencies to follow.
Among the directives in the ISM is the core principle that secure by design becomes standard practice, along with secure by default.
In practical terms, the 'Five Eyes' agencies said a number of current actions have become urgent, so as to reduce technical risk, along with operational, financial and reputational exposure.
Organisations should reduce their attack surfaces through exposed systems, and to accelerate patching; the latter is important as AI abbreviates the time between vulnerability discovery and exploitation of flaws.
Legacy systems are easy targets and strategic liabilities, the cyber security agencies said.
Reviewing and strengthening identity and access controls to critical systems, with strong authentication being enforced and regular evaluation of permissions are other actions organisations should take.
Assuming that breaches will occur and being ready for them with tested response plans, training and prepared teams is a must, with a focus on fast containment and recovery.
"I'm actually really positive that we have the tools and we have the capabilities," the Australian Cyber Security Centre head Stephanie Crowe said in a statement,
"If we all take action and we actually take the time to look at our cyber risk management plans, and the priorities we place on the things that we need to do to defend ourselves, then we're in a really good place.
"It’s even better if we can learn from new technologies emerging in the environment, like AI, on how we can use these new technologies defensively, because our adversaries are using them and we all need to use them to defend our networks."
The joint statement was published by the ACSC/ASD, the Canadian Centre for Cyber Security (CCCS), NZ and UK's National Cyber Security Centres (NCSC), and their American counterparts, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA).
It comes after the US government imposed export controls on AI vendor Anthropic's latest large language model (LLM) Fable 5, requiring a licence for non-Americans to access it.
In response to the export control directive, Anthropic fully withdrew Fable 5, which uses the same LLM as the restricted Mythos 5, with the former having strong safeguards and classifiers for public use.
Security experts protested in an open letter that the official decision to limit access to Fable 5 disadvantaged defenders, particularly since adversaries had models that are nearly as capable and are catching up technologically.
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
iTnews State of Data & AI Breakfast
Forrester's AI Forum Sydney
The 2026 iAwards
.jpg&w=120&c=1&s=0)
Integrate 2026
Security Exhibition & Conference
_(1).jpg&h=140&w=231&c=1&s=0)
