The cyber-security agencies of five English-speaking nations, the United States, Australia, the UK, New Zealand and Canada, issued a statement of concern over the evolution of artificial intelligence, both as a benefit to the security of society and as a weapon used to undermine civilized endeavor.
“As the leaders of the Five Eyes cyber security agencies, we are united in our call to action: the evolving landscape of artificial intelligence (AI) is rapidly transforming cyber risk, and we must act swiftly to remain ahead,” they said. The remainder of this article quotes from the statement.
A call to action
While Al will help improve cyber defense over time, it also accelerates the speed, scale, and sophistication of cyber threats. Frontier Al models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities. The timeline is not years, it is months.
In this environment, cyber resilience is integral to advancing business continuity, market confidence, and long-term value. We urge leaders to:
- Understand and assess risk, readiness and accountability
- Prioritize foundational cyber security practices and controls
- Empower cyber leaders with authority and resources
- Stay actively engaged as threats and guidance evolve
Success will come from getting the basics right, acting quickly, and integrating cyber security into core business strategy. Those that do not will face growing operational and strategic disadvantage.
A whole-of-organization and whole-of-society response is required
Cyber risk can no longer be treated as a purely technical issue. This is a core business risk and leadership responsibility. Boards and executives should ensure cyber resilience is in place and works under pressure. It is not enough to have controls. Leaders must be confident those controls will perform during a real incident. This requires reassessing long-standing trade-offs and using AI deliberately to strengthen defense– not just improve efficiency.
Core principles:
- Secure-by-design and secure-by-default must become standard practice – not an aspiration.
- Resilience cannot depend on a single solution or technology. Defense in depth remains essential.
- As AI systems evolve, new and previously unknown vulnerabilities will emerge, including zero‑day vulnerabilities.
Breaches will occur. Preparedness helps you contain them quickly and prevent escalation into major operational and financial crises.
Practical actions
These actions are not new, but are now urgent to reduce not only technical risk, but also operational, financial and reputational exposure:
- Reduce your attack surface: Limit unnecessary system access and external connectivity. Challenge whether systems need to be exposed at all and isolate those that do not.
- Accelerate patching processes: AI is shortening the time between vulnerability discovery and exploitation. Delays in patching increase risk, especially for operational systems with long update cycles. Prioritize security updates accordingly to manage risks.
- Address legacy systems: Unsupported systems are easy targets. They are not just technical debt, they are strategic liabilities.
- Review and strengthen identity and access controls: Limit who can access critical systems. Enforce strong authentication and regularly review permissions.
- Prepare for incidents before they happen: Test response plans, train and prepare teams, and assume breaches will occur. Focus on fast containment and recovery.
Use AI to strengthen defense
Adversaries are already using AI to move faster and more effectively. Defenders must do the same.
Organizations that integrate AI tools into their security operations can detect vulnerabilities earlier, improve software quality, monitor unusual behavior, and respond faster to incidents – reducing both the cost and impact of incidents.
Success will not come from having the most tools. It will come from getting the basics right, acting quickly, and integrating cyber security into core business strategy.
The agencies’ representatives were:
- Stephanie Crowe – Head Australian Cyber Security Centre, Australian Signals Directorate
- Rajiv Gupta – Head Canadian Centre for Cyber Security, Communications Security Establishment
- Catriona Robinson – Head of the National Cyber Security Centre, Government Communications Security Bureau
- Richard Horne – Chief Executive Officer, National Cyber Security Centre
- David Imbordino – Cybersecurity Director, National Security Agency, and,
- Nick Andersen – Acting Director, Cybersecurity and Infrastructure Security Agency
Why it matters
“The urgency is clear: AI is not a future consideration – it is already here,” said the Five Eyes release.
AI lowers barriers for malicious actors and increases the speed and complexity of attacks, shrinking the window between vulnerability discovery and exploitation ever more quickly. At the same time, AI offers powerful tools to strengthen defense.
But the statements with the same spirit, if not the same words, have been made in association with virtually all piracy-related concerns over the years. Consider the media & entertainment industry, professional sports, the electrical grid; and virtually the entire vendor community that serves them.
This does not dimish the importance of the Five Eyes statement, but it does place it in better context.
Source
Five Eyes cyber security agencies statement. Press release. June 22, 2026. US National Security Agency (NSA)
