The cybersecurity agencies of the Five Eyes partnership, including the US (United States), the UK (United Kingdom), Australia, Canada, and New Zealand, have issued a joint statement urging business and government leaders to act immediately on AI-driven cyber threats.
The agencies say frontier AI models are on track to exceed current industry expectations and will fundamentally reshape both offensive and defensive cyber capabilities. Their timeline is not measured in years. It is measured in months.
The statement lands as AI adoption accelerates across industries and as threat actors increasingly use AI tools to execute faster, more sophisticated attacks. The agencies say the window between vulnerability discovery and exploitation is already shrinking. AI is narrowing it further.
A whole-of-society problem, not an IT problem
The agencies are direct about one thing: cyber risk is no longer a back-office technical concern. Boards and executives now carry direct responsibility for ensuring their organizations can withstand attacks under real conditions, not just on paper.
According to the joint statement, it is not enough to have security controls in place. Leaders must be confident that those controls will actually perform during a live incident. That requires organizations to reassess long-standing trade-offs, challenge assumptions about what systems need external exposure, and use AI deliberately to strengthen defense rather than simply improve efficiency.
The agencies describe the required response as one that demands full organizational and societal participation. Cyber resilience, they argue, is now central to business continuity, market confidence, and long-term value. Organizations that treat it as anything less will find themselves at a growing strategic and operational disadvantage.
The statement calls on leaders to understand and assess their risk readiness and accountability, prioritize foundational cybersecurity practices, empower cybersecurity leaders with real authority and adequate resources, and stay actively engaged as threats and official guidance continue to evolve.
What must leaders do right now?
The agencies outlined a set of practical actions they describe as urgent, not new but now critical given the pace of AI development.
Organizations must reduce their attack surface via reducing unnecessary access to system access as well as external connectivity. The agencies push leaders to question whether systems need exposure at all and to isolate those that do not.
They also call for faster patching processes, noting that AI is compressing the time between when a vulnerability is discovered and when it gets exploited. Delays in applying security updates, particularly for operational systems with long update cycles, carry growing risk.
The advice is seemingly reinforced by recent events. Mozilla moved quickly to patch an AI flaw in Firefox that could have leaked email verification codes, demonstrating the importance of rapid response to AI-related vulnerabilities.
Legacy systems received specific attention. The agencies describe unsupported systems not just as technical debt but as strategic liabilities. They urge leaders to address these systems as a priority rather than deferring the cost.
Set limits to critical system access, the agencies propose
Identity and access controls also featured prominently. The agencies recommend limiting who can access critical systems, enforcing strong authentication, and reviewing permissions on a regular basis.
On incident preparedness, they urged organizations to test response plans, train teams in advance, and operate under the assumption that breaches will occur. The focus should be on fast containment and recovery, not on preventing every breach outright.
The agencies also addressed AI as a defensive tool. Adversaries are already using AI to move faster and strike more precisely, they noted. Defenders must respond in kind. Organizations that embed AI systems into their security protocols can fish out vulnerabilities head-on, monitor sketchy behavior more effectively, and respond to incidents faster, reducing both the financial and operational cost of attacks.
According to the statement, success will not come from having the most tools available. It will come from getting the basics right, acting quickly, and embedding cybersecurity into core business strategy from the top down.
The agencies closed with a pointed warning for leaders considering a wait-and-see approach. Cyber risk assumptions, they said, can become outdated in months at the current pace of frontier AI development. Those who act now will reduce exposure and build confidence with customers, partners, and investors. Those who delay will inherit risks that were entirely avoidable.
