Leaders of the Five Eyes cybersecurity agencies have issued a joint call for organisations to treat artificial intelligence as an immediate driver of cyber risk, warning that AI is increasing the speed, scale and sophistication of attacks while also offering defenders new capabilities.
In the statement, the agencies said frontier AI models are expected to exceed current industry expectations and “fundamentally” change both offensive and defensive cyber operations, arguing the timeframe for impact is “months”, not years.
The agencies urged business leaders to assess risk, readiness and accountability; prioritise foundational cybersecurity practices and controls; give cyber leaders sufficient authority and resources; and remain engaged as threats and guidance evolve.
“AI is not a future consideration – it is already here,” the statement said, arguing that AI can lower barriers for malicious actors and compress the time between vulnerability discovery and exploitation, while also strengthening defence if applied deliberately.
The group also framed cyber resilience as a governance and leadership issue rather than a purely technical problem, calling on boards and executives to ensure controls are effective under real incident conditions and to reassess long-standing trade-offs, including the use of AI beyond efficiency gains.
As “core principles”, the statement said secure-by-design and secure-by-default should become standard practice, that resilience should not depend on a single technology, and that new vulnerabilities—including zero-day flaws—will emerge as AI systems evolve.
It warned breaches should be expected and said preparedness is required to contain incidents and prevent escalation into wider operational and financial crises.
Among “practical actions” recommended were reducing attack surface by limiting unnecessary access and external connectivity; accelerating patching processes as exploitation timelines shorten; addressing unsupported legacy systems; strengthening identity and access controls; and testing incident response plans with a focus on containment and recovery.
The statement also encouraged organisations to use AI to strengthen defensive operations, including earlier vulnerability detection, improved software quality, monitoring for unusual behaviour, and faster incident response.
The Five Eyes statement was issued by Stephanie Crowe, head of the Australian Cyber Security Centre; Rajiv Gupta, head of the Canadian Centre for Cyber Security; Catriona Robinson, head of New Zealand’s National Cyber Security Centre; Richard Horne, CEO of the UK National Cyber Security Centre; David Imbordino, director of the Cyber Security Directorate at the US National Security Agency; and Nick Andersen, acting director of the US Cybersecurity and Infrastructure Security Agency.
