The cyber chiefs of the Five Eyes nations have issued a rare joint warning. Artificial intelligence is changing cyber risk faster than most organizations are ready for, they say, and leaders need to act now.
In a statement released on Jun. 22, the heads of the agencies across the US, UK, Canada, Australia, and New Zealand said frontier AI models are set to transform both offensive and defensive capabilities very quickly.
AI is lowering the barrier for attackers and, crucially, shrinking the gap between when a vulnerability is found and when it is exploited. The agencies framed this as a business risk for boards rather than a purely technical problem, urging executives to treat cyber resilience as something that must hold up under real pressure, not just exist on paper.
The practical advice given is to shrink the attack surface, patch faster, retire legacy systems, tighten identity and access controls, and rehearse incident response on the assumption that breaches will happen.
The agencies also warned that new and previously unknown flaws, including zero-day vulnerabilities, will keep emerging as these systems evolve, and pressed leaders to turn AI on defence to find weaknesses earlier and respond faster.
Why Patching Alone No Longer Holds
For Shane Fry, CTO at RunSafe Security, the warning lands hardest on the systems that are slowest to fix. He noted that organizations can no longer lean exclusively on patch cycles and vulnerability management, because AI is helping adversaries find and exploit weaknesses faster than fixes can keep up.
That gap is widest in embedded systems, operational technology, and critical infrastructure, where, as Fry put it, patching can take months or years and equipment often stays in service for decades.
His prescription echoes the agencies’ secure-by-design message: “The focus must shift from simply identifying vulnerabilities to making them unusable to attackers.”
Resilience and mitigation, he added, have to become foundational design principles, because the AI era rewards whoever moves faster.
The statement was signed by all six agency heads, including NCSC chief executive Richard Horne and acting CISA director Nick Andersen. Their closing message was blunt: organizations that adapt now will be more resilient, and those that delay face growing and avoidable risk.
