The AI Shift in Cyber Risk: What the Five Eyes Call to Action Means for Your Organisation

An insights article on the joint statement issued by the Five Eyes cyber security agencies, 22 June 2026

At a glance — the 30-second brief for executives

  • All five Five Eyes cyber agencies have jointly warned that frontier AI is reshaping cyber risk now, on a timeline of months, not years.
  • AI compresses the patch-to-exploit window from weeks to days or hours, lowers the barrier for attackers, and introduces new AI-specific vulnerabilities.
  • Cyber security is reframed as a board-level business risk, not an IT function.
  • The prescription: get the fundamentals right, fast — attack surface, patching speed, legacy systems, identity controls, and incident readiness.

A rare, unified warning

On 22 June 2026, the heads of the Five Eyes cyber security agencies — from Australia, Canada, New Zealand, the United Kingdom, and the United States — issued a joint call to action on the cyber risks posed by frontier artificial intelligence. New Zealand’s voice in the statement came from Catriona Robinson, Deputy Director General Cyber Security and head of the GCSB’s National Cyber Security Centre (NCSC).

Joint statements from all five agencies are uncommon, and this one is notable for its directness. The agencies’ central message is that AI is transforming cyber risk right now, not at some point in the future, and that the timeline for frontier AI capabilities to reshape both attack and defence is measured in months rather than years.

Why the urgency?

Frontier AI models are dramatically improving the ability of attackers to identify and exploit vulnerabilities at speed and scale. The agencies highlight three compounding effects:

  • The barrier to entry is dropping: Capabilities that once required highly skilled, nation-state resourced threat actors are becoming accessible to a much wider pool of attackers. Less sophisticated actors can now mount attacks of greater speed and complexity.
  • The exploitation window is shrinking: The time between a vulnerability being disclosed and actively exploited has collapsed. Where patch cycles used to be managed monthly, AI-driven reverse-engineering of patches now allows threat actors to weaponise a flaw and mount attacks within days — sometimes hours — of an announcement. Patching cycles that were acceptable last year now leave organisations exposed for the entire duration of an active exploit campaign.
  • New threat vectors are emerging: AI is doing two distinct things here. First, it supercharges the discovery of traditional zero-day vulnerabilities — ordinary code flaws that attackers can now find first, at unprecedented speed. Second, as organisations embed AI into their workflows, it introduces entirely new AI-specific classes of vulnerability, such as prompt injection, data poisoning, and insecure model deployment.

The flip side is genuine opportunity: the same capabilities can materially strengthen defence. Organisations that integrate AI into their security operations can find vulnerabilities earlier, improve software quality, monitor for unusual behaviour, and respond to incidents faster — reducing both the cost and the impact when things go wrong.

Cyber risk is now a leadership issue

Perhaps the most significant theme in the statement is the reframing of cyber security as a core business risk and leadership responsibility rather than a technical matter delegated to IT. The agencies are explicit that boards and executives need confidence that their controls will actually perform under the pressure of a real incident — having controls on paper is no longer enough.

The leaders urge organisations to:

  1. Understand and assess risk, readiness, and accountability — know your exposure and who owns it.
  2. Prioritise foundational cyber security practices and controls — the basics matter more than ever.
  3. Empower cyber leaders with authority and resources — security teams need the mandate to act, not just the responsibility when things fail.
  4. Stay actively engaged as threats and guidance evolve — assumptions about cyber risk can become outdated within months.

Underpinning these are two principles the agencies want to see become standard practice: secure-by-design and secure-by-default as the norm rather than an aspiration, and defence in depth — resilience must never hinge on a single tool or technology.

Five practical actions

The bottom line for boards: AI hasn’t changed the fundamentals of cyber security — it has simply removed the luxury of time. To withstand AI-paced threats, leadership must audit and accelerate these five foundational areas immediately:

  1. Reduce your attack surface: Ruthlessly question whether systems need to be internet-exposed at all. If it doesn’t need to be public, take it offline or isolate it — and limit unnecessary access and external connectivity everywhere else.
  2. Accelerate patching: With exploitation timelines compressing to days or hours, shift critical internet-facing systems away from standard monthly patch cycles toward automated, rapid deployment. Pay particular attention to operational technology, where long update cycles create extended exposure.
  3. Address legacy systems: Unsupported hardware and software are easy targets. Treat them as strategic business liabilities and active security risks, not just technical debt to be managed someday.
  4. Strengthen identity and access controls: Move toward Zero-Trust architectures. Enforce robust multi-factor authentication (MFA), tightly restrict access privileges to the minimum required, and review permissions regularly.
  5. Prepare for incidents before they happen: Assume breaches will occur and shift focus from pure prevention to rapid containment and recovery. Regularly run red-team simulations and test response plans under time pressure, so an incident doesn’t escalate into an operational and financial crisis.

What the NCSC is doing in New Zealand

Alongside the joint statement, the NCSC outlined its own programme of work to manage the implications of frontier AI for New Zealand while building capability to capture the defensive opportunities. This includes:

  • Direct access to frontier AI models, working with the providers themselves to understand emerging cyber security risks and shape the NCSC’s response and guidance.
  • Collaboration with industry, including vendors that have been testing these models, to build a shared understanding of their implications.
  • Ongoing development and publication of advice and guidance for business and government.
  • Embedding security into the government’s digital roadmap, working with agencies to ensure cyber security and resilience is a foundational element of digital investment and procurement, from concept through to implementation.

The NCSC has also published dedicated guidance on managing the increased vulnerability risks from frontier AI and on cyber readiness in the frontier AI era, available on its website.

The bottom line

The message from the Five Eyes leaders is deliberately simple: success will come not from acquiring the most tools, but from getting the fundamentals right, moving quickly, and treating cyber security as integral to business strategy. Breaches will happen — preparedness is what determines whether they are contained quickly or spiral into a crisis. Organisations that act now will reduce their exposure and build confidence with customers, partners, and investors. Those that delay will carry a growing, and avoidable, level of risk.


Sources: