Five Eyes spy agencies warn AI will outpace cybersecurity defences within months

The intelligence alliance that links the US, UK, Australia, Canada and New Zealand says AI-powered attacks are arriving faster than most organisations can adapt — and breaches are now a question of when, not if.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial style, 16:9 framing, full-frame edge-to-edge composition
Share

Key points

  • The Five Eyes intelligence alliance — the security agencies of the United States, Britain, Australia, Canada and New Zealand — issued a joint advisory on Monday warning that AI is accelerating cyber attacks faster than existing defences can keep up.
  • The advisory states that "cyber risk assumptions can become outdated in months, not years" as frontier AI — meaning the most powerful, cutting-edge AI systems — develops rapidly.
  • AI startup Anthropic in April said its Mythos model family showed unprecedented ability to find vulnerabilities, meaning weaknesses, in software.
  • Anthropic was ordered by the US government in June 2026 to block all foreign nationals from accessing its Mythos 5 and Fable 5 models.
  • Former US Cybersecurity and Infrastructure Security Agency (CISA) director Chris Krebs warned of a coming "vulnerability tsunami" driven by AI falling into the wrong hands.

For years, cybersecurity has run on a simple assumption: attackers and defenders move at roughly the same pace. That assumption is now breaking down.

The Five Eyes alliance — the intelligence partnership spanning the US, UK, Australia, Canada, and New Zealand — published a joint advisory this week saying the most powerful AI systems are evolving fast enough to make today's security playbooks obsolete in months. Not years. Months.

In practice, that matters because finding a flaw in software has historically required real expertise. It takes time and skill. AI changes that equation by scanning systems at machine speed and spotting weaknesses a human analyst might miss entirely.

Should ordinary people be worried?

Yes, in a practical sense — though not in a way that requires panic. The advisory is aimed squarely at governments and businesses, because those are the targets. But when companies get hit, customers feel it: stolen account details, disrupted services, leaked personal data.

Chris Krebs, who ran the US Cybersecurity and Infrastructure Security Agency — the federal body responsible for protecting critical infrastructure like power grids and hospitals — told CBS News the past few months have been "a bit of a whirlwind." He described what is coming as a "vulnerability tsunami" driven by AI tools reaching criminals and hostile governments.

The advisory does not pretend breaches can be stopped entirely. "Breaches will occur," it says flatly. The goal is containing them before they turn into disasters.

The Five Eyes agencies recommend four broad steps: use AI tools inside your own security teams, retire old systems that can no longer be patched securely, tightly restrict who can access critical systems, and plan for the moment something goes wrong — because it will.

The AI company Anthropic sits near the centre of this story. Its Mythos model family, released in April 2026, reportedly showed an unusual ability to find software vulnerabilities automatically. Days after publicly releasing a version called Fable 5, Anthropic received a US government order banning foreign nationals from accessing both Mythos 5 and Fable 5. The intervention is notable: the current White House has generally pushed to reduce AI regulation, including blocking individual US states from writing their own rules.

The failure mode here is organisational complacency. Most companies update their threat models annually. The Five Eyes advisory is saying the annual review cycle is already too slow.

If you are a customer of any large organisation — a bank, a hospital, a retailer — watch for phishing emails, which are fake messages designed to trick you into handing over passwords, in the weeks after major AI announcements. Attackers move fast when new tools arrive.

Operational takeaway: Treat your threat model like a live document, not a quarterly filing.

© 2026 Threat Vectr