Five Eyes spy chiefs warn AI is shrinking the window to stop cyberattacks — and boards need to act now

The heads of five Western cybersecurity agencies say artificial intelligence is already changing how fast criminals can strike. Waiting is no longer an option, they say — and the warning is aimed squarely at company boards, not IT teams.

ThreatVectr Newsdesk· 3 min read
Aerial editorial photograph, 16:9 framing, looking down at a modern government or corporate building at dusk, its lit windows forming a geometric grid against d
Share

Key points

  • On an unspecified Monday in June 2025, cybersecurity agency heads from Australia, the United States, the United Kingdom, Canada, and New Zealand issued a rare joint statement on AI-driven cyber risk.
  • Britain's AI Security Institute found one Anthropic AI model could break into computer systems approximately 73% of the time in testing.
  • On 13 June 2025, Anthropic suspended global access to its two most powerful AI models, Fable 5 and Mythos 5, following a US export control directive.
  • The five agencies said the time between a software flaw being discovered and criminals exploiting it is shrinking, making slow patching — applying software updates that fix known security holes — more dangerous than ever.
  • Stephanie Crowe, head of the Australian Cyber Security Centre, signed the statement and said organisations that take the threat seriously are "in a really good place".

The heads of the five English-speaking Western intelligence allies — Australia, the United States, Britain, Canada, and New Zealand, known collectively as the Five Eyes — published a joint statement this week warning that artificial intelligence is reshaping cyber risk faster than most organisations have planned for.

"AI is not a future consideration — it is already here," the statement says. "It lowers barriers for malicious actors and increases the speed and complexity of attacks."

The warning is direct. Cyber risk, the chiefs say, is no longer purely a technology problem — it is a leadership problem. Boards and executives need to be confident their defences would survive a real attack, not just that boxes have been ticked on a compliance form.

How close is this threat, really?

Close enough that one AI model is already breaking into systems nearly three-quarters of the time in controlled tests. Britain's AI Security Institute tested an Anthropic model and found it succeeded in around 73% of intrusion attempts — what Queen Mary University of London academic Gina Neff called "a step change in capability."

Then, on 13 June 2025, the US government issued an export control directive — a rule restricting where sensitive technology can be sent — that prompted Anthropic to suspend worldwide access to its two most powerful models, Fable 5 and Mythos 5. Australian users lost access without warning. The incident, first reported by SMH Technology, illustrated how quickly the AI landscape can shift under organisations' feet.

The agencies' core concern is timing. Patching — applying official fixes to known software flaws — has always lagged behind discovery. AI shortens that gap further. Criminals can now scan for and exploit unpatched flaws faster than many organisations update their systems, particularly older operational systems that run on long update cycles.

The practical steps the agencies set out are unsexy but specific: reduce the number of systems exposed to the open internet, patch known flaws faster, retire old software that manufacturers no longer support, and tighten controls over who can reach critical networks.

They also pressed organisations to use AI on the defensive side. Built into security operations, it can spot unusual behaviour earlier and contain incidents before they become financial crises. The statement is clear that buying more tools is not the point. Getting the basics right, fast, is.

Stephanie Crowe, head of the Australian Cyber Security Centre at the Australian Signals Directorate, struck a measured note. "I'm actually really positive that we have the tools and we have the capabilities," she said. "If we all take action ... then we're in a really good place."

What affected organisations should do now

Review which of your systems are visible to the open internet and close off anything that does not need to be there. Apply outstanding security patches — especially on operational or industrial systems. Test your incident response plan before you need it. And treat cyber risk as a standing item in board meetings, not a quarterly IT update.

© 2026 Threat Vectr