24 Jun 2026

Five Eyes Cyber Security Leaders Warn of Growing AI-Driven Cyber Risks

The leaders of the Five Eyes cyber security agencies have issued a joint call to action, warning that advances in artificial intelligence (AI) are rapidly transforming the cyber threat landscape and requiring organisations to act now to strengthen their cyber resilience.

While AI offers significant opportunities to improve cyber defence, the agencies caution that it is also accelerating the speed, scale and sophistication of cyber attacks. Frontier AI models are expected to significantly enhance both offensive and defensive cyber capabilities, with changes occurring over months rather than years.

The message for leaders is clear: cyber resilience must become a core business priority.

Cyber Risk is a Leadership Responsibility

The Five Eyes agencies emphasise that cyber risk can no longer be viewed solely as a technical issue. Instead, it should be treated as a strategic business risk requiring active oversight from boards, executives and senior leaders.

Organisations are encouraged to assess their cyber readiness, strengthen accountability, prioritise foundational cyber security controls and ensure cyber leaders have the authority and resources required to respond effectively to emerging threats.

Importantly, leaders should not simply assume existing controls are sufficient. They must be confident those controls will perform under real-world conditions and during a genuine cyber incident.

Why This Matters for Information Professionals

For records and information management professionals, the warning reinforces the growing connection between cyber resilience, information governance and organisational accountability.

As AI-driven threats increase, organisations will need greater confidence in the integrity, availability and authenticity of their information assets. Strong governance frameworks, reliable records, clear ownership, and defensible information management practices are critical components of cyber resilience.

The agencies note that AI is already reducing the time between the discovery of vulnerabilities and their exploitation, leaving organisations with less time to detect, respond and recover.

Key Actions for Organisations

The guidance highlights several practical actions organisations should prioritise:

  • Reduce unnecessary system access and external exposure to minimise attack surfaces.
  • Accelerate patching and update processes to address vulnerabilities before they can be exploited.
  • Address legacy systems that present ongoing security and operational risks.
  • Strengthen identity and access management controls, including multi-factor authentication and regular permission reviews.
  • Regularly test incident response plans and prepare teams for cyber events before they occur.

The agencies also stress that organisations should adopt a "secure-by-design" and "secure-by-default" approach, ensuring security is embedded into systems from the outset rather than added later.

Using AI as a Defensive Tool

While attackers are increasingly leveraging AI, organisations are encouraged to use the technology to strengthen their own defences.

AI-enabled tools can assist with vulnerability detection, software quality improvement, behavioural monitoring and faster incident response. However, the agencies caution that success will not come from simply acquiring more technology. Effective cyber resilience still depends on strong governance, sound processes and getting the fundamentals right.

Acting Before Risks Escalate

The Five Eyes agencies warn that cyber risk assumptions can become outdated in a matter of months as AI capabilities continue to evolve. Organisations that delay action may face growing operational, financial and reputational risks.

For records and information professionals, the message is particularly relevant. Effective information governance, reliable records, and well-managed information assets provide a foundation for organisational resilience, helping organisations respond to incidents, demonstrate accountability and maintain trust in an increasingly AI-driven world.

As the agencies conclude, cyber resilience is no longer just an IT issue; it is fundamental to operational continuity, organisational confidence and long-term success.

Click here to read Australian Signals Directorate article.