The intelligence agencies of the United States, United Kingdom, Canada, Australia and New Zealand are sounding a collective alarm: artificial intelligence is moving fast enough to fundamentally change what cyberattacks look like, and the window to prepare is closing. In a joint statement issued Monday, the Five Eyes partnership warned that frontier AI models will likely exceed current industry expectations, and that the timeline for this shift is “not years, it is months.”
The statement pulls no punches. AI lowers the bar for malicious actors, speeds up attacks, and shrinks the time between when a vulnerability is discovered and when it gets exploited. That last point is especially concerning for security teams, which already struggle to patch fast enough. With AI in the hands of attackers, that challenge gets significantly harder.
At the same time, the agencies were clear that AI can also be used defensively. The message was not that AI is purely a threat, but that organizations cannot afford to wait and see how things unfold.
The joint warning fits into a broader pattern of urgency from both government and industry. The U.S. Cybersecurity and Infrastructure Security Agency recently announced it is now requiring federal agencies to use a triage system that, in some cases, mandates patching within three days, partly based on whether a vulnerability involves AI. The Trump administration also recently moved to block Anthropic from selling its Mythos and Fable models abroad over national security concerns, though President Trump said last week he no longer considered the company a threat. An Anthropic spokesperson told Reuters the two sides were still working through the issue.
So what are the Five Eyes agencies actually asking business leaders to do? The statement lays out several concrete steps:
- Cut off system access and external connectivity when it is not needed, and pressure test what actually needs to be exposed
- Speed up patching processes, given how quickly AI is narrowing the exploitation window
- Address legacy systems, which the statement calls “not just technical debt” but “strategic liabilities”
- Tighten access controls so that as few people as possible can reach critical systems, and enforce strong authentication
- Give internal cybersecurity leaders both budget and authority
- Adopt secure-by-design and secure-by-default practices as standard, not optional
The statement also stressed that cyber resilience needs to work under pressure. Having controls in place is not enough if those controls fall apart when they are actually tested. The agencies called for genuine defense in depth, meaning organizations should not rely on any single solution or technology to keep them safe.
For businesses still treating cybersecurity as a compliance checkbox, the Five Eyes statement is a direct challenge to that approach. The threat environment is changing at a pace that demands real investment and real accountability at the board and executive level. The agencies are not suggesting that AI-fueled attacks are coming eventually. They are saying the clock is already running.