On June 22, 2026, the intelligence alliance known as Five Eyes released a statement warning that frontier AI models will fundamentally transform offensive and defensive cyber capabilities, and that the timeline for this transformation is measured in months, not years.
Five Eyes is an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom, and the United States. The alliance’s cyber security agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the UK’s National Cyber Security Centre (NCSC), and their counterpart agencies, coordinate on cyber threat intelligence sharing and issue joint guidance to protect critical infrastructure and private sector organizations across member nations.
Five Eyes emphasized that AI is “not a future consideration—it is already here.” They warned that AI lowers barriers for malicious actors, increases the speed and complexity of attacks, and shrinks the window between vulnerability discovery and exploitation. However, at the same time, Five Eyes acknowledged that AI offers powerful tools to strengthen defense, including detecting vulnerabilities earlier, improving software quality, responding faster to security incidents, and monitoring unusual behavior.
The warning arrives against a backdrop of growing unease over frontier AI models like Anthropic’s Mythos, which have demonstrated the ability to carry out intricate cyber operations at remarkable speed. Just weeks before the Five Eyes statement, Anthropic disabled its Mythos 5 and Fable 5 AI models after U.S. officials directed the company to block foreign-national access, citing national security considerations.
The statement outlines several practical actions for organizations to implement immediately:
- Reduce your attack surface: Restrict system access and external connectivity to only what is genuinely necessary.
- Accelerate patching processes: Because AI tools are shrinking the gap between when a flaw is discovered and when it is exploited, organizations must prioritize security updates to manage risk.
- Address legacy systems: Unsupported technology presents an attractive target for attackers and should be viewed as a strategic liability.
- Review and strengthen identity and access controls: Restrict permissions to critical systems, require robust authentication, and regularly review user access permissions.
- Prepare for incidents before they happen: Test incident response plans and operate under the assumption that a security incident will happen. Emphasis should be placed on rapid containment and recovery.
For additional information on the challenges frontier AI models present for general counsel, see our recent post here: 5 Risks GCs Should Know About Frontier AI.
