Five Eyes agencies say AI forces cyber risk rethink as experts label advice too generic and late

Five Eyes agencies warn that AI-accelerated cyberattacks leave businesses months, not years, to adapt. Critics say the advisory is too generic and years too late.

Published on: Jun 23, 2026

A coalition of Five Eyes intelligence agencies is telling business leaders to rewrite their cyber risk strategies because threat actors are using AI to accelerate attacks, a warning that some cybersecurity experts dismiss as too general and years too late. The joint statement, issued Monday by agencies from the US, UK, Canada, Australia and New Zealand, argues that organizations have months, not years, to adapt before offensive AI capabilities outstrip defenses.

"Frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities. The timeline is not years, it is months," the advisory said. It framed cyber resilience as integral to business continuity, market confidence and long-term value.

A call to act now

The Canadian Centre for Cyber Security told CSO that the statement was triggered by "real, recent shifts in how AI tools are being used, including to speed up the discovery and exploitation of vulnerabilities." It added, "as these capabilities become more accessible, the risk is no longer theoretical."

The agencies urged executives to move cyber risk out of the purely technical domain and treat it as a core business responsibility. "Boards and executives should ensure cyber resilience is in place and works under pressure," the statement said. "It is not enough to have controls. Leaders must be confident those controls will perform during a real incident."

For leaders grappling with the speed of change, the message is blunt: waiting narrows the window to respond. The advisory calls on organizations to embed secure-by-design and secure-by-default principles as standard IT practice, implement defense in depth, and prepare for an onslaught of new zero-day vulnerabilities.

What the agencies recommend

The practical actions listed are familiar: reduce attack surface, accelerate patching, address legacy systems, strengthen identity and access controls, and rehearse breach containment. "These actions are not new," the agencies acknowledged, "but are now urgent to reduce not only technical risk, but also operational, financial and reputational exposure."

Defenders are also told to use AI deliberately to strengthen enterprise defenses, not just chase efficiency gains. The overarching demand is that AI for Executives & Strategy must become a boardroom discipline, tied directly to business risk management rather than siloed in IT.

Experts push back

The advisory landed with a thud among several prominent cybersecurity experts. Joseph Steinberg, a US-based cybersecurity and AI advisor, called it "a generic statement that states the obvious, and, quite frankly, does not provide meaningful guidance about addressing AI risks." He pointed out that four of its five recommended actions don't mention AI and were best practices long before generative AI emerged. The statement, he said, should have detailed AI's transformation of social engineering, its reconnaissance power, and the data-leakage risks when employees feed sensitive information into AI tools.

Rob Enderle, head of the Enderle Group, was more measured but said the warning is "incredibly late. AI-driven threats and deepfakes have been heavily impacting corporate landscapes for some time now." Still, he credited the guidance as a "critical wake-up call" that correctly frames AI-altered threats as a top-level business continuity issue. "CSOs, CIOs, and CEOs all must be aligned and actively involved," he said.

Ilia Kolochenko, CEO of ImmuniWeb, argued the agencies should have issued the call in late 2023. "Careless implementation and imprudent use of legitimate AI systems is a much bigger threat than any misuse of AI," he said. He noted that corporate leaders, driven by fear of missing out, often deploy AI systems without informing their CSO or conducting a risk assessment, introducing "countless new attack vectors."

A CISA spokesperson, asked about complaints that the joint statement was too generic, directed reporters to the agency's artificial intelligence guidance website, which houses resources on AI data security and secure-by-design principles.

Why this matters for executives and strategy

AI is compressing attack timelines and giving criminals cheaper, faster ways to find exploitable weaknesses. For senior leaders, the takeaway is not that the checklist has changed (most recommended actions are familiar) but that the consequences of delay now register in weeks, not quarters. Treating cyber risk as a core business continuity issue, with direct oversight from the CEO and board, is the point where the Five Eyes statement and its critics converge. The risk is no longer confined to the SOC; it sits in the boardroom, connected to market confidence, brand trust and investor expectations.

