Info Gov

The National Cyber Security has called on organisational leaders to treat cyber resilience as a core business and governance responsibility rather than a technical matter in the light of a report by the Five Eyes intelligence alliance on the "fundamental" impact of AI on the speed and scale of cyber threats.

Frontier AI models are anticipated to exceed current industry expectations within months, not years, lowering barriers for malicious actors, accelerating the exploitation of vulnerabilities, and compressing the window between vulnerability discovery and attack, the report says. It urged leaders to:

  • understand and assess risk, readiness and accountability
  • prioritise foundational cyber security practices and controls
  • empower cyber leaders with authority and resources
  • stay actively engaged as threats and guidance evolve

"A whole-of-organisation and whole-of-society response is required," the report's authors said, "Cyber risk can no longer be treated as a purely technical issue. This is a core business risk and leadership responsibility. Boards and executives should ensure cyber resilience is in place and works under pressure. It is not enough to have controls. Leaders must be confident those controls will perform during a real incident. This requires reassessing long-standing trade-offs and using AI deliberately to strengthen defence - not just improve efficiency.

The NCSC and co-signatories from the United States, Australia, Canada and New Zealand, set out a number of practical actions that organisations should use to reduce technical, operational, financial and reputational risks:

1 Reduce your attack surface: Limit unnecessary system access and external connectivity. Challenge whether systems need to be exposed at all and isolate those that do not.

2 Accelerate patching processes: AI is shortening the time between vulnerability discovery and exploitation. Delays in patching increase risk, especially for operational systems with long update cycles. Prioritise security updates accordingly to manage risks.

3 Address legacy systems: Unsupported systems are easy targets. They are not just technical debt, they are strategic liabilities.

4 Review and strengthen identity and access controls: Limit who can access critical systems. Enforce strong authentication and regularly review permissions.

5 Prepare for incidents before they happen: Test response plans, train and prepare teams, and assume breaches will occur. Focus on fast containment and recovery.

In addition to the NCSC's chief executive Richard Horne, the signatories include counterparts from the Australian Signals Directorate, Communications Security Establishment Canada, New Zealand's Government Communications Security Bureau, the US National Security Agency, and the Cybersecurity and Infrastructure Security Agency.

The full Five Eyes statement is available at www.ncsc.gov.uk/news/the-ai-shift-in-cyber-risk-why-leaders-must-act-now

Also in this section

Jul 16, 2026

Scattered Spider pair jailed over TfL hack

Two members of the Scattered Spider hacking collective have each been jailed for five and a half years at Woolwich Crown Court on 16 July over a 2024 cyber attack on Transport for London that compromised the personal data of millions of customers and cost the transport authority £39 million.
Jul 15, 2026

Government introduces mandatory data breach reporting protocol

The Cabinet Office has published a Model Action Plan setting out a single cross-government framework that all departments and arms-length bodies must follow when responding to significant personal data breaches, introducing mandatory central reporting of such incidents for the first time.
Jun 15, 2026

Government AI hackathons uncover 407 vulnerabilities across nine departments, including critical remote code execution flaw

A pilot programme using frontier AI models to scan public-sector code repositories has identified 407 security findings across nine government organisations, including a critical vulnerability that could have allowed an external attacker to execute arbitrary code on a key digital service, the Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC)…

InfoGov Masthead Newsletter 800