The industry reacts to the Five Eyes call to action on AI security

While AI is often associated with sophisticated new threats, the bigger concern is how quickly it can help attackers identify vulnerabilities, craft convincing phishing campaigns, and exploit existing security gaps. In many cases, attackers don’t need new attack techniques. They simply need to find weaknesses faster than organisations can fix them.

That’s particularly concerning given Arctic Wolf’s recent State of the Cybersecurity Attack Surface Report found that one in three IT assets are either missing a critical security control or are misconfigured. As AI continues to accelerate the speed and scale of cyber threats, organisations need greater visibility across their environments and a strong foundation of security controls to reduce opportunities for attackers.

The fundamentals of cyber security haven’t changed, but the pace has. Organisations need to be able to identify, prioritise, and respond to threats quickly, because attackers are increasingly operating with AI on their side.

Jeremy Pell
ANZ country manager at Elastic

The Five Eyes statement is a direct message to Australian organisations: the window to act is closing, and AI is the reason why.

Australia’s own ACSC has co-signed this call to action, and that carries weight. This isn’t a theoretical risk assessment from overseas. It’s our own cyber security leadership telling boards and executives that the threat has fundamentally changed in nature and speed.

VIEW ALL

AI is collapsing the time between vulnerability discovery and exploitation to minutes or seconds. For Australian organisations navigating stretched security teams, legacy infrastructure, and fragmented environments, that pace is genuinely dangerous if you’re still relying on manual detection and response.

The agencies are right that this isn’t about having more tools. It’s about getting the fundamentals right and using AI deliberately to strengthen defence. That means moving towards an agentic security operations capability, where AI handles triage and enrichment at machine speed while human analysts focus on judgement and escalation.

Shane Fry
CTO at RunSafe Security

One of the most important messages in the Five Eyes warning is that AI is changing the economics and speed of cyber attacks. As AI enables adversaries to discover and exploit software weaknesses faster, organisations can no longer depend exclusively on patch cycles and vulnerability management. The window between discovery and exploitation is shrinking to the point where remediation alone may not keep pace.

This is particularly concerning for embedded systems, operational technology and critical infrastructure environments, where patching can take months or years and systems often remain in service for decades. The focus must shift from simply identifying vulnerabilities to making them unusable to attackers. Resilience and vulnerability mitigation need to become foundational design principles because the AI era rewards attackers that can move faster than defenders.

Australia has strong cyber security foundations. The question the ACSC is asking is whether we’re building on them fast enough.

Cornelius Mare
Chief information security officer, Australia, at Fortinet

As the threat landscape evolves, so too must the baseline required to protect critical infrastructure. It will be important to define a baseline that supports safe adoption of emerging technologies and AI, with more context-aware frameworks that help secure critical infrastructure and Australian businesses.

Gary Barlet
Public sector CTO at Illumio

The idea that the threat was somehow going to be slowed because models like Mythos weren’t broadly released was always wishful thinking. Whether it’s Mythos, Fable, or the next frontier model, it isn’t a matter of if these capabilities become widely available; it’s when. The Five Eyes warning is a wake-up call that AI is about to dramatically accelerate the speed, scale, and sophistication of cyber attacks, lowering barriers for adversaries and giving them capabilities that were once limited to highly skilled actors.

What worries me is that too many organisations still think they can patch their way out of this problem. We couldn’t keep up before AI, and we certainly won’t keep up after it. Attackers have always had the upper hand because they don’t operate under the same constraints as defenders, and that’s even more true in the age of AI. It’s time for organisations to stop treating a breach as a possibility and start treating it as an inevitability.

Martyn Beal
Federal Government Lead, ANZ at TrendAI

The Five Eyes cyber agencies have issued a rare and timely warning: AI is collapsing the time between vulnerability and exploitation from years to months. What once took years can now happen in a matter of months, fundamentally changing the risk landscape for government agencies, critical infrastructure operators and businesses alike.

Cyber security can no longer be viewed as solely an IT issue. It is now a Board-level and Executive Leadership priority because the consequences of a successful attack extend far beyond technology, impacting operations, reputation, public trust and national resilience.

The agencies’ advice is refreshingly practical: get the basics right: shrink your attack surface, patch faster, retire legacy systems, tighten identity controls, and assume breaches will happen. But they add a sharper edge: defenders must use AI as deliberately as attackers do.

There are four core principles that ground a robust AI security strategy: gaining visibility into AI usage, systems, and how agents interact across environments, understanding the context and intent behind those interactions, enforcing policy and control over usage and agent-driven actions, and introducing human oversight at critical decision points.

The organisations that will succeed are not necessarily those with the most security tools, but those that can move fastest to identify risk, respond to threats and build resilience. In the age of AI, speed has become one of the most important security controls.

Frances Zelazny
General Manager, New Market Innovations at Prove

Agentic AI and digital credentials are genuinely exciting, but the identity foundation underneath them remains dangerously inadequate. Passwords are still everywhere. OTPs are still trusted. Organisations that still cannot answer the most basic question: Do I actually know who is on the other side of this interaction?

The Five Eyes statement is the geopolitical expression of this. The single biggest leverage point to addressing the problem is identity. Who and what is accessing your systems, continuously and verifiably, is the control that either holds or collapses under AI-powered attack.

So what happens now?

Eliminate phishable credentials from your authentication stack. Passwords, OTPs, push notifications - get rid of them. These are the attack surfaces that AI is now supercharging. Privacy-preserving biometrics bound to trusted devices dramatically changes the equation. Then use intelligence and dynamic signals to augment. We need a layered, multi-signal approach.

Get serious about non-human identities. Every AI agent operating in your environment needs a governance framework that can verify who authorized it, what it is permitted to do, and whether it is still within scope. These agents should have bound tokens that can be audited and traced back to a human.

Treat identity as the control plane for everything else. Faster patching matters. Upgrading legacy systems matters. But if you cannot continuously verify the identity of the humans and machines touching your infrastructure, the rest is perimeter security against an adversary that has already learned to move inside your walls.

The Five Eyes intelligence alliance said it’s time to act now. The window to build the right foundation is narrowing faster than most organisations realise.