The Five Eyes intelligence alliance has issued a joint warning that the next generation of artificial intelligence is poised to supercharge offensive hacking, and that the window to prepare for it is closing fast.
In a coordinated statement, the agencies of the United States, the United Kingdom, Canada, Australia, and New Zealand said urgent action was needed, and put a strikingly short clock on the threat.
“Frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities,” the statement read. “The timeline is not years, it is months.”
The agencies went on to warn that AI models capable of causing serious cyber harm are themselves only “months away” from being publicly available, a compression of the usual government risk horizon into something close to the present tense.
Much of what the alliance flagged is the unglamorous machinery of how organisations get breached.
The 💜 of EU tech
The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!
The statement singled out legacy systems, slow patching cycles, unnecessary internet connectivity, weak identity and access controls, and a lack of pre-incident planning as the weaknesses that more capable AI will be quick to find and exploit.
None of these are new problems; the argument is that AI will industrialise the exploitation of them, shrinking the time between a vulnerability becoming known and an attacker reaching it from weeks to something far shorter.
A flaw that once took a skilled human team days to weaponise, the agencies suggest, could soon be turned into a working exploit by a model in a fraction of that time.
That much of the underlying advice is familiar was, in a sense, the point. The bulk of the statement restated core cybersecurity hygiene, patch quickly, do not put systems online unless you need to, lock down who can reach what, the sort of guidance defenders have heard for years.
The agencies also pressed defenders to turn the same technology back on the problem, urging organisations to use AI “to strengthen defence,” for example by finding weaknesses sooner or responding to incidents faster.
That framing mirrors a year in which the line between attacking and defending tool has grown thin: Google researchers used an AI system to surface a live zero-day exploit, and Anthropic has documented models that can uncover serious software vulnerabilities of the kind that keep banks awake.
The warning lands amid a broader scramble to organise defences before the capability gap widens. Governments and vendors have been signing cross-border cyber partnerships, and the criminal use of AI is already visible at the edges, with researchers tracking AI-assisted crypto thefts attributed to North Korean operators.
The Five Eyes statement effectively tells the rest of the field that the same tooling is about to become broadly available.
The alliance was sounding an unusually loud siren while pointing organisations back towards basic discipline, an acknowledgement that most damage still flows through doors that were left unlocked.
What the statement did not include was a fixed deadline or any regulatory mechanism, leaving the response to individual organisations and national agencies. Nor did it name particular AI labs or models, keeping the warning general rather than singling out any developer.
For defenders, the practical takeaway is uncomfortable in its simplicity: the advice has not changed, but the time to act on it, by the alliance’s own reckoning, is now measured in months rather than years.
Get the TNW newsletter
Get the most important tech news in your inbox each week.