Five Eyes warns AI could overwhelm cybersecurity within months

Five Eyes cyber agencies warned that frontier artificial intelligence models are closing in on a point where they could overwhelm existing cyber defenses for governments and businesses, turning a risk once framed as distant into a near-term operational problem. The agencies said the timeline “is not years, it is months,” a warning that lands hardest for hospitals, utilities and public agencies that still rely on basic controls to block intrusions.

The joint statement, titled “The AI shift in cyber risk: why leaders must act now,” came from Australia, Canada, New Zealand, the United Kingdom and the United States. It says AI is already lowering the barrier for malicious actors while also giving defenders new tools, but the speed of change is outpacing many organizations’ readiness. Chris Krebs, the former CISA director, called the warning “pretty alarming,” reflecting growing concern among cyber officials that the threat is accelerating faster than many had expected.

The British government had already pushed a similar message in an April 2026 open letter to business leaders, warning that a new generation of AI models is becoming capable of finding software weaknesses and writing exploit code at a speed and scale that would have been impossible even a year earlier. In May 2026, the UK’s AI Security Institute said the length of cyber tasks AI models can complete had doubled roughly every 4.7 months since late 2024. Its frontier AI trends report said models were then completing apprentice-level cyber tasks about half the time on average, and that in 2025 the institute tested the first model able to successfully complete expert-level tasks that typically require more than 10 years of human experience.

The UK’s National Cyber Security Centre has also warned that frontier AI models are already showing results in specific steps of cyber operations, including identifying zero-days in widely used software and solving cryptographic challenges. Taken together, the warnings point to a shift in how intelligence and security agencies are treating AI: not as a future problem, but as an immediate one with consequences for critical infrastructure and private-sector networks alike.

The Five Eyes statement urges leaders to assess risk and readiness, prioritize foundational cyber controls, empower cyber leaders and treat cyber resilience as a core business strategy, not only a technical issue. That message now sits at the center of a broader race to harden defenses before AI turns common attack methods into something faster, cheaper and harder to stop.