Rapidly evolving AI is an urgent cybersecurity threat that business leaders must immediately address, members of the Five Eyes intelligence collaborative warned Monday.

Frontier AI models will likely “exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities. The timeline is not years, it is months,”  said an announcement from the intelligence services of the U.S., U.K. Canada, Australia and New Zealand. 

“It lowers barriers for malicious actors and increases the speed and complexity of attacks, shrinking the window between vulnerability discovery and exploitation ever more quickly.”

AI can also be used to strengthen defense, the announcement noted, urging business leaders to take immediate action to bolster their defensive postures.

Boards and executives should ensure cyber resilience “works under pressure,” the announcement said, adding that it is “not enough to have controls.”

The call from the Five Eyes partners reflects a larger environment in which government and industry leaders are contending with and speaking up about the serious threat posed by AI-fueled cyberattacks.

The U.S. Cybersecurity and Infrastructure Security Agency recently said it is now requiring federal agencies to use a prioritization triage system to determine whether some vulnerabilities must be patched in less than three days, in part based on whether they use AI.

The Trump administration also recently barred Anthropic from selling the powerful Mythos and Fable models abroad, citing national security concerns. President Trump said late last week that he no longer viewed the company as a security threat. An Anthropic spokesperson told Reuters that the two sides were still working on the issue.

Leaders must urgently reduce their attack surface by cutting off system access and external connectivity when it is not necessary, the Five Eyes announcement said. They must also pressure test whether systems need to be exposed and isolate those that do not. Patching processes must be speeded up, the announcement said, because AI is shrinking the window between vulnerability discovery and exploitation.

It is imperative that legacy systems are addressed since “unsupported systems are easy targets,” the announcement said. “They are not just technical debt, they are strategic liabilities.”

Access controls should be studied and made stronger and as few people as possible should have access to critical systems. Tough authentication methods are a must, according to the announcement.

Cyber resilience is essential in the face of the threat, according to the announcement, which recommended business leaders understand and analyze risk and give internal cyber leaders money and authority and ensure they are using “foundational cyber security practices and controls.” They also must pay close attention to evolving threats and guidance, the announcement said.

Secure-by-design and secure-by-default should become standard, according to the announcement. Leaders also can’t rely on a single solution or technology for resilience, it said.

“Defense in depth remains essential,” the announcement said.