What happened
Australia's Department of Home Affairs issued PSPF Advisory 001-2026, a mandatory directive for all Australian government entities framing frontier AI as a vector that compresses vulnerability exploitation windows from days to hours. The advisory explicitly states agencies do not need frontier models like Claude Mythos to stay protected, and instead mandates ASD Essential Eight Maturity Level Two (user application hardening and patching) before AI adoption. Companion guidance from ACSC acknowledges AI can reduce manual security workloads but warns poorly implemented AI introduces additional risk.
Why it matters
This is the first mandatory government cybersecurity directive to explicitly frame frontier AI as a systemic risk multiplier — coining the term 'vulnerability storm' — while simultaneously requiring security fundamentals as a prerequisite gate. It establishes a sequenced model: secure fundamentals first, AI-assisted defence second, creating a compliance framework other APAC governments are likely to adopt.
Action needed
If advising Australian government entities, verify Essential Eight ML2 compliance — particularly user application hardening and patching — before any frontier AI adoption programme. Document the maturity pathway against the PSPF's six-step model for board-level reporting.