What happened
The heads of the Five Eyes cybersecurity agencies (NCSC/UK, CISA/US, ASD/Australia, CSE/Canada, GCSB/New Zealand) issued a joint public statement on 22 June 2026, signed by all five directors. The statement declares AI is already transforming cyber risk — accelerating attack speed, lowering barriers for malicious actors, and shortening the vulnerability-to-exploit window — and calls on organisational leaders to act now. Key directives: reduce attack surface, accelerate patching, address legacy systems, strengthen identity and access controls, and actively integrate AI into defensive operations. A companion PDF was published on the NCSC website.
Why it matters
This is the highest-authority collective statement on AI-driven cyber risk issued to date, co-signed by the acting director of CISA and the NSA Cyber Directorate head. It formally elevates AI risk to a board-level leadership responsibility — not an IT matter — and signals that Five Eyes agencies are aligned on the urgency and the practical controls required. The statement warns that frontier AI timelines are 'months, not years' and calls secure-by-design a requirement, not aspiration.
Action needed
Boards and executives should review the five practical actions in the statement immediately: reduce attack surface, accelerate patching, remediate legacy systems, strengthen identity/access controls, and prepare incident response. Integrate AI-enabled defensive tools into security operations.