Skip to main content

Five Eyes warn of the “AI shift” in cyber risk — what public sector leaders must do next

The Five Eyes cyber security agencies have issued a rare, aligned warning: AI is accelerating the scale, speed and accessibility of cyber threats, and leaders must respond now.

Author avatar
Ross Ashman 24 June 2026 · 5 min read
Like Comment
Five Eyes warn of the “AI shift” in cyber risk — what public sector leaders must do next


The Five Eyes cyber security agencies don’t issue joint statements lightly. When they align publicly, it’s a signal that the threat environment has shifted in a way that can’t be handled by incremental change or business-as-usual controls.

Their latest message - “The AI shift in cyber risk: why leaders must act now” - is exactly that kind of signal. AI is accelerating cyber risk in three ways that matter to leaders: it increases the speed of attacks, the scale of targeting, and the accessibility of sophisticated techniques. In plain terms: more adversaries can do more damage, faster, with less effort.

For government leaders, this isn’t a call to chase novelty. It is a call to raise the baseline and to treat cyber resilience as an executive accountability issue. The organisations that will succeed in the AI era won’t be the ones that “adopt AI” first. They will be the ones that can prove their foundations are strong enough to withstand AI-enabled threats.


Why this statement matters (and why it matters now)

Every year brings a new cyber headline. That volume can create “trend fatigue” - a sense that the answer must be yet another product, or that the problem is too big to meaningfully shift.

A Five Eyes statement cuts through that noise because it represents a rare alignment across multiple national agencies and operating environments. It is, effectively, an agreed view from the most cyber-exposed governments in the world on what is changing and what must be prioritised.

The message is also clear about what AI does and doesn’t change:

  • AI does not replace good cyber fundamentals. If identity is weak, if patching is inconsistent, if incident response is untested, AI-enabled attackers will exploit those gaps at higher speed.
  • AI does raise the bar on operational maturity. The pace of modern attacks means response time, decision-making, and coordination become the decisive factors - not just policy, and not just tools.


What PSN sees across Five Eyes: strategies differ, but the control agenda converges


At PSN, we work across NAM and ANZ markets and spend every week in rooms with public-sector leaders - from agency security teams to critical infrastructure operators and whole-of-government coordination bodies.

When we compare what leaders are experiencing with what national strategies are demanding across the UK, US, Canada, Australia and New Zealand, the pattern is consistent: different jurisdictions have different governance models and regulatory posture, but they converge on a shared control agenda.

Across Five Eyes, five themes repeatedly surface as the outcomes governments will be measured on:

  1. AI in cyber (offence and defence). Governments increasingly treat AI as both an adversary accelerator and a defensive capability — which means executive oversight must keep pace with operational reality.
  2. Identity, supply chain, and legacy technology. These remain the primary control surfaces. AI simply increases the rate at which weaknesses are discovered and exploited.
  3. Critical infrastructure and operational technology (OT). The focus on essential services is intensifying, and “resilience” is becoming a requirement, not an aspiration.
  4. Post-quantum readiness. The long-dated nature of the risk is no excuse for delay. “Harvest now, decrypt later” is a board-level data protection issue, not a cryptography niche.
  5. Workforce, skills and resilience culture. Every strategy includes a talent pillar for a reason: sustainable security performance is built through people, operating rhythm and accountability.


The commercially important split: one story, two market talk tracks

Five Eyes alignment does not mean uniform market posture.

One of the most important insights for leaders and suppliers operating across markets is that the US is moving in a different direction to ANZ/Canada/UK on regulation and compliance posture. The US framing leans toward risk-based approaches and reducing burdensome compliance, paired with a stronger sovereignty and “secure the technology stack” agenda. In ANZ, Canada and the UK, the direction is toward rising obligation, critical-infrastructure regulation, and compliance deadlines that create urgency.

For public-sector leaders, the implication is straightforward: the “why” is consistent (AI accelerates risk), but the how you operationalise cyber uplift will vary depending on your market’s obligation model, procurement mechanisms and assurance requirements.

For technology and services partners, it means one narrative will not land everywhere. The most credible organisations will tailor their messaging to local accountability: assurance and obligations in ANZ/Canada/UK; agility and risk-based outcomes in the US.


What leaders should do next: a practical 90-day agenda

The Five Eyes statement is urgent, but it can still be translated into a clear near-term agenda. Here is the practical version: what should a CEO, Deputy Secretary, CIO, CISO or agency head expect to see progress on in the next 90 days?


1) Treat identity as the front door

If attackers can obtain credentials and escalate privileges, they can move faster than any response team. Identity is now the primary battleground in the AI era.

Leaders should ask for:

  • A clear plan for privileged access management and administrative account reduction
  • Strong conditional access controls and MFA enforcement for high-risk pathways
  • A tested identity recovery capability (because resilience is not just prevention)


2) Prove operational resilience, not just policy compliance

AI-enabled attacks reward speed. That means incident response cannot be theoretical.

Leaders should ask for:

  • Evidence of recent incident rehearsal (tabletop and technical)
  • Confirmation that backups and recovery processes are tested, not assumed
  • Clear metrics: time to detect, time to contain, time to recover


3) Make “secure-by-design procurement” real

Cyber outcomes are increasingly shaped by what governments buy, how they buy it, and how suppliers are held accountable.

Leaders should ask for:

  • A short list of enforceable security requirements embedded into procurement templates
  • Supply-chain and third-party risk checks that are proportionate, consistent and auditable
  • A focus on reducing the attack surface, not expanding the compliance artefacts


4) Start post-quantum preparedness now

Post-quantum cryptography is a transition program, not a single product decision. Waiting until a deadline appears will create a costly and risky scramble.

Leaders should ask for:

  • An inventory of cryptographic dependencies across critical systems and vendors
  • A staged migration pathway aligned to criticality and data sensitivity
  • A policy position on long-lived sensitive data (what must remain confidential for 10+ years)


5) Strengthen the “human firewall” for AI-era social engineering

Phishing and social engineering remain the most persistent threats - and AI makes them more convincing, targeted and scalable.

Leaders should ask for:

  • Training that explicitly covers deepfakes, AI-driven impersonation and high-trust fraud
  • A “report-first” culture and safe escalation pathways
  • Clear controls for payments, approvals and sensitive data release


What PSN hears in the room: the signal is consistent

Across PSN’s event intelligence and polling, a consistent set of constraints appears:

  • Leaders recognise AI as the dominant accelerant, but they still prioritise foundational uplift because that is what determines outcomes.
  • Ransomware remains the disruptive threat most leaders fear operationally - not because it is new, but because it tests resilience, governance and continuity under pressure.
  • Funding and people constraints are persistent. The winning strategy is staged uplift with measurable progress, not large transformation programs that never land.

The implication is important: a credible AI-era cyber posture is built through operating rhythm - what gets reviewed, measured, rehearsed and improved continuously - not a one-off technology refresh.

If there is one takeaway for public-sector executives, it is this:

AI will amplify whatever foundations you already have. Strengthen those foundations now - and you will be ready for what comes next.


Join the Cyber Security Community HERE.

Communities

Data, Analytics and AI

Regions

Australia Australia Canada Canada New Zealand New Zealand United Kingdom United Kingdom United States United States

Published by

Ross Ashman CEO, Public Sector Network
Essential

We use cookies to keep you signed in. Optional cookies help us improve the site. Privacy policy

Preferences saved.