The heads of the U.S. National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and their counterparts in the United Kingdom, Canada, Australia, and New Zealand issued a rare joint statement warning that frontier AI models will “fundamentally transform both offensive and defensive cyber capabilities” — on a timeline measured in months, not years.
The Five Eyes agencies urge CEOs, boards, and insurance buyers to treat AI-accelerated cyber risk as a core business issue, not a purely technical IT concern. The statement lands as insurers report rising claim severity, growing AI-assisted business email compromise (BEC), and policy-language uncertainty around autonomous attack tools.
Read the official Five Eyes statement (PDF):
https://www.ncsc.gov.uk/sites/default/files/2026-06/Five-Eyes-cyber-security-agencies-statement-ai-shift.pdf
Coverage: ProgramBusiness · CNN · CyberScoop
What the Five Eyes Agencies Said
Signed by leaders including NSA Cybersecurity Directorate chief David Imbordino, acting CISA Director Nick Andersen, and NCSC CEO Richard Horne, the June 2026 statement titled “The AI shift in cyber risk: why leaders must act now” makes four central points:
- Frontier AI exceeds expectations — Advanced models will reshape both attacker and defender capabilities faster than most organizations have planned for.
- The exploitation window is shrinking — AI lowers barriers for malicious actors and accelerates the path from vulnerability discovery to exploitation.
- Cyber resilience is a business imperative — Operational continuity, market confidence, and long-term value depend on leadership-owned risk decisions.
- Foundational controls still matter most — Rapid patching, attack-surface reduction, access control, legacy modernization, and tested incident response remain the baseline — AI amplifies the cost of neglecting them.
The agencies did not cite classified sources in the public document, but CyberScoop notes the warning aligns with visible trends: open-source models trailing frontier labs by roughly 6–8 months, and restricted models such as Anthropic’s Fable 5 and Mythos 5 being pulled from broad access after U.S. national-security review.
Insurance and Claims Context
Industry reporting cited by ProgramBusiness highlights why the Five Eyes message matters to policyholders — not just security teams:
| Metric | Source / context |
|---|---|
| ~11% average cyber premium decline expected in 2026 | SentinelOne market outlook |
| 38% increase in cyber and technology E&O incidents (prior year) | Aon |
| ~$713,000 average global ransomware claim | Industry reporting |
| 37% rise in AI-assisted BEC with cloned executive voices | FBI IC3 2025 report |
| 40%+ of cyber claims denied | SentinelOne — mostly missing controls and notification failures, not exclusions |
Brokers note emerging policy questions: whether a “hacker” defined as a person covers AI-driven attacks, and whether insurers revisit widespread vulnerability exclusions similar to Chubb’s former language. Affirmative AI coverage is increasingly recommended even where AI-specific exclusions have not yet appeared.
Priority Actions for Leaders
The Five Eyes statement asks organizations to:
- Assess risk, readiness, and accountability at the executive level — not only in SOC dashboards.
- Prioritize foundational practices — patch velocity, MFA, least privilege, and secure-by-design procurement.
- Empower cyber leaders with budget and authority to act before incidents force reactive spending.
- Reduce attack surface — retire exposed legacy systems and limit standing admin access.
- Test incident response regularly, including ransomware and BEC playbooks with legal and communications teams.
- Integrate defensive AI carefully — threat detection, code review, and anomaly monitoring can help, but only atop solid baselines.
- Review cyber insurance — document controls insurers expect (MFA, offline backups, IR retainers) before renewal.
Attack Scenarios Accelerated by AI
The stories below are illustrative composites — not reports of a single named breach — but they reflect attack patterns the Five Eyes agencies and FBI data warn are speeding up with generative AI and frontier models.
Scenario 1: The CEO voice on a Friday wire call

A controller at a regional law firm receives a Teams message from the managing partner: “On a call — can’t talk. CFO will send wire instructions for a settlement escrow. Time-sensitive.”
Minutes later, the CFO joins a conference line. The voice, cadence, and background noise match the real CFO. The caller cites a matter number the controller recognizes — likely scraped from a prior leaked inbox or LinkedIn post.
This is AI-assisted BEC: cloned executive voice plus contextual social engineering. The FBI’s IC3 2025 report recorded a 37% increase in AI-assisted BEC incidents involving synthetic voice.
Vectors: voice cloning · executive impersonation · wire fraud · urgency bypass of callback procedures
Mitigation: out-of-band verification for every payment change, MFA on financial workflows, and DMARC-enforced mail so fake @firm.com lures fail earlier.
Scenario 2: From zero-day chatter to exploitation overnight

A managed service provider monitors CVE feeds for a popular edge appliance. Historically, they had weeks between public disclosure and mass exploitation.
With frontier AI tooling, a threat actor generates a working exploit chain, tests it against the MSP’s misconfigured customer fleet, and deploys ransomware within hours of patch Tuesday — before change windows run.
The Five Eyes statement warns AI shrinks the discovery-to-exploitation window. Defenders who patch on 30-day cycles face structural disadvantage.
Vectors: accelerated exploit development · mass scanning · ransomware · MSP supply-chain blast radius
Mitigation: critical patch SLAs measured in days, asset inventory with owner accountability, and EDR coverage on every internet-facing system.
Scenario 3: Cyber risk in the boardroom, not the server closet

A Texas auto dealer group treats cyber insurance renewal as a finance-only exercise. Premiums fell 11% industry-wide, so the CFO reduces MFA rollout funding.
After a vendor portal breach, the insurer denies portions of the claim citing missing MFA on remote admin and late breach notification — patterns SentinelOne links to 40%+ claim denials.
The Five Eyes agencies explicitly state cyber risk “can no longer be treated as a purely technical issue.” Boards that defer to IT without resourcing basics inherit operational and strategic disadvantage.
Vectors: under-resourced controls · notification failures · insurance coverage gaps
Mitigation: map insurer control questionnaires to funded projects; brief the board quarterly on AI threat velocity, not just last quarter’s ticket count.
Scenario 4: Basics beat buzzwords

An accounting firm buys an AI threat-intelligence feed but still runs unpatched VPN appliances, shared admin passwords on tax servers, and an incident response plan last tested in 2023.
When AI-driven phishing targets staff during busy season, the fancy dashboard alerts after credentials are sold. Recovery costs dwarf the AI subscription.
Five Eyes guidance is explicit: “Success will come from getting the basics right, acting quickly, and integrating cyber security into core business strategy.” Defensive AI helps only when patching, access control, and IR testing are current.
Vectors: shadow IT · stale IR plans · misconfigured remote access · credential theft
Mitigation: enforce MFA everywhere, automate patch reporting to leadership, run tabletop exercises that include wire-fraud and ransomware scenarios.
Why Texas Businesses Should Care
Law firms, CPAs, insurers, and dealerships already face BEC, ransomware, and vendor impersonation — patterns we track in WhatsApp RMM malware, FBI Kali365 OAuth theft, and Texas OAG breach reports. AI does not create new motives; it compresses timelines and lowers skill floors for attackers.
Under Texas SB 2610, documented security programs and incident readiness are increasingly tied to client trust and regulatory scrutiny — not optional IT projects.
Independent Cybersecurity Audit
We audited Five Eyes agency domains and related public infrastructure on June 23, 2026:
| Organization (Domain) | Overall | Risk Level |
|---|---|---|
| NCSC UK (ncsc.gov.uk) | 73% | Good |
| CISA (cisa.gov) | 72% | Good |
| Canadian Centre for Cyber Security (cyber.gc.ca) | 70% | Good |
| Australian Cyber Security Centre (cyber.gov.au) | 68% | High Risk |
| NSA (nsa.gov) | 60% | High Risk |
Government advisory domains score reasonably on public email authentication — separate from whether your firm enforces MFA, patching SLAs, or IR testing against AI-accelerated threats.
Audit links:
Related trackers
- Texas OAG YTD dashboard
- Healthcare AG breach tracker
- Law firm breach tracker
- Financial services tracker
- Monitoring guide
- Washington healthcare breaches (2026)
- Washington law firm breaches (2026)
- CA June roundup
- TX July roundup
- WA May roundup
- TX Parks breach
- Have I Been Pwned
- HIBP July roundup
- All trackers
Protect your organization.
Run a free Instant Cybersecurity Audit at audit.emailmenow.com — and contact EmailMeNow IT Consulting for SB 2610-aligned security programs, MFA rollouts, and incident response planning.
Sources: Five Eyes statement PDF · ProgramBusiness · CNN · CyberScoop · EmailMeNow audits — cisa.gov