On June 22, 2026, the cybersecurity agencies of the United States (CISA), the United Kingdom (NCSC), Australia (ASD's ACSC), Canada (CCCS), and New Zealand (NCSC-NZ) published a joint statement titled Five Eyes Cyber Security Agencies Statement. The statement is advisory in character, representing a formal coordinated government assessment that constitutes regulatory guidance to critical infrastructure operators and senior organizational leadership.
The statement assesses that the timeline for AI-driven cyber threat escalation is measured in months, not years. Frontier AI models are anticipated to exceed current industry-standard defensive assumptions and to alter both offensive and defensive cyber capabilities. The agencies direct organizations to take three actions: assess AI-driven cyber risk at board and executive level; prioritize foundational controls including patching, identity management, and incident response; and empower chief information security officers with authority and resources commensurate with the threat environment.
Critical infrastructure operators, financial institutions, telecommunications providers, and AI deployers are the primary addressees of the statement. Organizations in those sectors should treat this Five Eyes guidance as a signal of forthcoming regulatory expectations. Joint advisories from CISA, the NCSC, and peer agencies have in prior supervisory cycles preceded enforceable obligations, and the explicit urgency language in this statement amplifies that risk.
The statement does not impose specific mandatory controls or direct legal obligations. Its regulatory significance is forward-looking: all five jurisdictions' regulators are expected to scrutinize AI cyber risk governance and cyber resilience investment in forthcoming supervisory cycles. The NCSC published a companion piece, The AI shift in cyber risk: why leaders must act now, concurrently, elaborating on the technical threat assessment underlying the joint statement.
We may advise on cyber regulatory positioning across the Five Eyes jurisdictions and have a partner network with specialist counsel. Organizations reviewing their AI cyber risk posture are invited to contact us. Work we undertake includes cyber regulatory advisory, AI security governance, critical infrastructure compliance, and board-level cyber risk briefings.
Source: Five Eyes Cyber Security Agencies Statement, CISA, June 22, 2026