The cyber security agencies of the Five Eyes intelligence alliance issued a joint statement on June 22 telling corporate boards that frontier A.I. is about to transform offensive hacking, and that “The timeline is not years, it is months.” The signatories, CISA and the NSA in Washington, the National Cyber Security Centres in London and Wellington, the Canadian Centre for Cyber Security, and the Australian Signals Directorate, rarely speak in one voice on a forward-looking technology question. When they do, it’s usually because the intelligence picture has already shifted.

“Frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities,” the statement reads. “Adversaries are already using AI to move faster and more effectively. Defenders must do the same.”

The five recommended actions that accompany the warning, assess risk, prioritise foundational controls, empower cyber leaders, build defence in depth, prepare for breaches, are described by the agencies themselves as “not new” but “now urgent.” The Register noted, fairly, that vendors have been telling boards roughly this for a decade. The novelty isn’t the checklist; it’s the time horizon attached to it.

The context sharpens the message. The U.S. government recently prohibited the export of Anthropic’s Claude Mythos and Fable models to foreign nationals on national-security grounds, and Anthropic subsequently withdrew Fable 5, which it had positioned as a public-facing release with stronger safeguards than the restricted Mythos 5. Security researchers responded with an open letter arguing that export controls disadvantage defenders while adversaries continue building comparable capabilities through older commercial releases, open-source forks, and black-market channels. CyberScoop’s reporting confirms the same picture from the research community: exploit-capable models are already in circulation.

That’s the structural anxiety underneath the Five Eyes language. The agencies identified the weaknesses A.I.-augmented attackers will exploit first, legacy systems, slow patching cycles, unnecessary internet exposure, weak identity controls, and an absence of pre-incident planning. None of these are exotic. They describe most Fortune 500 networks. Computer Weekly framed the deeper worry plainly: hostile states, China, Russia, Iran, and North Korea, may close the capability gap with Western laboratories and acquire offensive tools beyond anything available today.

What’s being communicated, then, is less a forecast than an admission. The defensive posture the West built around export controls assumes a capability moat. The Five Eyes statement is what it looks like when the agencies that maintain that moat stop assuming it’ll hold.

Sources