============================================================
TITLE: Five Eyes AI Cyber Security Statement | Insicon Cyber
TYPE: article
VERSION: 2
VERSION_ID: 9740c59d-25e7-4675-9ca5-f52deca2f510
GENERATED_AT: 2026-06-29T05:10:15.720Z
SUMMARY: The Five Eyes cyber security statement of 22 June 2026 explained for Australian and New Zealand boards and executives. What it says, what it requires, and how to respond.
READING TIME: 23 min
WORD COUNT: 4410
KEYWORDS: Five Eyes AI Cyber Security Statement, Insicon Cyber
SOURCE URL: https://insiconcyber.com/five-eyes-ai-cyber-security-statement
============================================================

KEY TAKEAWAYS:
  * Who signed the Five Eyes statement
  * What the Five Eyes statement says
  * The four key themes of the Five Eyes statement
  * The five practical actions the Five Eyes agencies require
  * Common questions about the Five Eyes AI cyber security statement

Five Eyes Cyber Security Statement
Five Eyes AI Cyber Security Statement: What It Means
Issued 22 June 2026  |  Source: ASD Australia →
The heads of Australia's ACSC, New Zealand's NCSC, the UK NCSC, CISA, and NSA issued a joint statement on 22 June 2026. The message to boards and executives was unambiguous: frontier AI is already transforming cyber risk, the timeline is months not years, and those who delay will face growing and avoidable risk.
See how Insicon Cyber can help

Who signed the Five Eyes statement

Stephanie Crowe
Head, Australian Cyber Security CentreAustralian Signals Directorate
Australia

Catriona Robinson
Head, National Cyber Security CentreGovernment Communications Security Bureau
New Zealand

Richard Horne
CEO, National Cyber Security CentreGovernment Communications Headquarters
United Kingdom

Rajiv Gupta
Head, Canadian Centre for Cyber SecurityCommunications Security Establishment
Canada

Nick Andersen
Acting DirectorCybersecurity and Infrastructure Security Agency (CISA)
United States

David Imbordino
Director, Cyber Security DirectorateNational Security Agency
United States

What the Five Eyes statement says
The Five Eyes cyber security agencies joint statement of 22 June 2026, titled "The AI shift in cyber risk: why leaders must act now," is a direct instruction from the intelligence and cyber security heads of Australia, New Zealand, the United Kingdom, Canada, and the United States. It is not a policy document or an advisory. It is a unified call to action addressed to boards and executives across industry.
The central argument is straightforward. Frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities. The timeline is not years. It is months. Adversaries are already using AI to lower the barriers to attack, automate reconnaissance, and shrink the window between vulnerability discovery and exploitation. Defenders must respond in kind.
The statement is explicit that cyber risk can no longer be treated as a purely technical issue. It is a core business risk and a leadership responsibility. Boards and executives are expected to ensure cyber resilience is in place and works under pressure. Having controls on paper is not sufficient. Leaders must be confident those controls will perform during a real incident.
For Australian and New Zealand organisations, the statement carries the authority of two signatory agencies directly: ACSC (Australian Signals Directorate) and NCSC (Government Communications Security Bureau, New Zealand). It also arrived within weeks of APRA's April 2026 AI letter and ASIC's May 2026 open letter, creating a convergent regulatory and intelligence signal that boards in both countries cannot reasonably set aside.

The four key themes of the Five Eyes statement
The statement organises its call to action around four interconnected themes. Each has direct implications for how boards in Australia and New Zealand should approach cyber governance.

Theme 01
Frontier AI is accelerating the threat timeline
Frontier AI models are expected to exceed current industry expectations and fundamentally transform both offensive and defensive cyber capabilities within months, not years. AI lowers the barriers for malicious actors, increases the speed and complexity of attacks, and shrinks the window between vulnerability discovery and exploitation. Organisations cannot afford to treat this as a future consideration.

Theme 02
Cyber risk is a board responsibility, not an IT problem
The statement is unambiguous: cyber risk is a core business risk and a leadership responsibility. Boards and executives must ensure cyber resilience is in place and will perform under real incident pressure. Having controls on paper is not enough. The statement calls for a whole-of-organisation and whole-of-society response to AI-driven cyber risk.

Theme 03
Secure-by-design must become standard practice
Secure-by-design and secure-by-default must move from aspiration to standard practice. Resilience cannot depend on a single solution or technology. Defence in depth remains essential. As AI systems evolve, new and previously unknown vulnerabilities will emerge, including zero-day vulnerabilities. Breaches will occur. Preparedness determines whether they become operational crises or contained incidents.

Theme 04
AI must be used deliberately to strengthen defence
Adversaries are already using AI to move faster and more effectively. Defenders must do the same. Organisations that integrate AI tools into their security operations can detect vulnerabilities earlier, improve software quality, monitor unusual behaviour, and respond faster to incidents. Success will not come from having the most tools. It will come from getting the basics right and integrating cyber security into core business strategy.

The five practical actions the Five Eyes agencies require
The statement sets out five specific actions described as not new, but now urgent. Each reduces not only technical risk but also operational, financial, and reputational exposure. Australian and New Zealand organisations should assess their current position against each.

1

Reduce your attack surface
Limit unnecessary system access and external connectivity. Challenge whether systems need to be exposed at all and isolate those that do not. Many Australian and New Zealand organisations have accumulated significant external exposure through digital transformation and cloud adoption without systematically reviewing whether that exposure is necessary or governed.

2

Accelerate patching processes
AI is shortening the time between vulnerability discovery and exploitation. Delays in patching increase risk, especially for operational systems with long update cycles. ASIC's May 2026 letter made the same point directly: patch systems promptly, recognising that AI is accelerating vulnerability discovery and exploitation. This is now a convergent expectation from both intelligence agencies and financial services regulators in Australia.

3

Address legacy systems
Unsupported systems are easy targets. They are not just technical debt, they are strategic liabilities. For Australian organisations in aged care, healthcare, and financial services, legacy infrastructure is often embedded in critical operational workflows. The statement is clear that the risk profile of these systems must be actively managed, not deferred.

4

Review and strengthen identity and access controls
Limit who can access critical systems. Enforce strong authentication and regularly review permissions. APRA's April 2026 letter extended this expectation specifically to non-human actors: identity and access management must now account for AI agents as well as human users. Organisations that have not yet addressed non-human identity are behind both the intelligence guidance and the prudential regulatory expectation.

5

Prepare for incidents before they happen
Test response plans, train and prepare teams, and assume breaches will occur. Focus on fast containment and recovery. ASIC's 26-092MR letter reinforced this directly: entities must actively prepare for cyber incidents, respond promptly and effectively when they occur, and recover in a way that restores critical services, minimises harm, and strengthens future resilience. Plans that have not been tested are not plans. They are documents.

Common questions about the Five Eyes AI cyber security statement

What is the Five Eyes cyber security statement of June 2026?
The Five Eyes cyber security agencies statement was issued on 22 June 2026 by the heads of the cyber security agencies of Australia, New Zealand, the United Kingdom, Canada, and the United States. It is titled "The AI shift in cyber risk: why leaders must act now." The statement is a joint call to action directed at boards and executives across industry, warning that frontier AI models are already transforming both offensive and defensive cyber capabilities and that the timeline for organisations to respond is months, not years.
Full statement: ASD/ACSC →

What does the Five Eyes statement require boards to do?
The Five Eyes statement requires boards and executives to ensure cyber resilience is in place and will perform under real incident pressure. Specifically it calls on leaders to:

Understand and assess risk, readiness, and accountability
Prioritise foundational cyber security practices and controls
Empower cyber leaders with authority and resources
Stay actively engaged as threats and guidance evolve

For Australian boards, this sits alongside APRA's April 2026 AI governance requirements and ASIC's requirement that its May 2026 letter be tabled and discussed at the ultimate board and risk governance committees of every AFS licensee.

What does the Five Eyes statement mean for New Zealand organisations?
The statement was signed by Catriona Robinson, Head of the National Cyber Security Centre at New Zealand's Government Communications Security Bureau. For New Zealand organisations, it carries direct authority from the national cyber security agency. The NCSC is the signatory and host of the PDF on ncsc.govt.nz. New Zealand organisations subject to NZISM, the NZ Privacy Act 2020, or sector-specific frameworks from the Reserve Bank should treat the statement as a direct expression of GCSB and NCSC expectations on AI-driven cyber risk management. The statement aligns with and reinforces NZISM requirements for risk-based security management and incident preparedness.

What do the Five Eyes agencies mean by frontier AI?
In the context of the Five Eyes statement, frontier AI refers to the most advanced large language models and agentic AI systems currently being developed and deployed. These are models anticipated to exceed current industry expectations in capability, fundamentally transforming both offensive and defensive cyber capabilities. The statement references these models as enabling adversaries to automate reconnaissance, generate more convincing social engineering, discover vulnerabilities faster, and execute attacks at greater scale and speed than was previously possible. APRA's April 2026 letter named specific frontier models in the same context, noting the need for a step change in cyber practices in response to their capabilities.

How does the Five Eyes statement relate to the APRA and ASIC letters of 2026?
The three instruments are complementary and convergent. APRA's letter of 30 April 2026 set explicit governance, assurance, and cyber security expectations for all APRA-regulated entities, with an enforcement signal. ASIC's letter of 8 May 2026 required tabling at every AFS licensee board and cited the FIIG Securities penalty as the baseline for what inadequate governance looks like under enforcement. The Five Eyes statement of 22 June 2026 then provided the intelligence context: the threat environment that both regulators were responding to is real, accelerating, and already here. Together the three instruments form the most significant convergent regulatory and intelligence signal on AI-driven cyber risk that Australian and New Zealand organisations have received.

APRA letter (30 April 2026): apra.gov.au →
ASIC 26-092MR (8 May 2026): asic.gov.au →
Five Eyes statement (22 June 2026): ncsc.govt.nz →

What does secure-by-design mean in the Five Eyes statement?
The Five Eyes statement calls for secure-by-design and secure-by-default to become standard practice, not an aspiration. Secure-by-design means that security controls are built into systems, products, and processes from the outset rather than added after deployment. Secure-by-default means that out-of-the-box configurations are the most secure available, rather than requiring deliberate configuration to achieve security. For Australian and New Zealand organisations this means security requirements must be embedded in procurement, development, and change management processes, not treated as a separate workstream or post-deployment audit activity. The ASD's Essential Eight and ISO 27001 provide practical frameworks for implementing secure-by-design principles across information security controls.

How should Australian and New Zealand organisations respond to the Five Eyes statement?
The statement itself provides the answer: get the basics right, act quickly, and integrate cyber security into core business strategy. In practical terms for Australian and New Zealand organisations this means:

Tabling the statement and the APRA and ASIC letters at the board, with a clear agenda item on AI-driven cyber risk
Conducting a gap assessment against the five practical actions in the statement
Reviewing identity and access management for both human and non-human actors, including AI agents
Validating that incident response plans have been tested, not just documented
Assessing whether AI is being used to strengthen defensive security operations, not just for efficiency
Ensuring AI governance frameworks are in place and independently validated, consistent with APRA's expectations

Insicon Cyber works with Australian and New Zealand organisations across all of these areas through our AI Security and Governance practice. Talk to us about your response →

The companion regulatory instruments: APRA, ASIC, and ASD
The Five Eyes statement does not stand alone. Three other instruments issued in 2026 form a converging set of expectations for Australian and New Zealand boards.

30 April 2026
APRA Letter to Industry on Artificial Intelligence
APRA Executive Board Member Therese McCarthy Hockey set explicit AI governance, cyber security, supplier risk, and assurance expectations for all APRA-regulated entities. Includes an enforcement signal. Covers $9.8 trillion in Australian prudential assets.
Read the APRA letter →

8 May 2026
ASIC Open Letter 26-092MR on Frontier AI
ASIC Commissioner Simone Constant required this letter be tabled at the board and risk governance committees of every AFS licensee and market participant. Cites the FIIG Securities $2.5 million penalty as the benchmark for inadequate governance under enforcement.
Read the ASIC letter →

Ongoing 2026
ASD Frontier AI Advisory
The Australian Signals Directorate published specific guidance on the cyber security implications of frontier AI models. Cited by both APRA and ASIC in their 2026 letters as required reading for security and risk teams across regulated entities.
Read the ASD advisory →

Active
NCSC New Zealand Cyber Guidance
The NCSC, a signatory to the Five Eyes statement, publishes current threat intelligence and practical guidance aligned with NZISM requirements. New Zealand organisations should subscribe to NCSC alerts and integrate NCSC guidance into their risk management frameworks.
Visit ncsc.govt.nz →

Ready to act on the Five Eyes statement?
Insicon Cyber helps Australian and New Zealand organisations assess their position against the Five Eyes statement, APRA's AI letter, and ASIC's 26-092MR. We work across AI governance, managed compliance, and 24/7 threat detection.
Explore our AI Security and Governance practice Contact the team

# Five Eyes AI Cyber Security Statement: What It Means

Issued 22 June 2026  |  Source: ASD Australia →

The heads of Australia's ACSC, New Zealand's NCSC, the UK NCSC, CISA, and NSA issued a joint statement on 22 June 2026. The message to boards and executives was unambiguous: frontier AI is already transforming cyber risk, the timeline is months not years, and those who delay will face growing and avoidable risk.

## Who signed the Five Eyes statement

Stephanie Crowe

Head, Australian Cyber Security CentreAustralian Signals Directorate

Catriona Robinson

Head, National Cyber Security CentreGovernment Communications Security Bureau

New Zealand

Richard Horne

CEO, National Cyber Security CentreGovernment Communications Headquarters

United Kingdom

Rajiv Gupta

Head, Canadian Centre for Cyber SecurityCommunications Security Establishment

Nick Andersen

Acting DirectorCybersecurity and Infrastructure Security Agency (CISA)

United States

David Imbordino

Director, Cyber Security DirectorateNational Security Agency

## What the Five Eyes statement says

The Five Eyes cyber security agencies joint statement of 22 June 2026, titled "The AI shift in cyber risk: why leaders must act now," is a direct instruction from the intelligence and cyber security heads of Australia, New Zealand, the United Kingdom, Canada, and the United States. It is not a policy document or an advisory. It is a unified call to action addressed to boards and executives across industry.

The central argument is straightforward. Frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities. The timeline is not years. It is months. Adversaries are already using AI to lower the barriers to attack, automate reconnaissance, and shrink the window between vulnerability discovery and exploitation. Defenders must respond in kind.

The statement is explicit that cyber risk can no longer be treated as a purely technical issue. It is a core business risk and a leadership responsibility. Boards and executives are expected to ensure cyber resilience is in place and works under pressure. Having controls on paper is not sufficient. Leaders must be confident those controls will perform during a real incident.

For Australian and New Zealand organisations, the statement carries the authority of two signatory agencies directly: ACSC (Australian Signals Directorate) and NCSC (Government Communications Security Bureau, New Zealand). It also arrived within weeks of APRA's April 2026 AI letter and ASIC's May 2026 open letter, creating a convergent regulatory and intelligence signal that boards in both countries cannot reasonably set aside.

## The four key themes of the Five Eyes statement

The statement organises its call to action around four interconnected themes. Each has direct implications for how boards in Australia and New Zealand should approach cyber governance.

### Frontier AI is accelerating the threat timeline

Frontier AI models are expected to exceed current industry expectations and fundamentally transform both offensive and defensive cyber capabilities within months, not years. AI lowers the barriers for malicious actors, increases the speed and complexity of attacks, and shrinks the window between vulnerability discovery and exploitation. Organisations cannot afford to treat this as a future consideration.

### Cyber risk is a board responsibility, not an IT problem

The statement is unambiguous: cyber risk is a core business risk and a leadership responsibility. Boards and executives must ensure cyber resilience is in place and will perform under real incident pressure. Having controls on paper is not enough. The statement calls for a whole-of-organisation and whole-of-society response to AI-driven cyber risk.

### Secure-by-design must become standard practice

Secure-by-design and secure-by-default must move from aspiration to standard practice. Resilience cannot depend on a single solution or technology. Defence in depth remains essential. As AI systems evolve, new and previously unknown vulnerabilities will emerge, including zero-day vulnerabilities. Breaches will occur. Preparedness determines whether they become operational crises or contained incidents.

### AI must be used deliberately to strengthen defence

Adversaries are already using AI to move faster and more effectively. Defenders must do the same. Organisations that integrate AI tools into their security operations can detect vulnerabilities earlier, improve software quality, monitor unusual behaviour, and respond faster to incidents. Success will not come from having the most tools. It will come from getting the basics right and integrating cyber security into core business strategy.

## The five practical actions the Five Eyes agencies require

The statement sets out five specific actions described as not new, but now urgent. Each reduces not only technical risk but also operational, financial, and reputational exposure. Australian and New Zealand organisations should assess their current position against each.

### Reduce your attack surface

Limit unnecessary system access and external connectivity. Challenge whether systems need to be exposed at all and isolate those that do not. Many Australian and New Zealand organisations have accumulated significant external exposure through digital transformation and cloud adoption without systematically reviewing whether that exposure is necessary or governed.

### Accelerate patching processes

AI is shortening the time between vulnerability discovery and exploitation. Delays in patching increase risk, especially for operational systems with long update cycles. ASIC's May 2026 letter made the same point directly: patch systems promptly, recognising that AI is accelerating vulnerability discovery and exploitation. This is now a convergent expectation from both intelligence agencies and financial services regulators in Australia.

### Address legacy systems

Unsupported systems are easy targets. They are not just technical debt, they are strategic liabilities. For Australian organisations in aged care, healthcare, and financial services, legacy infrastructure is often embedded in critical operational workflows. The statement is clear that the risk profile of these systems must be actively managed, not deferred.

### Review and strengthen identity and access controls

Limit who can access critical systems. Enforce strong authentication and regularly review permissions. APRA's April 2026 letter extended this expectation specifically to non-human actors: identity and access management must now account for AI agents as well as human users. Organisations that have not yet addressed non-human identity are behind both the intelligence guidance and the prudential regulatory expectation.

### Prepare for incidents before they happen

Test response plans, train and prepare teams, and assume breaches will occur. Focus on fast containment and recovery. ASIC's 26-092MR letter reinforced this directly: entities must actively prepare for cyber incidents, respond promptly and effectively when they occur, and recover in a way that restores critical services, minimises harm, and strengthens future resilience. Plans that have not been tested are not plans. They are documents.

## Common questions about the Five Eyes AI cyber security statement

### What is the Five Eyes cyber security statement of June 2026?

The Five Eyes cyber security agencies statement was issued on 22 June 2026 by the heads of the cyber security agencies of Australia, New Zealand, the United Kingdom, Canada, and the United States. It is titled "The AI shift in cyber risk: why leaders must act now." The statement is a joint call to action directed at boards and executives across industry, warning that frontier AI models are already transforming both offensive and defensive cyber capabilities and that the timeline for organisations to respond is months, not years.

Full statement: ASD/ACSC →

### What does the Five Eyes statement require boards to do?

The Five Eyes statement requires boards and executives to ensure cyber resilience is in place and will perform under real incident pressure. Specifically it calls on leaders to:

  * Understand and assess risk, readiness, and accountability
  * Prioritise foundational cyber security practices and controls
  * Empower cyber leaders with authority and resources
  * Stay actively engaged as threats and guidance evolve
For Australian boards, this sits alongside APRA's April 2026 AI governance requirements and ASIC's requirement that its May 2026 letter be tabled and discussed at the ultimate board and risk governance committees of every AFS licensee.

### What does the Five Eyes statement mean for New Zealand organisations?

The statement was signed by Catriona Robinson, Head of the National Cyber Security Centre at New Zealand's Government Communications Security Bureau. For New Zealand organisations, it carries direct authority from the national cyber security agency. The NCSC is the signatory and host of the PDF on ncsc.govt.nz. New Zealand organisations subject to NZISM, the NZ Privacy Act 2020, or sector-specific frameworks from the Reserve Bank should treat the statement as a direct expression of GCSB and NCSC expectations on AI-driven cyber risk management. The statement aligns with and reinforces NZISM requirements for risk-based security management and incident preparedness.

### What do the Five Eyes agencies mean by frontier AI?

In the context of the Five Eyes statement, frontier AI refers to the most advanced large language models and agentic AI systems currently being developed and deployed. These are models anticipated to exceed current industry expectations in capability, fundamentally transforming both offensive and defensive cyber capabilities. The statement references these models as enabling adversaries to automate reconnaissance, generate more convincing social engineering, discover vulnerabilities faster, and execute attacks at greater scale and speed than was previously possible. APRA's April 2026 letter named specific frontier models in the same context, noting the need for a step change in cyber practices in response to their capabilities.

### How does the Five Eyes statement relate to the APRA and ASIC letters of 2026?

The three instruments are complementary and convergent. APRA's letter of 30 April 2026 set explicit governance, assurance, and cyber security expectations for all APRA-regulated entities, with an enforcement signal. ASIC's letter of 8 May 2026 required tabling at every AFS licensee board and cited the FIIG Securities penalty as the baseline for what inadequate governance looks like under enforcement. The Five Eyes statement of 22 June 2026 then provided the intelligence context: the threat environment that both regulators were responding to is real, accelerating, and already here. Together the three instruments form the most significant convergent regulatory and intelligence signal on AI-driven cyber risk that Australian and New Zealand organisations have received.

  * APRA letter (30 April 2026): apra.gov.au →
  * ASIC 26-092MR (8 May 2026): asic.gov.au →
  * Five Eyes statement (22 June 2026): ncsc.govt.nz →

### What does secure-by-design mean in the Five Eyes statement?

The Five Eyes statement calls for secure-by-design and secure-by-default to become standard practice, not an aspiration. Secure-by-design means that security controls are built into systems, products, and processes from the outset rather than added after deployment. Secure-by-default means that out-of-the-box configurations are the most secure available, rather than requiring deliberate configuration to achieve security. For Australian and New Zealand organisations this means security requirements must be embedded in procurement, development, and change management processes, not treated as a separate workstream or post-deployment audit activity. The ASD's Essential Eight and ISO 27001 provide practical frameworks for implementing secure-by-design principles across information security controls.

### How should Australian and New Zealand organisations respond to the Five Eyes statement?

The statement itself provides the answer: get the basics right, act quickly, and integrate cyber security into core business strategy. In practical terms for Australian and New Zealand organisations this means:

  * Tabling the statement and the APRA and ASIC letters at the board, with a clear agenda item on AI-driven cyber risk
  * Conducting a gap assessment against the five practical actions in the statement
  * Reviewing identity and access management for both human and non-human actors, including AI agents
  * Validating that incident response plans have been tested, not just documented
  * Assessing whether AI is being used to strengthen defensive security operations, not just for efficiency
  * Ensuring AI governance frameworks are in place and independently validated, consistent with APRA's expectations
Insicon Cyber works with Australian and New Zealand organisations across all of these areas through our AI Security and Governance practice. Talk to us about your response →

## The companion regulatory instruments: APRA, ASIC, and ASD

The Five Eyes statement does not stand alone. Three other instruments issued in 2026 form a converging set of expectations for Australian and New Zealand boards.

30 April 2026

### APRA Letter to Industry on Artificial Intelligence

APRA Executive Board Member Therese McCarthy Hockey set explicit AI governance, cyber security, supplier risk, and assurance expectations for all APRA-regulated entities. Includes an enforcement signal. Covers $9.8 trillion in Australian prudential assets.

8 May 2026

### ASIC Open Letter 26-092MR on Frontier AI

ASIC Commissioner Simone Constant required this letter be tabled at the board and risk governance committees of every AFS licensee and market participant. Cites the FIIG Securities $2.5 million penalty as the benchmark for inadequate governance under enforcement.

Ongoing 2026

### ASD Frontier AI Advisory

The Australian Signals Directorate published specific guidance on the cyber security implications of frontier AI models. Cited by both APRA and ASIC in their 2026 letters as required reading for security and risk teams across regulated entities.

### NCSC New Zealand Cyber Guidance

The NCSC, a signatory to the Five Eyes statement, publishes current threat intelligence and practical guidance aligned with NZISM requirements. New Zealand organisations should subscribe to NCSC alerts and integrate NCSC guidance into their risk management frameworks.

## Ready to act on the Five Eyes statement?

Insicon Cyber helps Australian and New Zealand organisations assess their position against the Five Eyes statement, APRA's AI letter, and ASIC's 26-092MR. We work across AI governance, managed compliance, and 24/7 threat detection.


------------------------------------------------------------

FREQUENTLY ASKED QUESTIONS:

Q: What is the Five Eyes cyber security statement of June 2026?
A: The Five Eyes cyber security agencies statement was issued on 22 June 2026 by the heads of the cyber security agencies of Australia, New Zealand, the United Kingdom, Canada, and the United States. It is titled "The AI shift in cyber risk: why leaders must act now." The statement is a joint call to action directed at boards and executives across industry, warning that frontier AI models are already transforming both offensive and defensive cyber capabilities and that the timeline for organisations to respond is months, not years. Full statement: ASD/ACSC →

Q: What does the Five Eyes statement require boards to do?
A: The Five Eyes statement requires boards and executives to ensure cyber resilience is in place and will perform under real incident pressure. Specifically it calls on leaders to: For Australian boards, this sits alongside APRA's April 2026 AI governance requirements and ASIC's requirement that its May 2026 letter be tabled and discussed at the ultimate board and risk governance committees of every AFS licensee.

Q: What does the Five Eyes statement mean for New Zealand organisations?
A: The statement was signed by Catriona Robinson, Head of the National Cyber Security Centre at New Zealand's Government Communications Security Bureau. For New Zealand organisations, it carries direct authority from the national cyber security agency. The NCSC is the signatory and host of the PDF on ncsc.govt.nz. New Zealand organisations subject to NZISM, the NZ Privacy Act 2020, or sector-specific frameworks from the Reserve Bank should treat the statement as a direct expression of GCSB and NCSC expectations on AI-driven cyber risk management. The statement aligns with and reinforces NZISM requirements for risk-based security management and incident preparedness.

Q: What do the Five Eyes agencies mean by frontier AI?
A: In the context of the Five Eyes statement, frontier AI refers to the most advanced large language models and agentic AI systems currently being developed and deployed. These are models anticipated to exceed current industry expectations in capability, fundamentally transforming both offensive and defensive cyber capabilities. The statement references these models as enabling adversaries to automate reconnaissance, generate more convincing social engineering, discover vulnerabilities faster, and execute attacks at greater scale and speed than was previously possible. APRA's April 2026 letter named specific frontier models in the same context, noting the need for a step change in cyber practices in response to their capabilities.

Q: How does the Five Eyes statement relate to the APRA and ASIC letters of 2026?
A: The three instruments are complementary and convergent. APRA's letter of 30 April 2026 set explicit governance, assurance, and cyber security expectations for all APRA-regulated entities, with an enforcement signal. ASIC's letter of 8 May 2026 required tabling at every AFS licensee board and cited the FIIG Securities penalty as the baseline for what inadequate governance looks like under enforcement. The Five Eyes statement of 22 June 2026 then provided the intelligence context: the threat environment that both regulators were responding to is real, accelerating, and already here. Together the three instruments form the most significant convergent regulatory and intelligence signal on AI-driven cyber risk that Australian and New Zealand organisations have received.

Q: What does secure-by-design mean in the Five Eyes statement?
A: The Five Eyes statement calls for secure-by-design and secure-by-default to become standard practice, not an aspiration. Secure-by-design means that security controls are built into systems, products, and processes from the outset rather than added after deployment. Secure-by-default means that out-of-the-box configurations are the most secure available, rather than requiring deliberate configuration to achieve security. For Australian and New Zealand organisations this means security requirements must be embedded in procurement, development, and change management processes, not treated as a separate workstream or post-deployment audit activity. The ASD's Essential Eight and ISO 27001 provide practical frameworks for implementing secure-by-design principles across information security controls.

Q: How should Australian and New Zealand organisations respond to the Five Eyes statement?
A: The statement itself provides the answer: get the basics right, act quickly, and integrate cyber security into core business strategy. In practical terms for Australian and New Zealand organisations this means: Insicon Cyber works with Australian and New Zealand organisations across all of these areas through our AI Security and Governance practice. Talk to us about your response →

Q: Ready to act on the Five Eyes statement?
A: Insicon Cyber helps Australian and New Zealand organisations assess their position against the Five Eyes statement, APRA's AI letter, and ASIC's 26-092MR. We work across AI governance, managed compliance, and 24/7 threat detection.


------------------------------------------------------------
ABOUT THIS CONTENT
------------------------------------------------------------
Source: https://insiconcyber.com/five-eyes-ai-cyber-security-statement

This content is provided for informational purposes.
Please visit the original source for the most up-to-date information.