The Five Eyes cyber agencies issued their first joint statement specifically on artificial-intelligence cyber risk on 22 June 1. Five Eyes is the intelligence-sharing alliance of the UK, US, Australia, Canada, and New Zealand; here it spoke through its five national cyber bodies, the NCSC, CISA, ASD (Australian Signals Directorate), CCCS (Canadian Centre for Cyber Security), and NCSC-NZ. The statement declared that frontier AI models will fundamentally transform both offensive and defensive capabilities, and that the threat horizon is measured in months, not years 2.
A coordinated five-nation message, pitched deliberately tighter than any single agency's own forecast, tells defenders to stop banking on the weeks they once had between a flaw becoming public and mass exploitation. The planning assumption shifts from a fixed grace period to a shrinking one. That is the same premise the new US patch directive BOD 26-04 encodes when it scores exploit-automation feasibility as one of its four risk dimensions: the alliance is now naming explicitly the acceleration the directive already assumes.
The warning rests on a real capability milestone, not speculation. The first LLM (large language model) confirmed to have written a working zero-day exploit was reported only last month, when Google's threat intelligence group named four AI-augmented threat clusters . The broader AI-capability arc runs in our ai-jobs-power-money briefing; the defender and policy implications are owned here. For a security team, the message is operational: model the next disclosure as exploitable in weeks, build for it now.
