
The AI shift in cyber risk: what it means for UK business leaders


Key takeaways

✅ The National Cyber Security Centre (NCSC), alongside its Five Eyes partners, warns that AI is reshaping cyber risk in months, not years, narrowing the gap between a vulnerability appearing and being exploited.

✅ Cyber risk is now a core business risk that boards and executives own, not a technical problem to delegate and forget.

✅ The agencies name five priorities: reduce your attack surface, patch faster, retire legacy systems, strengthen identity and access controls, and rehearse incident response.

✅ AI works on defence too: it can surface vulnerabilities earlier, flag unusual behaviour, and speed up your response when an incident hits.

✅ Assume a breach will happen and test that your controls actually hold under pressure, rather than trusting that they will.


On 22 June 2026, the National Cyber Security Centre (NCSC) joined its Five Eyes counterparts in the United States, Canada, Australia and New Zealand to issue a rare joint statement on artificial intelligence and cyber risk. The message was direct. AI is accelerating the speed, scale and sophistication of cyber attacks, and the window for leaders to respond is measured in months, not years.

That framing matters. Government security agencies tend to be measured in their language. When five of them align on a single warning and use the word “now”, it is worth pausing over. This is not a prediction about a distant future. It is a statement about the environment your organisation is operating in today.

What the joint statement actually says

The core argument is that AI changes the economics of attacking an organisation. Tasks that once needed skill, time and patience can increasingly be automated. That lowers the barrier for less capable attackers and speeds up the capable ones. The practical effect is a shorter gap between a weakness becoming known and that weakness being exploited at scale.

The agencies are careful to balance the picture. AI will also strengthen cyber defence over time, and in some areas already does. But the near-term concern is the pace of change on the attacker’s side, and the risk that organisations treat this as a problem for later. The statement reads less as a forecast and more as a prompt to act while there is still room to prepare.

You can read the original on the NCSC website.

Why this is a board issue, not just an IT issue

The most significant line in the statement is not technical at all. It is the assertion that cyber risk can no longer be treated as a purely technical issue. It is a core business risk and a leadership responsibility.

This is a shift many UK organisations have been slow to make. Cyber tends to sit with the IT lead or an outsourced provider, reviewed occasionally and trusted the rest of the time. The agencies are asking boards and executives to do something harder: to be confident that the controls they have paid for will actually perform during a real incident, under real pressure.

There is a meaningful difference between having a control and knowing it works. In our experience, the gap between the two is where most organisations are exposed. A backup that has never been restored, an incident plan that has never been rehearsed, and a multi-factor policy with quiet exceptions all look fine on paper. They tend to reveal themselves only when something goes wrong, which is the worst possible moment to find out.
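
One way to turn “has the backup ever been restored?” into a repeatable check. This is an added example, not code from the original post or from ramsac: it assumes a backup format of this example’s own choosing (a tar.gz archive carrying a SHA-256 manifest) and uses constructed sample files, and it shows the procedure a practitioner would script: restore to a scratch location, prove every file came back intact, and confirm the check actually fails when a file is missing or altered.

```python
"""Restore test for a backup (added example; format and file names are this
example's own assumptions, not ramsac's or any vendor's)."""
import hashlib
import io
import json
import os
import tarfile
import tempfile

MANIFEST = "MANIFEST.json"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, archive_path):
    """Archive source_dir and embed a manifest of relative path -> sha256."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(source_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir).replace(os.sep, "/")
                manifest[rel] = sha256_of(full)
                tar.add(full, arcname=rel)
        data = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def restore_archive(archive_path, restore_dir):
    """Extract only plain files with safe relative paths (no absolute paths,
    no '..' components): the archive is untrusted input and must not be able
    to write outside restore_dir."""
    with tarfile.open(archive_path, "r:gz") as tar:
        safe = [m for m in tar.getmembers()
                if m.isfile() and not os.path.isabs(m.name)
                and ".." not in m.name.split("/")]
        tar.extractall(restore_dir, members=safe)


def verify_restore(restore_dir):
    """Compare every restored file against the manifest; return what failed."""
    with open(os.path.join(restore_dir, MANIFEST)) as fh:
        manifest = json.load(fh)
    problems = []
    for rel, expected in sorted(manifest.items()):
        target = os.path.join(restore_dir, *rel.split("/"))
        if not os.path.isfile(target):
            problems.append("missing: " + rel)
        elif sha256_of(target) != expected:
            problems.append("corrupt: " + rel)
    return {"files": len(manifest), "problems": problems}


def run_restore_test():
    """Constructed sample data -> backup -> restore -> verify, then damage the
    restored copy (one file deleted, one altered) to prove the check fails
    when it should."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "live")
        os.makedirs(os.path.join(src, "docs"))
        with open(os.path.join(src, "docs", "policy.txt"), "w") as fh:
            fh.write("incident response plan v3\n")   # constructed sample
        with open(os.path.join(src, "clients.csv"), "w") as fh:
            fh.write("id,name\n1,Example Ltd\n")       # constructed sample

        archive = os.path.join(work, "backup.tar.gz")
        make_backup(src, archive)

        restore = os.path.join(work, "restore-test")
        restore_archive(archive, restore)
        clean = verify_restore(restore)

        os.remove(os.path.join(restore, "docs", "policy.txt"))
        with open(os.path.join(restore, "clients.csv"), "a") as fh:
            fh.write("2,Tampered\n")
        broken = verify_restore(restore)
    return {"clean": clean, "broken": broken}


if __name__ == "__main__":
    print(json.dumps(run_restore_test(), indent=2))
```

Run as a script it prints both results: a clean restore with no problems, then the damaged copy reported as one corrupt and one missing file. The point of the second half is that a restore test which cannot fail proves nothing; the point of the member filter in the restore step is that a backup archive is untrusted input, and a crafted member name must never be allowed to write outside the scratch directory.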

The five priorities leaders should be funding

The statement is unusually practical about what to do. It names five areas where leaders should be directing attention and budget. None of them are new. What is new is the urgency, because AI compresses the time you have to get them right.

  • Reduce your attack surface. Challenge whether each system needs to be exposed to the internet at all, and isolate the ones that do not. Every unnecessary connection is a door an automated attacker can try.
  • Patch faster. AI is shortening the time between a vulnerability being disclosed and being exploited, so a patching cycle that felt acceptable a year ago may now be too slow.
  • Treat legacy systems as a strategic liability. Unsupported software is not just technical debt to manage quietly. It is a business risk that belongs on the leadership agenda, with a plan and a date attached.
  • Strengthen identity and access controls. Enforce strong authentication, review who has access to what, and remove permissions that are no longer needed. Identity is where many incidents now begin.
  • Prepare for incidents. Assume a breach will happen, test your response plan, train the people who would run it, and focus on containing and recovering quickly rather than hoping to keep attackers out entirely.
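
The identity bullet above, and the “multi-factor policy with quiet exceptions” mentioned earlier, come down to a review that can be scripted against whatever export your identity system produces. The following is an added example, not the post’s or ramsac’s code: the role names, the thresholds and the five sample accounts are constructed for illustration, and the export format (one row per account with MFA state, roles, last sign-in and any recorded MFA exception) is an assumption rather than any vendor’s schema.

```python
"""Identity and access review (added example; roles, thresholds and the sample
export below are illustrative assumptions, not a standard or a real dataset)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PRIVILEGED_ROLES = {"Global Administrator", "Domain Admin", "Subscription Owner"}
STALE_AFTER_DAYS = 90        # no sign-in for this long => access should go
MAX_MFA_EXEMPTION_DAYS = 30  # an exception older than this is no longer "temporary"


@dataclass
class Account:
    name: str
    mfa_enforced: bool
    roles: frozenset
    last_sign_in: Optional[date]              # None = never signed in
    mfa_exempt_since: Optional[date] = None   # None = no recorded exception


@dataclass
class Finding:
    account: str
    severity: str   # "high" or "medium"
    issue: str


def audit_identities(accounts, today):
    """Return the findings for one identity export, in export order."""
    findings = []
    for acct in accounts:
        privileged = bool(acct.roles & PRIVILEGED_ROLES)
        sev = "high" if privileged else "medium"

        # Check 1: strong authentication. No MFA is always a finding. A recorded
        # exception is tolerated only inside its grace period; one that has
        # quietly outlived it is exactly what looks fine on paper.
        if not acct.mfa_enforced:
            if acct.mfa_exempt_since is None:
                findings.append(Finding(acct.name, sev,
                                        "MFA not enforced and no recorded exception"))
            else:
                age = (today - acct.mfa_exempt_since).days
                if age > MAX_MFA_EXEMPTION_DAYS:
                    findings.append(Finding(acct.name, sev,
                                            f"MFA exception is {age} days old "
                                            f"(limit {MAX_MFA_EXEMPTION_DAYS})"))

        # Check 2: remove permissions that are no longer used. An account that
        # holds roles but has not signed in (ever, or recently) is a removal.
        if acct.roles:
            idle = None if acct.last_sign_in is None else (today - acct.last_sign_in).days
            if idle is None or idle > STALE_AFTER_DAYS:
                state = "has never signed in" if idle is None else f"idle for {idle} days"
                findings.append(Finding(acct.name, sev,
                                        f"{state} but still holds {sorted(acct.roles)}"))
    return findings


def summarise(findings):
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample export (not real accounts).
TODAY = date(2026, 7, 1)
SAMPLE = [
    Account("ceo", True, frozenset({"Global Administrator"}), TODAY - timedelta(days=2)),
    Account("old-contractor", True, frozenset({"Domain Admin"}), TODAY - timedelta(days=200)),
    Account("backup-svc", False, frozenset({"Subscription Owner"}), TODAY - timedelta(days=1)),
    Account("j.smith", False, frozenset({"Finance"}), TODAY - timedelta(days=3),
            mfa_exempt_since=TODAY - timedelta(days=120)),
    Account("new-starter", True, frozenset({"Sales"}), None),
]

if __name__ == "__main__":
    results = audit_identities(SAMPLE, TODAY)
    for f in results:
        print(f"[{f.severity.upper():6}] {f.account}: {f.issue}")
    print(summarise(results))
```

The two checks are deliberately narrow: an MFA exception is only acceptable if it is recorded and still within its grace period, and an account keeps roles only if it has actually used them recently. On the sample export the privileged service account with no MFA and the contractor who still holds Domain Admin after 200 days idle come out as high, while the stale finance exception and the never-used starter account are medium. Run against a real export on a schedule, the output is the access review the agencies ask leaders to fund, rather than a policy document saying one exists.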

The through-line is resilience. The agencies are not promising that good practice will stop every attack. They are arguing that organisations which prepare will contain incidents that would otherwise become major operational and financial crises.

AI is on your side too

It would be easy to read the statement as purely a warning. It is not. The same technology that helps attackers can materially improve your defence, and the agencies encourage organisations to make use of it.

Used well, AI can detect vulnerabilities earlier, improve the quality of the software you build or buy, monitor for unusual behaviour across your environment, and help your team respond faster when something does happen. The point is not to buy a product labelled “AI security”. It is to recognise that defence is becoming faster and more automated, and that standing still while attackers speed up is its own form of risk.

This is also where ramsac’s vendor-neutral stance matters. The right tooling depends on how your business operates, what you already run, and where your genuine risks sit. The sensible question is not “which AI security tool is best”, but “where would faster detection and response actually reduce our exposure”. That answer is different for a 40-person law firm than it is for a national charity.

How this lands for UK organisations

For UK leaders, the statement does not arrive in a vacuum. It sits alongside a tightening regulatory picture. The Cyber Security and Resilience Bill (CSRB) is expected to broaden the obligations that currently fall mainly on operators of essential services, drawing in a wider range of digital service providers and technology partners. Supply-chain expectations are rising in parallel.

The regulatory clocks are already real for many sectors. Under UK GDPR, a personal-data breach that is likely to put individuals at risk must be reported to the Information Commissioner’s Office (ICO) within seventy-two hours of becoming aware of it, and the clock starts at awareness, not at the moment the breach occurred. Law firms regulated by the Solicitors Regulation Authority (SRA) face a separate seven-day notification expectation. When AI shortens the time attackers need, the time you have to detect, decide and report does not get any longer. Preparation is what closes that gap.

Getting the foundations certified helps here too. Cyber Essentials remains a sensible baseline, and many UK procurement frameworks expect it as a minimum. It is a floor, not a ceiling, but it is a floor worth standing on before you build higher.

Turning the warning into a board conversation

The NCSC’s framing is the useful part to carry into your next leadership meeting. Cyber resilience is now a question leaders are expected to answer, not just sign off. The most valuable thing you can do this quarter is not to buy more tools. It is to find out, honestly, whether the controls you already have would hold under pressure.

That means rehearsing the incident plan, restoring a backup to prove it works, reviewing who can access what, and treating the five priorities above as a leadership agenda rather than an IT backlog. The organisations that come through the next phase well will be the ones that tested their assumptions before an attacker did.

Next step

If the NCSC’s warning prompts one action, make it this: confirm that your defences would actually hold. ramsac’s managed cybersecurity service and our scenario-based Cyber Resilience Certification are built to test exactly that, putting your controls, backups and incident response through real-incident scenarios rather than checklists.

👉 Book a cyber resilience review with ramsac to pressure-test your controls against the priorities the NCSC has just set out.

How can we help you?

We’d love to talk to you about your specific IT needs, and we’d be happy to offer a no obligation assessment of your current IT set up. Whether you are at a point of organisational change, unsure about security, or just want to sanity check your current IT arrangements, we’re here to help.

FAQs: AI and cyber risk

Is AI actually being used in cyber attacks today, or is this about the future?

Both. The Five Eyes agencies describe AI as already changing offensive and defensive capability, while warning that the most significant shift is arriving in months rather than years. The honest position is that the trend is here and accelerating, which is precisely why they advise acting now rather than waiting for certainty.

Does this mean we need to buy AI security tools?

Not necessarily. The statement does not recommend a specific product, and neither do we. The priorities it names, such as reducing your attack surface, patching faster and rehearsing incident response, are mostly about discipline rather than new software. AI can strengthen detection and response, but the right tooling depends on how your business operates and where your real risks sit.

What is the single most important thing a leader should do first?

Find out whether your existing controls actually work under pressure. Many organisations have backups, incident plans and access policies that have never been tested. Rehearsing an incident, restoring a backup and reviewing access rights will tell you more about your true resilience than any new purchase.

How does the AI shift affect our UK regulatory obligations?

The obligations themselves are unchanged, but the pressure on them increases. If AI helps attackers move faster, you have the same seventy-two hours to report a personal-data breach to the Information Commissioner’s Office, and law firms still face the Solicitors Regulation Authority’s seven-day expectation. Faster attacks make rehearsed detection and reporting more important, not less.