On 22 June 2026, the heads of the Five Eyes cyber security agencies – including our own National Cyber Security Centre (NCSC) – issued a blunt call to action: AI is transforming cyber risk faster than most organisations are prepared for.
This isn’t hype. The timeline they’re talking about is months, not years.
What’s changed?
Frontier AI models are making it easier and faster for attackers to find and exploit vulnerabilities. The gap between a vulnerability being discovered and it being weaponised is shrinking dramatically. Attackers can move quicker, at greater scale, with less skill required.
At the same time, AI gives defenders powerful new tools – if we choose to use them.
The key message for business leaders
Cyber risk is no longer just an IT problem. It’s a core business risk, and boards and executives need to treat it that way. Having controls in place isn’t enough – you need confidence they’ll hold up under pressure.
Five practical actions the Five Eyes agencies recommend:
- Limit unnecessary access and exposure – Reduce your attack surface. Challenge whether systems need to be internet-facing at all. Isolate what doesn’t need to be connected.
- Patch faster – AI shortens the time between vulnerability discovery and exploitation. Slow patching is now a much bigger risk, especially for operational systems.
- Deal with legacy systems – Unsupported systems aren’t just technical debt. They’re strategic liabilities and easy targets.
- Strengthen who can access what – Review identity and access controls. Enforce strong authentication. Limit who can reach critical systems.
- Prepare for incidents before they happen – Test your response plans. Train your teams. Assume breaches will occur and focus on fast containment and recovery.
What this means for NZ businesses
The NCSC is actively working on guidance and collaborating with industry on AI’s implications for New Zealand. But you don’t need to wait. The fundamentals matter more than ever: know your risk, get the basics right, and integrate cyber security into your business strategy rather than treating it as an afterthought.
Breaches will happen. Being prepared is the difference between a contained incident and a major operational and financial crisis.
Read the NCSC’s full article here: https://www.ncsc.govt.nz/news/leaders-of-five-eyes-cyber-security-agencies-call-to-action-on-ai-preparedness/
If you’re unsure where to start, we’re here to help.
