Yesterday, the heads of the cyber security agencies of Australia, New Zealand, the United States, the United Kingdom, and Canada signed a joint statement on AI. Not a discussion paper. Not a consultation. A call to action, addressed directly to business leaders.
Their message was unambiguous:
"The evolving landscape of artificial intelligence is rapidly transforming cyber risk, and we must act swiftly to remain ahead. The timeline is not years, it is months."
When five allied governments speak with one voice, and that voice includes Stephanie Crowe from the Australian Signals Directorate and Catriona Robinson from New Zealand's NCSC, boards and executives should pay attention. This is not a technical advisory. It is a leadership directive.
I've been having a lot of conversations about AI governance lately. More than at any point in the last three years. Boards want to know what the rules are. CEOs want to know what their competitors are doing. Legal teams want to know whether they're exposed. Yesterday's Five Eyes statement makes those conversations more urgent, not less. But to understand what it requires of you, you also need to understand the regulatory landscape it sits inside. Because that landscape looks very different depending on which direction you're facing.
What the Five Eyes are actually saying
The joint statement is direct about the threat: AI lowers the barrier to entry for malicious actors, increases the speed and complexity of attacks, and shrinks the window between vulnerability discovery and exploitation. It then goes further:
"Frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities."
That last sentence deserves to sit with you for a moment. The heads of the most capable cyber security agencies in the world are telling you that what you are seeing today from AI-accelerated threats is not the ceiling. It is the floor.
The statement is equally direct about what leaders must do. Cyber risk can no longer be treated as a purely technical issue. This is a core business risk and leadership responsibility. Boards and executives should ensure cyber resilience is in place and works under pressure. It is not enough to have controls. Leaders must be confident those controls will perform during a real incident.
The practical actions called out are not exotic. Reduce your attack surface. Accelerate patching. Address legacy systems. Strengthen identity and access controls. Prepare for incidents before they happen. And use AI deliberately to strengthen defence, not just improve efficiency.
I want to be direct about something: none of this is new. These are the same conversations we have been having with boards across Australia and New Zealand for years. What is new is who is saying it, and how loudly. When the collective heads of the Five Eyes cyber security agencies publish a joint statement addressed to business leaders, the days of treating AI risk as an IT team problem are over.
While Australia and New Zealand have been consulting and considering, the EU moved. The EU AI Act (Regulation EU 2024/1689) is the most comprehensive AI governance framework in the world, and its high-risk AI obligations are fully active as of 2 August 2026. That is weeks away.
It is not voluntary. It is not guidance. It is law, with penalties of up to EUR 35 million or 7% of global annual turnover for the most serious violations. That exceeds the GDPR ceiling of EUR 20 million or 4%.
The framework is risk-based. Prohibited practices, including social scoring and real-time biometric surveillance in public spaces, have been illegal since 2 February 2025. General-purpose AI models have been subject to binding obligations since 2 August 2025. High-risk AI systems covering employment decisions, credit assessments, critical infrastructure, healthcare, and education face full compliance requirements from 2 August 2026.
High-risk AI compliance requires a documented risk management system, data governance controls, technical documentation, mandatory human oversight, transparency to users, and record keeping sufficient for third-party review. For certain high-risk categories, third-party conformity assessment is required rather than self-assessment.
There is also extraterritorial reach. The Act applies to any provider placing AI systems on the EU market, regardless of where that provider is established. An ANZ software company with European customers is in scope. Geographic distance does not create regulatory distance.
The honest summary of where Australia stands: a lot of consultation, a voluntary standard, and a decision not to legislate.
In September 2024, the government released a Voluntary AI Safety Standard with ten guardrails covering governance accountability, risk management, data integrity, testing, human oversight, user transparency, contestability, supply chain transparency, and record keeping. They were sensible. They mapped closely to what the EU AI Act requires.
Then the mandatory element was shelved. In December 2025, the National AI Plan confirmed the government would not proceed with mandatory guardrails. Instead, it would rely on existing technology-neutral laws, incrementally amend the Privacy Act and Australian Consumer Law as needed, and establish an AI Safety Institute (AISI) with $29.9 million in funding and an advisory mandate.
The AISI does not have enforcement powers. The existing regulators, the OAIC, ACCC, and eSafety Commissioner, retain those under existing legislation.
So Australia has good guidance. It does not yet have an enforceable AI-specific regime.
Despite the difference in enforceability, the underlying governance principles of the EU AI Act, Australia's voluntary framework, and the Five Eyes statement are substantively identical.
All three require risk management processes. All three require meaningful human oversight. All three require data governance and data quality controls. All three require transparency to affected individuals. All three require documentation sufficient for independent review.
The Five Eyes statement adds one element the regulatory frameworks have not fully addressed yet: the defensive use of AI. Organisations that integrate AI tools into their security operations can detect vulnerabilities earlier, improve software quality, monitor unusual behaviour, and respond faster to incidents.
Success will not come from having the most tools. It will come from getting the basics right, acting quickly, and integrating cyber security into core business strategy.
That convergence across regulators and intelligence agencies is not coincidental. It reflects a genuine consensus about what responsible AI governance requires. The question is not what the right answer looks like. Everyone agrees on that. The question is whether you have built it yet.
I'll tell you what I tell boards when this comes up.
First, if you have any EU market exposure, or if your technology vendors do, you are dealing with binding obligations today. Australian domestic guidance does not discharge EU obligations.
Second, if you operate purely in Australia and New Zealand, the voluntary floor is not the risk floor. APRA's April 2026 letter on AI and ASIC's May 2026 letter on frontier AI make clear that financial services organisations already face mandatory expectations through their existing prudential and market conduct frameworks. Yesterday's Five Eyes statement, which explicitly includes the Australian Signals Directorate and New Zealand's NCSC as signatories, signals that the intelligence community is now aligned with the regulatory direction. The gap between voluntary and mandatory is narrowing, sector by sector, agency by agency.
Third, the Five Eyes are explicit that breaches will occur. The goal is preparedness that contains them quickly and prevents escalation into major operational and financial crises. That is not a counsel of despair. It is a prompt to ask whether your incident response plan has been tested under realistic conditions recently. Whether your backup restoration has been validated under time pressure. Whether your AI systems have been red-teamed against adversarial inputs. If the answer to any of those is no, you have work to do before August, not after.
Build your AI governance posture to the EU standard, not the Australian floor. Not because regulators are about to knock on your door in Sydney or Auckland tomorrow, but because five allied governments told you yesterday that the threat timeline is months, not years, and because the direction of domestic regulation is clear.
ISO 42001 is the international management system standard for AI governance. It maps directly to the risk management, data governance, human oversight, and transparency requirements that the EU AI Act, Australia's voluntary guardrails, and the Five Eyes statement all share. Organisations that implement it now are not doing extra work. They are doing the right work once, in a way that stands up under scrutiny from any direction.
The Five Eyes agencies have now said publicly what we have been saying in boardrooms across Australia and New Zealand for the past eighteen months. AI governance is not optional. The organisations that act now will reduce exposure, strengthen resilience, and build confidence with customers, partners, and investors.
Those who delay will face growing and avoidable risk.
Those are not my words. They are the words of the heads of the ASD, NCSC NZ, NCSC UK, CISA, and NSA, in a joint statement published 22 June 2026.
That is a clear enough signal.
Matt Miller is co-founder, CEO and Fractional CISO of Insicon Cyber, a trans-Tasman cybersecurity advisory and managed security services firm headquartered in North Sydney. Insicon Cyber's AI Security and Governance practice provides ISO 42001 implementation, managed AI compliance, and AI assurance services across Australia and New Zealand. To discuss your organisation's AI governance posture, contact the team at info@insiconcyber.com or visit insiconcyber.com