Five Eyes warn AI shrinks exploit windows to days, forcing sub-72-hour federal patches

The announcement from NSA, NCSC, CISA, ACSC, CCCS and GCSB highlights AI lowering entry barriers for state and criminal actors while accelerating both reconnaissance and payload generation. Procurement records show parallel US and UK investments in offensive AI tooling through DARPA and DSTL contracts awarded in 2024, indicating the warning tracks observed capability gains rather than speculation. CISA’s updated triage directive now mandates AI-flagged vulnerabilities be resolved in under three days for federal systems, a direct operational response absent from prior frameworks.

Original reporting underplayed the coordinated procurement signal: the same agencies are acquiring AI red-team platforms while issuing defensive guidance, revealing a dual-track posture. Unsupported legacy systems remain the highest-yield targets because they lack telemetry needed to detect AI-driven lateral movement at machine speed. The alert’s emphasis on “strategic liabilities” aligns with observed Iranian and North Korean campaigns that already chain open-source AI assistants for initial access.

Independent technical indicators include rising use of large-language-model-assisted phishing and code generation in recent ransomware incidents tracked by Mandiant and Recorded Future. Boards must now treat AI exposure testing as a quarterly requirement rather than an annual exercise, with isolation of non-essential external connectivity becoming the baseline control.

Next indicators will appear in contract modifications for CISA’s Continuous Diagnostics and Mitigation program and updated NCSC guidance on AI supply-chain risks by mid-2025.