Government ministers have urged boards to revisit cyber resilience after new official assessments found frontier AI models are becoming materially more capable at offensive cyber tasks.
In an open letter published on 15 April, science and technology secretary Liz Kendall and security minister Dan Jarvis said the country’s cyber risk model is shifting as AI systems take on work that once required rare human expertise, including identifying vulnerabilities and writing exploit code. The letter pointed to testing by the AI Security Institute showing Anthropic’s Claude Mythos Preview to be more capable at cyber offence than any model previously assessed by the institute, with frontier model capabilities now doubling every four months rather than every eight.
Ministers said boards should not treat the issue as a specialist IT matter. “This is not an issue to delegate to your IT team and forget about,” the letter said. They urged organisations to bring cyber risk back into routine board discussion, use the Cyber Governance Code of Practice, obtain Cyber Essentials, and sign up to the NCSC’s Early Warning service. The open letter also comes as the Cyber Security and Resilience Bill moves through Parliament and ahead of the government’s planned National Cyber Action Plan.
The warning follows a sharper technical assessment issued by the AI Security Institute two days earlier. Its evaluation of Mythos said the model showed continued gains in capture-the-flag tests and significant improvement on multi-step attack simulations. In one 32-step simulated corporate network attack, Mythos became the first model to complete the full chain end to end, doing so in three of ten attempts. The institute said that, in controlled tests with network access, the model could execute multi-stage attacks on vulnerable networks and discover and exploit weaknesses autonomously.
The National Cyber Security Centre added a second layer of urgency on Wednesday. In a separate note, chief executive Richard Horne wrote that “the pressure on organisations to patch systems quickly will only grow more acute”. He said AI would make it easier, faster, and cheaper to identify and exploit weaknesses that previously took more time, skill, or resource for attackers to find.
The immediate policy response is deliberately conventional. Government guidance is not arguing that businesses need an entirely new cyber doctrine. It is arguing that the baseline has to rise faster. Patch discipline, configuration management, logging, access control, supplier assurance, and incident rehearsal were already important. As model capability improves, the cost of neglecting them falls for attackers and rises for everyone else.
That creates pressure across several parts of the business at once. Software suppliers face a shorter interval between vulnerability discovery and attempted exploitation. Large companies with mixed technology estates face harder questions about older systems that are expensive to replace but easier to probe. Procurement teams are likely to face tighter security expectations in supplier contracts, while boards are being asked to treat cyber preparedness less as an annual review item and more as an operating condition.
There is also a wider strategic consequence. AI is beginning to collapse the distinction between cyber security as a defensive function and AI adoption as a business technology decision. The same model improvements that may help developers find and fix flaws faster are also reducing the skill and time required to mount an attack against poorly defended systems. That leaves companies managing a double task: adopting AI productively, while ensuring their own security posture is strong enough to withstand the capabilities AI is putting into wider circulation.
For now, ministers are placing the emphasis on execution rather than novelty. The guidance asks boards to return to the fundamentals and to do so with more urgency than before. The official assessment is that the technology is moving quickly, but the first line of defence remains familiar — leadership attention, tighter operational control, and faster response.
