The UK government has issued an urgent warning to businesses across the country that advanced artificial intelligence models are rapidly becoming capable of autonomously discovering and exploiting software vulnerabilities at a scale and speed that could overwhelm traditional defences. In an open letter published on 15 April, technology secretary Liz Kendall made it clear that the nature of cyber threats is changing fundamentally and that every organisation, regardless of size or sector, must act now to prepare.
“For years, the most serious cyber attacks have relied on a small number of highly skilled criminals. That is now shifting,” Kendall wrote. “AI models are becoming capable of doing work that previously required rare expertise: finding weaknesses in software, writing the code to exploit them, and doing so at a speed and scale that would have been impossible even a year ago.”
Kendall’s letter was prompted by the recent launch of Anthropic’s frontier AI model, Mythos, and the accompanying Project Glasswing initiative, which aims to give major technology companies a head start in patching vulnerabilities that the model has identified. The UK’s AI Security Institute (AISI), part of the Department for Science, Innovation and Technology (DSIT), has been testing Mythos and found it to be “substantially more capable at cyber offence than any model we have previously assessed”.
The AISI also reported that the rate of improvement in frontier model capabilities appears to be accelerating. Capabilities are now doubling every four months, down from eight months in the recent past. This acceleration has profound implications for national security, critical infrastructure, and the broader business community. “This finding is significant both for what it means today, but also because it highlights the speed at which AI capabilities are increasing and the threats they potentially pose,” Kendall noted. She also referenced OpenAI’s expansion of its Trusted Access for Cyber programme, indicating that the trend is not limited to a single company.
The changing threat landscape
The ability of AI models to autonomously discover zero-day vulnerabilities and craft exploit code represents a paradigm shift in cybersecurity. Historically, the most dangerous cyberattacks were limited by the availability of skilled human hackers, and advanced tools often required years of expertise to develop. With modern frontier AI models, that expertise can be replicated and amplified by software, allowing attackers to launch high-impact attacks at machine speed.
This development is not theoretical. The AISI’s assessment of Mythos demonstrates that these capabilities are already present and improving rapidly. Industry experts have long predicted that AI would eventually augment cybercriminals, but the speed of progress has caught many off guard. The UK government is now actively working to understand and mitigate these risks, but Kendall stressed that government action alone is insufficient.
“Every business in the UK has a part to play,” she wrote. “Criminals will not just target government systems and critical infrastructure. They will target ordinary companies, of every size, in every sector. Attackers go where defences are weakest.”
Government and industry response
The UK has already established the AISI, which Kendall described as possessing “the most advanced capabilities anywhere in the world for understanding frontier AI models”. The institute is tasked with evaluating and testing cutting-edge AI systems to identify safety risks, including cyber capabilities. In addition to the AISI, the National Cyber Security Centre (NCSC) is working on practical guidance for organisations, and the government is preparing the upcoming Cyber Security and Resilience Bill and the National Cyber Action Plan.
However, Kendall emphasised that businesses cannot afford to wait for legislation. She urged board members and senior leaders to treat cyber risk as a core business issue, not something to be delegated solely to IT teams. She recommended that organisations sign up to the Cyber Governance Code of Practice and, for smaller businesses, use the NCSC’s Cyber Action Toolkit. Incident response planning, rehearsals, and cyber insurance were also highlighted as essential steps.
The Cyber Essentials certification scheme was pointed to as a foundational measure to help organisations establish basic security policies and procedures. Additionally, Kendall encouraged businesses to take advantage of the NCSC’s Early Warning service and to consult sector-specific regulators for additional guidance.
Broader implications for the economy and society
The acceleration of AI-driven cyberattacks could have far-reaching consequences beyond individual companies. Critical national infrastructure, including energy grids, transportation networks, and healthcare systems, could become targets. The financial sector is also highly exposed, given its reliance on digital systems and large volumes of sensitive data. A major AI-orchestrated attack could disrupt entire economies and erode public trust in digital services.
Furthermore, the technology is not confined to malicious actors. The same capabilities that enable autonomous cyber offence can also be used for defensive purposes. Project Glasswing is an example of a proactive approach, where AI is leveraged to identify vulnerabilities before they can be exploited. However, as Kendall noted, the trajectory is clear: capabilities are growing fast, and both defenders and attackers are racing to adapt.
To date, most organisations have focused on incremental improvements to cybersecurity, such as deploying multi-factor authentication or updating software. While these remain important, they are no longer sufficient. The threat from frontier AI models requires a fundamental rethinking of security architecture, including the adoption of AI-powered defence systems, zero-trust frameworks, and continuous vulnerability assessment.
What businesses should do now
Kendall’s letter offers a concrete set of actions for business leaders. First, cyber risks should be a regular item on boardroom agendas, with clear accountability and oversight. Second, organisations should adopt proven frameworks like Cyber Essentials and the NCSC’s guidance. Third, incident response plans should be tested and updated to account for AI-driven attacks, which may require faster reaction times than human-led attacks. Fourth, businesses should consider cyber insurance as part of a broader risk management strategy.
Small and medium-sized enterprises (SMEs) are particularly vulnerable, as they often lack dedicated security teams. The NCSC’s Cyber Action Toolkit is designed to help them assess their posture and implement practical measures. Kendall also highlighted the availability of regulatory guidance for sectors such as finance, energy, and healthcare, which may have additional compliance obligations.
The technology secretary concluded her letter with a call to action: “We are entering a period in which the pace of technological change may test every institution in the country. The businesses that act now – that treat cyber security as an essential part of running a modern company, not an optional extra – will be the ones best placed to thrive through it and seize its advantages. We urge you to be among them.”
Kendall’s warning comes at a time when the global cybersecurity landscape is already under immense strain. Ransomware attacks, supply chain compromises, and state-sponsored espionage are at historic highs. The addition of autonomous AI-driven attacks threatens to overwhelm existing defences. In response, the UK government is investing heavily in AI safety research and expanding the AISI’s mandate. Other nations are likely to follow suit, as the implications of frontier AI for national and economic security become impossible to ignore.
The next 12 to 24 months will be critical. As frontier model capabilities continue to double every few months, the window to prepare is closing fast. Organisations that wait for a crisis to act may find themselves ill-equipped to respond. The government’s message is clear: the AI threat is real, it is accelerating, and it demands immediate attention from every business leader in the country.
Source: ComputerWeekly.com News