The United Kingdom government has issued a warning that the latest generation of artificial intelligence models is reshaping the cyber threat landscape, enabling attacks to be carried out with greater speed, scale and accessibility than previously possible.
Testing conducted by the UK AI Security Institute found that a frontier model developed by Anthropic, known as Mythos, is “substantially more capable at cyber offence than any model previously assessed”. The model forms part of the company’s wider Project Glasswing initiative and represents a step change in the application of AI to offensive security.
Officials say that AI capability is doubling roughly every four months, a pace that is outstripping the ability of many organisations to adapt. The concern is not only the sophistication of these systems, but the way in which they are altering who can carry out cyber attacks and how they are executed.
Automation is changing the nature of cyber threats
The government’s warning highlights a shift away from a threat landscape dominated by small numbers of highly skilled attackers. In its place is an emerging model in which AI systems can automate techniques that once required specialist expertise, effectively lowering the barrier to entry for cyber offence.
This transformation is placing pressure on existing defensive approaches. Traditional cybersecurity practices, often built around static assessments and periodic audits, are struggling to keep pace with systems that can continuously scan for vulnerabilities and exploit them in real time. The result is a growing imbalance between the speed of attack and the speed of defence.
Industry figures suggest that this gap is being compounded by weaknesses in data and systems architecture. Poorly governed or inconsistent data environments are particularly vulnerable, as AI-driven tools can identify and exploit these weaknesses more rapidly than manual processes. This has led to calls for a shift away from treating cybersecurity as a compliance exercise towards embedding it more deeply within organisational design.
There are also concerns about how AI tools are being integrated into day-to-day workflows. The increasing use of systems that connect directly to organisational data and infrastructure may improve productivity, but it also expands the potential attack surface, particularly where access controls and security practices are not aligned with the capabilities of these tools.
Leadership accountability moves to the forefront
In response to these developments, the government is placing greater emphasis on the role of business leadership in managing cyber risk. In an open letter, Business Secretary Liz Kendall urged boards to take a more active role in overseeing cybersecurity, including adopting frameworks such as the Cyber Governance Code of Practice and ensuring that incident response plans are in place.
National bodies including the National Cyber Security Centre and the Department for Science, Innovation and Technology are expanding guidance and resilience programmes. However, officials have made clear that these measures alone will not be sufficient without corresponding changes within organisations themselves.
The emergence of AI-driven cyber capabilities is reframing the challenge. What was once a technical issue confined to IT departments is becoming a broader organisational concern, requiring coordination across leadership, operations and technology teams. As AI continues to evolve, the ability to respond to these threats will depend not only on new tools, but on how effectively organisations rethink the systems and structures that underpin their security.
The warning from government suggests that the balance of advantage in cybersecurity is shifting. As AI lowers the barriers to attack and accelerates the pace at which vulnerabilities can be exploited, the question for businesses is no longer whether they will be targeted, but whether their existing models of defence are capable of keeping up.
