The cyber security agencies of the Five Eyes - the UK's National Cyber Security Centre (NCSC, part of GCHQ), plus their counterparts in the US, Canada, Australia and New Zealand - have put out a joint statement on AI and cyber risk. The message is short, and unusually blunt. AI is changing the threat landscape faster than most organisations are reacting, it's lowering the barrier for attackers, and it's shrinking the gap between a vulnerability being found and being exploited. Their line on timing: "the timeline is not years, it is months."
It’s difficult to overstate how unusual this is. Over the past 10 years intelligence agencies have collaborated ever-closer with private businesses on assessing and mitigating cyber risk, but public announcements like this are rare and a signal to pay extra attention.
The statement is aimed squarely at leaders and boards, and it implicitly calls on vendors and suppliers too. If you manage environments like Microsoft 365 for your customers, that includes you. A few things stand out.
The statement is pitched at boards and executives who can "reassess long-standing trade-offs" and back their cyber leaders with authority and resources. Most of the SMBs you look after don't have that layer. They don't have a CISO, they're not reading NCSC bulletins, and they're not going to translate a Five Eyes call to action into config changes. You are their security function, whether that's written into the contract or not.
The good news is that the five practical actions in the statement aren't new, and they're not exotic. They're the work you already know how to do:
None of that is a surprise, and it maps across to industry practices for effectively managing M365 environments at scale – whether that’s Conditional Access, securing devices with Intune, or managing security with Defender policies.
The shift the agencies are flagging is that "later" is no longer an acceptable answer. The practical move is to take that list and check it honestly against every tenant you run. Not the one you set up last month, the one you inherited eighteen months ago and haven't looked at since.
The sharpest sentence in the whole statement is this one: it's not enough to have controls, leaders must be confident those controls will actually perform during a real incident.
That's the gap that applies to MSPs specifically. A baseline you applied once and never revisited is a control on paper. Across 50 or 100 tenants, configurations drift. An exclusion gets added for a noisy app and never removed, a policy gets adjusted to fix a support ticket, a new tenant gets stood up just short of the standard. Each change is small and reasonable in the moment. Added up across a tenant estate, they're the difference between "we have MFA and conditional access everywhere" and "we have it almost everywhere, and we're not sure which ones." Under pressure, almost everywhere is where you get hurt.
So the action here isn't "buy more controls." It's to get visibility on whether the controls you've already deployed are still in place and consistent tenant to tenant, and to know when one drifts rather than finding out during an incident.
The statement is clear that AI cuts both ways. Adversaries are already using it to move faster, and defenders should use it deliberately to detect issues earlier and respond quicker, not just to shave a bit of efficiency. But it's equally clear about what wins. In the agencies' words, success "will not come from having the most tools." It comes from getting the basics right, acting quickly, and treating cyber security as core business strategy. As always – it's a combination of technology, process, and people.
For MSPs, that's a useful steer. The foundational work (attack surface minimisation, patching, identity hygiene, consistent secure-by-default baselines) is what moves the needle, and it's most of what frameworks like CIS have been asking for all along.
The thread running through the whole statement is that risk assumptions now go stale in months, not years, and the value of any capability depends on how well the environment around it is governed. That's been true of every major shift in this space; AI is just moving far faster than previous technological revolutions. The agencies' point to leaders is "act now."
For MSPs, acting now means: