Australia warns of serious frontier AI cyber risks
The advisory warns that frontier AI can strengthen cyber defence but also help malicious actors scale cyber activities.
The Australian Government has issued a policy advisory urging Commonwealth entities to strengthen cybersecurity readiness for the frontier AI era.
Issued under the Protective Security Policy Framework, the advisory warns that frontier AI creates a dual-use challenge because advanced AI models can strengthen cyber defence while also being used by malicious actors to conduct cyber activities faster, cheaper, and at greater scale.
The Department of Home Affairs said frontier AI increases the risks posed by known vulnerabilities, legacy systems, and weak cyber hygiene, creating what it calls a ‘vulnerability storm’ for government entities.
The document says Australian Government entities do not need access to the most advanced frontier AI models to stay protected. Instead, effective readiness depends on applying existing cybersecurity mitigations and practices, including guidance from the Australian Signals Directorate and requirements under the Protective Security Policy Framework.
Commonwealth entities are told to prioritise compliance with the PSPF, Information Security Manual, and Essential Eight, confirm executive accountability for cybersecurity risk management, engage with ASD and Home Affairs guidance, and identify and remediate material gaps that AI-enabled threat actors could exploit.
The advisory also highlights requirements covering internet-facing systems, secure procurement and supply chains, attack surface reduction, patching, legacy technologies, zero-trust principles, gateway security, ASD’s Cyber Security Partnership Program, and the application of the Information Security Manual.
An annex from ASD says frontier AI is collapsing exploit timelines from days to hours and urges organisations to ‘lock down the fundamentals now’. It outlines actions to secure systems, reduce vulnerabilities, replace or isolate legacy IT, prepare for incidents, adopt AI for cyber defence, and modernise systems using secure-by-design and secure-by-default principles.
The advisory is aimed at accountable authorities, chief security officers, chief information security officers, procurement officers, and entity personnel.
Why does it matter?
The advisory frames frontier AI as an accelerant for existing cybersecurity weaknesses rather than a wholly new category of risk. Australia’s message to government entities is that AI-enabled threats make basic cyber hygiene more urgent: patching, reducing attack surfaces, managing legacy systems, securing supply chains, and preparing incident response plans. It also shows how governments are beginning to translate frontier AI risk into operational security requirements for public-sector organisations.
