Responding to the Five Eyes guidance on AI and cyber risk
The latest joint statement from the Five Eyes cybersecurity agencies delivers a straightforward message. Artificial intelligence is changing the economics and speed of cyberattacks, and organizations should adjust their security programs now rather than wait for a future wave of threats.
For software development teams, the guidance reinforces something many security practitioners have been working toward for years. Secure software delivery, rapid remediation, and resilient infrastructure are becoming business requirements rather than security initiatives.
At Chainguard, we see the statement as validation of an approach that emphasizes reducing risk before software reaches production.
AI changes the timeline for defenders
The Five Eyes agencies, representing Australia, Canada, New Zealand, the United Kingdom, and the United States, warn that frontier AI models will increase the speed, scale, and sophistication of cyber attacks. The important point is not simply that attackers will become more capable. The time between vulnerability discovery and exploitation is expected to continue shrinking. Organizations will have less time to identify issues, prioritize them, and deploy fixes.
The guidance also makes clear that cyber resilience is no longer solely the responsibility of security teams. Executive leadership, engineering, operations, and software suppliers all have a role in reducing organizational risk.
This aligns closely with how modern software supply chain security has evolved. Security has to be built into development workflows instead of relying on perimeter defenses or manual reviews after deployment.
What the guidance recommends
Although the AI discussion is new, many of the recommended actions are familiar security practices that have become even more important as AI increases attackers' efficiency.
The guidance encourages organizations to:
Reduce attack surface by minimizing unnecessary software and dependencies.
Accelerate patching and vulnerability remediation.
Address legacy systems that are difficult to secure.
Strengthen identity and access management.
Use AI to improve defensive operations where appropriate.
Treat cyber resilience as a core business capability.
If you’ve spent any time in the security industry, you’ll know: these recommendations are not new, but are now urgent.
Where Chainguard fits
Many of the practical recommendations map directly to software supply chain practices that organizations can implement today.
Start with a smaller attack surface
The Five Eyes guidance specifically calls out hardened, minimal base images as a way to reduce exposure. Software that is never included cannot become another vulnerability to manage.
Chainguard Containers are built around this principle. By not building with unnecessary packages and components, organizations reduce the number of potential vulnerabilities introduced into their containers while maintaining compatibility with modern application workloads.
Reducing the amount of software in production also makes security investigations and maintenance simpler over time.
Speed matters more than ever
If AI shortens the time between disclosure and exploitation, remediation speed becomes a competitive advantage.
The Five Eyes agencies emphasize accelerating patching and reducing operational friction in vulnerability management.
Chainguard continuously rebuilds and publishes images with security updates as upstream fixes become available. Development teams can consume updated images without waiting for manual package maintenance across multiple internal repositories.
This allows engineering teams to spend more time validating and deploying updates instead of assembling them.
Build trust into the software supply chain
The guidance also recommends relying on trusted software sources and strengthening confidence throughout the development pipeline.
Chainguard's approach includes signed artifacts, verifiable provenance, SBOMs, and continuous maintenance. Together, these capabilities help organizations understand what they are deploying and provide stronger evidence for security reviews, compliance activities, and incident response.
As software supply chains become increasingly complex, visibility into the origin and maintenance of software becomes more valuable.
Make security operational
The Five Eyes statement notes that security scanning and automation should become part of normal engineering operations rather than isolated compliance exercises.
The Department of National Defence's DevSecOps Community of Practice has echoed this idea, emphasizing that SAST, DAST, SBOM generation, and secrets scanning are only valuable when organizations consistently act on the findings. Automation and outsourced CVE remediation are practical ways to improve response times.
Chainguard supports this operational model by providing continuously maintained artifacts that integrate with existing CI/CD workflows, enabling security improvements without introducing additional manual processes.
AI does not replace security fundamentals
One of the strongest themes throughout the Five Eyes guidance is that AI does not fundamentally change cybersecurity. Organizations still need sound identity controls, secure software, resilient infrastructure, and disciplined operational processes. AI simply raises the cost of falling behind.
The agencies also caution against depending on a single technology. Defense in depth remains essential because resilience comes from multiple layers working together.
That perspective aligns with Chainguard's view of software supply chain security. Secure images, trusted provenance, continuous updates, and modern development practices are not independent solutions. They are complementary controls that help reduce risk across the software lifecycle.
Looking ahead
The Five Eyes statement is less about predicting a distant future than recognizing that software development already operates in a different threat environment. AI enables defenders and attackers alike, but organizations that reduce complexity, automate remediation, and strengthen their software supply chains will be better positioned to adapt.
For many teams, the path forward does not require a complete security transformation. It requires consistently applying proven engineering practices at a pace that matches today's threat landscape. That is precisely where Chainguard is focused.
Get in touch with our team to learn more about how we can help you meet important compliance guidelines.
Share this article
Articles connexes
- sécurité
AsyncAPI supply chain compromise: npm packages backdoored via GitHub Actions "pwn request" (July 2026)
Quincy Castro, CISO
- sécurité
We're putting our security to the test, and we want your help
Quincy Castro, CISO, and Alex Burrage, Director, Product Security
- sécurité
Summer of Clearinghouses
Dan Lorenc, Co-founder and CEO
- sécurité
@mastra npm scope takeover: 143 packages backdoored via compromised contributor account
Quincy Castro, CISO
- sécurité
Miasma Phantom Gyp npm attack: 57 packages, 286 malicious versions hijack CI/CD pipelines via binding.gyp
Quincy Castro, CISO
- sécurité
Chainguard customers safe from Mini Shai-Hulud worm targeting @redhat-cloud-services npm packages with 100K+ weekly downloads
Quincy Castro, CISO