
Five Eyes chiefs put AI cyber threat timeline in 'months,' as OpenAI logs 189× agent growth

A rare joint statement from CISA, NSA, NCSC and Commonwealth counterparts lands the same week OpenAI documents agentic Codex use scaling exponentially inside enterprises.

The heads of six Five Eyes cyber agencies signed a joint statement on June 22 putting the timeline for AI to “fundamentally transform both offensive and defensive cyber capabilities” in months rather than years. The signatories, CISA’s Nick Andersen, the NSA Cyber Directorate’s David Imbordino, UK NCSC’s Richard Horne, CCCS’s Rajiv Gupta, ASD/ACSC’s Stephanie Crowe, and GCSB/NCSC’s Catriona Robinson, framed AI as a force that “shrinks the window between vulnerability discovery and exploitation ever more quickly.”

The document, titled “The AI shift in cyber risk: why leaders must act now,” is unusual in two ways. First, it pushes the question up to boards rather than CISOs, arguing “it is not enough to have controls” and that systems must “work under pressure.” Second, it names operational fixes: reduce attack surface, accelerate patching, retire legacy systems, harden identity, rehearse incident response. The Record’s Suzanne Smalley noted that CISA is already requiring federal agencies to triage some vulnerabilities in under three days, with AI-relevance one input into that prioritization.

The structural read becomes clearer when you set the alert next to data OpenAI published the same week. Codex telemetry shows median per-organization use rising 56× in Research, 32× in Customer Support, 27× in Engineering, and 13× in Legal between November 2025 and June 2026. Non-developer organizational users of the agent are up 189-fold since August 2025.

The work being delegated isn’t trivial. By May 2026, 80.6% of sampled individual users had filed at least one Codex request estimated at more than 30 minutes of human work; 25.6% filed requests exceeding eight hours. Ninety-ninth-percentile internal users generate more than 60 hours of agent runtime per day across parallel sessions.

That’s the attack surface the Five Eyes are describing in the abstract, already scaling inside the buyers they’re addressing. The agencies didn’t have to forecast the threat environment. They had to describe a deployment curve their constituents are signing purchase orders for.
