On June 22, 2026, the cyber security agencies of the Five Eyes alliance, the United States, United Kingdom, Canada, Australia, and New Zealand, took the rare step of issuing a joint statement warning that AI is transforming cyber risk on a timeline of months, not years. When five of the world's most capable cyber defense agencies speak with one voice, it is a signal that something has shifted.
To unpack what that shift looks like on the ground, Samarpita Pattnaik, volunteer host for InfoSec Relations, spoke with Alfredo Hickman, CISO at Kai. With over a decade of experience in the military and the defense establishment, Hickman secures an AI company's own environment while helping build the kind of agentic AI security platform the Five Eyes statement points to as part of the answer.
Watch the full conversation below or read the full interview.
The transcript below has been lightly edited for clarity.
When five of the world's most capable cyber defense agencies issue something jointly, that is signal, not noise. What does that acceleration actually look like in practice?
Hickman: It's really important to keep in mind that when the Five Eyes, so the United States, Canada, UK, Australia, and New Zealand, come together to make these sorts of statements, this is transcending politics. This is a joint statement that they use in this forum to really cut through the noise and cut through some of the political posturing and messaging, to warn people that from this very privileged perspective, in that the capabilities they possess are unique to that organization, we see an evolution in the risk and in the threat landscape that is really substantial. And we are at an inflection point. On the security side of the house, we've known now that this has been coming. Even as engineers, even as security professionals working on these technologies, what we have seen has been the rapid increase in the maturing, the development, and the implementation of these technologies. And we know specifically with artificial intelligence, both in generative AI and agentic AI, that just as we on the security side are using this to protect and defend and to help support innovation and economic development, threat actors, hackers, and other malicious parties will use the same technologies for malicious purposes, to hurt organizations, to hurt people. So for the Five Eyes to come together and put out this sort of joint statement is really a wake-up call that transcends any of the local politics of these nations at the time.
You said this statement marks AI moving from future risk to present operational reality. What is the most concrete evidence in your own environment that backs it up? And is the months-not-years timeline accurate, conservative, or alarmist?
Hickman: I don't think that it's alarmist at all. As a matter of fact, from my perspective, it was a little generous, in that we are already seeing AI-enabled cyberattacks happening in the wild. This is something that a lot of us who are pioneering on the bleeding edge are seeing. These capabilities currently are not developing any novel sorts of cyberattacks. What they are doing is changing the economics of these cyberattacks. They are reducing the barrier to entry, they are accelerating the velocity, they are amplifying the volume, and they are making it much more simple to execute full-scale cyberattacks from beginning to end in a much more compressed time cycle than ever before. And that is not a hypothetical. That is not something that is happening in future tense or that could happen in some future-tense reality. This is something that is happening now. What the Five Eyes organization is saying is that what we are seeing now, a wave of sophistication, an increase in maturity and complexity and impact of these cyberattacks, is the trend line that we're seeing rapidly accelerate.
You framed this as attacks becoming cheaper, faster, and more scalable rather than fundamentally new. Walk us through what that compression looks like across the attack lifecycle, and where the disclosure-to-exploitation window is shrinking fastest.
Hickman: That's a really important question, because it gets to the underlying economics of the implications of AI, and the economics impact everybody. It doesn't matter, from the wealthiest governments and nation states and organizations to everything in between, we all have budgets. I spent over a decade of my life in the military and in the defense establishment, working both on counterterrorism and insurgency, and then crossing over into cyber operations and campaigns. And I can tell you that even in the military and in the intelligence community, they all have budgets. What AI is doing is lowering the barrier of entry, making it easier to expand the resource pool of talent that can actually participate in offensive cyber campaigns and defensive cyber operations. And not only is it doing it for governments and militaries, but it's doing the same thing for these hacking organizations, these cyber criminal organizations. Whereas before you had to have highly specialized pools of top talent, and those top individuals are very expensive, they're not cheap, now you can broaden the base of the talent pool that you can work with to accomplish your goals, whether they be nation state goals, economic goals, or cyber crime goals. What is happening is that the most proficient individuals can become even more specialized. They can be leveraged even more strategically. But then it broadens the funnel of human resources that now can enter the arena of these AI-enabled cyber operations, whether they be for good purposes or ill purposes.
You are not just defending against the shift, you are doing it from inside a company built on the very technology causing it. What is the hardest part of being both the operator and the security owner of that system, and how do you think about the attack surface of AI itself?
Hickman: This is why I love this space so much, on the edge of security, of technological innovation, of entrepreneurship. As a security leader, I have to look at these technologies for what they are, which is tools, capabilities. How we leverage these capabilities from a security perspective to enable the business to deliver value to our customers is what ultimately drives the success of our business. However, my responsibility to the business is to protect the organization from the nefarious use of these technologies against us, the double-edged sword of this AI technology. It's a really interesting thing, because we as business executives have to support the organization to leverage these technologies responsibly, securely, and safely so that we can realize the value. We have to leverage these technologies internally to give us the upper hand to counter the threats. And then we have to constantly be monitoring, assessing, and learning from the external threat landscape so that we can continue to evolve ourselves and tune ourselves and make sure that we're as effective as possible. So it is quite a balancing act, but it definitely makes for very fascinating work.
The statement says success will not come from having the most tools. It will come from getting the basics right and acting quickly. How do you think about that alongside building and selling an AI platform?
Hickman: This is why at Kai we look at cyber defense from an AI-native perspective, from first principles. Because it is easy to get caught up in the rapid change of the technologies themselves. If you go and speak to the engineers developing the frontier models, they will tell you themselves, we don't know where the tech is going to be in the next 12, 24, 36 months, because it's evolving so rapidly. So we as defenders have to look at things from foundational principles, because as much as the external landscape changes, as much as the adversaries are evolving and the technology's evolving, there are certain fundamental principles that will continue to remain true. We must architect and engineer our organizations for resiliency, because attacks will happen, breaches will happen, outages will happen. We must equip our organizations with the resiliency needed to recover. We know that identity, human and non-human identity, is as critical now as it's ever been, and in AI it gets even more important. So we must solve for identity. Zero trust, zero trust network architecture. We know that AI is demanding that we implicitly trust all of these agents and systems to connect and move data and make decisions now. The big difference in agentic AI is the ability to make decisions. So how do we put in the ZTNA principles and capabilities so that we start to compartmentalize that trust and verify, and put in those guardrails? There are certain foundational security principles that were critical in the previous generation but are absolutely more critical now, and those have not changed. So if we focus on those fundamentals and apply some of these AI-native capabilities and principles to those fundamentals, I think we have a much better chance of succeeding in this new era.
You have built that accountability from scratch twice, at Obsidian and now at Kai. If a CISO came to you and said they have six months before AI-driven threats outpace their program, what are the two or three things you would tell them to do first? And what does empowering cyber leaders with authority actually look like when a board has to choose between security investment and growth speed?
Hickman: If I had to pick three, I would break it across these buckets. Training and education of the workforce. It actually really surprises me, coming from a military background. In the military, when you're not deployed and working on deployment, you are training, and you are training all the time to develop the education, the skills, the proficiency to be excellent in your work. In many organizations in the private or commercial sector, they tend to not invest in training their people. But now, as AI is fundamentally disrupting all areas of business, not just IT, not just engineering, manufacturing and HR and finance and every area you can imagine is being impacted by AI, we must educate and train our workforce to be able to leverage these capabilities effectively, efficiently, securely, and safely. The second thing is we must retool our organizations for the time, just as when there have been previous major economic evolutions. From agrarian economy to industrial economy to information economy, all of these major evolutions required retooling to match the times. From a security perspective, that means putting in the purpose-built capabilities and technologies developed to harness these capabilities effectively and deliver against those use cases, because the previous generation of tooling was built for a very different era, and we are in a new era now. And the third thing is absolute engagement and communication with the critical stakeholders throughout our organization. Security emerged from a technical discipline, but it integrates horizontally across an organization and touches every aspect of the business, so we have to be able to partner with, effectively communicate, and work with all of the critical stakeholders in our group. In the military, we called this by, with, and through, because everything we do is by, with, and through our partners from all areas of the business. And that includes not only our peers, but also our leadership and our boards of directors. Because if we can bring them on board and align them with our vision of a secure, viable organization, then we will be far more successful.
That tension between authority and resourcing is exactly where this becomes a board conversation rather than just a security team conversation.
Hickman: That's a critical point. One of the really fascinating things to me, as I engage with the various boards I participate in, is that this is one of the very rare times, at least in my lifetime, where I've seen boards of directors that have been very active and engaged in their organization's investing and procuring these technologies. Typically boards are not as engaged in technical technology decisions, but this is one of the rare times where you're hearing from the boards themselves, what are we doing in terms of investment in AI, how quickly are we getting these technologies into our organizations. And now they're seeing, and many of them understanding, that these technologies have the capabilities to make decisions on behalf of the organization that have material risk implications. So now the boards are coming to us and saying, we really care, we want to realize the value from these investments, but we also understand this is very different, and security and safety are paramount. How can we support you? We must continue to drive those conversations so that investment in technology is also matched with investment in security, so that we can enable the organization to realize that value for the long run, safely.
The statement frames cyber resilience as a board issue, not an IT issue. From what you've shared, boards are not all hearing that yet. Is it still landing as a technical memo for most of them?
Hickman: For many boards, it is landing as purely a technical issue. Unfortunately, human psychology is very much wired in a way that makes safety and security sometimes an afterthought, until individuals themselves are presented with some sort of significant incident and experience it for themselves. Then it tends to become quite real. Some boards are very different. Some really understand that this is a whole-of-business issue, that there are emerging regulatory implications now, the EU AI Act with its budget fines and so forth. Some boards are much more progressive and forward-leaning. Some are not quite there yet, and they might have to wait until they have their big incident in order to wake up.
The statement is just as clear that AI is not only a problem for defenders, it is also one of the most powerful tools they have. Five Eyes draws a distinction between using AI to strengthen defense versus simply improving efficiency. Where have you seen AI-driven defense outperform a skilled human analyst, and where have you seen it confidently get something wrong in a way that mattered?
Hickman: You allude to a very good point, which is that we're still in the very early times when it comes to AI and its effectiveness. You're probably alluding to some of the hallucinations, some of the experiences we've all had leveraging these technologies, where you can interact with them, you can question them, and sometimes they will return an output that they present to you as absolute fact, and then it turns out they just completely made it up. The development of the internet and the search engine and the digitization of much of the world's knowledge, to where we could query it at our fingertips, was a fantastic evolutionary capability. But fundamentally, we still had to read and process this information. We had to make sense of it and extract knowledge from this data. With generative AI in particular, we now have a technology that not only can query much of the world's data and information, but will also do the thinking for you, and that has very significant implications if we do not have quality assurance checks on this data to make sure that what we are consuming is not biased, is not intentionally poisoned, as we've seen with some of the Chinese models, where if you ask them questions about certain pieces of history, they will intentionally return data that is misleading. And conversely, from a business and commerce perspective, if we are looking to take action on that data as humans, let alone as agents, we have to make sure we have those quality assurance checks, because there are going to be very real implications. We've read about them in the news. We've seen cases in finance where organizations have made large investments with information generated by AI, and then it turns out the information was completely wrong. So we must not check our brains, as it were. We must exercise critical thought, and from an organizational perspective, we have to develop the quality assurance and quality check fabric to make sure the data and information we're using to fuel decisions, whether human or autonomous, is good.
If the statement holds and the timeline really is months, what does the cybersecurity industry look like a year from now that it doesn't look like today?
Hickman: As I mentioned at the beginning, I actually think the statement from the Five Eyes was quite generous. I don't think we're talking about months. I think we're seeing some of these sophisticated kill chains, some of these sophisticated orchestrated operations, already happening now. So for us as defenders, as security leaders and executives, this is something we have to start dealing with today. Very few organizations in the world are in a relatively mature position when it comes to their AI-native security strategy. Most organizations are somewhere from having not started, to just starting, to barely getting traction. So no matter where we are in our journey, we really need to assess our organizations, what kind of business we are engaged in, our verticals, what are the material risk implications presented by the rapid discovery of vulnerabilities, the rapid exploitation of these vulnerabilities, the supply chain implications, because the supply chain is absolutely critical. And how do we start to enable our organizations, via training and education, via investment in retooling for AI-native capabilities, and via governance in terms of process and policy, so that we can do two things: securely enable the investments of our business to leverage these capabilities, and defend our organizations and that value from those AI-native threats that are happening today, and will only continue to evolve tomorrow.
What is the one thing you wish more CISOs understood right now that they don't yet?
Hickman: I'll share a story. I was on a call in a very prominent CISO forum, and there were almost 100 CISOs from around the world representing many different industries, government, manufacturing, education, healthcare, sciences, energy. All industries were represented. And it was almost halfway split. About half of the security leaders were saying, this is inevitable, this is coming, we need to be proactive, we need to start really assessing our organizations and getting the investments in place and starting to enable the companies. And about half the other group was saying, we are going to try to delay this as much as possible, I still have a lengthy backlog of things we haven't worked, this is just a fad, it's not catching on. The only historical parallel in my lifetime that is similar to this is when the internet first started to really take off and gain traction. Many people were saying, this is just a fad, it's going to blow over, it's not going to have global systemic implications. And the other half was saying, no, this is going to change the world. By the mid-1990s, and definitely by the late 1990s, nobody was asking these questions anymore, because the entire world had changed. We are in a very similar historical parallel right now. The world has changed, and it is changing. For those who can see it, it's obvious. And for those who can't see it yet, we will come to a time in the not-too-distant future when even they will not be able to ignore it. So we must proactively move to put our organizations in position to succeed safely in this new era, because we are there.