NCSC chief urges UK organisations to raise cyber baselines for AI era

TL;DR

  • NCSC CEO Richard Horne warned on 15 April that frontier AI will expose organisations lacking basic cyber hygiene, as attackers use AI to find and exploit vulnerabilities faster than ever
  • His core prescription: reduce unnecessary exposure, apply security updates rapidly, and treat cyber risk as board-level business risk — not a specialist IT concern
  • The blog was originally published as a Financial Times letter the same day Mythos was discussed as a major cyber concern across UK, US, ECB and Canadian regulators

Richard Horne, chief executive of the National Cyber Security Centre, has put UK boards on notice. In a blog post — adapted from a Financial Times letter published 15 April — Horne argued that the step-change in frontier AI capability to find software vulnerabilities will, in the immediate term, “increasingly expose those organisations that have not taken appropriate steps to safeguard their cyber security.” His message lands as UK Technology Secretary Liz Kendall and Security Minister Dan Jarvis wrote to businesses warning that Anthropic’s Mythos model is “substantially more capable at cyber offence” than anything previously tested by the AI Security Institute.

The shift from capability to consequence

Horne’s framing moves the conversation from “what can frontier AI do” to “who is exposed when it does.” AI now makes vulnerability discovery and exploitation faster, cheaper and less skill-dependent. That compresses the window between patch availability and active exploitation — a window UK organisations already struggle to close. NCSC’s response is practical rather than technical: follow established guidance, reduce unnecessary attack surface, monitor and respond to malicious activity, and ensure board members own cyber risk as business risk.

The NCSC reiterated its Cyber Essentials certification as the baseline and positioned technology suppliers as having both a new threat and a new opportunity — AI will also let defenders find and patch flaws throughout product lifecycles. But the transition is the hard part.

Cross-regulator alignment on Mythos

Horne’s intervention fits a pattern this week of UK, US, European and Canadian regulators all converging on the same AI-cyber concern. The ECB is preparing to quiz Eurozone banks about Mythos preparedness; the St. Louis Fed said it is re-evaluating bank cyber resilience; Bank of England Governor Andrew Bailey urged regulators to understand the implications quickly; and Canadian financial officials met with bank executives to discuss the threat. This is unusual: regulators rarely coordinate this openly on an AI capability concern within a week of its disclosure.

Looking forward

UK firms that run on unpatched legacy systems — which in practice is most of them — have the clearest exposure. Expect NCSC guidance to harden over coming weeks, Cyber Essentials requirements to tighten, and procurement clauses to start demanding explicit AI-cyber readiness evidence. Boards should assume the question “what’s our exposure to AI-accelerated exploitation” will be asked in the next audit cycle, and should have an answer that goes beyond “we have an AI policy.”