FCA, BoE and Treasury sharpen expectations on frontier AI risk
The Financial Conduct Authority (FCA), Bank of England and HM Treasury have issued a joint warning that frontier artificial intelligence models now pose a materially heightened cyber threat to regulated firms, and have set out clear expectations on how the sector should respond.
In the published joint statement, the authorities said the cyber capabilities of current frontier AI models already exceed what a skilled human practitioner can achieve, and operate at significantly greater speed and scale and at lower cost. Used maliciously, these capabilities amplify risks to firms’ safety and soundness, to customers, to market integrity and to wider financial stability.
The regulatory bodies warned that exposure will grow as more advanced models emerge, and that firms which have underinvested in cyber security fundamentals are likely to become progressively more vulnerable.
The statement makes clear that, under existing operational resilience rules, regulated firms and financial market infrastructures must take active steps to plan for and mitigate the risks posed by frontier AI-driven attacks, which are expected to be faster and more disruptive than those seen to date.
Boards and senior management are expected to have a sufficient grasp of frontier AI risks to set strategic direction and oversee control functions, with investment, resourcing and insurance arrangements reflecting the emerging threat. Particular attention should be paid to exposure created by end-of-life systems or technology no longer supported by vendors.
The regulators also expect firms to be able to triage, prioritise, assess and remediate vulnerabilities more rapidly, more frequently and at scale, using automation where appropriate, given that frontier AI can identify and exploit weaknesses across a technology estate at pace. Third-party and supply chain risk, including from open-source software, should be actively monitored, and firms should be ready to address vulnerabilities flagged externally at scale.
On protection, the authorities pointed to access management, network security and data protection as means of reducing the attack surface available to a frontier AI model, and encouraged firms to consider automated and AI-enabled defences capable of operating at comparable speed to AI-driven attacks.
Firms were also directed back to the effective practices on cyber resilience published by the Bank, PRA and FCA in October 2025 when planning response and recovery.
The UK government and financial authorities said they would continue to monitor developments in frontier AI and engage with industry through the Cross Market Operational Resilience Group (CMORG).

