ITnews

Gov urges agencies to fix security basics before buying into frontier AI


The federal government has told its agencies that the answer to frontier artificial intelligence (AI) compressing attack timelines from days to hours is to fix long-neglected security fundamentals.



This is clearly articulated in the Department of Home Affairs’ Protective Security Policy Framework (PSPF) advisory 001-2026, which adds that buying into frontier AI models such as the much-vaunted Anthropic Claude Mythos isn’t needed for effective cyber defences.

“Australian government entities do not need access to the most advanced frontier AI models to stay protected,” the PSPF advisory said.

Instead, the PSPF directs agencies to implement the recommendations in the Australian Signals Directorate’s (ASD) Essential Eight (E8) framework and its Information Security Manual (ISM).

PSPF requires government entities to achieve E8 Maturity Level Two for user application hardening and for patching those applications. Australia’s National Audit Office (ANAO) has faulted agencies in that respect in past reviews.

The PSPF advisory is mandatory for government entities and defines frontier AI technologies as the most cutting edge in the field.

The PSPF said frontier AI represents an anticipated step change in capability to enable much more powerful automation, reasoning and decision making than previous generations of AI.

The above compliance obligations do not represent an official blanket ban on using advanced AI for cyber defences, however.

Companion guidance issued by the ASD’s Australian Cyber Security Centre (ACSC) states that AI can be a meaningful way to reduce manual workloads, sharpen threat prioritisation, and accelerate detection and response.

The official advice puts AI adoption on a medium-term horizon once the short-term fundamentals are in place.

Under a six-step maturity model attached to the advisory, the ASD envisions a state where “artificial intelligence is used for cyber defence and is secure, controllable, human-supervised and used in an ethical and accountable manner”.

This would only be after agencies have locked down configuration baselines, reduced attack surfaces, and dealt with legacy system debt.

At the same time, the ACSC warns that poorly implemented AI could in fact introduce additional security risk, rather than reducing it.

With the increased use of AI both in adversarial contexts and by security researchers, concerns are surfacing that an automated, machine-driven effort will result in what the PSPF calls a “vulnerability storm”.

This has the potential to overwhelm cyber defences, as patching efforts can’t keep up with the number of new vulnerabilities found, which attackers can exploit more quickly than in the past.

In its advisory, the PSPF warned that frontier AI is collapsing the window between vulnerability discovery and active exploitation from days to hours.


