Australia tells agencies to fix security basics before buying into frontier AI
The Department of Home Affairs has warned agencies that frontier AI could shrink cyber attack timelines from days to hours. A mandatory PSPF advisory says entities do not need the most advanced AI models to stay protected. Agencies are being directed first to Essential Eight and Information Security Manual controls before wider AI use in cyber defence.
The federal government has told agencies to prioritise long-neglected cyber security fundamentals before turning to frontier artificial intelligence for defence against faster attacks.
The direction is set out in the Department of Home Affairs' Protective Security Policy Framework advisory 001-2026, which warns of an expected "vulnerability storm" as AI is used by adversaries and security researchers to find flaws at machine speed.
Fundamentals before frontier models
The PSPF advisory says frontier AI could compress the time between vulnerability discovery and active exploitation from days to hours, increasing pressure on patching and response teams.
But the advisory also states that buying access to the most advanced models, including Anthropic Claude Mythos, is not required for effective protection.
"Australian government entities do not need access to the most advanced frontier AI models to stay protected," the PSPF advisory said.
Instead, agencies are being pointed to the Australian Signals Directorate's Essential Eight framework and Information Security Manual.
The PSPF requires government entities to reach Essential Eight Maturity Level Two for user application hardening and patching of user applications.
The Australian National Audit Office has previously faulted agencies on those areas in reviews.
The advisory is mandatory for government entities and defines frontier AI technologies as the most cutting edge in the field.
It describes frontier AI as an expected step change in capability, with more powerful automation, reasoning and decision-making than earlier generations of AI.
AI use is not ruled out
The compliance obligations do not amount to an official blanket ban on using advanced AI for cyber defence.
Companion guidance from ASD's Australian Cyber Security Centre says AI can help reduce manual workloads, improve threat prioritisation, and accelerate detection and response.
However, the official advice places AI adoption on a medium-term horizon, after short-term controls are in place.
A six-step maturity model attached to the advisory describes a future state where "artificial intelligence is used for cyber defence and is secure, controllable, human-supervised and used in an ethical and accountable manner".
Legacy debt remains a blocker
That future stage would come only after agencies have locked down configuration baselines, reduced attack surfaces, and addressed legacy system debt.
The ACSC also warns that poorly implemented AI could add security risk rather than reduce it.
The PSPF's central message is that agencies facing faster AI-driven exploitation should first improve patching, hardening and core control maturity before relying on frontier tools.





