Artificial intelligence (AI) models have now gained enough autonomy and reasoning capabilities to uncover security vulnerabilities, highlighting the urgent need for organisations operating a nation’s major networks to do what is required to safeguard their systems.
Singapore last month urged organisations to bolster their cyberdefence as advancements in frontier AI models pose significant risks to digital systems, in particular, critical information infrastructures (CIIs).
Described as the most advanced AI systems, frontier AI models are highly autonomous and capable of multi-step logic. They often are deployed to run complex software codes and advanced analysis.
They also can cut the time needed to identify vulnerabilities and create exploits, enabling threat actors to potentially launch critical attacks in mere hours.
“Frontier AI is accelerating at a rate where current assumptions in cyber risk management, on which your controls, measures, and incident response plans were designed, may no longer be valid,” noted David Koh, chief executive of Cyber Security Agency (CSA) and Singapore’s Commissioner of Cybersecurity.
Vulnerability discovery is becoming faster and cheaper, while social engineering is becoming more convincing and more personalised.
“Multi-stage attack chains can increasingly run without human intervention. Suppliers and interconnected systems face similarly heightened pressure,” Koh wrote in an open letter. “The window between vulnerability disclosure to system owners and exploitation by bad actors is narrowing, and the level of expertise required to mount a competent attack is falling.”
Frontier AI has materially shifted the cybersecurity baseline for CIIs, he said.
Singapore’s Cybersecurity Act identifies 11 sectors as CIIs, including energy, water, banking and finance, healthcare, transport, and government.
The challenge demands board-level and CEO attention, especially for CII owners, and should not be left to IT departments, Koh said.

He pointed to Anthropic’s move to restrict access to its Claude Mythos Preview under Project Glasswing, due to the former’s advanced cyber capabilities.
Singapore does not have access to Mythos, the Ministry of Digital Development and Information (MDDI) said in a May 2026 parliamentary response to a question on the AI model.
The government “maintains close working relationships” with various industry partners, including AI labs and cybersecurity vendors, to assess potential impact when new capabilities emerge, MDDI said.
The ministry added that it is working with partners that have access to Mythos to better understand its capabilities and implications.
It noted that AI already is changing how attacks are carried out, citing Google’s 2025 report that revealed threat actors had used AI to develop a new class of malware, called PROMPTFLUX. AI was used to rewrite portions of the malware code in real time to evade detection, MDDI said.
It said AI-enabled cyber risks are an amplification of an existing systemic risk, where the fundamentals are essential to strengthen organisations’ cyberdefences.
In an update last week, Anthropic said it had expanded Project Glasswing partnerships to 150 organisations, from 50 in early April, that have access to Claude Mythos Preview.
The initial 50 partners, which included the US government, collectively found more than 10,00 security flaws rated high- or critical-severity, after using the Claude model to scan their codebases.
The expanded 150 partners are based in more than 15 nations and include CII operators, Anthropic said, adding that it planned to further stretch its geographical reach.
Then on June 9, it launched Claude Fable 5, which it described as a Mythos-class model with safeguards so it would be "safe for general use". This means queries on some topics will instead receive a response from its preceding model, Claude Opus 4.8, it said.
At the same time, the LLM vendor also launched Claude Mythos 5, which it said would be made available only for "a small group" of cyberdefenders and infrastructure providers.
This version runs on the same underlying model as Fable 5, with safeguards lifted in some areas.
Wakeup call to move beyond humans
Anthropic had earlier noted that Mythos was able to identify thousands of zero-day vulnerabilities and more than 99% of vulnerabilities it found had yet to be patched. It, too, called for the industry and cyber defenders to take “urgent action” in response.
CSA's Koh said boardrooms should commission a review to ascertain if their organisation’s cybersecurity risk mitigation measures are adequate amidst frontier AI development.
Their assessment should include both IT and OT (operational technology) systems, whether vulnerability management and incident response are fast enough, and if their own AI use is appropriately governed.
He said CSA also would monitor further developments and release additional technical guidance as the market evolves.
“We predicted 18 to 24 months ago that LLMs (large language models) would be able to find zero-day vulnerabilities,” said Stephen Hager, Google Cloud’s director of Office of the CISO, who covers the cloud vendor’s US public sector.
He told FutureCISO that LLMs now are able to find CVEs (Common Vulnerabilities and Exposures) and link them in a chain, resulting in bigger attack vectors.
Calling it a good wakeup call, Hager said companies must realise they can no longer afford to simply have SOC (security operations centre) analysts looking at logs to patch.
They need to use AI to run such tasks and leverage LLM capabilities to their advantage, such as scanning their source codes for potential vulnerabilities, he said.
CII organisations also will need strong governance and operational safeguards, as they automate their security operations (SecOps) to counter “machine-speed” threats, said Daryl Pereira, Google Cloud’s director and Asia-Pacific head of Office of the CISO.
“The goal is not simply to automate faster, but to automate responsibly,” Pereira said in a video call with FutureCISO.
Enterprises moving towards agentic defence should adopt key measures, such as tapping runtime protection to perform prompt sanitisation, he noted. This blocks risks such as prompt injections and prevents sensitive data leaks during model interactions.
They also should secure AI-native development lifecycles from inception, he said, adding that this should include integrating security scanning directly into developer tools.

This will ensure vulnerabilities or secrets in AI-generated outputs are caught before the code is sent to production.
“Modern cyberattacks do not just steal data; they systematically destroy an organisation’s ability to recover,” Pereira said. “To prevent this, companies must isolate their critical management planes, such as identity providers and backup infrastructure, from the main corporate network. This containment prevents a breach in one department from freezing the entire business.”
“For CII owners, the era of human-speed cybersecurity is over. AI-powered threats are real and persistent that demands urgent, board-level attention,” said Vivek Chudgar, Asia-Pacific Japan managing director of Google Cloud’s Mandiant Consulting.
To outpace machine-speed adversaries, CII operators need to increase their tolerance levels for faults to benefit from AI-integrated defences, Chudgar said.
Automating security operations and rigorously reducing the attack surface through zero-trust principles are essential for protecting critical infrastructures, he added.
Guard AI agents as you would humans
And it seems 93% of Singapore organisations either are using or plan to use AI agents for sensitive security tasks, such as password resets and VPN access, according to a study by Semperis.
Some 66% of respondents in the Asian nation believe AI will drive attacks on identity infrastructure, noted the report, which polled 1,100 organisations across eight global markets including Singapore, Australia, Germany, Italy, and the UK.
Across the board, 65% of organisations say their AI identities are registered, authenticated, and authorised in a formal system, while 6% acknowledge they do not track agents at all.
Amongst those that do, 57% use the same system as they do for human identities, while 43% authenticate and authorise AI agents using a separate system.
Semperis suggests this introduces another layer of complexity for security teams.
“AI agents may not behave like human users, but they can still hold access, interact with sensitive systems, and become part of the organisation’s identity fabric,” the identity management vendor said. “Without clear registration, authentication, authorisation, and recovery processes, these non-human identities can widen the attack surface and complicate incident response.”
Already, 29% use AI agents to manage security-related help desk tickets, including password resets and VPN access, while 65% plan to do so within the next year.
Another 92% reveal that some percentage of their workforce have AI installed on local machines where it can access encryption keys and SSH. The latter, Secure Shell, is a cryptographic network protocol that enables secure access to a remote machine.
“Singapore organisations have been quick to explore AI across business and security operations, but every AI agent introduced into the enterprise also creates a new identity that must be governed, monitored, and recovered if compromised,” said Gerry Sillars, Semperis’ vice president for Asia-Pacific Japan. “As AI moves closer to privileged systems, identity resilience needs to be built into AI adoption from the start.”
As AI adoption accelerates attack lifecycles and facilitates hyper-personalised social engineering, CII owners must pivot towards “active resilience”, said Pereira.
This means increasing defensive friction, while ensuring recovery systems are isolated from the production attack surface, he said.
Organisations should minimise what is exposed to effectively reduce their attack surface in the AI era, he added.
“The biggest risks still stem from exposed entry points, [with] exploits on internet-facing applications [still] one of the most common initial access vectors,” he noted. “Organisations should prioritise reducing unnecessary external exposure, patching aggressively, as well as tightening APIs (application programming interfaces), endpoint, and AI-connected services.”
Pereira also urged companies to maintain a dynamic AI Bill of Materials, so they have visibility of their AI frameworks, models, and IDE (Integrated Development Environment) extensions across their network.
Doing so will further help their cybersecurity teams track authorised tools and uncover shadow AI or unapproved plugins that could leak sensitive data, he said.
Tightening permissions and monitoring how systems are used internally will further reduce the attack surface, he added.
This includes avoiding broad access rights and restricting over-permissive identities and OAuth tokens, which provide third-party applications access to a user’s data without revealing their password, to enforce least privilege across identities and integrations.

CII operators also should adopt agentic defence, where AI agents are deployed to proactively find novel attack patterns and automate response actions.
“This shifts defence from manual craft to an automated science, enabling a response to threats in seconds rather than minutes,” said Pereira.
Employees also will need to be retrained to combat AI-powered social engineering attacks, where live, human-steered conversations can bypass conventional automated filters, he said.
Guarding against shadow AI
Shadow AI, in particular, is a major concern amongst organisations, according to Pereira.
“It’s a big issue. People are going to try [to circumvent policies] anyway, even when you stop them from using [AI applications],” he said.
He advised businesses to allow access to AI tools, but to do so with guardrails in place.
“If there are too many barriers, it can be harmful,” he added. “If you have uncontrolled AI with uncontrolled access to data, you’ll have unintended outcomes. So it’s best to manage it by allowing AI, but promoting a suite of approved AI models that people can experiment with…[and] controlling that experimentation with guardrails, baked into that with security.”
That sometimes also means knowing when to say no to AI.
Organisations need to avoid using AI that they cannot explain, said Patrick Moreau, Thales’ vice president of Protection System.
AI users need to be able to explain why they are using it, have a set of data that is sufficiently large, be able to analyse the data, and explain the responses, Moreau said via a video call with FutureCISO.
Organisations must remain the operator in the loop, he said.
He noted that GenAI applications can be perceived as accessible and easy to use, but users still should know to reject responses that they cannot explain.
Moreau further noted that it is particularly difficult for CIIs to transition to new systems, since they run critical infrastructures that cannot be shut down, even temporarily, to facilitate new deployments.
It is a unique constraint and requires a comprehensive transformation plan that takes this into consideration, including training employees to manage the transition, he said.










