The Compliance Clock Just Got Faster.

The window is closing: AI has shrunk the gap between a vulnerability and its exploitation from years to months. A passive external assessment shows you what an attacker already sees — before your next audit cycle does.

[Figure: Yesterday, discovery to exploitation took years; today it takes months, and the gap is still closing. AI is the accelerant.]

The window defenders rely on is collapsing — and it is collapsing fastest at the edge of the network, where exposure lives.

On Monday night, the heads of the Five Eyes cyber security agencies did something they almost never do. They put their names to a single page together — Australia's ACSC, the United States' CISA and NSA, and their British, Canadian and New Zealand counterparts — and told boards, not IT departments, that the assumptions underpinning their cyber risk are about to expire.

Their message was deliberately plain. Frontier AI models are expected to outpace what the industry currently expects of them, and they will reshape both attack and defence. The agencies framed the timeline not in years but in months. They said AI lowers the barrier for malicious actors and shrinks the window between a vulnerability being discovered and being exploited. And they were explicit that breaches should now be assumed rather than feared — preparedness, not prevention, is the measure that matters. [1]

If that sounds abstract, the same week supplied the worked example.

One week. Two warnings. No new vulnerability required.

16 Jun: Researchers expose the operational infrastructure behind FortiBleed — an automated campaign harvesting working credentials from internet-facing Fortinet firewalls and VPN gateways. [4]

18 Jun: The ASD's ACSC issues a "Critical alert — Act now" advisory: rotate credentials, restrict management-interface exposure, enforce MFA, and stop publishing admin panels to the internet. [2]

19 Jun: Fortinet confirms the campaign rides on reused credentials and legacy password hashing, not a new flaw. Estimates of affected devices run from tens of thousands to more than 86,000 verified records across 194 countries. [3]

22 Jun: The Five Eyes issue their joint statement. Their first instruction to leaders: reduce your attack surface. Challenge whether systems need to be exposed at all. [1]

FortiBleed was not a clever zero-day. It was an exposure problem wearing a brand name: management interfaces that should never have been reachable from the public internet, credentials that had already leaked and were never rotated, and old firmware quietly storing passwords in a format built to be cracked offline. Automation — scan the internet, test known passwords, turn each compromised device into a listening post to harvest more — did the rest. This is exactly the kind of work AI makes cheaper, faster and more relentless. And it is exactly the kind of weakness no internal security tool was ever positioned to see.

The Problem: Point-in-time assurance was built for a slower world

Australian organisations don't lack frameworks. They are measured against the Essential Eight, the ACSC Information Security Manual, the Protective Security Policy Framework, the Australian Privacy Principles and the Notifiable Data Breaches scheme, ISO 27001, the NIST Cybersecurity Framework, and — for regulated entities — APRA CPS 234 and the operational-resilience standard CPS 230.

Every one of those instruments shares a quiet assumption: that a control assessed today still describes reality tomorrow. The annual audit, the point-in-time penetration test, the once-a-year attestation — all of it presumes the ground moves slowly enough that a snapshot remains true for a useful length of time.

When the exploitation window shrinks from years to months, a point-in-time assessment doesn't just age. It expires before the audit committee has finished reading it.

This is the real compliance story buried inside the Five Eyes warning. The frameworks aren't wrong — but the cadence they assume is being overtaken. "We patch on a quarterly cycle" was once a defensible control statement. Against an adversary who can weaponise a disclosure in weeks, it is now a description of a gap. The board question is no longer "do we have the control?" The agencies were blunt about this: it is no longer enough to have controls in place; leaders must be confident those controls will hold during a real incident. [1]

The Contrast: Europe is writing the obligation down. Australia is being warned.

The difference in how Europe and Australia are responding is instructive — and it tells you which way the regulatory wind is blowing.

The European Union already has a codified answer. The EU AI Act (Regulation 2024/1689) entered into force in 2024 as the world's first comprehensive AI law, classifying systems by risk and attaching cybersecurity, documentation and risk-management duties to the high-risk tier. Under May 2026's "Digital Omnibus" agreement, the heaviest obligations were deferred — to December 2027 for stand-alone high-risk systems and August 2028 for AI embedded in regulated products — but the architecture, and the penalties, remain. [5] Sitting alongside it are ENISA's AI Threat Landscape and its Framework for AI Cybersecurity Practices, layered on top of the existing NIS2 and DORA regimes. [6]

Australia has no equivalent binding AI statute. What it has instead is the Privacy Act reform program, sector regulators like APRA tightening operational-resilience expectations, and — this week — a rare direct instruction from its signals directorate. For an Australian board, that absence is the point: you cannot wait for a law to tell you the standard has moved. The Five Eyes statement is the signal.

Australia / Five Eyes: urgency, by instruction

  • Reduce attack surface; question whether systems need to be online at all
  • Patch faster; retire unsupported legacy systems
  • Tighten who can reach critical networks
  • Assume breach; test the response plan in advance
  • Treat cyber as a board-level business risk, not an IT issue

European Union: obligation, by statute

  • EU AI Act: risk-tiered duties, codified in law
  • High-risk deadlines deferred to 2027–2028, but binding
  • Penalties to €35m or 7% of global turnover
  • Extraterritorial: applies if you touch anyone in the EU
  • ENISA threat landscape + FAICP layered over NIS2 and DORA

If your organisation procures, deploys or builds AI that reaches into Europe, the EU regime already applies to you regardless of where you're headquartered. If it doesn't, the direction of travel is still clear: principles harden into obligations, and the warning issued today becomes the audit finding tomorrow.

The Market: Everyone is selling you an AI defender. Are you keeping up?

In the same week that the spy chiefs urged leaders to use AI in their own defence, the market was already crowded with vendors ready to sell them exactly that. This is not a criticism — the agencies were right that defenders must adopt these tools. But it is worth being clear-eyed about what each of them actually secures, because the marketing language ("AI-powered", "autonomous", "agentic") flattens some very different jobs.

| Vendor & product | What the AI actually does | Where the money is |
|---|---|---|
| Microsoft: Security Copilot | Agentic assistants across Defender, Sentinel, Intune and Entra; natural-language triage and incident summarisation inside the Microsoft estate. | Core: inside. External add-on: Defender EASM (acquired, ex-RiskIQ) |
| CrowdStrike: Charlotte AI · Falcon AIDR · Falcon Surface | Conversational SOC investigation on Falcon telemetry; AIDR extends to securing enterprise AI and discovering shadow-AI usage. | Core: inside. External add-on: Falcon Surface (acquired, ex-Reposify) |
| Palo Alto Networks: Cortex XSIAM · Precision AI · Cortex Xpanse | Cross-source correlation across endpoint, network and cloud telemetry; AI-driven detection and response at SOC scale. | Core: inside. External add-on: Cortex Xpanse (acquired, ex-Expanse) |
| SentinelOne: Purple AI (Athena) | Plain-language threat hunting and autonomous investigation over the Singularity data lake and connected SIEMs. | Core: inside. No external-exposure product |
| Darktrace · Vectra: ActiveAI · Cognito | Behavioural anomaly detection on network traffic; flags lateral movement and insider-style activity against a learned baseline. | Core: inside |
| Google · IBM: Mandiant / Cloud · QRadar / X-Force | AI woven into threat intelligence, SOC tooling and incident response, backed by large in-house intelligence teams. | Core: inside. External add-on: Mandiant ASM · IBM Randori (both acquired) |
| OpenAI: Aardvark → Codex Security (GPT-5) | Autonomous "security researcher" that reads repositories, validates exploitability in a sandbox and proposes patches; rolling out via ChatGPT Enterprise. | In your code |
| Anthropic: Claude · Mythos-class models | Frontier reasoning applied to vulnerability discovery and code review; cyber-tuned models named directly in the Five Eyes' capability concerns. | In your code |

Several of these vendors do now sell an outside-in view — and they're capable products. But read the third column: in every case the external tool is an add-on, bolted onto a platform whose revenue, and therefore whose engineering budget, lives inside the network. We'll come to why that distinction matters.

And here is the genuinely sharp edge of this market: the tools are dual-use. The same frontier models being sold as defenders are the ones the Five Eyes named as offensive accelerants. Researchers have already demonstrated prompt-injection and data-leakage weaknesses in the leading consumer models themselves. [7] The vendor you buy to find your flaws is built on the same capability your adversary is renting to find them faster. Buying more tools is not the same as being harder to reach.

The Blind Spot: The breaches don't beat the inside. They walk around it.

The major Australian breaches of the last four years share one thing, and it isn't a clever new attack. None of them defeated anyone's endpoint detection. Each walked in through the external edge — an exposed service, a credential already circulating, a trusted vendor — the one surface the expensive internal platform was never built to watch. The global data says the same.

  • 31% of breaches now begin by exploiting an unpatched, internet-facing vulnerability, the single most common entry point (Verizon DBIR 2026)
  • ~0 days: median time from a critical edge-device flaw going public to its mass exploitation (Verizon DBIR 2025)
  • 209 vs 5: days to patch an exposed edge device, against the days an attacker needs to exploit it (Tenable / DBIR)

| Breach | How they got in | Where it entered |
|---|---|---|
| Medibank (2022 · 9.7M records) | No MFA on an internet-facing VPN; a stolen credential walked straight in. The regulator named the missing control as the cause. | External edge |
| Optus (2022 · ~9.5M) | An exposed, poorly-controlled API sitting open to the internet. | External edge |
| Latitude (2023 · 14M) | A stolen employee login, reused into two third-party providers. | External edge |
| MediSecure (2024 · 12.9M) | Ransomware through a trusted third-party e-prescription vendor — the largest notification in OAIC history. | External edge |
| Genea (2025 · ~940GB) | Intrusion via an exposed Citrix remote-access server; the data behind it left unencrypted. | External edge |
| Qantas (2025 · 5.7M) | A social-engineered help desk handed over access to a third-party Salesforce instance. | External edge |
| QLearn / Canvas (2026) | The same collective behind Qantas, the same method, into another third-party platform. | External edge |

Not every breach begins here — but a striking share of Australia's largest recent ones did. Read the right-hand column: not one of these defeated the internal detection stack. Each came in through an exposed internet-facing service, a credential already circulating in public, or a trusted third party — the outside-in surface. Full analysis: We Keep Winning the Last War. [9]

Which raises the uncomfortable question for a board: do the platforms you pay most for actually watch that edge? Several now sell an outside-in add-on — Microsoft's Defender EASM, CrowdStrike's Falcon Surface, Palo Alto's Cortex Xpanse — but every one was bought, not built (RiskIQ, Reposify, Expanse), and funded like an afterthought. The quarter CrowdStrike acquired its external module, it added under US$1 million of net new recurring revenue, against US$198 million on the core platform. [8] The budget follows the revenue, and the revenue lives inside the perimeter.

[Diagram: Your perimeter, where the platform budget lives: SOC & telemetry, endpoints, your code, identity & cloud. Outside it, on the red line: exposed VPN / admin panel, forgotten subdomain, leaked creds. The attacker, outside-in, sees this first.]

An EASM add-on can be bolted to the edge of this box — but the investment, the telemetry and the company's reason for being all sit inside it. FortiBleed lived on the red line: at the perimeter, reachable without credentials. Surfacing it on a dashboard is not the same as governing it.

That edge is the soft layer — credentials in a public dump, the SaaS instance signed up without telling IT, the forgotten subdomain, the management interface left exposed. None of it needs a breach to find. It is sitting in public right now, and AI only makes finding it faster and cheaper.

The Five Eyes put "reduce your attack surface" at the top of their list for a reason. You cannot reduce an attack surface you have never measured from the outside.

The Position: Exposure you can see. Governance you can evidence.

This is the whole of what BlackFlag Advisory does — the entire craft, run with full attention, and vendor-neutral, so the answer doesn't require you to buy and live inside anyone's platform first. We assess what your organisation looks like from the outside using only publicly available sources — no system access, no credentials, no disruption. Passive OSINT. The attacker's first move, run for your benefit instead of theirs.

But a list of exposed assets is not, on its own, a board-ready answer. The harder and more valuable step is the second one: translating those technical findings into the language your obligations are written in. An exposed admin panel is a finding. An exposed admin panel mapped to Essential Eight maturity, to your APP 11 security obligations, and to the breach-notification clock under the NDB scheme — that is a governance position a board, an auditor or a regulator can act on.

The question worth asking your team this week

When did we last look at ourselves the way an attacker does — from the outside, with no access — and can we evidence that our external exposure is known and managed?

If the honest answer is "the annual pen test" or "we'd have to check," the Five Eyes have already told you that window is closing faster than your assessment cycle.

Getting the basics right and moving quickly, the agencies said, will matter more than buying the most tools. We agree — and we'd add one line to it. Before you can get the basics right, you have to be able to see them. From the outside. The way the people targeting you already do.

Sources

  1. Five Eyes cyber security agencies, joint statement, 22 June 2026 — Australian Signals Directorate, cyber.gov.au.
  2. ASD's ACSC, critical alert on Fortinet firewalls and VPN gateways (FortiBleed), 18 June 2026 — cyber.gov.au.
  3. Fortinet situational analysis (19 June 2026) and incident-response advisories — IBM X-Force; Arctic Wolf, FortiBleed campaign analysis.
  4. SOCRadar research into the FortiBleed credential-harvesting infrastructure, June 2026, as reported by Industrial Cyber and Cyber Daily.
  5. EU AI Act (Regulation (EU) 2024/1689) and the "Digital Omnibus" provisional agreement of 7 May 2026 — deadlines deferred to 2 Dec 2027 (Annex III) and 2 Aug 2028 (Annex I); penalties to €35m or 7% of global turnover.
  6. European Union Agency for Cybersecurity (ENISA): AI Threat Landscape; Framework for AI Cybersecurity Practices (FAICP) — enisa.europa.eu.
  7. OpenAI, "Introducing Aardvark / Codex Security" (GPT-5 agentic security researcher); Tenable research on prompt-injection vulnerabilities in leading consumer LLMs, 2025–2026.
  8. EASM product lineage: Microsoft Defender EASM (ex-RiskIQ, 2021); CrowdStrike Falcon Surface (ex-Reposify, 2022); Palo Alto Cortex Xpanse (ex-Expanse, ~US$800m, 2020). Revenue contribution figures from CrowdStrike Holdings Form 8-K, Q3 FY2023 (quarter ended 31 October 2022) — Reposify added under US$1.0m to net new ARR against US$198.1m net new ARR for the quarter.
  9. Initial-access data: Verizon Data Breach Investigations Report 2026 (vulnerability exploitation 31%, now the leading initial-access vector) and 2025 (edge-device / VPN exploitation, near-zero median time to mass exploitation); edge-device patch-vs-exploit timing per Tenable. Australian breach record (Medibank, Optus, Latitude, MediSecure, Genea, Qantas, QLearn) drawn from OAIC, ASD/ACSC, Federal Court judgments and company disclosures, as collated in BlackFlag Advisory, "We Keep Winning the Last War" (June 2026).

Is Your External Exposure Known and Governed?

BlackFlag Advisory shows your board what an attacker sees from the outside — exposed services, circulating credentials, third-party risk — translated into the obligations you actually report against. Passive only, no systems accessed.

Passive Only — No Systems Accessed

All BlackFlag Advisory assessments use exclusively passive OSINT techniques and publicly available data sources. No systems, networks, or accounts are accessed, probed, or tested at any time. Board-ready output delivered within three to seven business days.