The federal government has told agencies that the answer to frontier artificial intelligence (AI) compressing attack schedules from days to hours is to fix long-neglected security fundamentals.
This is clearly stated in the Home Office’s Protective Security Policy Framework (PSPF) Recommendation 001-2026, which adds that effective cyber defense does not require buy-in to frontier AI models such as the much-vaunted Human Claude myth.
The PSPF recommendation states that “Australian government agencies do not need access to cutting-edge frontier AI models to maintain protection.”
Instead, the PSPF directs agencies to implement the recommendations of the Australian Signals Directorate (ASD)’s Essential Eight (E8) Framework and its Information Security Manual (ISM).
PSPF requires government agencies to achieve E8 maturity level 2 for hardening and patching user applications. The Australian National Audit Office (ANAO) has criticized authorities on this point in past reviews.
The PSPF recommendations are mandatory for government agencies to follow and define Frontier AI technologies as the most cutting-edge in the field.
PSPF said Frontier AI is expected to undergo gradual changes in its capabilities, enabling much more powerful automation, reasoning and decision-making than previous generations of AI.
However, the above compliance obligations do not formally prohibit the use of advanced AI for cyber defense.
Related guidance issued by the ASD’s Australian Cyber Security Center (ACSC) states that AI can be a meaningful way to reduce manual workload, enhance threat prioritization, and speed detection and response.
The official advice is that once the short-term foundations are in place, AI implementation will be considered for the medium term.
Under the six-stage maturity model attached to the recommendation, ASD envisions a state where “artificial intelligence is used in cyber defense, is safe, controllable, under human supervision, and used in an ethical and responsible manner.”
This only happens after agencies have locked down configuration baselines, reduced attack surfaces, and addressed legacy system debt.
At the same time, ACSC warns that poorly implemented AI may actually create more security risks than reduce them.
As the use of AI increases both in adversarial situations and by security researchers, concerns have surfaced that automated, machine-driven efforts will create what the PSPF calls a “storm of vulnerabilities.”
This can overwhelm cyber defenses as patching efforts cannot keep up with the number of new vulnerabilities discovered, allowing attackers to exploit vulnerabilities faster than ever before.
In its advisory, PSPF warned that frontier AI is collapsing the time between vulnerability discovery and active exploitation from days to hours.
