PUBLISHED DATE: 4 June 2026
Frontier artificial intelligence (AI) technologies are the most advanced, cutting-edge AI models available and represent an anticipated step change in capability, enabling significantly more powerful automation, reasoning and decision making than previous generations of AI.
Frontier AI presents a clear dual-use challenge – the same models that strengthen cyber defence can be exploited by malicious actors to conduct cyber activities and other forms of harm, faster, cheaper and at greater scale. Frontier AI increases the risks posed by, and accelerates the consequences of, known vulnerabilities, legacy systems and weak cyber hygiene, creating a ‘vulnerability storm’ for entities.
New Zealand government entities must ensure they are appropriately protected in the frontier AI era through the consistent application of cyber security fundamentals, which remain the most effective defence for strengthening their cyber security posture.
Advisory
This advisory provides official whole-of-government advice for ensuring strong cyber security readiness in the frontier AI era.
New Zealand Government entities do not need access to the most advanced frontier AI models to stay protected. Effective cyber readiness is achieved by implementing existing cyber security mitigations and practices, consistent with the technical advice published by the National Cyber Security Centre (NCSC) and the policy outlined in the Protective Security Requirements (PSR).
Guidance
NCSC has created the practical guidance "How to Act Now to Prepare for Frontier AI" (PDF).
New Zealand Government entities should treat the following actions as an immediate priority:
- Review and assure compliance with the NZISM, NCSC Cyber Security Framework, Minimum Cyber Security Standards and PSR
- Confirm executive accountability for cyber security risk management for frontier AI
- Review NCSC guidance on frontier AI
- Identify and remediate material gaps that could be exploited by AI-enabled threat actors
The NCSC Cyber Security Framework sets out how we think, talk about, and organise cyber security efforts. Its five functions represent the breadth of work needed to secure an organisation.
The Minimum Cyber Security Standards are designed to focus on the basics and create visibility and uptake of good cyber security practices. Although the Standards do not cover the entire cyber security spectrum, they are an important standalone tool that provides alignment between policy requirements as established in the Protective Security Requirements, the NCSC’s Cyber Security Framework, and the technical controls within the NZISM. Start here with your action plan.
NCSC Cyber Security Framework
Under the Protective Security Requirements, every public service department needs to have a cyber security framework. This is our framework, and as the system leader for cyber security we are sharing it to show what we think a good framework looks like.
Guide & govern - Cyber security is promoted through governance efforts and by providing guidance to your people.
Identify & understand - Identify which cyber security activities we are responsible for and where to apply them, including identifying assets, understanding the context and threat environment, and knowing where security responsibilities lie between us and our suppliers.
Prevent & protect - Assets need protection in a way that prevents bad things from happening, and potential vulnerabilities are removed before they are exploited.
Detect & contain - Incidents will occur and they need to be contained. Security monitoring is a necessary component of knowing when abnormal activity is occurring. Knowing how and why our systems interconnect is essential to limiting threat actors' actions.
Respond & recover - Prioritise security incident response to get critical services back to normal operation as quickly as possible.
Minimum Cyber Security Standards
The Standards are intended for GCISO-mandated agencies, which will be required to implement them; however, non-mandated agencies wishing to adopt the Standards are also welcome to do so.
Risk Management - Organisations have considered and assessed all risks and threats and have put in place adequate measures that meet acceptable risk levels. Organisations use a defined and documented risk-based approach.
Security Awareness - Good security awareness training is in line with the organisation’s risk posture, is relevant to staff and is continually developed to reflect changes in business, technology, and the threat landscape.
Asset importance - Organisations have a framework and process to enable timely asset identification and importance.
Secure configuration of software - Organisations will adopt a secure-by-design approach when implementing new software within their environments. They will consider industry best-practice and vendor guidance.
Patching - Organisations have processes to identify, implement, and oversee security patches for their systems and applications, including levels around patch compliance.
Multi-factor Authentication - MFA is adopted by organisations to assist in protecting business-critical and external-facing systems from unauthorised access, misuse, or compromise.
Least privilege - Organisational requirements incorporate the principle of least privilege when designing and authorising access to their systems.
Detect unusual behaviour - Organisations have implemented a process to detect abnormal activity within their environments, including actions to enable timely and effective mitigations.
Data recovery - Data recovery capabilities are adopted by organisations to assist in protecting business-critical and externally facing systems from risks concerning data loss.
Response planning - Organisations have in place a process to develop and test cyber-incident management plans to ensure business continuity in the event of system or service failure.
We wish to acknowledge and thank our partners at the Australian Department of Home Affairs and the ASD for their PSPF Policy Advisory 001-2026 – Cyber Readiness in the Frontier AI Era v1, which we've adopted for the New Zealand context. Any errors or omissions in this document are our own.