Singapore has told operators of critical information infrastructure (CII) to reassess their cyber defences after frontier artificial intelligence (AI_ models demonstrated the ability to identify vulnerabilities and execute attacks faster than organisations can respond.
In a letter issued Tuesday, Commissioner of Cybersecurity David Koh says recent advances have "materially shifted the cybersecurity baseline" for critical systems, warning that assumptions underpinning existing risk models may no longer hold.
The directive follows Anthropic's Claude Mythos Preview, which has identified thousands of zero-day vulnerabilities and completed a 32-step end-to-end corporate network intrusion simulation that would take a human expert about 20 hours.
Speed gap widens
Speaking in parliament earlier today, Senior Minister of State for Digital Development and Information Tan Kiat How says vulnerabilities that once took weeks to detect can now be identified “in hours, sometimes minutes,” outpacing patching cycles.
That mismatch is exposing the limits of existing operating models. Scheduled updates and periodic reviews are being overtaken by attack cycles that run closer to real time, increasing the likelihood of breaches before defensive measures are triggered.
See also: Google Cloud's security chief says context, not AI models, is the ‘real cyber defence superpower’
AI is also changing how attacks are carried out. Google reported last year that threat actors had deployed malware designed to consult a live AI model during intrusions, rewriting portions of its own code in real time to evade detection.
In a separate 2024 case, criminals used an AI-generated deepfake video call to impersonate a multinational firm's chief financial officer and trick employees into transferring US$25.6 million ($32.7 million) to fraudulent accounts.
Escalation to the boardroom
See also: Digital identity is infrastructure, not an afterthought
Authorities are pushing accountability beyond technical teams as the risk environment intensifies. "This is not an issue that should be delegated to IT teams alone," says Tan, adding that the threat demands leadership attention at the highest levels, including board members and chief executives.
The Cyber Security Agency of Singapore (CSA) has therefore asked organisations to review whether their cyber risk posture remains adequate, including how quickly they can detect vulnerabilities, deploy patches and respond to incidents. Where gaps are identified, boards are expected to commission remediation plans and make explicit risk-acceptance decisions.
James Greenwood, Asia-Pacific vice president of solution engineering at Tanium, believes CSA's decision to take the directive straight to boards and chief executives was "the right call, and one most jurisdictions in the region have yet to make."
He points to two consequences of the speed shift that he said are not yet fully absorbed at the board level. First, the pool of experts capable of finding and weaponising vulnerabilities was small enough that scarcity kept attack volumes manageable. However, that constraint no longer applies. Secondly, as attack timelines compress, "the long-standing assumption that critical vulnerabilities can wait for the next maintenance window no longer holds”.
Pressure on execution
The Singapore government is also moving to close the gap in its own systems. According to Tan, the government has been “fast-tracking AI capability building for cybersecurity”, including tools for vulnerability detection and attack surface monitoring, while working with industry partners to assess emerging risks. Capabilities being developed in-house will be extended to more agencies and critical infrastructure owners when ready.
Organisations are being urged to address gaps in basic controls. "Most breaches begin at an unmanaged asset," says Tan, pointing to forgotten internet-facing systems, third-party dependencies and shadow cloud accounts that fall outside an organisation's line of sight.
To stay ahead of the latest tech trends, click here for DigitalEdge Section
Greenwood says the review CSA has ordered will reliably surface the gaps any honest assessment would expect: slow patch cycles, blind spots across third-party systems and manual workflows that cannot keep up. The harder question is what happens next. When response times need to be measured in hours rather than weeks, working harder against the same processes is not enough. "The system itself has to be able to act," he asserts.
This points toward what Greenwood described as autonomous operations, which calls for the ability to detect, prioritise and remediate risk across an entire estate at machine speed, with people directing rather than executing the work manually. "It is the conversation we would encourage every director in a critical sector to have with their CEO and CISO over the coming weeks," he says.
Despite the escalation, the underlying risk is not entirely new “We should understand the advances in capabilities enabled by Mythos to be part of a continuum rather than a step change. Models like OpenAI's GPT-5.5 already show comparable cybersecurity capabilities and are more widely available, [and] open source AI models are so rapidly improving and are likely to reach similar capabilities within months,” says Tan.
The implication for organisations is one of execution. "There are no silver bullets and no one-time fixes. We must adapt and adjust to new risks,” he adds.
