Insight · Breaking · 26 May 2026 · 11 min read

Disconnect to Protect: Why the AI Era Is Forcing a Rethink of Cyber Resilience

Inside the AI Security Institute, the NYT reports red-teamers cracking OpenAI's newest model in six hours and finding safety gaps in every leading system. Autonomous cyber capability is now doubling every 4.7 months. Why selective physical disconnection is becoming the only honest answer.

Mark Fermor

Director & Co-Founder, Firevault

[Image: Fibre-optic cable being disconnected from a server rack, illustrating physical separation as cyber resilience.]

On a recent Tuesday in an Edwardian building on Parliament Square, four researchers at the UK AI Security Institute tricked a frontier chatbot into producing a step-by-step recipe for anthrax. Earlier the same team had broken through the safeguards on OpenAI’s newest ChatGPT model in roughly six hours, coaxing it into providing hacking tips. Those scenes, reported by The New York Times on 24 May 2026, are not science fiction. They are a working week at AISI.

This article is an attempt to take the most credible, primary-source evidence published over the last six months and ask the question it forces every board to face: what should still be reachable from the network in an era where autonomous cyber capability is doubling every few months?

Inside AISI: Why a Government Stood Up Its Own Red Team

The AI Security Institute was created in November 2023 at Bletchley Park by then prime minister Rishi Sunak. It now employs roughly 100 people drawn from British intelligence agencies, academia and the major AI labs, and is funded with about £360 million (around $480 million). For comparison, the equivalent United States body, the Center for AI Standards and Innovation, will receive around $10 million this year. Australia, Canada, China, France, India, Japan and Singapore have set up similar institutes, with AISI as the working template.

Its mandate is narrow and serious: probe frontier models for catastrophic risk in three domains, cyberattack, chemical and biological weapons, and the manipulation of human behaviour. According to the NYT, AISI has found major safety gaps in every leading AI model it has tested, including Anthropic’s Claude and Google’s Gemini. Its red team, led by 25-year-old Xander Davies, runs custom algorithms that bombard models with thousands of automated prompts until safeguards give way.

“Companies cannot be left to mark their own homework. That is the job of democratic institutions.”
— Rishi Sunak, in The New York Times, 24 May 2026.

Jade Leung, AISI’s chief technology officer and an AI adviser to Prime Minister Keir Starmer, summarised the asymmetry plainly in the same piece: what keeps her awake is “the relative speed of the technology compared to the institutions like governments that have to respond.”

The Evidence Is Now on the Table

This is no longer a future-tense conversation. The following sources are primary, dated, and pulling in the same direction.

  • AISI, May 2026. Internal benchmarking shows the length of cyber tasks frontier models can autonomously complete is now doubling every 4.7 months, sharply faster than AISI’s November 2025 estimate of 8 months. Anthropic’s Claude Mythos Preview and OpenAI’s GPT-5.5 both beat the trend line. (Source: AISI cyber-doubling update.)
  • AISI 32-step intrusion benchmark, May 2026. NYT reports that AISI recently found frontier models from Anthropic and OpenAI could complete a complex 32-step corporate network attack that takes a skilled human hacker about 20 hours, “much more quickly.” (Source: UK Institute Is Hunting for Dangers Lurking in AI.)
  • Anthropic, 13 November 2025. A China-linked state-sponsored group used Claude Code agentically against roughly thirty organisations across technology, finance, chemicals, and government. Anthropic assessed that the AI executed an estimated 80 to 90 percent of the tactical work autonomously, with humans intervening at only four to six pivotal decision points. The same disclosure notes that the cyber capabilities Anthropic measures internally doubled in six months. (Source: Anthropic disclosure.)
  • AISI Frontier AI Trends Report (2025). AISI’s first trends report draws on two years of frontier model evaluations and finds rapid uplift in offensive cyber benchmarks and agentic autonomy. (Source: AISI Frontier AI Trends Report.)
  • NCSC Annual Review 2025 (September 2024 to August 2025) records a higher volume of nationally significant incidents than in any previous year. The NCSC assessment Impact of AI on cyber threat from now to 2027 concludes that AI is already lowering the barrier to entry for less capable actors and is expected to increase the volume and impact of cyber operations through 2027. (Sources: Annual Review; AI threat assessment.)
  • Palo Alto Networks Unit 42, 2026 Global Incident Response Report (17 February 2026). Finds that AI and attack-surface complexity now fuel the majority of breaches, and that 86 percent of incidents Unit 42 responded to in 2024 involved business disruption. Companion research The Dual-Use Dilemma of AI: Malicious LLMs (25 November 2025) documents the rise of WormGPT-class tools that lower the attacker skill floor. (Sources: Unit 42 IR Report; Malicious LLMs research.)

Cyber capability is doubling every 4.7 months. Defensive posture cannot.

Anthropic’s “Mythos” and the Withheld-Model Era

In April 2026 Anthropic announced a model it has chosen not to release publicly. Internally codenamed Mythos, the system was held back because the company judged it could find and exploit cybersecurity flaws across global networks. AISI was reportedly the only non-United States government body granted access to evaluate it. AISI’s public findings, released six days after the announcement, were widely cited by security researchers.

This is a structural change in how the security community learns about new capability. For decades, defenders modelled risk against published systems and disclosed vulnerabilities. Increasingly, the most consequential capability sits behind a corporate decision not to ship, and surfaces in public only through the work of a government evaluator. The defender who waits for full disclosure before adjusting posture is, by design, looking at the wrong threat model.

AI Compresses Defensive Time

Traditional cybersecurity assumes defenders still have time to detect anomalies, investigate alerts, contain threats, validate systems, recover infrastructure, and restore operations. AISI’s 32-step benchmark, in which a 20-hour skilled-human intrusion is collapsed by a frontier model, is the clearest illustration to date that this assumption is breaking.

Place that alongside the 4.7-month doubling rate, the 80 to 90 percent autonomy ratio in the Anthropic case, and the Unit 42 finding that disruption is now the dominant outcome of an incident. Mean time to detect and mean time to recover thresholds built around human shift patterns, ticketing workflows and committee-style decision-making no longer match the operational tempo of the threat. The window is closing faster than headcount can be added to defend it.

Deception and Test Awareness

One of AISI’s newer research strands, also reported by NYT, asks whether frontier models can recognise when they are being evaluated and alter their behaviour accordingly. If they can, an entire layer of public safety reporting becomes harder to trust, because the model that passes the test may not be the model that runs inside production tooling once deployment is live.

This matters for resilience planning because it inverts a basic assumption. Until now, defenders could treat a published safety evaluation as a floor on model behaviour. Test-aware deception would mean that floor is provisional. Posture that depends on a model behaving the way the vendor’s report says it does becomes a posture built on a moving line.

The Most Important Cybersecurity Question Has Changed

For years, cybersecurity strategy focused on prevention. How do we stop attackers getting in? That question still matters. But the evidence above forces a harder one.

What should never be reachable in the first place?

Every successful cyber attack depends on some form of connection: an IP address, a connected backup, a synchronised repository, a remote access service, a vulnerable management plane, a credential pathway, a cloud interface, a reachable endpoint. AI magnifies the risk of all of them because it accelerates the discovery, analysis, and exploitation of connected systems at machine speed.

Recovery Itself Has Become Part of the Attack Surface

The more connected the environment, the more paths exist for an attacker to exploit. Unit 42’s data shows business disruption is now the dominant outcome, which means modern ransomware operators actively target backup environments, administrative consoles, recovery systems, and synchronised storage. A backup an attacker can reach is not resilience. It is another asset inside the blast radius.

If an agent can autonomously run 80 to 90 percent of an intrusion in a fraction of the time a human team would take, the only assets you can be certain remain untouched are those that were not reachable from the network at the moment of attack.

Why Software-Only Resilience Is Running Out of Runway

Step back and the picture is consistent across every primary source cited above:

  • Speed. Autonomous cyber capability doubling every 4.7 months (AISI, May 2026).
  • Autonomy. 80 to 90 percent of an espionage campaign executed without human keystrokes (Anthropic, November 2025).
  • Compression. A 20-hour skilled-human intrusion completed much faster by a frontier model (AISI 32-step benchmark, May 2026).
  • Capability hiding. Models too dangerous to publish, evaluated only by a handful of state bodies (Anthropic Mythos, April 2026).
  • Test-time deception. Open research question on whether models recognise evaluation and alter behaviour (AISI, May 2026).
  • Asymmetry of investment. £360 million of UK state safety capacity against the trillions deployed building the models themselves (NYT, May 2026).

The honest response is no longer “patch faster.” The honest response is “reduce what is reachable.” That is the resilience question Firevault was built to answer.

Why Recovery Must Be Physically Separated

There is a meaningful distinction between connected recovery and physically separated recovery. A connected environment may still rely on credentials, depend on software policy, share administrative trust, inherit cloud compromise, expose management interfaces, or remain vulnerable to lateral movement. Physical separation changes that equation. It is the foundation of Firevault’s Offline Secure Storage model:

  • Offline-by-default architecture
  • Identity-verified access
  • Hardware-encrypted storage
  • Controlled session activation
  • Physical disconnection from permanent network exposure

AI cannot scan what is offline. Ransomware cannot encrypt disconnected storage. Autonomous reconnaissance cannot discover systems without a path. Lateral movement cannot reach environments that are physically unavailable.

That is not another software layer. It is a fundamentally different resilience model, and the only one whose effectiveness does not erode as model capability doubles.

Boards Must Now Think About Reachability

Cybersecurity is no longer just an IT issue. It is a governance, resilience, regulatory, continuity, and increasingly a board-level fiduciary issue. Leadership teams should now be asking:

  • Which assets would materially damage trust if compromised?
  • Which recovery systems remain reachable today?
  • Which sensitive records should not be permanently connected?
  • Which operational dependencies increase systemic risk?
  • Which systems could still function if the connected environment failed?

What to Do This Quarter

Five practical actions any organisation can take inside ninety days, regardless of sector or size:

  1. Inventory reachable recovery assets. Map every backup, snapshot, archive and recovery console an attacker on your network could reach today. That map is your real exposure surface, not your firewall ruleset.
  2. Identify crown-jewel datasets for selective disconnection. Decide which records, IP, governance materials and succession data should not be permanently online. Treat this as a board decision, not an IT one.
  3. Rehearse a recovery that assumes the connected estate is compromised. If the only restorable copy lives behind the same identity plane as the production system, the rehearsal is not a recovery test, it is a hope.
  4. Audit supplier reliance on permanently online backup. Cloud-only recovery providers extend your attack surface to theirs. Ask how their backup tier would survive an AI-accelerated intrusion of their control plane.
  5. Put the reachability question on the next board agenda. Not the technology question. The governance one: which assets should not be connected at all?
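
Actions 1 and 3 above can be run as a first pass over an asset inventory. The following is an added example, not code from the original article or from Firevault: it walks a reachability graph from an assumed-compromised foothold and reports which recovery assets have a path to them or sit behind the production identity plane. The inventory, node names and identity-plane labels are constructed assumptions.

```python
from collections import deque

# Constructed sample inventory, not data from the article. An edge A -> B means
# "whoever controls A has a network or credential path to B".
EDGES = {
    "user-laptop": ["file-server", "corp-idp"],
    "file-server": ["nas-backup"],
    "corp-idp": ["prod-db", "backup-console", "cloud-snapshots"],
    "backup-console": ["backup-repo"],
}
# Recovery assets mapped to the identity plane that gates access to them.
RECOVERY = {
    "nas-backup": "local-accounts",
    "backup-console": "corp-idp",
    "backup-repo": "corp-idp",
    "cloud-snapshots": "corp-idp",
    "offline-vault": "vault-operators",  # no inbound edge: disconnected by default
}
PRODUCTION_IDENTITY_PLANE = "corp-idp"

def attack_paths(foothold, edges=EDGES):
    """Breadth-first search: shortest path from the foothold to each reachable node."""
    paths = {foothold: [foothold]}
    queue = deque([foothold])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths

def exposure_report(foothold, edges=EDGES, recovery=RECOVERY):
    """Classify every recovery asset against an assumed-compromised foothold."""
    paths = attack_paths(foothold, edges)
    report = {}
    for asset, plane in sorted(recovery.items()):
        report[asset] = {
            "path": paths.get(asset),  # None means no route from the foothold
            "shares_production_identity": plane == PRODUCTION_IDENTITY_PLANE,
        }
    return report

def survivable_copies(foothold):
    """Copies usable in a rehearsal that assumes the connected estate is lost."""
    return [asset for asset, row in exposure_report(foothold).items()
            if row["path"] is None and not row["shares_production_identity"]]
```

In this constructed inventory, a foothold on `file-server` has no direct path to `backup-console`, yet that console is still excluded from the survivable set because it authenticates against the same identity plane as production.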

The Future of Cyber Resilience Will Include Selective Disconnection

Firevault is not arguing against cloud infrastructure, AI adoption, SaaS platforms, automation, or connected operations. Modern businesses depend on digital systems. But mature resilience increasingly requires understanding which assets should remain operationally connected, permanently synchronised, and continuously exposed, and which should not.

The future of resilience is not total disconnection. It is selective disconnection. Operational systems stay connected where needed. Crown-jewel data, recovery copies, privileged archives, governance records, sensitive identity information, legal materials, intellectual property, and high-value digital assets are physically separated.

Not because software security has failed. Because exposure itself is becoming more dangerous.

Final Thought

The evidence assembled here, from AISI, Anthropic, the NCSC, Unit 42 and the New York Times, points to one structural shift: AI is increasing the speed, scale, and efficiency of offensive cyber operations, and the institutions designed to police the technology are smaller and slower than the technology itself. That does not call for panic. It does call for resilience strategy to evolve.

The defining cyber question of the next decade may no longer be: “How well protected is this connected system?”
It may instead become: “Should this critical asset be connected at all?”

For Firevault, that is where modern resilience begins.

Disconnect to Protect.

Sources. The New York Times, “UK Institute Is Hunting for Dangers Lurking in AI”, 24 May 2026 (nytimes.com). UK AI Security Institute, How fast is autonomous AI cyber capability advancing?, May 2026 (aisi.gov.uk) and Frontier AI Trends Report, 2025 (aisi.gov.uk). Anthropic, Disrupting the first reported AI-orchestrated cyber espionage campaign, 13 November 2025 (anthropic.com). National Cyber Security Centre, Annual Review 2025 (ncsc.gov.uk) and Impact of AI on cyber threat from now to 2027 (ncsc.gov.uk). Palo Alto Networks Unit 42, 2026 Global Incident Response Report, 17 February 2026 (paloaltonetworks.com) and The Dual-Use Dilemma of AI: Malicious LLMs, 25 November 2025 (unit42.paloaltonetworks.com).

About the author

Mark Fermor

Director & Co-Founder

The driving force behind Firevault's market presence, combining commercial vision with deep tech insight.
