The Prudential Authority (PA) has told supervised financial institutions to prepare for what it describes as “a material shift in the cyber-risk landscape” driven by rapid advances in artificial intelligence.
Although the PA notes that “AI-assisted vulnerability discovery and attack automation are not new”, it argues that recent advances in frontier AI systems materially accelerate existing dynamics, placing pressure on security approaches that depend on periodic scanning, patch cycles, and manual intervention.
In a communication published on 24 April, the PA states that frontier AI “materially compresses the time between vulnerability discovery and exploitation”, which increases the probability of “correlated cyber events across institutions with shared technologies or dependencies”.
The PA also says these developments reinforce a trajectory in which attackers increasingly “identify and weaponize weaknesses at machine speed”, particularly across complex technology environments.
To illustrate the pace of change, the PA points to recent coverage relating to Anthropic’s Claude “Mythos” Preview, which it says demonstrated the ability of advanced models to “autonomously discover high-impact software vulnerabilities” and “generate working exploits”, materially compressing the time between a vulnerability’s existence and its exploitation.
Although the communication notes that “AI-assisted vulnerability discovery and attack automation are not new”, it emphasises that frontier systems represent “a significant acceleration in speed, scale, and autonomy”.
At the same time, the regulator seeks to avoid alarmism. “It is important to note that these developments do not signal an immediate crisis for the South African financial sector,” the PA writes, but it adds that the shift “requires a measured, forward-looking approach for institutions to be prepared”.
The communication also highlights that frontier AI capabilities can be used defensively, and institutions can apply them to “strengthen detection, response, and resilience”.
The practical implication, as the PA frames it, is a supervisory emphasis on performance under compressed timelines.
The regulator says its focus is shifting “from awareness of AI-accelerated cyber risk to execution, operational resilience, and effective decision-making under compressed timeframes.” In other words, the central question is less whether firms recognise the risk, and more whether they can detect, contain, and recover fast enough when the interval between vulnerability discovery and exploitation narrows.
What the PA expects institutions to do
The communication sets out expectations that, taken together, aim to ensure institutions identify true exposure quickly and act decisively.
It says institutions should “prioritise cyber risk based on exploitability rather than volume” and continuously validate exposure “across applications, dependencies, third-party connections, systems and applications, and automated service accounts”.
The PA also emphasises the need for detection and response that can keep pace with attackers. “Detection and response capabilities should operate at machine speed through appropriate automation,” it says, and this should be supported by “strong and ongoing identity and access controls”. It adds that institutions are expected to apply AI “intentionally and securely” to strengthen “investigation, triage, containment, and remediation”.
A further emphasis is urgency around known-but-unremediated weaknesses. The PA states that institutions should “treat N-day vulnerabilities as urgent, particularly in legacy and third-party environments”. In parallel, it calls for governance of AI usage across development and operations, saying AI usage “should be visible, governed, and monitored to detect unsafe behaviour early”.
Governance: board and executive accountability
The PA’s message is that AI-accelerated cyber risk is not only a technical matter. It describes it as “a board-level and executive responsibility requiring clear ownership and oversight”.
Boards and senior management, the communication says, should ensure “decision-rights for containment and recovery are pre-defined”, that “risk appetite is reviewed against compressed attack timelines”, and that management can detect and respond “at the required speed and scale”.
Importantly, the PA states that these developments “do not replace or reduce existing regulatory obligations”. Rather, it reiterates the continued relevance of the Joint Standard on Cybersecurity and Cyber Resilience, calling it “the cornerstone of regulatory expectations for governance, detection, response, recovery, and timely reporting of incidents”.
The PA adds that institutions aligned with the Joint Standard’s “intent and principles will be better positioned to sustain operational continuity, confidence, and financial stability”, and says it will increasingly focus supervisory attention on “preparedness, execution under stress, and resilience outcomes, rather than awareness alone”.