Frontier Artificial Intelligence: Implications for Technology, Cyber Security, and Operational Resilience
Date: April 2026
Introduction
Recent advances in frontierFootnote 1 artificial intelligence (AI) significantly compress the timeframe to respond to risks. For example, Anthropic's Claude Mythos Preview, a frontier AI model, can identify, chainFootnote 2, and generate vulnerability exploits at machine speed. In this way, frontier AI challenges the effectiveness of current risk management practices such as patch management and incident response that have not necessarily been built to scale.
From a supervisory perspective, frontier AI represents a transformation to the threat environment. Frontier AI is not a discrete or time-limited event and forces us to revisit traditional risk management assumptions. Governance, operational agility, and resilience-focused controls take on greater importance.
This bulletin aims to raise awareness of risk arising from frontier AI models and highlights relevant sound practices with references to our Guideline B-13 – Technology and Cyber Risk Management (B-13), Guideline E-21 – Operational Risk Management and Resilience (E-21) and Guideline B-10 – Third-Party Risk Management (B-10).
Enhance governance and accountability
Frontier AI creates governance and accountability challenges, particularly when systems operate at machine speed with limited human oversight. The pace of AI-enabled threat evolution may outstrip existing governance structures, limiting their ability to provide effective oversight of AI-driven decisions and to manage risks arising from third-party, supply-chain dependencies.
Consistent with B-13 Principles 1 and 2 and E-21 Principle 1, we expect institutions to ensure that governance frameworks adequately address risks arising from emerging threats and technologies.
Institutions can consider the following risk control and mitigation measures:
- Provide timely, actionable information to boards and senior management on how accelerated threats could affect prevention, detection, response, and recovery capabilities.
- Integrate AI-related risk assessments into existing enterprise risk management frameworks and policies, such as cyber, third party, and model risk.
- Establish clear accountability and usage expectations for AI, including controls over access and limits on autonomous actions across internal and third-party environments.
Identify and defend under compressed timelines
Frontier AI models have the potential to enable the rapid exploitation of zero-days and the chaining of vulnerabilities across complex environments. This increases the likelihood of near-simultaneous exploitation of institutions that rely on traditional vulnerability management approaches, such as periodic scanning and fixed patch cycles.
Institutions should consider whether key controls continue to operate effectively and at a sufficient pace and scale. B-13 Principles 5, 9, 14, and 15 provide further detail on the expectations of timely risk identification and mitigation.
Institutions can consider the following risk control and mitigation measures:
- Accelerate patch management by enabling the rapid testing and deployment of vendor patches at increased frequency and scale.
- Maintain an updated inventory of technology assets supporting critical operations, supported by an effective technology currency management process.
- Enforce phishing-resistant, multi-factor authentication and use cryptographic verification for internal communications to reduce the effectiveness of AI-based social engineering attacks.
- Deploy compensating controls, including zero-trust principled segmentation and access restrictions, to limit the potential impact of compromise when immediate patching is not feasible.
Detect and respond with urgency
As threat actors adopt frontier AI, institutions that do not leverage AI for defence could face a widening capability gap. This gap can limit the ability to detect, prioritize, and respond to threats at the speed and scale associated with in AI-enabled attacks.
Institutions should evaluate key controls to determine whether they remain effective, with appropriate visibility and agility. B-13 Principles 16 and 17 provide further expectations on detection and response capabilities.
Institutions can consider the following risk control and mitigation measures:
- Use AI-enabled security capabilities to scale up detection and response, such as behaviour-based detection, anomaly identification, alert prioritization, triage, response automation, and advanced threat monitoring.
- Integrate AI into existing security operations and environments, such as security information and event management systems, to improve visibility and response times.
- Test controls against AI-enabled attack techniques through AI-specific red-teaming, penetration testing, and adversarial simulations.
- Maintain AI governance and appropriate human oversight for high-impact decisions and ensure robust validation and monitoring.
- Strengthen incident response readiness and preparedness for faster and more disruptive cyber incidents, including malicious AI.
Increase resilience under continuous change
Frontier AI places sustained pressure on systems and operations through continuous vulnerability discovery and remediation. Frequent patching and system updates can increase the risk of outages and operational instability. Rapid and coordinated cyber attacks also increase the likelihood of disruption to critical operations. This underscores the importance of E-21 Principle 6 and the related expectations.
Third-party providers might struggle to maintain services under continuous operational stress. Given dependencies on common technology service providers, frontier AI‑enabled exploitation heightens third‑party and supply‑chain risk. This reinforces the importance of understanding and managing third parties' ability to operate during disruptions as described in B-10 Principle 9.
To reduce the risk of operational impacts and third-party disruptions, institutions can consider the following risk control and mitigation measures:
- Streamline change management and testing practices to support frequent updates.
- Adopt a zero-trust approach that verifies every access request and maintains consistent controls as systems continuously change.
- Implement segmentation and containment strategies to limit the impact of failures or compromises.
- Ensure robust backup, recovery, and business continuity capabilities that are tested under realistic scenarios.
- Monitor third-party providers for resilience under accelerated remediation demands.
Conclusion
Frontier AI accelerates existing risks – not only to individual institutions but also to the broader financial ecosystem. The sound practices outlined above complement existing expectations regarding cyber and technology risk management under B-13, operational resilience under E-21, and third-party risk management under B-10.
By maintaining a strong security baseline, strengthening third-party risk management, and embedding operational resilience focused controls supported by automation, institutions can enhance their ability to manage AI-enabled threats with greater speed and scale. Collaboration across the private and public sectors can further reinforce these efforts by supporting shared awareness and collective preparedness, contributing to a more resilient financial system overall.
OSFI is closely following developments in frontier AI models. We regularly engage with domestic and international partners as these models develop. We will share additional information as it becomes available.
Related links
- Canadian Centre for Cyber Security (CCCS), Frontier Artificial Intelligence – ITSAP.10.050 (April 2026)
- Financial Services Information Sharing and Analysis Center, Sector Risk Advisory: Preparing the Enterprise for AI-Enabled Vulnerability Discovery (April 2026)
- AI Security Institute, Our evaluation of Claude Mythos Preview's cyber capabilities (April 2026)
- CCCS, Top 10 Artificial Intelligence Security Actions – ITSAP.10.049 (March 2026)
- G7 Cyber Expert Group, Statement on Artificial Intelligence and Cybersecurity (PDF) (October 2025)
- Department of Finance, Global Risk Institute, OSFI, FIFAI II: Summary Report: A Collaborative Approach to AI Threats, Opportunities, and Best Practices: Security and Cybersecurity (PDF) (July 2025)
- Cybersecurity and Infrastructure Security Agency et al., Joint Guidelines for Secure AI System Development (PDF) (November 2023)
- National Institute of Standards and Technology, AI Risk Management Framework (AI RMF 1.0) (January 2023)
- OSFI, Operational Risk Management and Resilience Guideline (E-21) (August 2024)
- OSFI, Third-Party Risk Management Guideline (B-10) (September 2023)
- OSFI, Technology and Cyber Risk Management Guideline (B-13) (July 2022)