Singapore's Cyber Security Agency (CSA) has ordered boards and senior leaders of all Critical Information Infrastructure (CII) owners to review their cybersecurity defenses against AI-powered attacks.
Senior Minister of State Tan Kiat How told parliament this is not an issue for IT teams alone; it demands attention at the highest levels, including board members and CEOs.
The directive covers CII sectors: energy, water, banking, healthcare, transport, infocomm, media, security, emergency services, and government.
CSA chief David Koh warned that frontier AI is accelerating faster than current risk management assumptions, making vulnerability discovery cheaper and faster.
Organizations must assess whether their risk assessments account for AI-enabled threats, ensure visibility over critical systems, and evaluate whether patching, monitoring, and incident response are fast enough.
Reviews must be presented to board or executive risk committees, with clear remediation plans for any material gaps.
Regarding Anthropic's Mythos AI model, the government acknowledged it lacks direct access but is working with partners who have access to assess risks. Tan stressed the broader shift is systemic, not limited to any single model.