FCA / Bank of England / HM Treasury Regulatory Alert — 15 May 2026

The Regulators Have Confirmed What the Data Already Showed

A joint statement from the FCA, Bank of England, and HM Treasury has put frontier AI cyber risk at the top of the agenda for regulated firms. In March, a GET-IT audit across 2,011 UK domains showed precisely the gap they're now pointing at.

By Franco Pietrantonio, Lead Cyber Consultant, GET-IT Solutions Ltd  |  19 May 2026  |  5 min read

Last Thursday, the FCA, Bank of England, and HM Treasury published a joint statement on frontier AI and cyber resilience. For regulated firms — banks, insurers, payment services, investment firms, and financial market infrastructures — this is not routine guidance. A joint statement from all three UK financial authorities at once carries a different weight. It means the issue has cleared every committee, every sign-off chain, and every set of legal eyes across three of the most cautious institutions in the country.

The message is direct: frontier AI is changing the threat landscape faster than most firms are adapting to it, and organisations that have underinvested in core cyber fundamentals are now materially exposed.

What struck me reading it is that the gap they're describing is not theoretical. We measured it in March.

The joint statement sets out several domains where the authorities expect regulated firms to take active steps. The language throughout is unusually candid for a regulatory publication. A few lines are worth noting directly.

"The cyber capabilities of current frontier AI models are already exceeding what a skilled practitioner could achieve, and at a significantly higher speed, greater scale, and lower cost." — FCA, Bank of England & HM Treasury Joint Statement, 15 May 2026

This is the regulators acknowledging publicly that the attacker's toolkit has been fundamentally upgraded. An adversary with access to a frontier AI model can now identify and exploit vulnerabilities faster than a human security team can triage them. The implication for firms with legacy systems or unpatched infrastructure is stark.

"Firms that have underinvested in core cyber security fundamentals are likely to become progressively more exposed." — FCA, Bank of England & HM Treasury Joint Statement, 15 May 2026

The word "progressively" matters here. This is not a fixed risk. The exposure gap widens over time as AI capabilities advance and attackers gain access to better tooling. A firm that is behind today will be further behind in twelve months.

The statement specifically flags five areas for action: governance and board-level understanding of frontier AI risk; vulnerability identification and faster remediation at scale; third-party and supply chain risk management; access management and attack surface reduction; and response and recovery capability. It also explicitly states that boards should consider whether they have appropriate cyber insurance in place.

What Our March Audit Found in Financial Services

In March 2026, GET-IT published findings from a passive OSINT audit conducted across 2,011 UK domains spanning five sectors — Finance, Charities, Education, Manufacturing, and SMEs. The audit used our Cyber-Vitals framework: no systems were touched, no intrusive testing was conducted. Everything observed was publicly visible to any external party, including a threat actor.

The finance sector results present a specific and uncomfortable pattern.

GET-IT Cyber-Vitals Audit — Finance Sector (March 2026)

Metric                                         Value
Average Maturity Score                         65 / 100 (sector leader)
External Exposure Rate                         42% of audited domains
DMARC 'Reject' Enforcement (whole dataset)     12.2% (87.8% lacked enforcement)
Exposed Admin Portals (whole dataset)          38.4% broadcasting externally
Sensitive File Leakage (whole dataset)         32.4% leaking configuration data
Key Finding                                    "The Decoy Effect"

Finance leads every other sector on maturity. It has the most investment, the most regulatory pressure, and the strongest documented security frameworks. And yet 42% of audited domains carried observable external exposure — the kind of exposure a frontier AI model can identify and begin to exploit in minutes, not hours.

We called this the "Decoy Effect." Strong front-door security — properly configured SSL, good security headers, visible compliance posture — creates the appearance of a hardened perimeter. But the back door, the administrative pathways, the legacy assets sitting forgotten on subdomains: these are not visible in a compliance audit. They are visible from the outside.

The Identity Vacuum: Across the full dataset, 87.8% of domains lacked DMARC 'reject' enforcement. In financial services, this means a threat actor could impersonate a firm's email domain to send fraudulent payment instructions, fake client communications, or credential-harvesting messages — and the technical infrastructure to stop this is absent in the majority of cases. Frontier AI makes crafting those impersonation attacks trivially fast and convincingly human.
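The enforcement check behind a figure like that 87.8% is a matter of reading each domain's DMARC record and deciding whether it actually rejects spoofed mail. The script below is an added example written for this page, not GET-IT's Cyber-Vitals code; the domain names and records in SAMPLE_RECORDS are constructed samples, not data from the March audit. It works offline on record strings (in practice the string comes from the TXT record at _dmarc.<domain>) and treats the cases that a "has DMARC" checkbox misses: p=none or p=quarantine, a reject policy applied to only part of the mail stream via pct, and a weaker subdomain policy via sp.

```python
"""Classify DMARC records by whether they enforce 'reject'.

Added example, not the Cyber-Vitals audit code. All records below are
constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcAssessment:
    record: Optional[str]
    policy: Optional[str]            # p= tag (organisational domain)
    subdomain_policy: Optional[str]  # effective sp= (defaults to p=)
    pct: int                         # share of failing mail the policy covers
    enforced: bool                   # True only for full reject enforcement
    reason: str


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Decide whether a DMARC record gives full reject enforcement."""
    if record is None:
        return DmarcAssessment(None, None, None, 0, False,
                               "no _dmarc TXT record published")
    tags = parse_dmarc(record)
    # Receivers ignore any record whose v= tag is not exactly DMARC1,
    # so an SPF record or typo at _dmarc is the same as no record.
    if tags.get("v") != "DMARC1":
        return DmarcAssessment(record, None, None, 0, False,
                               "not a DMARC1 record; receivers ignore it")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return DmarcAssessment(record, policy or None, None, 0, False,
                               "missing or invalid p= tag; record is unusable")
    sub_policy = tags.get("sp", policy).lower()
    pct_text = tags.get("pct", "100")
    if not pct_text.isdigit():
        return DmarcAssessment(record, policy, sub_policy, 0, False,
                               "unparseable pct= tag")
    pct = int(pct_text)
    if policy != "reject":
        reason = ("p=none: spoofed mail is only reported, never blocked"
                  if policy == "none"
                  else "p=quarantine: spoofed mail is junked, not rejected")
        return DmarcAssessment(record, policy, sub_policy, pct, False, reason)
    if pct < 100:
        return DmarcAssessment(record, policy, sub_policy, pct, False,
                               f"p=reject but pct={pct}: only {pct}% of failing mail is rejected")
    if sub_policy != "reject":
        return DmarcAssessment(record, policy, sub_policy, pct, False,
                               f"p=reject but sp={sub_policy}: subdomains can still be spoofed")
    return DmarcAssessment(record, policy, sub_policy, pct, True,
                           "p=reject, pct=100, subdomains inherit reject")


def enforcement_rate(records: Iterable[Optional[str]]) -> float:
    """Fraction of records that fully enforce reject (0.0 when empty)."""
    assessments = [assess_dmarc(r) for r in records]
    if not assessments:
        return 0.0
    return sum(a.enforced for a in assessments) / len(assessments)


# Constructed sample dataset: hypothetical domains, not audit data.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "bank-a.example":   "v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example",
    "bank-b.example":   "v=DMARC1; p=none; rua=mailto:dmarc@bank-b.example",
    "insurer.example":  "v=DMARC1; p=quarantine; pct=100",
    "broker.example":   "v=DMARC1; p=reject; pct=20",
    "lender.example":   "v=DMARC1; p=reject; sp=none",
    "fund.example":     None,
    "payments.example": "v=spf1 include:_spf.mail.example -all",
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        flag = "ENFORCED" if result.enforced else "EXPOSED "
        print(f"{flag} {domain:18} {result.reason}")
    print(f"reject enforcement rate: {enforcement_rate(SAMPLE_RECORDS.values()):.1%}")
```

Only one of the seven constructed domains counts as enforced, which is the point of the check: a domain with "p=reject; pct=20" or "p=reject; sp=none" passes a naive presence test yet still lets most spoofed mail through.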

The Specific Risk the Statement Names — and Our Data Confirms

The joint statement highlights that frontier AI models can "rapidly identify and enable exploitation of a potentially large number of vulnerabilities across firms' technology estates." It calls for firms to triage, prioritise, and remediate vulnerabilities more quickly and at scale.

Our audit found that the vulnerabilities requiring rapid remediation are, in many cases, not exotic. They are foundational. DMARC configuration. Exposed admin panels. Legacy files broadcasting server architecture to any passive observer. These are not zero-day exploits requiring nation-state resources. They are the kind of surface that a well-prompted frontier AI model could map across an entire sector in an afternoon.

The remediation is equally straightforward in many cases. During the audit project, we applied established hardening techniques to a standard WordPress deployment — the most common web architecture in the SME and financial services space. The site moved from a failing grade to a consistent A+ rating in a short timeframe, with no loss of functionality. The gap is not primarily technical. It is one of prioritisation, oversight, and resource allocation.

The statement calls for action across several domains. Translated from regulatory language into practical terms for a mid-sized FCA-regulated firm, the immediate priorities are:

Our audit data was published in March. The FCA statement was published in May. We are not claiming credit for the regulators' analysis — they have access to intelligence we do not. But the pattern our external passive audit identified in the UK financial sector is precisely the pattern the joint statement describes: firms that look well-defended from the front and carry unresolved exposure at the back.

The value of an external audit is that it reflects what an adversary sees, not what your internal controls document says. In a world where frontier AI can map an attack surface at speed and scale, that distinction matters more than it ever has.

If you want to know what your perimeter looks like from the outside, we can show you — without touching a single system.

What Does Your Perimeter Look Like From the Outside?

A GET-IT Cyber-Vitals scan is passive, remote, and non-intrusive. You will receive a maturity grade, an exposure summary, and a prioritised remediation briefing. No system access required.
