Keast-Butler mentioned data and AI together as the defining strategic resources of the current era. GCHQ, she noted, exploits “ever greater volumes, velocity and variety of data” to fulfil its mission. The combination of data growth with AI’s capacity to extract value from it at speed creates what she described as a clear strategic asset — one that adversaries, particularly China, are actively developing. The implication for the private sector is direct: data governance and AI capability are no longer separate from security planning. They are security planning. “When you pair data’s exponential growth with AI’s ability to extract new value — at ever faster speeds — it’s clear that data is a strategic asset.”
Agentic AI for cyber defence
The most operationally significant announcement in the lecture was GCHQ’s development of a new national cyber defence blueprint built around agentic AI. Keast-Butler stated that the agency has produced a plan to “hardwire cutting-edge agentic AI into machine speed cyber defence.” The rationale is straightforward: modern cyberattacks move faster than human analysts can respond. Autonomous AI systems operating at machine speed are, in her assessment, the only viable approach to defence at scale.
GCHQ is also integrating frontier AI into its intelligence operations more broadly — for language translation, pattern recognition, and working through large volumes of data to surface relevant signals. These are capabilities that many large organisations are building in parallel, and the convergence of national security and commercial AI development is increasingly evident.
GCHQ’s National Cyber Security Centre has issued guidance on integrating AI responsibly into security operations. Keast-Butler’s remarks reinforce that agentic AI for threat detection and response is no longer experimental — it is the direction of travel for serious security organisations.
AI in the threat landscape
On the adversarial side, Keast-Butler described warfare as “increasingly data-driven, AI-enabled, and automated,” referencing ongoing conflicts as current examples rather than hypothetical scenarios. She also highlighted the use of AI-driven tools in grey-zone operations — activity that sits below the threshold of conventional warfare but is designed to disrupt infrastructure, supply chains, and public trust. Algorithms, she noted, are being weaponised in this space by state actors.
China was singled out as a “tech superpower” with advanced cyber, intelligence and military capabilities, and as a state that fully understands the strategic value of data. For businesses operating in sectors with exposure to Chinese technology or supply chains, this framing carries direct relevance to risk assessment.
The quantum variable
Keast-Butler linked AI strategy to quantum computing in terms that deserve attention. She stated that the timeline for operational quantum computers has shifted — it is no longer reliably “a decade away.” Once available, quantum systems will be capable of breaking current encryption standards, which underpins the security of virtually all digital infrastructure, including AI systems handling sensitive data. The NCSC has published transition timelines for post-quantum cryptography, and Keast-Butler’s message to businesses was to treat those timelines as live commitments, not future planning exercises.
Keast-Butler was explicit that GCHQ’s use of AI is governed by legal, ethical, and proportionality standards. She described the agency’s work as embedding frontier AI “responsibly and ethically” into operations, and emphasised that all activity is legal and proportionate. This framing reflects a broader trend among government security agencies to address public concern about autonomous systems and surveillance — though the specifics of governance frameworks remain, by necessity, largely unpublished.
She also placed AI governance in a longer time horizon, describing it as an “intergenerational duty” to secure AI for beneficial use. For organisations building AI policy today, this framing suggests that security regulators are thinking about AI in terms of durable systemic risk, not just immediate operational threat.
Cybersecurity in an AI world requires a step-change in urgency. Keast-Butler called on businesses to treat cybersecurity as a critical priority now, not as a compliance exercise. The specific actions she referenced — adopting passkeys over passwords, hardening supply chains, transitioning to post-quantum cryptography — are well-documented in NCSC guidance and represent baseline expectations, not advanced measures. The broader signal is that the gap between AI capability and AI security is widening. GCHQ is investing heavily to close that gap on the national security side. The expectation, clearly stated, is that the private sector does the same.
GCHQ stands for Government Communications Headquarters. It is one of the United Kingdom’s three main intelligence and security agencies, operating alongside MI5 (the Security Service) and MI6 (the Secret Intelligence Service)
