Ofcom has launched a review into whether existing telecoms security rules are making it harder for operators to adopt AI-driven cyber defences.
In a newly published AI strategy, the UK’s communications regulator said it is seeking input from operators regulated under the Telecommunications (Security) Act 2021 and the Network and Information Systems Regulations to better understand how AI is used in cybersecurity and whether existing regulatory requirements may create unintended barriers to deployment.
The work comes as organisations face what Ofcom describes as “immense upheaval” in cybersecurity driven by the emergence of increasingly capable AI systems.
“AI models like Mythos could make mounting attacks on networks easier and faster to achieve than ever,” the regulator said.
Ofcom’s initial focus will be on telecommunications operators and digital infrastructure providers subject to UK cybersecurity regulation. The regulator said it wants to understand how organisations are balancing the potential benefits of AI-enabled security tools against regulatory obligations that require strong oversight and understanding of security controls.
Part of the concern is how quickly the technology is improving. Ofcom cites research from the UK’s AI Security Institute showing that leading AI models went from apprentice-level cyber skills in 2023 to expert-level capabilities by 2025. According to the regulator, this means systems are now capable of performing tasks that would typically require more than a decade of specialist experience.
Despite rapid advances, organisations are still approaching AI with caution. Ofcom said reasoning models are becoming easier to trust thanks to fewer hallucinations and better source attribution, but concerns about reliability have not disappeared.
The strategy also highlights a broader rise in AI-enabled harms. More than one in five internet users now report encountering fake or deceptive images or videos online, according to Ofcom, while the regulator pointed to the growing misuse of chatbots, deepfake fraud content and so-called nudification applications used to create non-consensual sexual imagery.
Ofcom said the project is intended to strengthen the security of telecommunications networks and information systems by providing greater regulatory clarity and confidence to industry. The aim is to ensure that regulation does not unintentionally discourage the adoption of effective defensive technologies.
The regulator added that it expects to undertake related work on vendor and third-party assurance and will continue to engage with the Department for Science, Innovation and Technology and the UK’s AI Security Institute.
Insights gathered through the initiative could ultimately inform future policy development and government decision-making regarding the role of AI in protecting critical communications infrastructure.
