All writing
16 min read

IBM's 25% Drop, Anthropic Mythos, and the Cyber-Software Budget Reset. What Australian CIOs Should Do Before FY27 Locks.

IBM's Q2 warning, Mythos zero-days, Gold Eagle and the Essential Eight retirement have reset Australian FY27 IT budgets. Here is the playbook CIOs need now.

WT
Wai Tech Editorial
Written with AI assistance

Four things happened in the last ten days that, taken together, rewrite the Australian enterprise IT budget conversation for FY27.

On 14 July 2026, IBM told the market its Q2 numbers would miss. Its shares fell 25% in a single session, the company's worst day in 39 years. CEO Arvind Krishna wrote to investors that customers had paused several large mainframe and software deals in the closing weeks of June. His reason was direct. Mythos, Anthropic's new frontier cybersecurity model, is making buyers stop and ask how much they should be spending on cyber before they sign anything else.

On 15 July 2026, the White House launched Gold Eagle, an AI-backed vulnerability clearinghouse coordinated by Treasury, CISA, Homeland Security and Defence. Its job is to triage the wave of software flaws that Mythos and comparable models are finding. Frontier models, including Mythos, feed into it.

Also on 15 July 2026, Prime Minister Albanese announced the Office of AI, binding legislation for large data centres in early 2027, and a categorical refusal to loosen the Copyright Act 1968 for AI training. That announcement covered the physical and IP layers of the AI stack.

And running quietly underneath all of it, the Australian Signals Directorate's consultation on Essentials for Enterprise IT closed on 12 July 2026. The Essential Eight, the compliance baseline every Australian board and regulator has anchored on since 2017, is being retired within two years. The trigger for the retirement is that the framework cannot keep up with AI-enabled threats or the pace of vulnerability discovery.

Read together, these four events describe a single reset. Cybersecurity has become the item that eats every other line in the budget. Software deals are pausing. AI infrastructure is drawing capital out of application spend. The compliance baseline is being rewritten. If your FY27 budget conversation is still running on the assumptions you locked in April, those assumptions are now stale.

What IBM's Q2 warning actually said

The precise sentence in Krishna's investor note matters. He wrote that in the last few weeks of June, clients shifted quarterly capex spend toward servers, storage and memory to lock in supply-constrained infrastructure before expected price rises. Then he added the second, more consequential line. Cybersecurity became a competing drain because AI has gotten good at finding holes. Mythos, he said, is making people pause to say, wait, how much do I need to spend on cyber. They are pausing on new deals until they know.

This is not a general software recession call. Krishna framed it as a small number of large mainframe and adjacent software deals delayed at quarter end. But the reason is the important part. Buyers are treating cyber as an unquantified liability that has to be sized before the next software commitment gets signed. That behaviour, once it starts, spreads.

Cybersecurity stocks moved with the reasoning. CrowdStrike lifted 12%. Okta lifted 11%. Palo Alto Networks and Zscaler tracked with them. The market read Krishna's letter as an admission that a structural reallocation is underway.

Why Mythos is the trigger, not the theme

Anthropic's Claude Mythos Preview was announced in April 2026 and access was deliberately restricted to a small set of organisations including AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks. It is not a general release model.

What Mythos did in testing is what changed the conversation. Anthropic reported that the model identified and exploited zero-day vulnerabilities in every major operating system and every major web browser when directed to do so. Many of the flaws it surfaced were ten or twenty years old. The oldest was a 27-year-old bug in OpenBSD. It also autonomously found a 17-year-old remote code execution vulnerability in FreeBSD tied to NFS, now catalogued as CVE-2026-4747, that allowed anyone to gain root on a machine running the service.

The point of Mythos, from an enterprise buyer's perspective, is not that Anthropic has a very capable red team model. The point is that Mythos-class capability exists at all. Once a frontier model can read decades-old code and surface exploitable flaws faster than any human review team, the vulnerability discovery curve rewrites itself. Every enterprise now has to plan for the case where a comparable open or leaked model is available to an adversary before the vendor patch cycle catches up.

That is the risk Krishna's customers are pricing in.

What Gold Eagle is doing, and why it matters offshore

Gold Eagle is the US administration's institutional response to the same discovery curve. Established under Executive Order 14409 signed on 2 June 2026, and formally stood up on 15 July, it is a Treasury-managed clearinghouse that consolidates AI-discovered vulnerabilities from government and industry, prioritises the most consequential ones and coordinates remediation across critical infrastructure. It runs on top of Carnegie Mellon's Vulnerability Information and Coordination Environment, VINCE, and pulls findings from Mythos and other closed frontier models under controlled arrangements.

Gold Eagle is a US instrument, but it changes Australian enterprise reality on two fronts.

First, the shared vulnerability catalogue and remediation timelines that come out of Gold Eagle will become de facto benchmarks for Australian critical infrastructure obligations under the Security of Critical Infrastructure Act. If a hyperscaler patches a Gold Eagle-flagged flaw across US infrastructure in a defined window, an Australian regulator will treat that window as the reasonable standard of care for the same asset in the same fleet.

Second, insurance markets are already using Gold Eagle's initial priority list as the reference set for coverage renewals. Australian cyber insurers underwrite against the same global carriers. Premiums, deductibles and exclusion language for the second half of 2026 will be shaped by which vulnerabilities Gold Eagle categorises as urgent and by how quickly named vendors close them.

Why the Essential Eight is being retired now

The ASD's June 2026 announcement that the Essential Eight will be retired within two years was originally read as a routine framework refresh. In the light of Mythos and Gold Eagle, it looks like something else. It looks like an admission that a static compliance ladder built around conventional malware and legacy patch cycles cannot survive machine-speed vulnerability discovery.

The consultation on the replacement, Essentials for Enterprise IT, closed on 12 July 2026. Two things about the design of the new framework matter for FY27 planning.

The first is that Essentials for Enterprise IT is threat-informed and prioritised, not a fixed ladder. It expects organisations to allocate control effort against the current threat surface rather than against a numbered list. That model is only workable if the organisation has a live understanding of what its threat surface is. For most Australian mid-market and enterprise IT teams, that is not yet an operating capability. It has to be built.

The second is that the ASD has signalled agentic AI will likely have its own dedicated chapter, with distinct identity and access requirements for non-person entities and specific treatment for prompt injection as a control-defeating attack class. That aligns with the direction APRA has already taken under CPS 234 and CPS 230 revisions, and with the OAIC's expectations under the December 2026 automated decision making transparency amendment. The compliance topology is converging.

The follow-on chapters, on operational technology and cloud, will complete the picture. The FY27 board reporting cycle is where these chapters will start to appear in audit letters.

The Australian FY27 budget problem, in specifics

Take those four developments back to the Australian CFO conversation and the shape of the problem is clear.

Vendors will push cost increases in FY27 renewals to fund AI infrastructure. Microsoft's Copilot repricing, Salesforce's Agentforce metering, SAP's autonomous ERP add-ons, ServiceNow's Now Assist tiers and Oracle's Fusion AI packages are all showing double-digit unit price shifts on the Australian sell side. That is real money coming out of the software line.

Cyber is now a live claim on the same budget. The Gartner projection that Australian information security spend will exceed AUD 7.5 billion in 2026, a 9.5% year-on-year lift, was published before the IBM warning. That number is now conservative. Cyber lift for FY27 in most Australian enterprises will land closer to 15 to 20% once the Essentials for Enterprise IT gap analysis is done.

AI infrastructure has its own capital claim through the data centre legislation. Colocation, sovereign cloud and locally-hosted inference contracts will reprice in 2027 as operators absorb the new power, water and cost pass-through obligations. If your FY27 model assumed flat unit costs on Australian-hosted compute, it is now optimistic.

Software modernisation, the traditional home of discretionary IT spend, gets squeezed between all three. That is the pause behaviour Krishna described, imported into an Australian budget cycle where the CIO is already carrying an Office of AI implementation on top.

What Australian technology leaders should do in the next sixty days

The FY27 budget conversation for most listed and mid-market Australian companies is running through July and August. The internal papers get locked before board approval in September and October. That means the useful window to reshape the budget is now.

Reopen the FY27 cyber envelope with the Essentials for Enterprise IT draft in hand. The right question for the CFO is not how much you want to spend on cyber. It is what percentage of your existing Essential Eight compliance investment is now stranded, and what the incremental cost is to close the gap to the new threat-informed baseline. That framing survives an audit committee.

Front-load your AI vendor renewal negotiations before December 2026. Every enterprise SaaS contract due in the first half of 2027 will be at repricing risk. If you have a renewal window that opens in the second half of 2026, use it. The vendor's negotiation posture will harden materially once Gold Eagle's second and third publication cycles land and once the Office of AI signals which Australian standards will apply.

Run a Mythos-class exposure exercise on your own estate. You do not have Mythos access. You do not need it to run the exercise. Take the categories of flaw that Anthropic has published in its Mythos preview writeup, cross-reference them against the CVE stream that Gold Eagle is prioritising, and map both against your own software bill of materials. The output tells you where your unpatched exposure sits on the same taxonomy your auditors and insurers will use for FY27.

Rewrite your software supplier due diligence to include vulnerability response timing. It is no longer enough for a vendor to warrant SOC 2, ISO 27001 or Essential Eight Maturity Level Two compliance. The material question is how quickly the vendor patches when Gold Eagle flags a flaw in one of their dependencies. Put that answer into your standard vendor questionnaire before the FY27 procurement round.

Brief the board on the reset explicitly. The IBM story landed as a market story. The board risk register still treats cyber and software modernisation as parallel budget lines. They are not parallel any more, they are competing for the same dollar. The board paper for the September cycle should show that competition and the executive team's decision framework for allocating between them.

Discoverability, and where Wai fits

The FY27 budget conversation will be shaped, in part, by what buyers, boards and regulators find when they type these questions into AI answer engines. Which vendors move quickly on Gold Eagle-flagged flaws. Which Australian technology partners can operate against the new Essentials framework. Which providers have credible answers on Mythos-class exposure.

That is the citation surface Wai builds ARC for. ARC is the platform that makes Australian technology brands consistently discoverable, defensible and citable inside AI answer engines, using content mapped to how buyers, regulators, insurers and analysts actually describe the market. When the Essentials for Enterprise IT draft becomes the reference document, and when Gold Eagle's remediation timings become the insurance underwriting benchmark, the vendors whose content already speaks that language will earn the citation.

The FY27 budget window is short. The discoverability window is shorter. Both are open right now.

FAQ

Why is IBM stock down 25%? IBM shares fell 25% on 14 July 2026 after the company released preliminary Q2 numbers that missed consensus and a shareholder letter from CEO Arvind Krishna warning that several large mainframe and software deals had been paused at quarter end. Krishna attributed part of the pause to buyers reassessing how much to spend on cybersecurity following the launch of Anthropic's Mythos model, which surfaced thousands of high-severity zero-day vulnerabilities in every major operating system and web browser.

What is Anthropic Mythos and why does it matter? Mythos is Anthropic's frontier cybersecurity model, released in preview in April 2026. In testing it identified and exploited zero-day flaws in every major operating system and browser, including a 17-year-old remote code execution bug in FreeBSD, CVE-2026-4747. Access is restricted to a controlled set of hyperscalers, security vendors and critical infrastructure partners. It matters because it proves that frontier models can surface exploitable vulnerabilities at machine speed, which changes how enterprises size cyber budgets and how insurers underwrite them.

What is the White House Gold Eagle initiative? Gold Eagle is a US federal vulnerability clearinghouse launched on 15 July 2026 under Executive Order 14409. It is managed by the Department of the Treasury with contributions from CISA, Homeland Security and Defence. It consolidates AI-discovered vulnerabilities from government and industry, prioritises the most consequential ones and coordinates remediation across critical infrastructure. It runs on Carnegie Mellon's VINCE platform and draws findings from frontier models including Mythos. Its priority lists are already shaping insurance underwriting and vendor patch expectations globally.

Is Australia replacing the Essential Eight? Yes. The Australian Signals Directorate confirmed on 24 June 2026 that the Essential Eight will be retired within two years and replaced by a broader Essentials series. Consultation on the first chapter, Essentials for Enterprise IT, ran through the ASD Cyber Security Partnership Program portal and closed on 12 July 2026. Further chapters will cover operational technology and cloud. Agentic AI is expected to receive dedicated treatment, including specific controls for non-person identities and prompt injection.

What does IBM's Q2 warning mean for enterprise software budgets? It signals that enterprise buyers are willing to delay large software commitments to preserve budget for cybersecurity investment. That behaviour, once it takes hold, pressures every discretionary software line in the FY27 budget, especially in mainframe, ERP, application modernisation and traditional consulting. Vendors will react by tightening discount structures. CFOs and CIOs should expect software modernisation programs to face harder internal competition for funding through the second half of 2026.

Should Australian companies pause software deals for cybersecurity? Not reflexively. The pause behaviour Krishna described was concentrated in large multi-year mainframe and adjacent software commitments. For most Australian mid-market and enterprise buyers, the correct response is a formal reassessment of cyber posture against the Essentials for Enterprise IT draft and the Gold Eagle priority set, followed by a decision on how much of the software budget to reallocate. Pausing without doing the assessment risks locking in worse renewal terms later.

How are CIOs balancing AI and cyber budgets in FY27? Australian CIOs are treating three lines as competing for the same pool: AI vendor renewals, AI infrastructure and cyber. The emerging practice is to model each line against a shared risk register, front-load AI vendor renewals into the second half of 2026 to lock in current pricing, size the cyber line against the Essentials for Enterprise IT gap analysis, and let AI infrastructure ride the 2027 data centre legislation transition. Software modernisation gets what is left, which is materially less than in FY26.

What is Essentials for Enterprise IT ASD consultation? Essentials for Enterprise IT is the first chapter of the replacement framework the ASD is building to succeed the Essential Eight. It is threat-informed and prioritised, not a fixed maturity ladder. It sits on the Information Security Manual and expects organisations to allocate mitigations against the current threat surface. Consultation closed on 12 July 2026. Operational technology and cloud chapters follow. It will become the Australian compliance baseline over the next two years, and will be reflected in APRA CPS 234 and CPS 230 revisions and in OAIC expectations under the December 2026 Privacy Act amendment.

Keep reading

More writing.

A few more pieces along the same thread. See the full index for everything.

Subscribe

One short note, as it happens.

The writing above, delivered to your inbox when we publish it. No other emails, no tracking pixels, and you can leave in a click.