
Five Eyes agencies issue first joint security guidance on agentic AI

CISA, NSA and counterparts in Australia, Canada, New Zealand and the UK warn autonomous agents are already inside critical infrastructure with insufficient safeguards.

The Five Eyes cybersecurity agencies on May 1 published “Careful Adoption of Agentic AI Services,” their first joint guidance specifically addressing autonomous AI agents and the first acknowledgment, in writing, that those agents have already moved into critical infrastructure faster than the security frameworks meant to contain them. The document is co-signed by CISA, the NSA, the UK’s NCSC, Australia’s ASD ACSC, the Canadian Centre for Cyber Security, and New Zealand’s NCSC-NZ.

It’s the third installment in a series that began with 2023’s “Guidelines for Secure AI System Development” and continued with 2024’s “Deploying AI Systems Securely,” per a Crowell client alert tracking the sequence. The earlier two read as forward-looking. This one reads as catch-up.

The core argument is conservative by design: agentic AI doesn’t need a new security discipline; it needs to be forced into the old ones. Zero trust. Defense in depth. Least privilege. The guidance enumerates five risk categories, per CyberScoop’s reading: excessive privilege, design and configuration flaws, behavioral risk, structural risk from interconnected agent networks, and accountability gaps in logs. It also flags prompt injection as a lingering, possibly unsolvable problem. Recommended safeguards run toward the unglamorous: incremental deployment, low-risk starting tasks, fail-safe defaults, human-in-the-loop checkpoints, cryptographic agent identities, short-lived credentials, encrypted agent-to-agent communications.

The Register quotes the document warning that “every individual component in an agentic AI system widens the attack surface.” The agencies are blunter still elsewhere: “Until security practices, evaluation methods and standards mature, organisations should assume that agentic AI systems may behave unexpectedly and plan deployments accordingly, prioritising resilience, reversibility and risk containment over efficiency gains.”

That last clause is the news. State cyber authorities are telling operators to deprioritize efficiency, the entire commercial case for agents, in favor of containment. One week later, on May 8, China’s Cyberspace Administration published its own agentic AI policy. The regulatory convergence is happening faster than the technology is stabilizing.
