"When a risk arises, it’s critical for responders to have operational visibility to understand what the agent did, why it did and what the user intended," said John Harmon, regional vice president of cyber solutions at Elastic and former global network analyst for the National Security Agency.
Joint warning from CISA, the NSA and Five Eyes partners
The Cybersecurity and Infrastructure Security Agency, the National Security Agency and allied cyber agencies across the U.K., Canada, Australia and New Zealand have published joint guidance warning that agentic, or autonomous, artificial intelligence systems are introducing a new class of security risks. The document states these systems "can independently plan, reason and take action across enterprise environments" and that their rapid adoption is expanding attack surfaces, complicating oversight and amplifying the consequences of security failures.
How agentic AI differs from traditional generative systems
The guidance distinguishes agentic AI from traditional generative AI systems, which produce outputs for human review: agentic AI is designed to execute tasks autonomously by integrating large language models with external tools, data sources and system-level permissions. The agencies say agentic AI "can automate repetitive, well-defined and low-risk tasks" but also warn that the same capabilities can introduce "productivity losses, service disruption, privacy breaches or cyber security incidents" if not properly secured.
Elad Schulman, CEO and co-founder of the GenAI security platform Lasso Security, told ISMG the community currently lacks visibility into how agent workflows evolve and whether intent remains consistent over time. "Without visibility into intent and the ability to detect deviations from that baseline, organizations are effectively blind to the most critical risks in autonomous systems," he said.
Identity risks and the "ultimate insider threat"
The guidance calls out identity-related dangers unique to agentic environments. Because agents rely heavily on external tools, APIs and third-party components, each integration point is another exposure, the agencies said. Attackers can impersonate agents or steal credentials to operate within trusted workflows, and many monitoring systems that are tuned to detect anomalous behavior rather than identity misuse may not flag those attacks until after damage occurs.
Travis Rosiek, public sector chief technology officer for Rubrik, characterized agentic AI as "a deputy with full system access, making it a kind of ultimate insider threat." He urged strict enforcement of least privilege across both human and non-human identities, warning that inherited trust relationships can unintentionally grant agents broad access and increase the risk that agents attempt to bypass controls if permissions are too expansive or poorly scoped.
Operational visibility, continuous governance and technical controls
Across the guidance and expert commentary, several practical controls recur. Organizations are urged to treat agentic AI as part of existing cybersecurity architectures rather than a standalone technology, applying principles such as least privilege, zero trust and defense in depth across the lifecycle of agent deployment. Specific recommendations include:
- Start with low-risk, non-sensitive use cases and restrict agent permissions to the minimum required.
- Implement continuous monitoring of agent behavior, tool usage and decision-making processes to provide runtime visibility.
- Adopt stronger identity controls, including cryptographic authentication for agent-to-system interactions, and use segmentation to contain failures and limit lateral movement.
- Build continuous, contextual governance with guardrails and rollback capabilities so that identity, access and behavior are evaluated in real time.
- Require human approval for sensitive operations, insert checkpoints into agent workflows and retain the ability to interrupt or reverse agent actions in real time.
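The controls listed above (per-agent least-privilege tool allowlists, human approval for sensitive operations, an interruptible call budget, audit telemetry that ties each action to the tool used and the user's stated intent, and rollback) can be combined in a policy gateway that sits between the agent and its tools. The following is an added illustration, not code from the guidance or from any vendor quoted here; the agent, tool names and ticket workflow are hypothetical.

```python
# Hypothetical policy gateway between an agent and its tools (constructed example).
from dataclasses import dataclass, field
from enum import Enum
from typing import Any, Callable

class Decision(Enum):
    ALLOW = "allow"
    NEEDS_APPROVAL = "needs_approval"   # human checkpoint for sensitive operations
    DENY = "deny"

@dataclass(frozen=True)
class AgentPolicy:
    agent_id: str
    allowed_tools: frozenset            # least-privilege allowlist, scoped to this agent
    sensitive_tools: frozenset          # subset that always requires human approval
    max_calls: int                      # call budget; exceeding it halts the run

@dataclass
class ToolGateway:
    policy: AgentPolicy
    user_intent: str                    # recorded so responders can see what the user asked for
    audit: list = field(default_factory=list)
    undo_stack: list = field(default_factory=list)
    calls: int = 0
    halted: bool = False

    def _record(self, tool: str, decision: Decision, reason: str) -> Decision:
        # Every evaluation, allowed or not, is logged with agent, tool and user intent.
        self.audit.append({"agent": self.policy.agent_id, "tool": tool,
                           "intent": self.user_intent, "decision": decision.value,
                           "reason": reason})
        return decision

    def evaluate(self, tool: str, approved: bool = False) -> Decision:
        if self.halted:
            return self._record(tool, Decision.DENY, "run halted")
        if tool not in self.policy.allowed_tools:
            return self._record(tool, Decision.DENY, "tool not in allowlist")
        if self.calls >= self.policy.max_calls:
            self.halted = True          # automatic interruption of a runaway agent
            return self._record(tool, Decision.DENY, "call budget exceeded")
        if tool in self.policy.sensitive_tools and not approved:
            return self._record(tool, Decision.NEEDS_APPROVAL, "human approval required")
        self.calls += 1
        return self._record(tool, Decision.ALLOW, "policy satisfied")

    def run(self, tool: str, action: Callable[[], Any], undo: Callable[[], Any],
            approved: bool = False) -> Decision:
        # Execute only on ALLOW and keep the undo step so the whole run can be reversed.
        decision = self.evaluate(tool, approved)
        if decision is Decision.ALLOW:
            action()
            self.undo_stack.append(undo)
        return decision

    def rollback(self) -> int:
        # Reverse applied actions in LIFO order; returns how many were undone.
        count = 0
        while self.undo_stack:
            self.undo_stack.pop()()
            count += 1
        return count
```

A human approver resubmits a `NEEDS_APPROVAL` call with `approved=True`; the audit list is what an incident responder would export to reconstruct what the agent did, with which tool, and under what user request.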
John Harmon stressed the need for improved telemetry and contextual controls so that "when a risk arises" responders can determine what an agent did, the tools it used and the user's intent.
What this means for federal organizations, security teams, and procurement leaders
Federal organizations and critical infrastructure operators: The guidance specifically targets these actors as early experimenters with agent-based AI. They are advised to begin with low-risk deployments, enforce least-privilege access boundaries, and ensure human approval for high-impact actions.
Technologists and security teams: Observability and continuous governance are central requirements. Teams should prioritize telemetry that ties agent actions to intent and tools, and implement cryptographic authentication and segmentation strategies to constrain potential misuse.
Procurement leaders and program managers: The agencies' message underscores the need to treat agentic capabilities as integrated components of enterprise security. Procurement decisions should enforce minimal permissions by design and require vendors to support rollback, interruption and auditability.
The joint guidance closes with a clear operational posture: "Organizations should assume that agentic AI systems may behave unexpectedly and plan deployments accordingly," the report says. The agencies, vendors quoted in the guidance, and operators experimenting with agentic systems now face a test of whether existing cybersecurity architectures can be extended—through telemetry, identity controls and human-in-the-loop checkpoints—to manage a class of systems that act with autonomy rather than merely advise humans.
https://www.govinfosecurity.com/five-eyes-sound-alarm-on-autonomous-ai-security-risks-a-31590