Skip to main content
AI & Machine Learning

NCSC Warns of Agentic AI Risks, Urges Cautious Deployment

Person sitting at desk with concerned expression, looking at blank laptop screen.

"Think about what could happen if an agent misunderstood its task, exceeded its intended scope or was manipulated, and never grant an agent unrestricted access to sensitive data or critical systems," the UK's National Cyber Security Centre (NCSC) warns in fresh guidance on agentic artificial intelligence.

NCSC issues guidance on agentic AI risks

The NCSC has published a short guidance note aimed at organizations eager to use agentic AI while managing its cyber risks. The document summarizes a more detailed report produced jointly with the Five Eyes counterparts in Australia, Canada, the US and New Zealand. The central message is stark: the autonomy and complexity of agentic systems amplify danger by enabling excessively broad access to external systems, data and tools and by generating unpredictable behavior.

The guidance highlights two practical difficulties. First, actions that occur faster than humans can review make problems harder to spot. Second, the range of behaviors and tools available to agents complicates efforts to explain why an agent took a particular course of action. Both dynamics increase the chance that a single design or privilege failure could escalate into a serious incident.

Operational governance: who owns, who approves, who can stop it

The NCSC urges organizations to resist rushing into deployment. Teams must determine, before deployment, who owns the agentic system, who approves its access, who monitors its behavior, who reviews incidents and who has the authority to stop it if something goes wrong. The agency recommends deploying incrementally, "starting with tightly bounded pilots using clearly defined tasks," and cautions that if an agent is over‑privileged or poorly designed, one failure could become a serious incident.

In blunt terms, the NCSC adds: "Ensure you maintain ongoing visibility of the system’s operation and understand how to retain meaningful human oversight and control. If you cannot understand, monitor or contain an agent’s actions, it is not ready for deployment.”

ETSI EN 304 223 and the NCSC's best-practice checklist

To mitigate these risks, the NCSC points to established industry best practices defined by the international ETSI EN 304 223 standard and lists concrete measures organizations should apply:

  • Apply least privilege so that agents get only the minimum access they need, for the shortest time required
  • Limit scope by restricting what agents can access, what actions they can take and when they can take them
  • Avoid long-lived credentials by using temporary ones where possible and revoking elevated access once tasks are complete
  • Use secure defaults so that applications are designed with safe configurations, secure protocols and appropriate validation
  • Understand dependencies to manage supply chain risk for third-party components, models, tools and integrations
  • Monitor behavior to spot unusual or unexpected activity across tools, workflows and connected systems
  • Threat-model the deployment by considering how the system could be misused, manipulated or caused to behave unexpectedly
  • Plan for incidents to ensure response plans cover agentic AI failures, misuse and loss of control

Where agentic AI may be appropriate — and the NCSC's final cautions

The NCSC acknowledges that agentic AI can offer "significant benefits in many scenarios, particularly where tasks are repetitive, well-understood and low risk." Even so, its conclusion is precautionary: adopt responsibly, thoughtfully and at scale only after starting small, applying existing cyber hygiene and governance from the outset, and planning for failure — including knowing how you would respond to it.

What this means for technologists, procurement leaders, and regulators

Technologists and security teams will be focused on implementing the NCSC checklist: least-privilege access, temporary credentials, monitoring for unexpected behavior, and explicit threat models before deployment. Procurement and enterprise leaders will need to reassess use cases — asking whether agentic AI is actually necessary, insisting on tightly bounded pilots, and managing supplier and model dependencies to limit supply‑chain risk. Regulators and oversight bodies now have a clear reference point in ETSI EN 304 223 and the Five Eyes‑aligned report summary, reinforcing the expectation that deployments include human oversight, incident planning and constrained privileges.

The NCSC leaves organizations with a clear operational litmus test: if you cannot understand, monitor or contain an agent’s actions, do not deploy it. That simple yardstick — combined with the practical checklist and the insistence on incremental pilots and ownership clarity — frames the immediate debate for any organization weighing agentic AI. Whether firms will heed the "never grant an agent unrestricted access" injunction will determine, in short order, whether agentic systems are a measured productivity tool or a source of systemic cyber risk.

Original story