“Until security practices, evaluation methods and standards mature, organisations should assume that agentic AI systems may behave unexpectedly and plan deployments accordingly, prioritising resilience, reversibility and risk containment over efficiency gains,” the guidance reads.
Agentic AI defined and where it is already used
On Friday, a coalition of cybersecurity agencies from the United States, Australia, Canada, New Zealand and the United Kingdom published joint guidance that treats autonomous or "agentic" artificial intelligence as a core cybersecurity concern. The document defines agentic AI as software built on large language models that can plan, make decisions and take actions autonomously. For that autonomy to be useful, agents commonly connect to external tools, databases, memory stores and automated workflows so they can execute multi‑step tasks without human review at each stage — a capability the agencies say is increasingly present in critical infrastructure and defense sectors.
Five categories of risk the agencies identified
- Privilege: When agents are granted too much access, a single compromise can cause far more damage than a typical software vulnerability.
- Design and configuration flaws: Poor setup can create security gaps before a system even goes live.
- Behavioral risks: Agents may pursue goals in ways their designers never intended or predicted.
- Structural risk: Interconnected networks of agents can trigger failures that spread across an organization’s systems.
- Accountability: Agentic systems make decisions through processes that are difficult to inspect and generate logs that are hard to parse, complicating efforts to trace what went wrong and why.
The agencies also underscore that these failures can have tangible, concrete effects: altered files, changed access controls and deleted audit trails.
Identity, credentials and human sign-off
Identity management receives significant attention in the guidance. Agencies recommend that each agent carry a verified, cryptographically secured identity, use short‑lived credentials and encrypt all communications with other agents and services. For high‑impact actions, the guidance is explicit that a human should have to sign off — and deciding which actions require that approval is a job for system designers, not the agent.
Prompt injection and limits of current defenses
The guidance calls out prompt injection — instructions embedded inside data that can hijack an agent’s behavior — as a continuing vulnerability. The document notes that prompt injection has been a lingering problem with large language models, adding that some companies have admitted the problem may never be solved. More broadly, the agencies acknowledge that the security field has not fully caught up: some risks unique to agentic AI are not yet covered by existing frameworks, and the guidance calls for more research and collaboration as the technology takes on operational roles.
Integrating agentic systems into existing cyber governance
Rather than treating agentic AI as requiring a wholly new discipline, the co‑authoring agencies — the U.S. Cybersecurity and Infrastructure Security Agency and the National Security Agency, the Australian Signals Directorate’s Australian Cyber Security Centre, the Canadian Centre for Cyber Security, New Zealand’s National Cyber Security Centre and the United Kingdom’s National Cyber Security Centre — urge organizations to fold these systems into cybersecurity frameworks and governance structures they already maintain. The guidance recommends applying established principles such as zero trust, defense‑in‑depth and least‑privilege access when designing and operating agents.
What this means for technologists, policymakers, and procurement leaders
- Technologists and security teams: Expect to treat agents as high‑risk assets — apply least‑privilege, require cryptographically verified identities, build short‑lived credentials into deployments and plan for reversible operations rather than efficiency‑only architectures.
- Policymakers and regulators: The agencies’ admission that some agentic risks fall outside current frameworks signals a need for coordinated research, standards development and cross‑jurisdictional collaboration to mature evaluation methods and security practices.
- Procurement leaders and operators in critical sectors: Where agents perform high‑impact actions, procurement and system design must bake in human approval gates and contractual requirements for secure identity and encryption; organizations should prioritize resilience and risk containment over rapid efficiency gains.
The joint guidance is a clear signal: agentic AI is already moving from experimental deployments into systems where mistakes can rewrite files, change controls and erase evidence. The agencies do not promise immediate solutions; instead they urge organizations to assume unexpected behavior, to limit privileges and to design for reversibility and containment while the security community develops more mature practices and standards.




