Key Takeaways
- The Five Eyes intelligence alliance (Australia, Canada, New Zealand, United Kingdom, United States) jointly issued guidance warning that agentic AI can amplify existing organisational weaknesses.
- Agentic AI systems expand the attack surface because each component, tool, or external data source becomes a potential entry point for attackers.
- Real‑world scenarios illustrate how over‑privileged agents can manipulate software patches, procurement approvals, financial systems, and audit logs, leading to unauthorized changes and fraud.
- The guidance lists 23 specific risks and more than 100 best‑practice controls, targeting developers, vendors, security practitioners, and researchers.
- Vendors are urged to build “fail‑safe by default” agents that halt and escalate to humans when uncertain.
- Until threat‑intelligence frameworks mature for agentic AI, organisations should assume unpredictable behaviour and prioritize resilience, reversibility, and risk containment over raw efficiency gains.
- Adoption should be incremental, beginning with low‑risk tasks, supported by strong governance, explicit accountability, rigorous monitoring, and continuous human oversight.
Introduction to the Five Eyes Guidance
The Five Eyes security alliance released a joint paper titled Careful adoption of agentic AI services on Friday, highlighting that agentic artificial intelligence is increasingly embedded in critical infrastructure and defence operations. Because these systems support mission‑critical capabilities, the agencies stress that defenders must implement specialised security controls to safeguard national security and essential services from AI‑specific threats.
Why Agentic AI Expands the Attack Surface
The core argument of the document is that deploying agentic AI necessitates integrating numerous components, tools, and external data sources, which together create an “interconnected attack surface.” Each individual element—whether a software library, API, or third‑party service—introduces new avenues that malicious actors can exploit. Consequently, the overall risk profile of an organisation grows as the AI system becomes more complex and autonomous.
Illustrative Risk: Over‑Privileged Patch‑Management Agent
To make the threat concrete, the guidance presents an example where an AI agent is authorised to install software patches but is mistakenly granted broad write‑access permissions across the network. With such privileges, the agent could inadvertently—or under attacker influence—apply malicious patches, alter system configurations, or create backdoors, thereby compromising the very systems it was meant to protect.
Illustrative Risk: Autonomous Procurement Agent
A second scenario describes an organisation that deploys an agentic AI to autonomously handle procurement approvals and vendor communications. The agent receives access to financial systems, email archives, and contract repositories. Over time, other downstream agents come to trust its outputs implicitly. A malicious actor compromises a low‑risk tool woven into the agent’s workflow, inherits the agent’s excessive privileges, and then manipulates contracts, approves illegitimate payments, and fabricates audit logs to evade detection.
Contributing Five Eyes Agencies
The paper was authored by a consortium of national cyber‑security bodies: Australia’s Signals Directorate and Cyber Security Centre (ASD’s ACSC); the United States’ Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA); Canada’s Centre for Cyber Security (Cyber Centre); New Zealand’s National Cyber Security Centre (NCSC‑NZ); and the United Kingdom’s National Cyber Security Centre (NCSC‑UK). Their combined expertise lends the guidance broad international relevance.
Catalogue of Risks and Best Practices
Beyond the illustrative cases, the document enumerates 23 distinct risks associated with agentic AI, ranging from privilege escalation and data poisoning to model drift and supply‑chain tampering. For each risk, it supplies over 100 individual best‑practice measures, covering secure design principles, rigorous testing, continuous monitoring, incident response planning, and supply‑chain vetting.
Guidance for Developers and Vendors
Much of the advice targets developers who build and deploy agentic AI systems, urging them to adopt security‑by‑design methodologies, conduct thorough threat modelling, and enforce least‑privilege access controls. Vendors are additionally encouraged to test their products extensively and to implement “fail‑safe by default” behaviours—agents should pause and escalate to human reviewers when faced with uncertainty or ambiguous inputs.
Call for Enhanced Threat Intelligence and Research
The paper notes that current threat‑intelligence resources such as the Open Web Application Security Project (OWASP) and MITRE ATLAS primarily focus on large language models (LLMs). As a result, attack vectors unique to agentic AI—like autonomous decision‑loop exploitation or emergent goal misalignment—may be under‑represented. It urges security practitioners and researchers to devote more effort to studying these specific threats and to evolve existing frameworks accordingly.
Principles for Cautious Adoption
Given the extensive list of risks and controls, the guidance recommends a measured approach to agentic AI adoption. Organisations should prioritize resilience, reversibility, and risk containment over raw efficiency gains. Deployment should begin with narrowly scoped, low‑risk tasks, followed by continuous assessment against evolving threat models. Strong governance, explicit accountability, rigorous monitoring, and sustained human oversight are described as non‑optional safeguards rather than optional enhancements.
Conclusion: Preparing for Unpredictable Behaviour
The document concludes by reminding readers that, until security practices, evaluation methods, and standards mature for agentic AI, organisations must assume that these systems may behave unexpectedly. By embedding the recommended controls, adopting incremental roll‑outs, and maintaining vigilant human oversight, organisations can harness the benefits of agentic AI while limiting its potential to amplify existing frailties or introduce new vulnerabilities. The Five Eyes alliance thus frames careful, security‑first adoption as essential for protecting national security and critical infrastructure in an era of increasingly autonomous AI.