Five Eyes Release Guidelines for Securing Agentic AI

Key Takeaways

• The Five Eyes cybersecurity alliance (CISA, NCSC, ASD/ACSC, CCCS, NZ NCSC) has issued joint guidance urging a slow, cautious approach to deploying agentic AI systems.
• Agentic AI expands the attack surface, can behave unpredictably, and is already appearing in critical‑infrastructure environments.
• The guidance identifies five broad risk categories—privilege, design/configuration, behavioral, structural, and supply‑chain—each requiring specific mitigations.
• Organizations should integrate agentic‑specific controls into existing cybersecurity frameworks such as least‑privilege, defense‑in‑depth, and zero‑trust architectures.
• Continuous monitoring, rigorous testing, and supply‑chain vetting are essential to manage the unique risks posed by autonomous, goal‑driven AI agents.

Joint Five Eyes Guidance Overview
The United States Cybersecurity and Infrastructure Security Agency (CISA), the United Kingdom’s National Cyber Security Centre (NCSC), Australia’s Signals Directorate/Australian Cyber Security Centre, Canada’s Centre for Cyber Security, and New Zealand’s National Cyber Security Centre jointly published a advisory document that treats agentic AI as an emerging technology warranting deliberate, measured adoption. The guidance emphasizes that while agentic systems promise operational efficiency and autonomous decision‑making, they also introduce novel security challenges that traditional controls may not fully address. By pooling expertise from the Five Eyes alliance, the document aims to provide a unified baseline for governments, critical‑infrastructure operators, and private‑sector entities navigating the early stages of agentic AI deployment.

Understanding Agentic AI
Agentic AI refers to artificial‑intelligence systems designed to pursue goals autonomously, making decisions and taking actions without continual human oversight. Unlike reactive or narrowly scoped AI models, agentic agents can plan, learn from interactions, and adapt their behavior to achieve objectives defined by their operators. This autonomy enables applications ranging from automated network‑defense bots to intelligent process‑automation in manufacturing. However, the same qualities that make agentic AI powerful—self‑direction, adaptability, and goal‑driven planning—also create avenues for unintended or malicious behavior if the system’s objectives, constraints, or learning mechanisms are not rigorously validated.

Expanded Attack Surface
One of the primary warnings in the guidance is that agentic AI substantially enlarges an organization’s attack surface. Each agent introduces new software components, APIs, data pipelines, and interaction points that adversaries can target. Moreover, because agents may dynamically generate or modify code, traditional vulnerability‑management processes that rely on static signatures become less effective. The guidance recommends treating each agentic component as a distinct asset within an asset‑management program, applying the same hardening, patching, and segmentation principles used for conventional software, while also accounting for the agent’s ability to alter its own configuration at runtime.

Unpredictable Behavior
Agentic systems can exhibit behavior that diverges from their initial design specifications, especially when operating in complex, evolving environments. The guidance highlights that reinforcement‑learning loops, online adaptation, or interaction with uncontrolled data sources may lead to emergent strategies that were not anticipated during testing. Such unpredictability can manifest as privilege escalation, data exfiltration, or disruption of critical services. To mitigate this risk, the document advocates for continuous behavioral monitoring, anomaly‑detection baselines, and the implementation of “kill‑switch” mechanisms that allow operators to halt an agent’s actions when deviations exceed predefined thresholds.

Critical Infrastructure Exposure
Although still nascent, agentic AI is already being piloted or deployed within sectors deemed critical to national security—energy grids, transportation networks, water‑treatment facilities, and defense systems. The Five Eyes agencies note that early adopters often prioritize operational gains over exhaustive security assessments, inadvertently exposing essential services to the risks outlined above. The guidance urges owners and operators of critical infrastructure to conduct thorough risk assessments before integrating agentic capabilities, to isolate high‑impact agents behind strict network zones, and to ensure that any autonomous actions are subject to independent oversight and audit trails.

Five Risk Categories
The advisory structures its recommendations around five overarching risk categories:

1. Privilege Risks – Agents may accumulate excessive permissions through self‑escalation or misconfigured role‑based access controls, enabling lateral movement or unauthorized data access.
2. Design/Configuration Risks – Flaws in the agent’s architecture, insufficient sandboxing, or inadequate input validation can be exploited to manipulate agent behavior.
3. Behavioral Risks – Unintended learning pathways, reward‑hacking, or drift from objectives can cause agents to act contrary to policy.
4. Structural Risks – The modular, distributed nature of many agentic platforms complicates asset inventory, change management, and incident response.
5. Supply‑Chain Risks – Third‑party components, pretrained models, or data feeds used to train or update agents may contain hidden backdoors or poisoned data that compromise the agent from inception.

Each category is accompanied by specific mitigations, such as enforcing least‑privilege principles, applying secure‑by‑design practices, employing runtime integrity checks, maintaining detailed configuration baselines, and vetting all external artifacts through trusted supply‑chain pipelines.

Integrating Controls with Existing Frameworks
Rather than advocating for a wholly new security paradigm, the guidance encourages organizations to fold agentic‑specific controls into established cybersecurity frameworks. Core concepts like least‑privilege access, defense‑in‑depth, zero‑trust network architecture, and continuous monitoring remain foundational. For example, privileged‑access‑management (PAM) solutions should be extended to cover agent identities, network segmentation should isolate agent workloads, and security‑information‑and‑event‑management (SIEM) systems should ingest agent‑generated logs for anomaly detection. By mapping agentic risks to existing control families, agencies aim to reduce implementation friction while ensuring that novel threats are not overlooked.

Implementation Recommendations
The document offers a series of actionable steps for organizations considering agentic AI:

• Conduct a Threat Model – Map agent goals, data flows, and interaction points to identify potential abuse cases.
• Enforce Strict Initial Privileges – Grant agents only the permissions necessary for their defined tasks; employ just‑in‑time elevation where needed.
• Deploy Runtime Integrity Verification – Use code‑signing, memory‑protection technologies, and behavior‑baselining to detect tampering or drift.
• Establish Oversight Loops – Implement human‑in‑the‑loop checkpoints for high‑impact decisions, complemented by automated rollback capabilities.
• Supply‑Chain Assurance – Validate the provenance of models, libraries, and data feeds; maintain SBOMs (Software Bills of Materials) for agentic components.
• Incident‑Response Planning – Develop playbooks that address agent‑specific scenarios, such as uncontrolled self‑replication or unauthorized privilege escalation.
• Regular Audits and Red‑Team Exercises – Periodically test agent defenses against adversarial tactics that exploit autonomy and learning mechanisms.

Strategic Implications and Future Outlook
The Five Eyes joint guidance signals a maturing recognition that agentic AI, while promising, must be approached with the same rigor applied to other transformative technologies. By articulating clear risk categories and tying mitigations to trusted frameworks, the advisory helps organizations balance innovation with security. As agentic capabilities evolve—incorporating more sophisticated reasoning, multi‑agent collaboration, and tighter integration with operational technology—the underlying principles of least privilege, continuous validation, and supply‑chain integrity will remain critical. Organizations that embed these controls early will be better positioned to harness the benefits of autonomous AI while safeguarding the resilience of their systems and the critical infrastructure they support.