Key Takeaways
- The Five Eyes intelligence alliance (US, Australia, Canada, NZ, UK) issued joint guidance highlighting significant cybersecurity risks posed by agentic AI systems in critical infrastructure and defense, emphasizing they are not immune to LLM vulnerabilities.
- Core risks fall into five categories: privilege escalation, flawed design/configuration, unpredictable behavior, structural weaknesses, and accountability gaps, necessitating proactive management throughout the AI lifecycle.
- Recommended best practices span securing agent design, development, third-party component vetting, secure deployment, and continuous operation, with strong governance, explicit accountability, human oversight, and incremental deployment as foundational principles.
- The guidance builds directly on prior federal and allied AI security efforts, including CISA’s 2025 critical infrastructure guidance and NSA’s data lifecycle best practices, creating a evolving framework for AI risk management.
- Organizations must treat agentic AI security as an ongoing process requiring continuous threat model assessment, rigorous monitoring, and adaptation to counter evolving threats in high-stakes environments.
Understanding Agentic AI Security Risks
The National Security Agency, representing the Five Eyes alliance, released the cybersecurity information sheet “Careful Adoption of Agentic AI Services” to address escalating concerns about deploying autonomous AI systems in sensitive environments. Unlike traditional AI, agentic AI possesses the capability to perceive, decide, and act independently to achieve goals, significantly increasing its potential attack surface and the complexity of securing it. The guidance explicitly states that these systems inherit all known risks associated with large language models (LLMs), such as prompt injection, data poisoning, and hallucinations, while introducing novel vulnerabilities stemming from their autonomous decision-making and interaction with operational technology (OT) and information technology (IT) networks. This joint advisory underscores a growing recognition among allied nations that securing agentic AI is paramount for safeguarding critical infrastructure like power grids, water treatment facilities, transportation networks, and defense systems against sophisticated cyber threats.
Detailed Risk Categories Identified
The guidance breaks down the specific security challenges into five distinct but interconnected risk categories. Privilege risks arise when agentic AI systems are granted excessive or improperly scoped permissions, potentially allowing them to access sensitive data, modify critical configurations, or execute harmful actions if compromised or behaving unexpectedly. Design and configuration risks stem from inherent flaws in how the AI agent is architected or set up, such as inadequate input validation, insufficient sandboxing, or poorly defined operational boundaries, which attackers could exploit to manipulate the agent’s behavior. Behavior risks focus on the unpredictability of autonomous actions; even well-designed agents might exhibit emergent, unsafe, or unintended behaviors due to complex interactions with their environment, adversarial inputs, or internal model inconsistencies, leading to operational disruption or safety hazards. Structural risks concern weaknesses in the underlying infrastructure supporting the agent, including insecure APIs, vulnerable communication channels, or inadequate isolation between the agent and other system components. Finally, accountability risks highlight the difficulty in tracing decisions and actions back to specific human or system owners when AI operates autonomously, complicating incident response, forensic analysis, and liability determination, especially in regulated critical sectors.
Lifecycle-Based Security Best Practices
To mitigate these risks, the guidance prescribes specific best practices across the entire agentic AI lifecycle. During the designing secure agents phase, organizations should implement strict least-privilege principles, define clear operational boundaries and fail-safes, conduct threat modeling specific to agentic behavior, and prioritize explainability and transparency in decision-making processes. In developing secure agents, the focus shifts to rigorous secure coding practices, continuous vulnerability scanning of dependencies, implementing robust input and output sanitization to counter injection attacks, and utilizing secure development lifecycle (SDL) methodologies tailored for AI/ML components. Managing third-party components requires thorough vetting of suppliers, maintaining a software bill of materials (SBOM) for all AI and associated software, enforcing strict supply chain security standards, and monitoring for vulnerabilities in external libraries or models used by the agent. For deploying agents securely, the guidance stresses incremental rollout (starting in isolated, monitored environments), enforcing network segmentation and zero-trust principles around the agent, ensuring secure configuration baselines, and validating integrity before full deployment. Finally, operating agents securely demands continuous monitoring for anomalous behavior, real-time threat detection tuned to agent-specific tactics, regular re-assessment against evolving threat models, explicit human-in-the-loop or human-on-the-loop oversight for high-risk actions, and well-defined incident response plans that account for AI-specific failure modes.
Building on Prior AI Cybersecurity Efforts
This new agentic AI guidance does not exist in isolation but represents a critical evolution in the Five Eyes’ collective approach to securing AI in national security contexts. It directly follows and complements earlier initiatives. In 2025, the Cybersecurity and Infrastructure Security Agency (CISA), alongside its international partners within the alliance, published specific guidance aimed at critical infrastructure operators who are integrating AI into their operational technology (OT) systems – environments where safety and reliability are paramount, and where agentic AI’s autonomous actions could have immediate physical consequences. Concurrently, the NSA and its allies issued a separate cybersecurity information sheet detailing best practices for securing data throughout the entire AI lifecycle, from collection and preparation to model training, deployment, and retirement. The current agentic AI guidance synthesizes and advances these previous efforts by addressing the unique challenges posed by systems that don’t just process data but actively act on it within complex, often legacy, operational environments. It demonstrates a maturing understanding that AI security requires not just protecting the model or data, but securing the agent’s actions, its interactions, and the governance framework surrounding its autonomous behavior within mission-critical systems.
Implications for Critical Sectors and Future Focus
The release of this guidance signals a clear expectation from the NSA and its Five Eyes partners that governance, oversight, continuous risk assessment, and explicit accountability will become non-negotiable components of deploying agentic AI in defense and critical infrastructure. Organizations operating in these sectors are now expected to move beyond basic AI security checklists and implement the phased, lifecycle-based approach outlined, treating agentic AI not as a standalone tool but as an integrated component requiring persistent vigilance. The emphasis on incremental deployment and continuous assessment against evolving threat models acknowledges the dynamic nature of both AI capabilities and adversarial tactics. This guidance is likely to shape procurement standards, influence audit frameworks, and drive investment in specialized security tooling and training focused on AI-specific threats like behavioral anomaly detection for autonomous systems. As agentic AI adoption grows, the principles laid out – strong foundational governance, rigorous technical controls throughout the lifecycle, and unwavering commitment to human oversight and accountability – will be essential for harnessing its benefits while managing the inherent cybersecurity risks to national security and public safety. The joint nature of the advice underscores the allied commitment to establishing common baselines for resilience in an increasingly AI-driven threat landscape. (Word Count: 898)