American and Allied Cyber Agencies Issue First Joint Guidance on Securing Agentic AI
What You Need to Know
Key takeaway #1
Agentic AI (artificial intelligence that can take actions across software or physical environments to achieve a specific objective with little to no human oversight) introduces security risks that exceed those of traditional software, including an expanded attack surface, the potential for compromised privilege, scope creep, behavior misalignment, and opacity in how agentic systems function.
Key takeaway #2
Organizations should adopt agentic AI through a deliberate application of best practices, including least-privilege access, rigorous monitoring, phased deployment, and mandatory human approval for high-risk actions.
Key takeaway #3
The regulatory environment for agentic AI is accelerating globally — including U.S. government procurement requirements, National Institute of Standards and Technology (NIST) AI Agent Standards Initiatives, the EU AI Act, and China’s new agentic AI policy — and organizations should expect increasing compliance expectations and proactively build defensible records of risk mitigation.
Client Alert | 7 min read | 05.19.26
On May 1, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. National Security Agency (NSA), the Australian Cyber Security Centre, the UK National Cyber Security Centre, the Canadian Centre for Cyber Security, and the New Zealand National Cyber Security Centre, published joint guidance on the “Careful Adoption of Agentic AI Services” (Guidance).
This is the first cybersecurity guidance issued by the so-called “Five Eyes” allies (Australia, Canada, New Zealand, the United Kingdom, and the United States) specifically on agentic AI, that is, AI that can independently make decisions and execute multiple tasks with limited to no human oversight. The Guidance is the third installment in an evolving series of Five Eyes collaborative security guides, following Guidelines for Secure AI System Development (2023) and Deploying AI Systems Securely (2024). On May 8, 2026, China’s Cyberspace Administration, National Development and Reform Commission, and Ministry of Industry and Information Technology also released their own agentic AI policy to standardize safety principles and promote adoption.
The Guidance advises organizations to adopt agentic AI incrementally, beginning with low-risk tasks, and treat strong governance, human oversight, rigorous monitoring, and explicit accountability as essential requirements, not optional measures. Until security standards and evaluation methods mature, it recommends that organizations plan for unexpected behavior and prioritize resilience, reversibility, and risk containment over efficiency.
The Guidance explains that, although agentic AI systems provide significant automation capabilities, their autonomy across interconnected tools and environments introduces complex security risks that exceed those of traditional software. As organizations grant agentic AI systems greater authority, those risks will become increasingly difficult to predict and control. For example, a few weeks ago, the founder of a technology company publicly disclosed how the company’s agentic AI deleted production data while attempting to “fix” a problem encountered in carrying out a user’s command, despite explicit system prompt instructions to the AI agent not to guess and not to run destructive or irreversible commands.
Corporate America is adopting AI agents with increasing speed and scale. Gartner predicts that, within two years, the average Fortune 500 company will run 150,000 AI agents, yet only 13% of organizations believe they have adequate governance structures in place for their agents. In the face of such “AI agent sprawl,” organizations should consider best practices, such as those set out in this Guidance, to build a centralized agent inventory; establish an agent governance structure, including through a centralized platform; require human oversight, particularly of high-risk uses; and strengthen existing security protocols, including a defense-in-depth strategy and zero-trust architecture, as well as more fundamental techniques such as the principle of least privilege and role-based access control.
Mapping Risks
The Guidance notes that organizations, particularly those in strategic sectors such as defense and critical infrastructure, are increasingly interested in agentic AI systems. Agentic AI can automate complex workflows, improve response times, and support operational efficiencies. However, because of the expanded authority and broader accessibility of these systems, agentic AI introduces security and operational vulnerabilities.
The Guidance outlines several risks that organizations should take into consideration, including:
- Expanded attack surface. Agentic AI systems rely on external tools, Application Programming Interfaces (APIs), memory stores, third-party integrations, and data retrieval mechanisms to function effectively, creating additional, exploitable pathways for malicious actors.
- Privilege compromise and scope creep. Over time, an agentic AI system may accumulate excessive permissions or inherit access to digital systems beyond what is specifically necessary for its intended role. Especially in high-risk environments with access to sensitive data, compromised agents may cause significant harm.
- Behavior misalignment. An agentic AI system may behave in ways that do not fully align with an organization’s intent, security expectations, or operational policy. Even when functioning as designed, the system may take actions that are technically permitted but unsafe, particularly in complex or poorly defined environments.
- Obscure event records. The actions of agentic AI systems are not always transparent, making it difficult for organizations to determine why a system acted in a certain way or which component action resulted in an unintended incident. Inadequate logging — when an agentic AI system fails to capture a complete trail of its autonomous decisions, tool usage, and data access — complicates auditing, compliance, and incident response.
Mitigating Harms
To address these emerging risks, the Guidance provides best practices to adopt the technology for each stage of the lifecycle, including design, deployment, and operation.
The Guidance’s dozens of recommended best practices are directed to specific stakeholders in the AI ecosystem (e.g., agentic AI developers, vendors, operators) and fall into four central categories:
I. Designing Secure Agents
Agentic AI developers should focus on system architecture, security controls, and tooling, and integrate safety mitigations into system design, before development and deployment. They should, among others:
- Configure least-privilege access so agents only have permissions required for their tasks.
- Require human oversight mechanisms, including approval steps and intervention points for high-risk actions, together with auditing and reversibility after task execution.
- Maintain a trusted registry of authorized agents and regularly reconcile it with active systems.
- Avoid reliance on a single security mechanism by defending “in depth” through overlapping security controls.
II. Developing Secure Agents
Agentic AI developers and vendors should recognize that the complexity of AI agents, together with their capacity for autonomous interaction with other systems, creates unique attack surfaces that require addressing through specialized security techniques. They should, among others:
- Train agents in simulated, controlled environments to evaluate consequences of actions safely before real-world deployment.
- Conduct continuous capability evaluations across the entire development lifecycle.
- Conduct red-teaming exercises to identify unintended agentic behaviors.
- Validate that all third-party components originate from trusted sources.
III. Deploying Agents Securely
Because integrating AI agents into networks can alter system risk, agentic AI vendors and operators should implement security controls at deployment that address the resulting risk. They should, among others:
- Implement governance policies to manage AI agents.
- Deploy AI agents in phases, restricting APIs and confining agents to “sandboxes.”
- Implement layered guardrails and hard constraints.
- Segment high-risk agents into specific domains.
IV. Operating Agents Securely
AI vendors and operators should exercise care in managing security concerns for agents they deploy. They should, among others:
- Employ monitoring tools to strengthen human oversight of AI agents.
- Keep human-in-the-loop review for actions “where the cost of error is high.”
- Regularly assess an agent’s likelihood of bypassing safeguards.
- Limit privileges of AI agents to the minimum required for the task.
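The four categories above repeatedly come back to the same enforcement points: a trusted registry of agents, a least-privilege allowlist of tools, a human approval gate for actions where the cost of error is high, and a complete record of what the agent did. The production-data deletion described earlier happened despite system-prompt instructions, which is the practical lesson: a prompt is a request, not a control. The example below is an added illustration written for this alert, not code from the Guidance or from any vendor; the agent identifiers, tool names, allowlists and the stub approver are hypothetical, and the call sequence is constructed for the demonstration. It shows how those controls are enforced at the tool-call boundary, outside the model, and how the audit trail and registry reconciliation fall out of the same gateway.

```python
# Added illustration (not code from the Guidance or any vendor): a tool-call
# gateway that enforces least privilege, human approval for high-risk actions,
# and an audit trail outside the model's prompt. All ids, tool names, policies
# and the call sequence below are hypothetical / constructed for the example.
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json
import uuid

# Hypothetical trusted registry: agent id -> the only tools it may call.
AGENT_REGISTRY = {
    "billing-reconciler": {"db.read", "report.write"},
    "infra-helper": {"db.read", "shell.run"},
}

# Tools "where the cost of error is high": always routed through a human.
HIGH_RISK_TOOLS = {"shell.run", "db.delete", "db.migrate"}


class PolicyViolation(Exception):
    """Call rejected by the registry or allowlist check."""


class ApprovalDenied(Exception):
    """High-risk call rejected (or not answered) by the human approver."""


@dataclass
class AuditLog:
    """Append-only structured trail of every decision the gateway makes."""
    entries: list = field(default_factory=list)

    def record(self, **fields):
        entry = {"id": str(uuid.uuid4()),
                 "ts": datetime.now(timezone.utc).isoformat(), **fields}
        self.entries.append(entry)
        return entry

    def as_jsonl(self):
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


class ToolGateway:
    def __init__(self, registry, high_risk, approver, audit):
        self.registry, self.high_risk = registry, high_risk
        self.approver, self.audit = approver, audit  # approver(agent, tool, args) -> bool

    def call(self, agent_id, tool, args, execute):
        base = {"agent": agent_id, "tool": tool, "args": args}
        # 1. Only agents present in the trusted registry may act at all.
        if agent_id not in self.registry:
            self.audit.record(event="denied", reason="unregistered_agent", **base)
            raise PolicyViolation(f"{agent_id} is not a registered agent")
        # 2. Least privilege: the allowlist, not the model, decides what is callable.
        if tool not in self.registry[agent_id]:
            self.audit.record(event="denied", reason="tool_not_allowed", **base)
            raise PolicyViolation(f"{agent_id} may not call {tool}")
        # 3. Human-in-the-loop gate for destructive or irreversible actions.
        if tool in self.high_risk:
            approved = bool(self.approver(agent_id, tool, args))
            self.audit.record(event="approval", approved=approved, **base)
            if not approved:
                raise ApprovalDenied(f"human declined {tool} for {agent_id}")
        # 4. Execute and log the outcome so the chain of actions is reconstructible.
        result = execute(tool, args)
        self.audit.record(event="executed", result=str(result), **base)
        return result


def reconcile(registry, active_agents):
    """Compare the registry with what is actually running (agent-sprawl check)."""
    active = set(active_agents)
    return {"unregistered": sorted(active - set(registry)),
            "stale": sorted(set(registry) - active)}


def demo():
    """Drive the gateway with a constructed call sequence; returns outcomes and log."""
    audit = AuditLog()
    # Stub approver: approves read-only shell commands only. A real one pages a human.
    approver = lambda agent, tool, args: (
        tool == "shell.run" and args.get("cmd", "").startswith("ls"))
    gw = ToolGateway(AGENT_REGISTRY, HIGH_RISK_TOOLS, approver, audit)
    fake_exec = lambda tool, args: f"ok:{tool}"  # stand-in for the real tool runtime
    calls = [
        ("billing-reconciler", "db.read", {"table": "invoices"}),
        ("billing-reconciler", "db.delete", {"table": "invoices"}),    # not on its allowlist
        ("infra-helper", "shell.run", {"cmd": "ls /var/log"}),         # high-risk, approved
        ("infra-helper", "shell.run", {"cmd": "rm -rf /var/lib/db"}),  # high-risk, declined
        ("rogue-agent", "db.read", {"table": "users"}),                # not in registry
    ]
    outcomes = []
    for agent, tool, args in calls:
        try:
            outcomes.append(("executed", gw.call(agent, tool, args, fake_exec)))
        except PolicyViolation as e:
            outcomes.append(("policy", str(e)))
        except ApprovalDenied as e:
            outcomes.append(("approval", str(e)))
    return outcomes, audit


if __name__ == "__main__":
    outcomes, audit = demo()
    for outcome in outcomes:
        print(outcome)
    print(audit.as_jsonl())
    print(reconcile(AGENT_REGISTRY, ["billing-reconciler", "rogue-agent"]))
```

The design choice worth noting is that every branch, including denials, writes to the audit log before raising, so the trail answers both "what did the agent do" and "what did it try to do and why was it stopped". The registry is deliberately the single source of both authorization and inventory: `reconcile` uses the same structure to flag agents running without registration and registry entries with no live agent behind them.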
Assessing Domestic and International Implications
From a governance perspective, agentic AI remains an emerging but rapidly evolving regulatory domain.
Domestically, the Guidance may shape future AI regulations and U.S. government procurement requirements. For example, the U.S. Department of Defense (DoD) recently signaled plans to adopt mandatory cybersecurity requirements for AI it acquires. Congress directed that these requirements be drawn from existing cybersecurity reference documents to the “maximum extent feasible.” Because the Guidance is one of the first U.S. government-associated forays into agentic AI cybersecurity, it may well inform DoD and broader U.S. government AI cybersecurity procurement requirements currently in the works. Likewise, a contract clause proposed for inclusion in General Services Administration Schedule solicitations and contracts for AI capabilities would require contractors to “preserve all relevant logs, forensic images, and incident artifacts for a minimum of 90 calendar days from a security incident” that involves “Government Data.” The Guidance’s best practices on capturing and retaining a complete record of agent activity could be relevant to meeting such a requirement.
Initiatives such as NIST’s Center for AI Standards and Innovation AI Agents Standards Initiative, launched in February 2026, also signal increasing formal attention to the security and standardization of autonomous AI systems, with further guidance and standards still under development.
Internationally, frameworks such as the EU AI Act already classify certain AI systems, including high-autonomy agents, as high-risk, requiring transparency, technical safeguards, and human oversight.
China’s new agentic AI policy outlines standardized safety principles for the development and deployment of AI agents while continuing to promote rapid adoption of these technologies in support of the country’s “AI Plus” initiative, a national strategy aimed at integrating AI across economic and industrial sectors, with a target of achieving 90% AI integration in key industries by 2030.
Accordingly, organizations seeking to, or currently integrating, agentic AI systems into operational environments should consider aligning implementation of the Guidance’s security best practices with existing cybersecurity and risk management frameworks.
Practically, this effort requires incorporating agentic AI-specific risks into standard risk assessment processes and ensuring appropriate security controls are in place prior to deployment. The Guidance points to two reference frameworks to map agent-specific threats against existing risk taxonomies: the OWASP 2026 Top 10 for Agentic Applications and MITRE ATLAS. Incorporating these methodologies into pre-deployment threat modeling may help organizations create a defensible record that they considered and addressed the risks identified by the Guidance’s authors. These controls should include clearly defined access boundaries and strict control flows that limit and govern agent autonomy. During deployment, organizations should maintain transparency and human oversight mechanisms to ensure system explainability, supported by continuous monitoring and auditing of all agent activity, including tool usage, inter-agent communication, and decision-making chains.
As this regulatory landscape develops, organizations should anticipate increasing expectations to implement agentic AI-specific risk mitigation efforts and to demonstrate their compliance.