Cybersecurity agencies from the United States, Australia, Canada, New Zealand, and the United Kingdom jointly issued guidance on Friday, emphasizing the need for organizations to regard autonomous artificial intelligence systems as a critical cybersecurity concern. The agencies warned that the technology is being implemented in essential infrastructure and defense sectors without adequate safeguards in place.
The guidance specifically addresses agentic AI—software that utilizes large language models capable of planning, decision-making, and executing actions independently. To function effectively, such systems must connect to various external tools, databases, and automated workflows, enabling them to carry out complex tasks without human oversight at each step.
Co-authored by the U.S. Cybersecurity and Infrastructure Security Agency, the National Security Agency, the Australian Signals Directorate’s Australian Cyber Security Centre, the Canadian Centre for Cyber Security, New Zealand’s National Cyber Security Centre, and the United Kingdom’s National Cyber Security Centre, the document aims to integrate agentic AI into existing cybersecurity frameworks rather than create new security protocols. The agencies advocate for established principles like zero trust, defense-in-depth, and least-privilege access to be applied to these systems.
The guidance outlines five primary categories of risk associated with agentic AI. The first is privilege escalation: an agent granted more access than its task requires turns a single compromise into a far larger blast radius than a typical software vulnerability, because the attacker inherits every tool, credential and workflow the agent can reach. The second involves design and configuration flaws, where weak initial setup leaves security gaps in place before the system is even operational.
The third risk pertains to behavioral anomalies, where an agent may pursue objectives in unintended or unforeseen ways. The fourth category is structural risk, highlighting how interconnected networks of agents can trigger cascading failures throughout an organization. The final risk of accountability underscores the challenges in evaluating decision-making processes within these systems, as their operations can be opaque, complicating the tracing of errors and failures.
Particularly concerning is the issue of prompt injection, a vulnerability where malicious instructions embedded within data can alter an agent's behavior for harmful purposes. Because large language models do not reliably distinguish instructions from the content they process, anything an agent reads, such as a web page, a document or the output of a tool it called, can carry instructions that it then follows. This long-standing problem continues to challenge developers, with some acknowledging that a definitive solution may not be achievable.
The guidance places considerable emphasis on identity management. Agencies recommend that each agent possess a verified, cryptographically secured identity, utilize short-lived credentials, and encrypt all communications with other systems and agents. Importantly, for high-stakes actions, human approval should be mandatory, with the responsibility of determining which actions require this oversight resting firmly with system designers rather than the agents themselves.
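The following is an added illustration of how those identity and approval controls fit together at the point where an agent asks to call a tool; it is example code written for this article, not code from the guidance or from any of the issuing agencies. It assumes a single broker in front of the agent's tools, an HMAC-signed short-lived token standing in for whatever cryptographic identity a real deployment would issue (an asymmetric key pair from an identity service would be the stronger choice), a constructed per-agent tool allowlist, and a designer-maintained list of high-stakes tools that cannot run without a human decision. Transport encryption between the agent and the broker is assumed to be handled by TLS and is outside the block.

```python
"""Tool-call broker for an agent: verified identity, short-lived credentials,
least-privilege tool access and a human-approval gate for high-stakes actions.
Illustrative example only; names, keys and policy below are assumptions."""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical broker secret. A real deployment would use per-agent keys or
# an asymmetric key pair issued by an identity service, never a shared constant.
BROKER_KEY = b"example-broker-key-not-for-production"

# Least-privilege policy (constructed sample): the tools each agent identity
# may call. Anything not listed is denied.
POLICY = {
    "invoice-agent": {"read_ledger", "draft_payment"},
    "triage-agent": {"read_tickets", "close_ticket"},
}

# Decided by the system designer, not by the agent: these tools never run
# without a human signing off on the specific call.
HIGH_STAKES = {"draft_payment", "close_ticket"}


def issue_token(agent_id, ttl_seconds=300, now=None):
    """Mint a short-lived credential bound to an agent identity.

    The token is base64(JSON claims) + "." + HMAC-SHA256 over that body,
    so both the identity and the expiry are covered by the signature."""
    now = time.time() if now is None else now
    claims = {"sub": agent_id, "iat": int(now), "exp": int(now) + ttl_seconds}
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(BROKER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token, now=None):
    """Return the agent id if the signature is valid and the token has not
    expired; return None for anything malformed, tampered or stale."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(BROKER_KEY, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        return None
    return claims["sub"]


def broker_call(token, tool, approver=None, now=None):
    """Decide whether an agent's tool call may proceed.

    approver: optional callable(agent_id, tool) -> bool standing in for a
    human reviewer. Returns a (decision, reason) pair where decision is
    "allow", "deny" or "hold" (awaiting human approval)."""
    agent_id = verify_token(token, now)
    if agent_id is None:
        return ("deny", "invalid or expired credential")
    if tool not in POLICY.get(agent_id, set()):
        return ("deny", f"{agent_id} is not permitted to call {tool}")
    if tool in HIGH_STAKES:
        if approver is None or not approver(agent_id, tool):
            return ("hold", f"{tool} requires human approval before it runs")
    return ("allow", f"{agent_id} may call {tool}")


if __name__ == "__main__":
    tok = issue_token("invoice-agent")
    for tool in ("read_ledger", "draft_payment", "read_tickets"):
        print(tool, broker_call(tok, tool))
    # A reviewer who approves this one call unblocks the high-stakes tool.
    print("draft_payment", broker_call(tok, "draft_payment",
                                       approver=lambda a, t: True))
```

Two design points carry the guidance's intent. The expiry lives inside the signed body, so an agent cannot extend its own lifetime by editing the token, and a stolen credential is only useful until `exp`. And the set of high-stakes tools is a constant the agent never sees or influences: the agent can request `draft_payment`, but the broker returns `hold` until a human approves that specific call, which keeps the decision about what needs oversight with the designer rather than the model.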
Despite the pressing need for security measures, the agencies admit that the field has yet to fully adapt to the unique risks posed by agentic AI. Certain threats associated with these systems are not adequately addressed by existing security frameworks. The document calls for increased research and collaboration in this area as the technology continues to assume more operational roles.
“Until security practices, evaluation methods, and standards mature, organizations should assume that agentic AI systems may behave unexpectedly and plan deployments accordingly, prioritizing resilience, reversibility, and risk containment over efficiency gains,” the guidance states. This proactive approach aims to mitigate the potential dangers as organizations increasingly integrate autonomous AI into their operations.