June 10, 2026

Multi Agency Guidance on Securing Agentic AI Systems


On May 1, 2026, the United States Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), along with counterpart agencies of Australia, Canada, New Zealand and the United Kingdom, jointly published guidance titled Careful Adoption of Agentic AI Services. This is the first cybersecurity guidance issued by the Five Eyes nations specifically addressing agentic AI—i.e., AI systems that use one or more “agents” powered by large language models (LLMs) that can interpret information, make decisions, and take actions on their own. The 30-page guidance identifies a broad set of security risks associated with agentic AI. To help organizations respond to these risks, it also provides over 100 recommendations for organizations that design, develop, deploy, and operate agentic AI systems, with particular attention to critical infrastructure and defense sectors.

The guidance reflects a cautious approach to agentic AI adoption, recommending that organizations treat security as a core priority and proceed incrementally, starting with clearly defined, low-risk tasks and continuously reassessing as threats evolve. The authoring agencies characterize strong governance, clear accountability, rigorous monitoring, and human oversight as “essential prerequisites.” The guidance offers a useful perspective on what the Five Eyes cybersecurity agencies consider to be priorities for the identification, assessment, and mitigation of risks specific to agentic AI. Organizations will benefit from considering these recommendations in the context of other business priorities, the pace of innovation, evolving security requirements, and their own risk tolerance.

This Legal Update summarizes the key takeaways from the guidance and outlines the key recommendations that companies may consider as they adopt agentic AI.

Agentic AI Security Considerations and Risks

The guidance describes the following set of broader security considerations inherent to agentic AI architecture.

  • Inherited risks of LLMs: Agentic AI systems are built on large language models. They accordingly inherit LLM vulnerabilities, such as prompt injection and adversarial manipulation. This means that malicious actors can target these systems using existing AI and cyber-attack vectors.
  • Increased attack surface: Agents rely on additional components such as external data sources, third-party tools, and memory systems. This widens the attack surface and exposes the system to new avenues of exploitation, including indirect prompt injection through web-connected services.
  • Increased complexity: Information flows continuously between AI and non-AI systems in agentic architectures. This blurs traditional defensive boundaries, increases the risk of cascading failures across interconnected components, and makes it difficult to isolate AI-specific threats from broader cybersecurity risks.
  • Evolving security as technology matures: As the technology matures, the security landscape will continue to shift: governance mechanisms designed for human actors may not translate effectively to autonomous agents, agents may behave unpredictably, and gaps in security tooling and standards persist.

The guidance describes how agentic AI systems may introduce or amplify security vulnerabilities. It particularly highlights five principal categories of security risk for companies to consider:

  • Privilege Risks: Granting the AI more access than necessary for its intended task, leading to scope creep and greater risk in the event of a compromise;
  • Design and Configuration Risks: Insecure design choices, such as using untested third-party software or poor segmentation, increase identity and privilege risks;
  • Behavior Risks: AI agents acting in unexpected ways, causing harm or becoming exploitable by bad actors through misleading instructions (“prompt injection”), tricking them into ignoring their constraints (“jailbreaks”), corrupting their training data (“data poisoning”), or providing deceptive inputs designed to fool them (“adversarial examples”);
  • Structural Risks: The creation of a broad attack surface given the interconnected nature of the agent’s scope of access to tools and systems; and
  • Accountability Risks: The complexity of agentic AI systems making it hard to gain the visibility needed to determine why a particular action was taken, and whether the outcome is accurate and reliable.

Recommended Best Practices for Agentic AI Security

The guidance generally recommends that organizations integrate a process to manage agentic AI risks into existing governance structures and security frameworks, applying established principles such as zero trust, defense-in-depth, and least-privilege access. The guidance emphasizes adopting agentic AI with security as a priority, carefully evaluating how it will be used, and “never granting it broad or unrestricted access, especially to sensitive data or critical systems.” The guidance recommends starting with low-risk, clearly defined tasks and planning for unexpected behavior—prioritizing resilience over efficiency. The guidance also includes an appendix detailing relatively mature cybersecurity practices that the agencies consider “prerequisites before implementation of AI agents.”

Against this backdrop, the authoring agencies provide over 100 recommended best practices for managing agentic AI security. The guidance organizes its recommendations around four lifecycle stages:

  • Designing Secure Agents: The guidance recommends that developers organize agent instructions clearly, use techniques that ground AI responses in reliable data sources, and build in checkpoints for human review to prevent agents from escalating into higher-risk activities on their own. Each agent should have its own secure, verifiable identity. A “defense-in-depth” approach using multiple overlapping security measures is recommended to avoid relying on any single safeguard.
  • Developing Secure Agents: This section of the guidance, directed at AI developers and vendors, sets out recommendations for testing, evaluation, input management, red teaming, resilience, and accountability.
  • Deploying Agents Securely: The guidance recommends implementing high-impact security controls at deployment to manage new risks and reduce vulnerabilities. These include: threat assessments using current risk frameworks; updated governance policies that define legal accountability and risk ownership; a gradual rollout; best practices for “secure by default” implementation; specified guardrails and constraints; and isolation where possible to reduce the risk of unexpected or malicious behavior from AI agents.
  • Operating Agents Securely: The guidance on operations focuses on best practices for broad monitoring and auditing, including monitoring internal processes—not just inputs and outputs—and using independent monitoring systems that can cross-validate agent reports and system logs. For high-impact actions where mistakes would be costly, the guidance recommends human review or approval checkpoints. Additionally, the recommendations note the importance of privilege and authentication. The authoring agencies recommend limiting agent access to only what is needed for each task, with temporary credentials for sensitive actions and ongoing verification that agents are who they claim to be.
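The operating-stage controls above (task-scoped privileges, a human approval checkpoint before high-impact actions, temporary credentials for sensitive actions, and a gateway-side audit trail that can be cross-checked against what the agent itself reports) can be expressed as a small tool-call gateway. This is an added illustration, not code from the guidance or any of the authoring agencies; the task policy, tool names, and 60-second credential lifetime are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field

# Constructed, hypothetical task policy (not from the guidance): an agent receives
# only the tools its current task needs, and tools marked high-impact must pass a
# human approval checkpoint before any credential is issued.
TASK_POLICY = {
    "summarize_ticket": {"tools": {"read_ticket"}, "high_impact": set()},
    "triage_ticket": {
        "tools": {"read_ticket", "comment_ticket", "close_ticket"},
        "high_impact": {"close_ticket"},
    },
}
CREDENTIAL_TTL = 60  # seconds: a temporary credential covers one sensitive action


@dataclass
class Credential:
    agent_id: str
    tool: str
    token: str
    expires_at: float

    def valid(self, now: float) -> bool:
        return now < self.expires_at


@dataclass
class AgentGateway:
    """Mediates every tool call an agent makes and keeps its own audit trail."""
    audit: list = field(default_factory=list)

    def authorize(self, agent_id, task, tool, now, approved_by=None):
        policy = TASK_POLICY.get(task)
        if policy is None or tool not in policy["tools"]:
            decision, cred = "denied: outside task scope", None
        elif tool in policy["high_impact"] and approved_by is None:
            decision, cred = "pending: human approval required", None
        else:
            decision = "allowed"
            cred = Credential(agent_id, tool, secrets.token_hex(16), now + CREDENTIAL_TTL)
        # Gateway-side record, written regardless of what the agent later reports.
        self.audit.append({"agent": agent_id, "task": task, "tool": tool,
                           "approver": approved_by, "decision": decision, "at": now})
        return decision, cred

    def cross_validate(self, agent_report):
        """Return tools the agent claims to have used that were never authorized."""
        allowed = {e["tool"] for e in self.audit if e["decision"] == "allowed"}
        return [tool for tool in agent_report if tool not in allowed]
```

Every decision is logged by the gateway rather than by the agent, so an agent report that lists a tool the gateway never allowed shows up as a discrepancy in `cross_validate`.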

Defend Against Future Risks

To address the evolving security challenges of agentic AI, the guidance recommends that organizations share threat information by collaborating with major AI developers and government agencies, developing evaluation methods specifically designed for AI agents, and using system-level analysis techniques to identify security risks across entire systems rather than individual components. The guidance acknowledges that threat intelligence for agentic AI systems is developing, and that some attack vectors or unique risks may not be fully captured by existing industry reports and frameworks.


While the guidance does not carry the force of law, it may influence emerging regulatory expectations and shape industry standards for responsible agentic AI deployment. Organizations accordingly may wish to consider the guidance’s recommendations when evaluating their own agentic AI security posture, deploying agentic AI systems, evaluating relevant legal obligations and managing risks through contract.
