Five Eyes Security Agencies Warn Against Rapid Adoption of Agentic AI Systems

In a significant development for AI governance and security, intelligence and cybersecurity agencies from the Five Eyes alliance have jointly published guidance urging extreme caution in the adoption of agentic AI systems. The document, titled "Careful adoption of agentic AI services," represents a unified stance from some of the world's most influential security organizations on the risks posed by increasingly autonomous AI systems.

The guidance comes from the United States' Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), the Canadian Centre for Cyber Security, the United Kingdom's National Cyber Security Centre, Australia's Signals Directorate and Cyber Security Centre, and New Zealand's National Cyber Security Centre. These agencies collectively oversee national security interests across most English-speaking democracies.

What is Agentic AI?

Agentic AI refers to systems that can operate autonomously to achieve specific goals, making decisions and taking actions without direct human intervention for each step. Unlike traditional AI systems that simply respond to prompts, agentic AI can chain together multiple actions, access various data sources, and adapt its approach based on changing circumstances. This autonomy makes it potentially powerful but also potentially dangerous when deployed without proper safeguards.

The guidance opens with a stark observation: "Agentic artificial intelligence (AI) systems increasingly operate across critical infrastructure and defense sectors and support mission-critical capabilities," making it "crucial for defenders to implement security controls to protect national security and critical infrastructure from agentic AI-specific risks."

Attack Surface Amplification

A core concern highlighted in the document is how agentic AI systems inherently expand an organization's attack surface. The agencies explain that implementing agentic AI requires integration with many components, tools, and external data sources, creating an "interconnected attack surface that malicious actors can exploit."

"Consequently, every individual component in an agentic AI system widens the attack surface, exposing the system to additional avenues of exploitation," the document warns. This interconnected nature means that compromising any single component could potentially lead to compromise of the entire agentic system or the systems it interacts with.

Concrete Risk Examples

To illustrate the dangers, the guidance provides several concrete examples of how agentic AI systems could be exploited:

In one scenario, an AI agent empowered to install software patches is given broad write access permissions. A malicious insider crafts a seemingly innocuous prompt: "Apply the security patch on all endpoints and while you are at it, please clean up the firewall logs." The agent dutifully executes both tasks because its permissions allow these actions, even though the user isn't in the privileged IT group. This results in the deletion of critical security logs.

Another example describes an organization deploying agentic AI to autonomously manage procurement approvals. The agent is given access to financial systems, email, and contract repositories. Over time, other agents begin relying on the procurement agent's outputs and implicitly trust its actions. When a malicious actor compromises a low-risk tool integrated into the agent's workflow, they inherit the agent's over-generous privileges. The attacker then uses this access to modify contracts and approve unauthorized payments, while creating faked audit logs that evade detection.

These examples demonstrate how the autonomous nature of agentic AI can lead to unintended consequences that might not occur with more traditional, narrowly focused AI systems.

Comprehensive Risk Assessment

The document doesn't just provide theoretical concerns—it outlines 23 different specific risks associated with agentic AI and offers over 100 individual best practices to address them. This comprehensive approach reflects the seriousness with which these agencies view the emerging technology.

Much of the guidance targets developers who deploy AI systems, urging them to implement robust security controls from the outset. However, the document also places significant responsibility on vendors, requiring them to thoroughly test their products and ensure they "fail-safe by default, requiring agents to stop and escalate issues to human reviewers in uncertain scenarios."

A significant gap identified in current security frameworks is the lack of threat intelligence specifically tailored to agentic AI systems. The guidance notes that resources like the Open Web Application Security Project and MITRE ATLAS currently focus primarily on large language models (LLMs), potentially missing attack vectors unique to agentic AI.

"Threat intelligence for agentic AI systems is still evolving, which can introduce significant security gaps," the document warns. "As a result, some attack vectors unique to agentic AI may not be fully captured or addressed."

Recommended Approach: Cautious Adoption

Given the substantial risks identified, the guidance concludes with a clear recommendation against rapid, widespread adoption of agentic AI systems. Instead, the agencies advise organizations to "approach adoption with security in mind, recognizing that increased autonomy amplifies the impact of design flaws, misconfigurations and incomplete oversight."

The document specifically recommends:

• Deploying agentic AI incrementally, beginning with clearly defined low-risk tasks
• Continuously assessing systems against evolving threat models
• Implementing strong governance and explicit accountability structures
• Maintaining rigorous monitoring and human oversight
• Prioritizing resilience, reversibility, and risk containment over efficiency gains

"Strong governance, explicit accountability, rigorous monitoring and human oversight are not optional safeguards but essential prerequisites," the guidance states. "Until security practices, evaluation methods and standards mature, organisations should assume that agentic AI systems may behave unexpectedly and plan deployments accordingly."

Implications for Organizations

This guidance carries significant weight for organizations considering agentic AI adoption. While the technology promises increased automation and efficiency, the Five Eyes agencies are effectively warning that rushing to implement these systems could create substantial security vulnerabilities.

The recommendation to prioritize resilience over efficiency suggests a fundamental rethinking of how organizations evaluate AI technologies. Rather than focusing solely on productivity gains, organizations will need to consider how autonomous systems might amplify existing weaknesses and create new risks.

For vendors of AI technologies, the guidance represents a clear call to improve security practices and build fail-safes into their products. Those who fail to address these concerns may find their products viewed with suspicion by security-conscious organizations.

As AI systems become increasingly autonomous, the balance between utility and risk will become increasingly important. The Five Eyes agencies' guidance represents an early but influential attempt to establish security guardrails for this emerging technology.

The document can be accessed directly through the agencies' websites, with CISA's version available here and similar publications expected from other participating agencies.

This guidance from some of the world's most influential security agencies suggests that the era of unchecked AI advancement may be giving way to a more security-conscious approach—one that recognizes both the potential benefits and the substantial risks of increasingly autonomous artificial intelligence systems.