Peremptory

Originally published at peremptory.ai

Five Eyes to Agentic AI: Assume It Will Misbehave

The most honest thing a government agency can say about a technology it's regulating is: we don't fully understand it yet either. The Five Eyes did that on May 1st.

CISA, the NSA, and their counterparts in the UK, Canada, Australia, and New Zealand published a 30-page joint document called "Careful Adoption of Agentic AI Services." It is the first coordinated policy these agencies have ever produced that targets agentic AI specifically, and the third in an evolving series of Five Eyes security guides on AI going back to 2023. The series has been getting progressively more alarmed, and this one opens with a line worth reading slowly: organizations should assume that agentic AI systems may behave unexpectedly until security practices, evaluation methods, and standards mature.

Not might behave unexpectedly. Will.

That framing matters. The agencies are not warning about some future risk on the horizon. They are describing the current state of deployments in critical infrastructure and defense sectors. Agents that can plan, call APIs, modify files, and chain actions across systems are already running inside organizations with, per the guidance, vastly more access than anyone can safely monitor or control. The document names five risk categories: privilege, design and configuration, behavioral drift, structural risk from interconnected agent networks, and accountability. That last one is the quiet killer. When an autonomous system causes harm, who is responsible? The guidance identifies accountability as a risk category without resolving it, because nobody has.

What I find most interesting is a small admission buried in the document: existing threat catalogues like MITRE ATLAS and OWASP currently focus on standalone LLMs rather than on autonomous multi-step systems acting on a user's behalf. The agencies are aware their own evaluation frameworks are chasing a moving target. They say this explicitly. They also note that current security evaluation methods for agentic AI may be sensitive to minor semantic changes and only partially capture real-world deployment conditions.

That is a government security alliance publicly confessing that the gap between the threat they're describing and the tools they have to assess it is real and material. From where I sit, that kind of admission is more useful than a framework that pretends to be complete. It tells practitioners something honest about where the actual frontier is.

The practical recommendations are grounded: treat every agent like a zero-trust endpoint, give it a cryptographically verifiable identity, use short-lived credentials, encrypt all inter-agent traffic, and build for reversibility rather than efficiency. The agencies explicitly call out the "just for the PoC" shortcut of handing an agent admin credentials as a named failure mode.
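To make those recommendations concrete, here is an added illustration (my own code, not from the post or from the Five Eyes document) of a tool gateway that sits between an agent and the systems it acts on. It gives each agent a verifiable identity and a short-lived credential with an explicit tool scope, denies every tool call that falls outside that scope, and journals a compensating action for every write so the agent's work can be rolled back when it misbehaves. The HMAC-signed credential, the in-memory file store and all names (`issue_credential`, `ToolGateway`, `billing-agent`) are assumptions made for the example; a production gateway would bind identity with asymmetric keys or mTLS rather than a shared secret.

```python
"""Added example (not from the post or the Five Eyes guidance): a minimal agent
tool gateway with verifiable identity, short-lived scoped credentials,
deny-by-default tool access, and rollback via a compensating-action journal.

Assumptions: an in-memory dict stands in for the system the agent modifies;
HMAC with a gateway secret stands in for a real PKI/mTLS identity. All names
are hypothetical."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"gateway-signing-key (constructed for the example)"


def issue_credential(agent_id: str, tools: list, ttl_seconds: int, now=None) -> str:
    """Mint a short-lived credential bound to one agent identity and an explicit tool scope."""
    now = time.time() if now is None else now
    claims = {"agent": agent_id, "tools": sorted(tools), "exp": now + ttl_seconds}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_credential(token: str, now=None) -> dict:
    """Return the claims if the signature is valid and the credential is unexpired; raise otherwise."""
    now = time.time() if now is None else now
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("credential signature invalid")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        raise PermissionError("credential expired")
    return claims


class ToolGateway:
    """Every tool call passes through here; the agent never holds the underlying access."""

    def __init__(self):
        self.files = {}     # the "system" the agent is allowed to modify
        self.journal = []   # (agent_id, compensating action) for each reversible call
        self.audit = []     # one line per decision, for detection and review

    def call(self, token: str, tool: str, now=None, **args):
        claims = verify_credential(token, now)
        agent = claims["agent"]
        if tool not in claims["tools"]:  # deny by default, even with a valid credential
            self.audit.append(f"DENY {agent} {tool}")
            raise PermissionError(f"{agent} is not scoped for {tool}")
        handler = getattr(self, f"_tool_{tool}", None)
        if handler is None:
            raise LookupError(f"no such tool: {tool}")
        self.audit.append(f"ALLOW {agent} {tool} {args}")
        return handler(agent, **args)

    def _tool_write_file(self, agent: str, path: str, content: str):
        # Record the inverse before mutating, so the action can be undone later.
        self.journal.append((agent, {"path": path, "before": self.files.get(path)}))
        self.files[path] = content
        return len(self.journal)

    def _tool_read_file(self, agent: str, path: str):
        return self.files.get(path)

    def rollback(self, agent_id: str) -> int:
        """Containment: undo everything this agent did, newest first; return the count."""
        undone = 0
        for actor, inverse in reversed(self.journal):
            if actor != agent_id:
                continue
            if inverse["before"] is None:
                self.files.pop(inverse["path"], None)
            else:
                self.files[inverse["path"]] = inverse["before"]
            undone += 1
        self.journal = [e for e in self.journal if e[0] != agent_id]
        self.audit.append(f"ROLLBACK {agent_id} {undone}")
        return undone


def demo() -> dict:
    """Constructed scenario: a scoped agent writes, is denied out-of-scope, expires, and is rolled back."""
    gw = ToolGateway()
    gw.files["config.yaml"] = "mode: safe\n"
    t0 = 1_000_000.0
    cred = issue_credential("billing-agent", ["read_file", "write_file"], ttl_seconds=300, now=t0)
    gw.call(cred, "write_file", now=t0 + 1, path="config.yaml", content="mode: yolo\n")
    gw.call(cred, "write_file", now=t0 + 2, path="notes.txt", content="scratch")
    denied = expired = False
    try:  # send_email is not in the credential's scope
        gw.call(cred, "send_email", now=t0 + 3, to="cfo@example.com", body="hi")
    except PermissionError:
        denied = True
    try:  # the credential has lived past its 300-second TTL
        gw.call(cred, "read_file", now=t0 + 301, path="config.yaml")
    except PermissionError:
        expired = True
    undone = gw.rollback("billing-agent")
    return {"denied": denied, "expired": expired, "undone": undone,
            "config": gw.files.get("config.yaml"), "notes": gw.files.get("notes.txt")}


if __name__ == "__main__":
    print(demo())
```

The design point is that the agent never receives the underlying access, only a credential that names what it may do and for how long; the gateway, not the model, decides each call, and the journal makes "contain it fast" an operation rather than an aspiration.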

The guidance is voluntary, and aimed first at government and critical infrastructure. But Forrester has already started framing it as a procurement baseline for enterprises evaluating agentic vendors. The DoD has signaled it plans to draw mandatory AI cybersecurity requirements from reference documents like this one. Whether or not a given organization is in a regulated sector, this document is becoming the floor.

One more thing to sit with: this is a document published by intelligence and security agencies who spend considerable time thinking about how adversaries use the same tools the rest of us are deploying. The guidance specifically warns that the attack surface widens with every individual component added to an agentic system. An agent granted access to financial systems, email, and contract repositories is not an AI assistant. It is a very large key ring with a reasoning engine attached.

The agencies are telling you the lock hasn't been tested properly. That's not a reason to stop. It is a reason to build so that when the agent does something unexpected, you can contain it fast.
