Five Eyes Agentic AI Guidance Is a Procurement Document in Security Clothing


When CISA, the NSA, and their counterparts in the UK, Australia, Canada, and New Zealand published "Careful Adoption of Agentic AI Services" on May 1, engineers looking for a policy announcement got something more operationally specific: a 30-page document that reads less like regulatory guidance and more like a structured indictment of how agentic AI's already being deployed.

The framing in the document's opening lines is worth reading precisely.

The guidance focuses on agentic AI software built on large language models that can autonomously plan, make decisions, and take actions. It doesn't hedge that description with qualifiers like "as these systems mature" or "if widely adopted." The agencies are characterizing systems already operating inside critical infrastructure and defense sectors, and they say so directly.

The document opens with the observation that agentic AI systems "increasingly operate across critical infrastructure and defense sectors," making it "crucial for defenders to implement security controls to protect national security and critical infrastructure from agentic AI-specific risks."

That alone tells you that this isn't a prospective brief or a forward-looking document. It's a response to current conditions.

Why does agentic AI security need its own guidance?

Agentic AI security covers AI systems that go beyond text generation: they plan, execute multi-step tasks, call external tools, and take real-world actions with limited human oversight at each step.

Traditional application security assumes deterministic behavior: the same input produces the same output. Agentic systems break that assumption, because an agent's behavior depends on its prompt, the context it retrieves, the tools available to it, and the reasoning path it takes in the moment. That non-determinism makes conventional testing, logging, and access control models insufficient on their own.

The CISA guidance is the first time all five nations of the Five Eyes intelligence-sharing alliance have issued coordinated policy on a single AI attack surface. It follows a period in which agentic systems have moved from experimental pilots into production environments faster than security frameworks could track them.

What's notable is that the agencies aren't proposing a new security discipline. Their central message is that organizations should fold agentic AI into the cybersecurity frameworks and governance structures they already maintain, applying established principles such as zero trust, defense-in-depth, and least-privilege access.

Five risk categories. Two matter most right now.

The guidance identifies five risk categories: privilege escalation, design and configuration flaws, behavioral unpredictability, structural cascade failures across multi-agent systems, and accountability gaps in audit logging. All five are real. Two of them represent the most acute gaps in current vendor documentation.

On audit logging, the problem isn't that engineers don't want this data. It's that most agentic systems weren't designed to produce it in a usable form. Research into enterprise deployments finds that only 21.9% of teams treat AI agents as independent, identity-bearing entities with their own access scopes and audit trails. The rest rely on shared service accounts or shared API keys, which means attribution breaks before forensics can even begin.

When an agent creates and instructs another agent, which 25.5% of deployed agents can do, the chain of command quickly becomes unauditable. The CISA document flags this explicitly: when agentic systems fail, the consequences can include altered files, changed access controls, and deleted audit trails. That last item's particularly significant. An agent that can modify access controls can, by extension, cover its tracks.

The cascade failure category is equally underspecified in vendor documentation. Post-incident analysis of 2025 and 2026 agent-involved breaches found that 78% of agents had significantly broader permission scopes than their function required, typically because teams over-provision under delivery pressure and intend to tighten permissions later.

In a single-agent deployment, that's a misconfiguration. In a multi-agent pipeline, it's a structural vulnerability. A compromised scheduling agent that escalates a forged request to a downstream clinical agent, which trusts the delegated authority, produces a data exfiltration chain with no single security alert firing.

The guidance calls this structural risk, but the more precise description is emergent risk: failure modes that don't exist in any individual agent but appear only when agents interact.

The Prompt Injection Problem Isn't Solved

The document pays significant attention to prompt injection in agentic workflows, and the agencies are candid about why existing frameworks don't cover it adequately.

NIST's AI Agent Standards Initiative acknowledges that the risk contextualization machinery of the AI Risk Management Framework (RMF) currently stops at the model boundary. Organizations using the RMF to govern agentic deployments therefore can't rely on it alone to reason about what happens when an agent with code execution capability encounters a prompt injection attack delivered through a tool output.

This gap has documented consequences. In April 2026, researchers disclosed that a single malicious payload written into a GitHub pull request title could trigger simultaneous failures across three major AI coding agents, including Claude Code Security Review, Google's Gemini CLI Action, and GitHub's Copilot Coding Agent.

GitGuardian's 2026 State of Secrets Sprawl report found over 24,000 unique secrets exposed in MCP configuration files on public GitHub repositories, including more than 2,100 confirmed valid credentials. None of those exposures required a sophisticated attacker. They required an agentic system with write access to secrets, no runtime policy enforcement, and a slightly malicious input.

Observability vendors can tell you what an agent did after the fact, but none of them intercept an input before the model processes it. Logging is a forensics tool. The agencies are right that it's a prerequisite, but it doesn't constrain behavior.

What the guidance actually tells engineers to do

The guidance's operational recommendations center on three principles: assume unexpected behavior, deploy incrementally beginning with low-risk tasks, and treat resilience and reversibility as primary design constraints rather than efficiency gains.

The document is direct that "strong governance, explicit accountability, rigorous monitoring and human oversight are not optional safeguards but essential prerequisites."

For teams building or procuring these systems, the five risk categories map to a design checklist that's more specific than most vendor documentation currently provides.

The guidance recommends that each agent carry a cryptographically verified identity, use short-lived credentials, encrypt all agent-to-agent communications, and require human approval for high-impact actions. It's explicit that deciding which actions require human sign-off is the responsibility of system designers, not something to be delegated to the agent.
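As an added illustration (not code from the guidance or from any vendor), here is a minimal Python control plane that applies that checklist to the scheduling-to-clinical delegation scenario described earlier: each agent gets its own short-lived signed credential, a delegated token can only narrow the parent's scope, high-impact actions are gated on a recorded human approval, and every tool call lands in an audit log attributed to a verified agent identity. The HMAC signing scheme, the agent and action names, and the 300-second TTL are assumptions made for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values; a real control plane would keep the key in a KMS/HSM.
SIGNING_KEY = b"constructed-control-plane-key"
HIGH_IMPACT = {"modify_acl", "delete_audit_log", "export_records"}  # need human sign-off
TOKEN_TTL = 300          # seconds: credentials are short-lived by default
AUDIT_LOG = []           # append-only record, one entry per tool call

def _sign(raw: bytes) -> str:
    return hmac.new(SIGNING_KEY, raw, hashlib.sha256).hexdigest()

def issue_token(agent_id, scope, parent=None, now=None):
    """Mint a short-lived credential bound to one agent identity.
    A token delegated by another agent may only narrow the parent's scope."""
    now = time.time() if now is None else now
    parent_id = None
    if parent is not None:
        p = verify_token(parent, now)            # verify the delegator, never trust its claim
        if not set(scope) <= set(p["scope"]):
            raise PermissionError("delegation may not widen scope")
        parent_id = p["agent"]
    body = {"agent": agent_id, "scope": sorted(scope), "exp": now + TOKEN_TTL,
            "parent": parent_id}
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": base64.b64encode(raw).decode(), "sig": _sign(raw)}

def verify_token(token, now=None):
    """Check signature and expiry; return the bound identity and scope."""
    raw = base64.b64decode(token["body"])
    if not hmac.compare_digest(_sign(raw), token["sig"]):
        raise PermissionError("bad signature")
    body = json.loads(raw)
    if (time.time() if now is None else now) >= body["exp"]:
        raise PermissionError("token expired")
    return body

def execute(token, action, approved_by=None, now=None):
    """Tool gateway: attribute the call to a verified identity, enforce scope,
    and gate high-impact actions on a recorded human approval."""
    body = verify_token(token, now)
    if action not in body["scope"]:
        raise PermissionError(f"{body['agent']} is not scoped for {action}")
    if action in HIGH_IMPACT and approved_by is None:
        raise PermissionError(f"{action} requires human approval")
    AUDIT_LOG.append({"agent": body["agent"], "delegated_by": body["parent"],
                      "action": action, "approved_by": approved_by})
    return AUDIT_LOG[-1]
```

Every audit entry names the agent that acted and the agent that delegated to it, so the chain of command in a multi-agent pipeline stays reconstructible after the fact.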

The agencies acknowledge that existing evaluation methods for agentic AI security are still evolving, may be sensitive to minor semantic changes, and only partially capture real-world deployment conditions, which is a candid admission that even this guidance has inherent limits.

Frameworks like Forrester's AEGIS and OWASP's Top 10 for Agentic Applications, published in December 2025, exist specifically to fill those gaps with mapped, auditable controls.

Why the Five Eyes imprimatur changes the procurement calculus

The guidance carries weight beyond its technical content because of who signed it. The co-authoring bodies represent all five nations of the Five Eyes intelligence-sharing alliance, with the United States contributing two agencies. That joint imprimatur signals that agentic AI security has crossed the threshold from emerging concern to active policy priority, a designation with practical downstream effects for anyone selling into government or regulated markets.

Enterprise security questionnaires in 2026 increasingly ask how AI agents are identified, scoped, and audited. Vendors that can demonstrate per-agent identity, just-in-time credentials, and OWASP-aligned controls move through procurement faster.

Weak agent governance now blocks deals the way missing SOC 2 reports did three years ago. The Five Eyes document gives security and procurement teams explicit language to use in RFPs, and it gives vendors a compliance target to build toward. Any vendor selling into federal contracting or regulated industries who can't answer questions about privilege scoping, agent identity management, audit log architecture, and cascade isolation will find those gaps increasingly disqualifying.

As happened with the Australian Cyber Security Centre's Essential Eight requirements, broad adoption by public and private organizations beyond critical infrastructure is expected.

The guidance didn't create these requirements. It formalized them, gave them a Five Eyes signature, and handed procurement teams a checklist they'll use whether vendors are ready or not.