
US & Australia Release Agentic AI Security Guidance


Last Updated on May 3, 2026 by Arnav Sharma

On May 1st 2026, six cybersecurity agencies from across the Five Eyes alliance published joint guidance that every security team should have on their desk by Monday morning. The document, titled “Careful Adoption of Agentic AI Services,” comes from CISA, the NSA, Australia’s ASD ACSC, the Canadian Centre for Cyber Security, New Zealand’s NCSC, and the UK’s NCSC.

That’s a lot of acronyms. But the message behind them is simple: agentic AI systems are already running inside critical infrastructure, and most organisations have given them far more access than anyone can safely watch.

What Makes Agentic AI Different (and Why This Guidance Matters Now)

Most people still think of AI as a chatbot. You type a question, you get an answer, end of story. Agentic AI works nothing like that.

An agentic AI system can plan tasks, make decisions, call APIs, query databases, send emails, modify files, and chain together multi-step actions on its own. Think of it less like a chatbot and more like a junior employee with access to every system in your environment, except this employee never sleeps, never questions an instruction, and processes thousands of requests an hour.

Microsoft 365 Copilot can already draft emails, update CRM records, and compile reports. GitHub Copilot Workspace plans and implements code changes across entire repos. Salesforce Agentforce, ServiceNow AI agents, and dozens of other platforms have shipped agentic features that may already be running in your environment. Sometimes without IT even knowing about it.

That gap between capability and governance is exactly what this guidance targets.

The Five Risk Categories

The authoring agencies break down agentic AI risk into five categories. None of them are theoretical.

1. Privilege Risks

When you give an AI agent broad access to systems, a single compromise can cause damage way beyond what a typical software bug would allow. The guidance is blunt here: avoid granting broad or unrestricted access, especially to sensitive data or systems that matter. I’ve seen organisations hand admin-level credentials to AI services because it was the fastest way to get a proof of concept running. That shortcut becomes a liability when prompt injection enters the picture.

2. Design and Configuration Risks

Poor setup creates security gaps before the agent even goes live. Weak architecture, sloppy third-party integrations, and misconfigured permissions all fall into this bucket. If your deployment model involves copying API keys into environment variables and hoping for the best, this section is talking to you.

3. Behavioural Risks

This category covers an agent that pursues a goal in ways its designers never predicted. Goal misalignment and deceptive outputs sit here. The agencies warn that agents can take actions nobody anticipated, and those actions can have real consequences: modified files, changed access controls, deleted audit trails.

4. Structural Risks

Interconnected networks of agents can trigger failures that cascade across systems. This is lateral movement, but for AI infrastructure. Compromise one sub-agent in a multi-agent architecture, and you potentially have a foothold into the orchestrator. Compromise the orchestrator, and you’ve hijacked everything it controls. Most organisations have zero visibility into what happens between agents.

5. Accountability Risks

Agentic systems make decisions through processes that are hard to inspect. The logs they generate are hard to parse. When something goes wrong, tracing the root cause is a nightmare. The agencies point out that this isn’t just a technical inconvenience; it’s an operational liability.

Prompt Injection: Still the Biggest Headache

The guidance calls prompt injection the most persistent and difficult-to-fix threat facing agentic systems. And they’re right.

Here’s how it works in practice. An attacker embeds hidden instructions inside a document, email, or web page. When the AI agent processes that content, those instructions hijack its behaviour. The agent thinks it’s following legitimate orders. It might forward sensitive documents, exfiltrate data, or delete calendar entries, all while operating with the user’s own privileges.

This isn’t hypothetical. OpenAI themselves published guidance earlier this year admitting that prompt injection remains a core challenge. Some companies have gone further, saying the problem may never be fully solved because it’s baked into how language models process input. They can’t reliably tell the difference between instructions and data.

Simon Willison’s “Lethal Trifecta” framing still applies: if your agent has access to private data, processes untrusted input, and can make external requests, it’s vulnerable.

Why Australia’s Involvement Matters

Australia’s ASD ACSC co-authored this document, and that matters for a few reasons beyond diplomatic box-ticking.

Australia has spent the last several years building out one of the more aggressive national cybersecurity postures in the Five Eyes. The 2023-2030 Australian Cyber Security Strategy set a clear direction, and ASD has been shipping operational guidance at a pace that would surprise people who only watch US policy. Their involvement here signals that agentic AI risk is being taken seriously at the national security level, not just treated as a tech industry problem.

For organisations that operate across borders, especially those doing business in APAC, the cross-jurisdictional authorship carries weight. When CISA, the NSA, and ASD ACSC all put their names on the same document, it gives security teams a much stronger case for budget and policy changes. It’s no longer just one country’s recommendation.

How This Compares to Existing AI Policies

The guidance explicitly says that agentic AI does not require an entirely new security discipline. Instead, the agencies recommend folding these systems into existing frameworks and governance structures, applying established principles like zero trust, defence-in-depth, and least-privilege access.

That’s the right call. The NIST AI Risk Management Framework (AI RMF) already covers a lot of the governance and risk assessment ground. The OWASP Top 10 for Agentic Applications, released in December 2025 with input from over 100 security researchers, maps ten risk categories from agent goal hijacking through to rogue agents. The Five Eyes guidance sits alongside these, not in competition with them.

Where the new guidance adds value is in the specifics around identity, credential management, and human approval workflows. It pushes hard on cryptographically secured agent identities, short-lived credentials, and encrypted communications between agents. These aren’t abstract principles; they’re actionable controls.

One line from the guidance stands out and deserves quoting: the agencies say that until security practices and standards mature, organisations should assume agentic AI systems may behave unexpectedly and plan deployments accordingly, prioritising resilience, reversibility, and risk containment over efficiency gains.

A Practical Checklist for Deploying AI Agents Safely

Based on the guidance and what I’ve seen work in practice, here’s a deployment checklist worth printing out:

Before you deploy:

  • Map every system the agent will interact with, including APIs, databases, file stores, and communication channels
  • Define exactly which actions the agent can take and document the ones that require human sign-off
  • Start with low-risk, non-sensitive use cases and expand from there
  • Run a threat model that includes prompt injection scenarios

Identity and access:

  • Give each agent its own cryptographically verified identity, separate from user accounts
  • Use short-lived credentials, not persistent API keys
  • Scope permissions to the minimum needed for each specific task
  • Encrypt all agent-to-agent and agent-to-service communication

Monitoring and oversight:

  • Log every action the agent takes, not just failures
  • Set up alerts for guardrail triggers and unexpected behaviour patterns
  • Build rollback capability into every workflow the agent touches
  • Schedule regular third-party reviews of privileged agent architectures

Ongoing governance:

  • Treat agent deployments as part of your existing security model, not as a separate programme
  • Update vendor questionnaires and procurement terms to include agentic AI risk categories
  • Run red-team exercises that include agent compromise scenarios
  • Review permissions quarterly and revoke anything that has crept beyond what’s needed
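The identity, access and monitoring items above, together with the lethal trifecta rule from the prompt injection section, can be enforced at one choke point: every tool call the agent attempts passes through a gate that checks a scoped, short-lived agent credential, holds flagged actions for human sign-off, and records every decision. The following is an added example written for this post, not code from the guidance or any vendor; the tool names, capability tags and credential shape are assumptions.

```python
# Added example, not from the guidance or the article; tool names and capability tags are assumed.
from dataclasses import dataclass
import time

# The three legs of the "lethal trifecta" as capability tags (assumed names).
PRIVATE_DATA, UNTRUSTED_INPUT, EXTERNAL_SEND = "private_data", "untrusted_input", "external_send"
TRIFECTA = frozenset({PRIVATE_DATA, UNTRUSTED_INPUT, EXTERNAL_SEND})

@dataclass(frozen=True)
class Tool:
    name: str
    capabilities: frozenset
    needs_human_approval: bool = False  # checklist: actions that require sign-off

@dataclass(frozen=True)
class AgentCredential:
    agent_id: str             # the agent's own identity, not a user account
    allowed_tools: frozenset  # scoped to the task, not the whole catalog
    expires_at: float         # unix time; short-lived, unlike a persistent API key

def has_lethal_trifecta(tools):
    """True when the given tools together cover all three trifecta legs."""
    granted = frozenset().union(*(t.capabilities for t in tools))
    return TRIFECTA <= granted

class ToolGate:
    """Mediates every tool call an agent attempts and records the outcome."""
    def __init__(self, catalog, cred, now=time.time):
        self.catalog = {t.name: t for t in catalog}
        self.cred, self.now, self.audit_log = cred, now, []

    def granted_tools(self):
        return [t for n, t in self.catalog.items() if n in self.cred.allowed_tools]

    def call(self, tool_name, approved_by=None):
        tool = self.catalog.get(tool_name)
        if tool is None:
            decision = "deny:unknown_tool"
        elif self.now() >= self.cred.expires_at:
            decision = "deny:credential_expired"
        elif tool_name not in self.cred.allowed_tools:
            decision = "deny:out_of_scope"
        elif tool.needs_human_approval and approved_by is None:
            decision = "hold:human_approval_required"
        else:
            decision = "allow"
        # Record every decision, not just failures (checklist: monitoring and oversight).
        self.audit_log.append({"agent": self.cred.agent_id, "tool": tool_name,
                               "decision": decision, "approved_by": approved_by})
        return decision
```

Running `has_lethal_trifecta` over `granted_tools()` rather than the whole catalog shows whether a particular credential, not the platform in general, completes the trifecta.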

Arnav Sharma, Microsoft MVP · MCT
Microsoft Certified Trainer · Cloud · Cybersecurity · AI

I help organisations secure their cloud infrastructure and stay ahead of evolving cyber threats. Microsoft MVP and Certified Trainer, author of Mastering Azure Security, and founder of arnav.au — a platform for practical Cloud, Cybersecurity, DevOps and AI content.
