Agentic AI offers process automation and optimization but at the same time, hasty deployments expose organizations to attacks. The Five-Eyes recommendations on securing Agentic AI services provide a foundation for implementing appropriate security controls, governance, and monitoring.
Agentic AI systems are composed of one or more agents and in certain cases are capable of autonomously creating, or ‘spawning’, sub-agents to perform specific sub-tasks to achieve a goal. An agent maintains several operational attributes including measurable goals, actions (privileged/unprivileged), tool execution, service invocation and metrics to evaluate operational effectiveness and improve efficiency.
The reliance and interconnectivity of the various components (i.e., tools, external data sources, service APIs) amplifies the attack surface and subsequently the organization’s exposure to potential compromise. Furthermore, the interconnectivity and access to the various components that support planning, reasoning, execution etc., amplify the complexity of agentic AI systems, which consequently introduces new systemic risks, including cascading failures and propagating attacks. As a result, securing agentic AI systems is proven to be more challenging than traditional systems.
The Risks
The Five-Eyes report emphasizes that organizations should employ a holistic cyber-deterrence approach (not a stand-alone discipline) including, strengthening both the underlying infrastructure security controls and AI-specific security practices, including threat modeling, adversarial testing, governance, continuous monitoring and resilient design principles to manage these emerging risks.
The guidance groups key risks into privilege, design and configuration, behavior, structural, and accountability risks, and specifically:
- Privilege risks: poor agent workflow security (e.g., excessive or poorly managed permissions) can amplify exposure. The guidance stresses least privilege and warns about privilege compromise and scope creep, identity spoofing, and agent impersonation. It describes how a confused deputy pattern can occur when a trusted, over-privileged agent is manipulated to perform actions a lower-privileged user could not perform directly.
- Design and configuration risks: where insecure provisioning decisions (including unvetted third-party components), static or cached authorization decisions, incomplete allow lists, and weak segmentation can enable unauthorized actions and lateral movement across agents and environments.
- Behaviour risks: Agents can misinterpret intent, optimize for the wrong objective (specification gaming), act deceptively, develop emergent capabilities, or be manipulated through prompt injection/jailbreaks, data poisoning, adversarial inputs, or other attacks into taking harmful actions. The example provided in the report describes a malicious insider who crafts a seemingly innocuous prompt: ‘Apply the security patch on all endpoints and while you are at it, please clean up the firewall logs’. The agent dutifully executes both the required maintenance and the deletion of the firewall logs because its permissions allow this action even though the prompt originated from an unprivileged user outside the IT group.
- Structural risks: The interconnected structure between agents, tools, and external systems can introduce resource exhaustion and service disruption conditions (including sponge-style attacks), propagate hallucinations to downstream components, and introduce tool risks (including two-way tool integrations that can inject instructions back into the agent). Furthermore, in multi-agent systems, a single compromised agent can cause cascading failures and introduce vulnerabilities that expose data (i.e., unprotected communication protocols) or allow unauthorized access. Lastly, third-party tool/agent risks include tool squatting (e.g., rogue-agent or malicious tool) and supply chain issues.
- Accountability risks: Distributed decision chains, opacity in agent reasoning, and the difficulty of comprehensive logging make it harder to reproduce outcomes, explain actions, assign responsibility, and maintain visibility. The guidance also underlines accuracy risks (including hallucinations) and visibility gaps when tools operate outside monitoring boundaries.
Recommendations
Securing agentic AI systems requires a layered symmetric-defense approach with proactive measures to address risks introduced by agentic AI system autonomy, interconnected components and evolving capabilities. To mitigate risks during the design, development, implementation and operation of agentic AI systems, the Five-Eyes guidance recommend the following:
- Designing secure agents: Recommendations include controlling what enters the agent’s context window, building oversight into workflows, implementing strong identity mechanisms, and applying defense in depth. Suggested practices include structuring prompts with a clear instruction hierarchy; grounding outputs (for example through retrieval-augmented generation and prompt engineering) to reduce hallucinations; embedding human control points (monitoring, interruption, approvals, auditing, reversibility); defining explicit control flows that bound autonomous planning; constructing each agent as a distinct principal with its own cryptographic identity and maintaining a trusted registry of authorized agents; and separating agents by function with strict boundaries at handoffs.
- Developing secure agents: The guidance emphasizes testing and evaluation approaches that go beyond standard LLM practices. Recommended practices include adversarial testing and reward modelling that explicitly incorporates security constraints; training agents in simulated environments; generating synthetic adversarial data and using active learning to surface high-uncertainty cases; defining evaluation scenarios using relevant threat models and exercising different autonomy levels and environmental conditions; robust input validation and sanitization (including prompt injection filtering and semantic analysis); red teaming (including multi-agent simulation and chaos testing); resilience engineering (fail-safe defaults, containment to limit blast radius, rollback/versioning); and accountability artefacts such as unified audit logs for inter-agent interactions and mechanisms that show where key information in outputs originated.
- Deploying agents securely: The guidance recommends threat modelling using up-to-date taxonomies for agentic AI, harmonizing controls with existing frameworks (including common Zero Trust principles), and preparing incident response procedures for agent compromise. It also recommends governance updates for autonomous systems, including runtime authentication with centralized policy decision points for each action. Deployment should be progressive: start with restricted access and autonomy, use graduated autonomy to build understanding, and use continuous evaluation to decide when to expand scope or roll back. Additional deployment practices include secure-by-default configurations (fail-safe escalation on uncertainty), guardrails and non-overridable constraints (deny lists, API-level safety policies, layered guardrails, secondary validation agents), and isolation/segmentation to limit blast radius (including separating high-risk agents and isolating agents so they cannot write to logs).
- Operating agents securely: The guidance stresses continuous monitoring and auditing of agent operations (including internal processes, not only inputs and outputs), with attention to identity/privilege drift, anomalous behavior, tool invocation, memory interactions, decisions, and actions. It also recommends runtime anomaly detection and cross-validation using multiple independent monitoring systems, monitoring for goal drift, integrating source checks into logs, and combining human review with automated log analysis while using storage-efficient logging to manage volume. Operators should validate critical outputs against multiple sources, validate tool responses, and standardize tool descriptions to avoid persuasive language. Human-in-the-loop controls should be determined by designers/operators (not the agent), with approval checkpoints for high-impact or hard-to-reverse actions and quarantine for requests to delete logs or audit records. Ongoing privilege management should include just-in-time credentials for privileged actions, fresh cryptographic proofs before privileged calls, cryptographic signing and integrity checks for authorized commands and constraints, and (where implemented) cryptographic attestation to prove agents are running expected code.
The guidance highlights that agentic AI security is still evolving and recommends expanding threat intelligence through collaboration, developing robust agent-specific evaluation methods and benchmark datasets, and leveraging system-theoretic approaches such as System Theoretic Process Analysis (STPA) and its security extension, STPA-Sec to identify security issues, assess mission risk and inform potential mitigations, and leverage Causal Analysis using System Theory (CAST) to investigate security incidents and identify underlying root causes at the system level.
In summary, it is evident that Agentic AI can provide powerful automation benefits, but autonomy across interconnected tools, data, and environments introduces risks that can compound with grave dividends. The guidance recommends incremental adoption that begins with clearly defined, low-risk tasks, enforcing strict least-privilege access, defining explicit governance and accountability, conducting rigorous validation and monitoring, and integrating human oversight for high-impact actions. Until practices, evaluation methods, and standards mature, organizations should assume that agentic systems may behave unexpectedly and prioritize resilience, reversibility, and risk containment over efficiency gains.