The Five Eyes intelligence alliance — the United States, Australia, United Kingdom, Canada, and New Zealand — published their first joint guidance document on agentic AI on May 1, 2026. Titled “Careful Adoption of Agentic AI Services,” the guidance is co-authored by CISA, the NSA, Australia’s ASD ACSC, the Canadian Centre for Cyber Security, New Zealand’s NCSC, and the UK’s NCSC.
This is not a general AI ethics statement. It is operational security guidance aimed at organisations that are actively deploying, or about to deploy, AI systems that can take real actions: sending emails, modifying files, calling APIs, provisioning access, and chaining those actions together without a human approving each step.
Why This Guidance Exists Now
The timing reflects a shift in enterprise AI that has happened faster than most security frameworks expected. A year ago, most enterprise AI systems answered questions. Today, platforms like Microsoft 365 Copilot, GitHub Copilot Workspace, Salesforce Agentforce, and ServiceNow’s newly launched AI specialists can plan and execute multi-step tasks autonomously.
That is a different threat surface. A chatbot that answers incorrectly is a nuisance. An agent that provisions the wrong access, exfiltrates data it was given permission to query, or gets hijacked mid-task by a malicious instruction buried in a web page is a security incident.
The Five Eyes agencies identified four primary risk categories that every enterprise deploying AI agents should understand.
The Four Core Risks
Expanded attack surface. Every tool an AI agent can call, every database it can query, and every API it can reach is a potential entry point. As AI agents get connected to more enterprise systems to make them more useful, the number of systems exposed to a potential compromise grows with them. The agent is not just a user. It is a user with programmatic access to multiple systems simultaneously.
Privilege creep. This is the pattern where an AI agent accumulates permissions over time that were never explicitly granted for its current tasks. The guidance flags this as a specific risk because the access an agent needs to do one task may get carried forward to unrelated tasks, without any human noticing the scope has expanded.
Behavioral misalignment. AI agents do not always do what they were instructed to do at implementation time. Models change, context shifts, and the system can drift toward behaviour that seems locally correct at each decision step but produces an outcome no one intended. The guidance describes this as a distinct risk category from explicit attacks — the agent is not compromised, it just behaved differently than expected.
Obscure event records. Traditional security monitoring assumes humans generate logs. When agents take actions across multiple systems at machine speed, the audit trail becomes harder to construct and interpret. The guidance specifically warns that event records can become difficult to correlate across the systems an agent touches.
A fifth risk, indirect prompt injection, is increasingly discussed alongside these four. This is the attack where malicious instructions are embedded in content the agent is instructed to read — a web page, a document, an email — and those instructions redirect the agent’s behaviour. Google’s threat intelligence team flagged this exact pattern earlier this year as public web pages are being seeded with hidden instructions designed to hijack enterprise AI agents.
What the Guidance Recommends
The core recommendation is explicit access control. The guidance advises against granting AI agents broad or unrestricted access to sensitive data or critical systems, even if the agent’s purpose seems to require it. Instead, agents should receive the minimum permissions needed for each specific task and have those permissions expire or be reviewed regularly.
The framework emphasises four prerequisites that the guidance describes as non-negotiable: strong governance structures, explicit accountability for every agent’s actions, rigorous monitoring of what agents are doing in production, and human oversight that is built into the workflow rather than bolted on after something goes wrong.
A few practical implications for organisations already running or planning agentic AI deployments:
Every agent should have a defined scope. Not “access to finance systems” but “read-only access to accounts payable data for invoice reconciliation between these two platforms.” Vague permissions are how privilege creep starts.
Monitoring needs to change. Security operations teams that watch for anomalous human behaviour need updated playbooks for what anomalous agent behaviour looks like. An agent making 200 API calls in a minute might be working correctly or might be exfiltrating data. The baseline needs to be established before you can detect deviation from it.
The human escalation path needs to be designed, not improvised. The guidance suggests explicit checkpoints where agents must seek human approval before taking irreversible actions, such as sending external communications, deleting data, or provisioning new access.
What This Means for Business
The fact that six national cybersecurity agencies coordinated to publish operational guidance on AI agents is itself a signal. This is not theoretical future risk management. It reflects real deployments in critical infrastructure, government, finance, and defence where agentic AI is already running.
For business leaders, the guidance is useful beyond its security implications. It provides a framework for what “governed AI agent deployment” looks like in practice, which is exactly the question many boards and risk committees are asking as they try to approve agentic AI projects without understanding what governance of those projects should include.
The four risk categories — expanded attack surface, privilege creep, behavioral misalignment, and obscure event records — translate directly into audit questions that your IT security team can act on right now. Before your next AI agent goes into production, each of those four areas should have a documented mitigation.
The guidance also matters for vendor selection. Platforms that are building governance tools directly into their agentic AI architecture, such as ServiceNow’s AI Control Tower (which reached general availability today) and IBM’s watsonx Orchestrate observability layer, are building toward the controls that the Five Eyes agencies are recommending. The platforms that treat governance as an afterthought are creating compliance exposure for the organisations that deploy them.
The agencies titled their guidance “Careful Adoption of Agentic AI Services,” not avoidance. The message is that agentic AI is worth deploying, but the deployment needs to be architected for accountability from the start. The organisations that get this right in 2026 will have a more defensible and more capable AI infrastructure than those that have to retrofit governance after their first incident.
Source
CISA
Free Resource
Going deeper with Claude?
Get the free 32-page implementation guide for ANZ teams.
Your guide is ready
Check your downloads folder. If it did not open automatically, use the button below.
Download the Guide