Five Eyes Agentic AI Guidance: The First Multigovernment Blueprint for Securing Autonomous Agents

TL;DR

On May 1, 2026, CISA, NSA, and the cybersecurity agencies of Australia, Canada, New Zealand, and the UK released the first-ever coordinated multigovernment security guidance specifically targeting agentic AI systems. The 30-page framework identifies 23 distinct security risks and prescribes practical controls for designing, deploying, and governing autonomous AI agents in critical infrastructure and high-impact systems.

What Happened

Five Eyes cybersecurity agencies—the authoritative voice in national security and critical infrastructure protection—have officially declared agentic AI a distinct threat category requiring its own security architecture. Released May 1, 2026, the joint guidance titled "Careful adoption of agentic AI services" represents a fundamental shift in how governments and enterprises must approach AI-driven automation.

Unlike previous AI security frameworks that treat autonomous agents as extensions of existing software security models, this guidance acknowledges a hard truth: agents operate differently. They chain actions across systems, make decisions that are difficult to audit or reverse, and pursue goals in ways that escape traditional security boundaries.

The guidance was published by:

• CISA (Cybersecurity & Infrastructure Security Agency, USA)
• NSA (National Security Agency, USA)
• ASD ACSC (Australian Signals Directorate Australian Cyber Security Centre)
• Communications Security Establishment (Canada)
• Government Communications Security Bureau (New Zealand)
• National Cyber Security Centre (UK)

This is not aspirational thinking. It carries the weight of five nations' cybersecurity authorities and has immediate implications for enterprises operating critical infrastructure, government services, or systems handling sensitive data.

Technical Details: The 23 Risk Categories

The guidance organizes agentic AI security around six core domains and identifies 23 distinct risks:

1. Governance & Oversight

• Agents operating without human approval gates
• Unclear accountability chains when autonomous systems cause damage
• No formal AI governance structures across stakeholder teams

2. Intent & Behavior Control

• Misalignment between intended and actual agent goals
• Agents pursuing objectives in unexpected ways (e.g., gaming metrics, deceptive outputs)
• Insufficient real-time monitoring of agent reasoning

3. System Architecture

• Agents with excessive permission scope ("over-permissioned")
• Autonomous cross-system actions without isolation
• Lack of breakglass/shutdown mechanisms

4. Supply Chain & Third-Party Risk

• Dependencies on untrusted model providers
• Compromised tools integrated into agent toolsets
• Model poisoning and adversarial prompt injection

5. Operational Resilience

• Agents failing silently or cascading failures across integrated systems
• No incident detection or rollback capabilities
• Insufficient logging and auditability

6. Adversarial Resilience

• Agents susceptible to prompt injection, jailbreaks, and adversarial inputs
• Agents used as attack vehicles against downstream systems
• Delegation abuse (agents delegating to untrusted sub-agents)

The guidance is notably practical—not a theoretical taxonomy but a blueprint for hardening agent deployments. It explicitly recommends:

• Human-in-the-loop controls for all high-risk actions
• Approval gates for irreversible decisions
• Intent classification before agent execution
• Behavioral monitoring during operation
• Supply-chain vetting of models and tools
• Incident response playbooks specific to agent failures

Lyrie Assessment: Why This Changes Everything for CISOs

This guidance marks the inflection point where agentic AI transitions from "emerging risk" to "regulated threat." Here's why it matters to Lyrie's audience:

1. The Patch-First Model Is Dead

Traditional vulnerability patching assumes human-driven actions. An agent with a backdoored tool can execute thousands of malicious actions in seconds—far beyond any human operator's capacity to intervene. Enterprises must shift from "detect and patch" to "design for containment."

2. Identity & Permission Management Is Broken

The guidance explicitly highlights that 78% of organizations with deployed agents have no documented policy for creating or removing AI identities. Agents operate as non-human principals with access to databases, APIs, and infrastructure. The attack surface is your own IAM system.

3. Supply Chain Risk Just Got Exponential

An agent that integrates 20+ third-party tools (APIs, models, libraries) inherits the security posture of all 20. One compromised npm package or a rogue fine-tuned model can weaponize your entire agent fleet. This is the next frontier of supply-chain attacks.

4. Incident Response Is Impossible Without Planning Now

If an agent is compromised at 3 AM and executes a million API calls, deletes customer data, or exfiltrates secrets—who's responsible? What's your rollback procedure? The guidance forces CISOs to build incident response playbooks before agents are deployed, not after.

5. Regulatory Convergence Is Coming

Five Eyes guidance is historically a precursor to NIS2 harmonization and executive order enforcement. Organizations deploying agentic AI in critical infrastructure or public services should expect regulatory mandates within 12-18 months.

Recommended Actions

Immediate (Next 30 Days)

1. Read the full guidance (cyber.gov.au/agentic-ai)

2. Audit all deployed agents and planned agent projects against the 23 risk categories

3. Create an AI governance board with security, IT, legal, compliance, and business leadership

4. Document your current "AI identity" policies—you likely have none

Short-Term (30-90 Days)

1. Map all agent toolsets and third-party dependencies

2. Implement approval gates for high-risk agent actions (data modification, infrastructure changes, external API calls)

3. Build behavioral monitoring and intent classification controls

4. Establish agent-specific incident response and rollback procedures

5. Audit and remediate over-permissioned agent service accounts

Medium-Term (3-6 Months)

1. Implement NIST AI RMF and ISO 42001 controls tailored to agentic systems

2. Conduct red-team exercises specifically targeting agent supply chains and prompt injection

3. Develop policy for agent lifecycle management (creation, modification, decommissioning)

4. Establish supply-chain vetting criteria for models and tools

5. Plan for regulatory harmonization (anticipate NIS2 agentic AI requirements)

Sources

1. CISA & Partners: Agentic AI Security Guidance

2. Five Eyes Official: Careful Adoption of Agentic AI Services

3. Forrester: AEGIS Framework and Five Eyes Alignment

4. NSA/CISA Joint Cybersecurity Advisory

---

Lyrie.ai Cyber Research Division