The cybersecurity authorities of the United States and its allies recently jointly issued security deployment guidance for "agentic AI", emphasizing that AI systems able to act autonomously over the network have already entered highly sensitive areas such as critical infrastructure and defense, while most organizations grant them access rights that far exceed their own ability to monitor and control them. The document calls on organizations to treat autonomous AI agents as a core cybersecurity issue and to prioritize resilience, reversibility and risk containment over simple efficiency gains.

Full text download:
https://cyberscoop.com/wp-content/uploads/sites/3/2026/05/CAREFUL-ADOPTION-OF-AGENTIC-AI-SERVICES_FINAL.pdf
The guidance was jointly written by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Australian Signals Directorate's Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the New Zealand National Cyber Security Centre and the British National Cyber Security Centre, and was released on Friday local time. The "agentic AI" the guide focuses on is software built on a large language model that can plan, make decisions, and execute actions autonomously within a delegated authority. To complete complex tasks, such systems typically need to interface with external tools, databases, memory stores, and automated workflows, performing multi-step tasks without a human reviewing each step.
The issuing agencies emphasize in the document that deploying agentic AI does not require rebuilding a security program from scratch; instead, agents should be integrated into the existing cybersecurity framework and governance structure. Suggestions include systematically applying existing principles such as zero trust, defense in depth, and least privilege to AI agents, and governing agents as "highly sensitive, highly privileged" technical components in areas such as identity and access management, audit logging, and change control.
The guidance groups the risks associated with agentic AI into five broad categories. The first is "permission risk": once an AI agent is granted access rights that are too high or too broad, a successful compromise can cause damage far beyond that of a traditional software vulnerability, such as tampering with critical configurations across an estate or disrupting business operations at scale. The second category is design and configuration defects: before the system goes live, improper architecture, overly permissive default configuration, or vaguely defined security boundaries leave inherent gaps that are difficult to close afterwards.
The third type of risk is classified as “behavioral risk,” which refers to the fact that in pursuit of goals, agents may take paths that the designers did not anticipate, or even never envisioned, triggering security or compliance incidents. The fourth category is "structural risk". When multiple agents are intertwined with complex business systems into a network, a fault or abnormal behavior may cascade and spread within the system, triggering a chain reaction across systems and departments.
The fifth type of risk relates to “accountability.” The guide points out that the decision-making process of agent AI is often difficult to fully examine, and the operation logs and decision records it generates are not easy to parse, which makes it extremely challenging to trace the root cause of the problem and clarify responsibilities afterwards. Once a failure occurs in such a system, the consequences will not remain at the "virtual level", but will be reflected in specific IT assets, such as files being tampered with, access controls being changed, audit trails being deleted, etc., directly affecting evidence collection and recovery work.
The document also specifically warns about attacks that rely on "prompt injection". Attackers can quietly embed instructions in data or content to steer the AI agent away from its original task and into performing malicious operations. Prompt injection has long been regarded as a chronic problem of the large language model ecosystem, and some companies have publicly admitted that it may not be fully eradicated for a long time. That makes the potential harm of this class of attack particularly serious in more highly automated agent scenarios.
At the level of specific protective measures, identity management occupies a central place throughout the guide. The agencies recommend that each AI agent have a verifiable, cryptographically protected identity of its own; that the credentials it uses be short-lived; and that all communications between the agent and other agents or services use encrypted channels. For any operation that may have a significant impact, such as modifying critical configurations, elevating user privileges, or deleting data at scale, the guidelines explicitly require human approval, and require that the system designer, not the agent itself, define which operations count as "high-impact actions."
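The identity and approval controls described above, together with the permission-risk and prompt-injection concerns from the earlier paragraphs, can be expressed as a single policy gate in front of an agent's tool calls. The following is an added illustration, not code from the guidance or from any of the issuing agencies: it assumes a constructed HMAC-signed token format (a real deployment would use an IdP or PKI), a hypothetical tool-action naming scheme, and a 5-minute credential lifetime.

```python
import hmac, hashlib, json, time
from dataclasses import dataclass, field

SECRET = b"demo-issuer-key"  # constructed demo key; real agents get PKI/IdP-issued identities
TOKEN_TTL = 300              # short-lived credential lifetime in seconds (assumed value)

# Designer-defined catalogue of "high-impact actions" (hypothetical action names).
# The agent cannot change this set; only the system designer can.
HIGH_IMPACT = {"config.write", "iam.grant", "data.bulk_delete"}

def issue_token(agent_id: str, scopes: set[str], now: float) -> str:
    """Issuer side: mint a signed, expiring credential bound to one agent and its least-privilege scopes."""
    body = json.dumps({"sub": agent_id, "scopes": sorted(scopes), "exp": now + TOKEN_TTL}, sort_keys=True)
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig

@dataclass
class Gate:
    """Policy enforcement point between the agent and its tools; every decision is audit-logged."""
    audit: list = field(default_factory=list)

    def authorize(self, token: str, action: str, now: float, human_approval: bool = False) -> tuple[bool, str]:
        body, _, sig = token.rpartition(".")          # hex signature never contains "."
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):     # verifiable identity: reject forged/tampered tokens
            return self._log("?", action, False, "bad signature")
        claims = json.loads(body)
        agent = claims["sub"]
        if now > claims["exp"]:                        # short-lived credentials: stale tokens stop working
            return self._log(agent, action, False, "credential expired")
        if action not in claims["scopes"]:             # least privilege: only scoped actions, even if "asked" via injected text
            return self._log(agent, action, False, "outside least-privilege scope")
        if action in HIGH_IMPACT and not human_approval:  # human-in-the-loop for designer-defined high-impact actions
            return self._log(agent, action, False, "high-impact: human approval required")
        return self._log(agent, action, True, "allowed")

    def _log(self, agent: str, action: str, ok: bool, reason: str) -> tuple[bool, str]:
        self.audit.append({"agent": agent, "action": action, "allowed": ok, "reason": reason})
        return ok, reason

def demo() -> list:
    """Walk one agent through routine, high-impact, out-of-scope and expired requests; returns the audit trail."""
    now, gate = time.time(), Gate()
    tok = issue_token("agent-42", {"ticket.read", "config.write"}, now)
    gate.authorize(tok, "ticket.read", now)                        # allowed: routine, in scope
    gate.authorize(tok, "config.write", now)                       # blocked: high-impact without approval
    gate.authorize(tok, "config.write", now, human_approval=True)  # allowed: approved by a human
    gate.authorize(tok, "data.bulk_delete", now)                   # blocked: never granted to this agent
    gate.authorize(tok, "ticket.read", now + TOKEN_TTL + 1)        # blocked: credential expired
    return gate.audit
```

The scope check runs before the high-impact check, so an injected "delete everything" request fails on least privilege even before the approval rule is consulted, and the audit list is the record an investigator would use to reconstruct what the agent attempted.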
At the same time, the issuing agencies acknowledge that current security industry practice has not yet caught up with the pace of agentic AI development. Some risks specific to AI agents are not fully covered by existing security frameworks, and more cross-agency and cross-industry research and cooperation are urgently needed. The guide advises that until security methodologies, assessment methods, and related standards mature, organizations should assume that agentic AI "may exhibit unexpected behaviors" and plan deployments accordingly, prioritizing resilience, reversibility, and risk containment in system design over the efficiency dividends promised by automation.