CISA + Five Eyes publish the first joint guidance on agentic-AI adoption
On May 1, 2026, CISA, NSA and the Five Eyes cyber agencies released 'Careful Adoption of Agentic AI Services' — a 5-risk taxonomy and a deployment playbook that critical-infrastructure operators are now expected to fold into their existing cybersecurity frameworks.
What is this?
On May 1, 2026 (the document itself is dated April 30), the US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) co-published Careful Adoption of Agentic AI Services jointly with the four other Five Eyes cyber authorities: Australia’s ASD ACSC, the Canadian Centre for Cyber Security, New Zealand’s NCSC and the United Kingdom’s NCSC.
It is the first joint Five Eyes document specifically scoped to agentic AI — defined in the guidance as software built on large language models that can plan, decide and execute multi-step actions across tools, data and other agents without continuous human review. The document is 22 pages, free to download, and explicitly addressed to “developers, vendors and operators” of those systems, with a strong sub-audience of critical-infrastructure and defense organisations already deploying them. Press uptake was immediate: CyberScoop, Industrial Cyber and the UK NCSC’s companion blog post all surfaced it between May 1 and May 4.
This is the article on the document — what it says, where it lands in the policy stack, and what an operator should do this quarter.
How it works
The guidance is built around a five-category risk taxonomy and a deployment posture that the agencies frame as a series of refusals: refuse broad permissions, refuse fully autonomous high-impact actions, refuse “AI-specific” silos that bypass the existing security program.
The taxonomy:
| Risk category | What it covers | Concrete failure mode |
|---|---|---|
| Privilege | Over-broad access granted to the agent | A single compromise inherits the agent's rights — modify contracts, approve payments, move laterally, with clean-looking logs |
| Design / configuration | Insecure architecture decisions taken at deployment time | Broad role checks, weak segmentation, a misconfigured third-party tool that cascades to billing or IAM |
| Behavioral | The agent meets its stated goal in a way the designer did not intend | Goal hacking, ambiguous-instruction misinterpretation, prompt-injection-driven unauthorised actions, strategic deception |
| Structural | Cascading failure across an interconnected multi-agent system | One agent hallucinates, downstream agents treat the output as ground truth, third-party tool injects across the chain |
| Accountability | Inability to reconstruct what happened | Fragmented logs, distributed decisions, opaque reasoning — compliance and attribution both break |
The deployment posture sits on top of that taxonomy. Three pieces of it matter most to a working operator:
Identity is per-agent, cryptographic, and short-lived. Every agent (and every spawned sub-agent) must carry a verified identity anchored in cryptography, use short-lived credentials, and encrypt all inter-agent and agent-to-service traffic. This kills the “shared service account” pattern that has crept into early agent deployments, and aligns the agent fleet with the same identity baseline you already run for humans and workloads under zero trust.
Human approval is reserved for high-impact actions — and the designer decides which ones. The guidance is unusually direct here: the decision about which actions require human sign-off “is a job for system designers, not the agent”. An agent should never be empowered to declare that an action it wants to take is low-impact enough to skip the human checkpoint.
Agentic AI security is folded into the existing cyber program, not split off. The document is explicit that “AI systems are fundamentally IT systems” and should be governed by the same frameworks an organisation already uses — secure-by-design, defense-in-depth, IAM, continuous monitoring, incident response. The risk of running a parallel “AI security” track, in the agencies’ read, is that it lets agentic capability bypass controls the rest of the organisation has spent a decade hardening.
The deployment cadence the document recommends is progressive: start with low-risk, non-sensitive use cases, expand only as the operator has earned confidence in the agent’s behaviour, threat-model before integration, fail-safe by default (escalate to a human when uncertain), and re-test continuously against an evolving threat model.
Why it matters
Three things make this document worth reading even if you do not own a critical-infrastructure network.
It is the first time the Five Eyes have spoken with one voice on agentic AI. Previous joint products from this coalition have shaped procurement decisions across regulated sectors — secure-by-design, ransomware response, supply-chain security. Careful Adoption of Agentic AI Services now joins that shelf and will be cited in RFPs, audits and board briefings well before any agentic-AI-specific regulation lands. If you build or sell agents into regulated sectors, the document is now part of your customer’s procurement checklist.
The risk taxonomy will be reused. The five categories (privilege, design/configuration, behavioral, structural, accountability) are general enough to map directly onto OWASP’s Top 10 for LLM Applications and MITRE ATLAS, and specific enough to produce a usable control checklist. Expect to see it embedded in internal threat models and in commercial scanners over the next two quarters. The “structural” category in particular — cascading failure across agent meshes — is the first time a government document names that risk distinctly from single-agent prompt injection.
The document is honest about what is still unsolved. Two passages stand out. First: “until security practices, evaluation methods and standards mature, organisations should assume that agentic AI systems may behave unexpectedly and plan deployments accordingly, prioritising resilience, reversibility and risk containment over efficiency gains.” Second: the agencies explicitly acknowledge that some agentic-specific risks are not yet covered by existing frameworks and call for more research. That is a meaningful signal — read alongside the same week’s CyberScoop reporting that some vendors now privately admit prompt injection may never be fully solved, the Five Eyes are quietly telling operators to plan as though the underlying capability gap will persist.
Defenses
The document is itself a defensive playbook. The condensed action list, mapped to what an operator can do this quarter:
- Inventory your agents and their privileges. Build (or update) a register of every deployed agent, the tools and data it can reach, the credentials it carries, and which sub-agents it can spawn. The privilege category exists because most early deployments granted excessive scope by default. Reduce to least privilege and re-test.
- Issue per-agent cryptographic identities with short-lived credentials. Replace any long-lived API keys or shared service-account tokens with workload identities (mTLS, signed JWTs with short TTL, or your existing zero-trust identity plane). Treat every spawned sub-agent as a new principal, not a continuation of the parent.
- Codify a human-approval matrix that the agent cannot rewrite. Decide, at design time, which actions require a human in the loop — fund movement, IAM changes, file deletions, outbound communications, configuration changes on production systems. Enforce the matrix in the orchestration layer, not in the agent’s own prompt or tool description.
- Map the five risk categories to your existing controls. Walk through privilege, design/configuration, behavioral, structural and accountability and identify which of your current controls (IAM, segmentation, observability, change management, IR runbooks) cover them and where the gaps are. Treat gaps as items in your existing risk register, not as a separate “AI risk” stream.
- Instrument internal reasoning, not just inputs and outputs. The accountability category is unsolvable without telemetry on tool calls, retrieved context, intermediate reasoning steps and goal drift. Whatever your agent platform is, demand structured logs at each of those stages and pipe them into your existing SIEM. For incident response, the question “what did the agent decide and why” needs an answer that does not depend on the agent’s own post-hoc explanation.
- Threat-model before integration, not after. Before connecting an agent to a new tool or data source, walk the chain: what untrusted content does this expose the agent to (the lethal trifecta test still applies), what is the blast radius if the agent is hijacked, can the action be made reversible. The guidance is explicit that integration choices made at deployment time create structural weaknesses that persist long after go-live.
- Adopt incrementally, fail-safe by default. Start with low-risk, non-sensitive use cases. Configure the agent to escalate to a human reviewer when uncertain rather than improvising. Expand scope only when operational telemetry justifies it. Resist pressure to skip the progressive ramp because a competitor announced a more aggressive rollout — the guidance is unambiguous that resilience and reversibility outrank efficiency at this stage of the technology.
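To show what "enforce the matrix in the orchestration layer" looks like in practice, here is an added Python sketch that ties together three of the items above: per-agent short-lived identities with sub-agents as new principals, a designer-owned human-approval matrix the agent cannot rewrite (its own "this is low-impact" claim is logged but never trusted), and a structured audit record per tool call. This is illustrative code written for this article, not code from the guidance or any agency; the action names, the 300-second TTL and the log field names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Designer-owned approval matrix (constructed for this example). It lives in the
# orchestration layer; the agent can neither read nor rewrite it.
APPROVAL_MATRIX = {
    "read_ticket": "auto",
    "send_email": "human",
    "approve_payment": "human",
    "modify_iam_policy": "human",
}

# One structured record per tool call, ready to ship to the existing SIEM.
AUDIT_LOG: list = []


@dataclass(frozen=True)
class AgentPrincipal:
    """Per-agent identity carrying a short-lived credential (TTL in seconds)."""
    agent_id: str
    parent_id: Optional[str]
    issued_at: float
    ttl: float

    def valid_at(self, now: float) -> bool:
        return now < self.issued_at + self.ttl


def spawn(parent: AgentPrincipal, child_id: str, now: float, ttl: float = 300.0) -> AgentPrincipal:
    """A spawned sub-agent is a new principal with its own credential, not the parent's."""
    return AgentPrincipal(child_id, parent.agent_id, now, ttl)


def gate_tool_call(principal, action, args, agent_claims_low_impact, human_approved, now):
    """Return 'executed', 'pending_human' or 'denied'; the agent's impact claim is recorded, never trusted."""
    if not principal.valid_at(now):
        decision, reason = "denied", "credential expired"
    elif action not in APPROVAL_MATRIX:
        decision, reason = "denied", "action not in designer matrix"
    elif APPROVAL_MATRIX[action] == "human" and not human_approved:
        decision, reason = "pending_human", "matrix requires human sign-off"
    else:
        decision, reason = "executed", "allowed by matrix"
    AUDIT_LOG.append({
        "ts": now, "agent_id": principal.agent_id, "parent_id": principal.parent_id,
        "action": action, "args": args, "agent_claims_low_impact": agent_claims_low_impact,
        "human_approved": human_approved, "decision": decision, "reason": reason,
    })
    return decision
```

Every decision path, including the agent's ignored low-impact claim, lands in `AUDIT_LOG` with the acting principal and its parent, which is the lineage an incident responder needs to reconstruct a multi-agent chain.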
Status
| Item | Reference | Date | Notes |
|---|---|---|---|
| Document publication | CISA / NSA / ASD ACSC / CCCS / NCSC-NZ / NCSC-UK | 2026-05-01 (doc dated 2026-04-30) | First joint Five Eyes guidance scoped to agentic AI |
| Official PDF (DoD mirror) | media.defense.gov | 2026-04-30 | 22 pages |
| Official PDF (ASD mirror) | cyber.gov.au | 2026-05 | Identical content |
| Press coverage | CyberScoop, Industrial Cyber, UK NCSC blog | 2026-05-01 → 2026-05-04 | Aligned reading of the five-risk taxonomy |
| Companion CISA news release | cisa.gov | 2026-05-01 | Confirms CISA acting director Nick Andersen’s framing |
The right framing for this release is not “another government guidance document”. It is the moment the five-risk taxonomy for agentic AI entered the procurement language of regulated sectors. Operators who want to be ahead of the audit question six months from now should already be mapping their agent fleet against the five categories — and shrinking privilege, hardening identity, and instrumenting reasoning telemetry until the map comes back clean.
Sources
- https://www.cisa.gov/news-events/news/cisa-us-and-international-partners-release-guide-secure-adoption-agentic-ai
- https://www.cisa.gov/resources-tools/resources/careful-adoption-agentic-ai-services
- https://www.cyber.gov.au/business-government/secure-design/artificial-intelligence/careful-adoption-of-agentic-ai-services
- https://www.cyber.gov.au/sites/default/files/2026-05/careful_adoption_of_agentic_ai_services.pdf
- https://media.defense.gov/2026/Apr/30/2003922823/-1/-1/0/CAREFUL%20ADOPTION%20OF%20AGENTIC%20AI%20SERVICES_FINAL.PDF
- https://cyberscoop.com/cisa-nsa-five-eyes-guidance-secure-deployment-ai-agents/
- https://industrialcyber.co/ai/cisa-and-partners-release-agentic-ai-security-guidance-to-protect-critical-infrastructure-outline-mitigation-action/
- https://www.ncsc.gov.uk/blogs/thinking-carefully-before-adopting-agentic-ai