The U.S. Cybersecurity and Infrastructure Security Agency (CISA), alongside the Australian Cyber Security Centre and other international partners, published new guidance on the secure adoption of agentic artificial intelligence (agentic AI) on Friday, outlining cybersecurity risks tied to deploying these systems. The document comes as critical infrastructure and defense sectors increasingly adopt agentic AI to support mission-critical operations and drive automation. As agentic AI systems play a growing operational role, defenders must implement security controls to protect national security and critical infrastructure from agentic AI-specific risks.
While the benefits are clear, the agencies warn that these systems introduce new risks, including expanded attack surfaces, privilege escalation, behavioral misalignment, and limited auditability. Titled ‘Careful Adoption of Agentic AI Services,’ the document provides developers, vendors, and operators with best practices to secure agentic AI systems and strengthen resilience against emerging threats.
Organizations adopting agentic AI are advised to avoid granting broad or unrestricted access, particularly to sensitive data or critical systems. Initial deployments should focus on low-risk, non-sensitive use cases, while security considerations for agentic AI should be fully integrated into the organization’s overall security model and risk posture.
“CISA is committed to supporting the US’s adoption of AI that includes ensuring it aligns with President Trump’s Cyber Strategy for America and is cyber secure,” Nick Andersen, CISA acting director, wrote in a Monday media statement. “We actively collaborate with government and international partners on shared priorities with AI advancements while addressing cybersecurity challenges and risks. CISA encourages agentic AI developers, vendors and operators to review this guide.”
Agentic AI systems are intended to operate without continuous human intervention. While a human typically designs and configures the system, some agentic AI systems are also capable of autonomously creating, or ‘spawning’, sub-agents to accomplish specific sub-tasks.
System design includes defining goals, providing conditions on which to act (called ‘triggers’) and making information available to the AI service. Agents have some key attributes, including information input, such as user input, operating context and configuration parameters; measurable goals identified from user directions, such as ‘minimise downtime for this server’; and statistical models, such as LLMs to identify what actions to take.
Other key attributes include action and execution privileges, such as permissions to interact with tools, users, systems and operating environments; tool or service access, such as system software and interfaces, to take identified actions; and metrics, such as measurable indicators used by the designer to evaluate operational effectiveness and improve efficiency.
The guidance identifies that agentic AI cybersecurity spans both AI-specific security and traditional cybersecurity. Information continuously flows between AI and non-AI systems, increasingly blurring defensive boundaries and making it difficult to isolate AI-related risks from broader cyber threats. Agentic AI systems are also inherently complex, often involving multiple interconnected components that plan, reason and act across sequential steps. This complexity introduces new systemic risks, including cascading failures and multi-step attacks, where unexpected or compromised behaviour in one component can propagate across subsequent steps and affect the entire system.
Thus, securing agentic AI systems is more challenging than securing traditional digital systems. Organisations should therefore focus on strengthening both established cybersecurity controls and AI-specific security practices, adopting holistic lifecycle approaches, continuous monitoring and resilient design principles to manage these emerging risks.
The document calls upon organisations to address AI security, including agentic AI systems, within established cybersecurity frameworks rather than treating it as a separate or standalone discipline. “AI systems are fundamentally IT systems, as they run on software and hardware, operate over networks and interact with other digital services, exposing them to many of the same threats as traditional IT.”
As organisations embed AI across business processes and critical infrastructure, the distinction between AI and non-AI security risks increasingly disappears. Managing AI-related risks within existing cybersecurity frameworks allows organisations to apply proven principles, such as secure by design, defense in depth, identity and access management, continuous monitoring and incident response across the full AI system lifecycle. This approach is especially important for agentic AI, whose autonomy and complexity can amplify conventional cyber risks.
By embedding AI security into existing frameworks, organisations ensure consistent governance of new capabilities, holistic risk assessment and the evolution of security practices in line with technological advances and organisational cyber maturity.
The document identified the various kinds of agentic AI security risks. Privilege risks arise when AI agents are granted more access than they actually need, so the consequences of a single compromise multiply fast. Attackers who breach even a low-risk component can inherit excessive privileges, modify contracts, approve payments, and move through systems undetected, while producing audit logs that look completely legitimate.
Design and configuration risks arise from insecure design decisions made at deployment; broad permissions, static role checks, and poor environment segmentation create structural weaknesses that persist long after go-live. A single misconfigured third-party component can give attackers a foothold that cascades across the entire agent ecosystem, reaching billing systems, account management, and beyond.
Behaviour risks arise when AI agents don’t always behave as intended. They may find shortcuts that technically meet their objective but violate its intent, misinterpret ambiguous instructions, or be manipulated through prompt injection into executing unauthorized actions. In some cases, agents have demonstrated strategic deception, concealing their true actions or capabilities to avoid being shut down.
Structural risks focus on the interconnected nature of agentic systems, which is both their strength and their vulnerability. A single orchestration flaw can trigger cascading failures, as agents endlessly re-plan, hallucinate outputs that downstream agents accept as fact, and open the door to compromised third-party tools injecting malicious instructions across the entire system.
Accountability risks arise because, when something goes wrong in a multi-agent system, pinning down what happened and why is genuinely difficult. Decisions are distributed across planning, retrieval, and execution agents, logs are fragmented and often superfluous, and the reasoning behind individual actions is frequently opaque, making compliance, attribution, and correction all significantly harder.
The guidance recognized that security must be built in from the start, not added later. Agents should operate on strict least-privilege principles, with strong identity management, cryptographically anchored credentials, and clearly defined roles. Defence-in-depth means no single security mechanism is relied upon and controls should be applied at every point where data enters or exits the system. During development, comprehensive testing, including adversarial training, red teaming, and prompt injection filtering, helps harden agent behaviour before deployment.
Deployment should be progressive, by starting with limited access and autonomy, expanding only as operators build confidence in how the agent behaves. Threat modelling should be performed before integration, and agents should be configured to fail-safe by default, escalating to human reviewers when uncertain. Clear guardrails, explicit constraints, isolation between agent environments, and multi-agent or human approval for high-stakes actions all reduce the blast radius if something goes wrong.
Once live, continuous monitoring is non-negotiable. Operators should track not just inputs and outputs, but internal reasoning, tool calls, privilege changes, and goal drift. Human-in-the-loop checkpoints must be maintained for high-impact or irreversible actions and, critically, the decision about when human approval is required should be made by system designers, not delegated to the agent itself. Regular security assessments, output validation, and just-in-time credentials for privileged actions are essential to maintaining long-term security.
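The controls described above (least privilege, fail-safe defaults, designer-owned approval checkpoints and just-in-time credentials) can be combined in one small gate that sits between an agent's planner and its tools. The following is an added illustration, not code from the guidance or from CISA; the tool names, scopes and the `gate_tool_call` function are hypothetical, and the audit records are constructed for the example.

```python
"""Designer-owned approval gate for agent tool calls (added example, not from the guidance)."""
from dataclasses import dataclass
from typing import Optional
import secrets
import time

# Designer-defined policy (hypothetical tool names): which tools exist at all,
# whether a human must approve them, and the narrowest scope a credential needs.
TOOL_POLICY = {
    "read_ticket":     {"approval": False, "scope": "tickets:read"},
    "restart_service": {"approval": True,  "scope": "svc:restart"},
    "approve_payment": {"approval": True,  "scope": "payments:approve"},
}

AUDIT_LOG: list = []  # constructed in-memory audit trail; a real system would ship this off-host


@dataclass
class Decision:
    action: str                        # "execute", "escalate" or "deny"
    reason: str
    credential: Optional[dict] = None  # only present when the call may proceed


def mint_jit_credential(scope: str, ttl_s: int = 60) -> dict:
    """Short-lived, single-scope credential issued only for an approved action."""
    return {"scope": scope, "token": secrets.token_hex(8), "expires": time.time() + ttl_s}


def gate_tool_call(tool: str, agent_claims_safe: bool, human_approved: bool = False) -> Decision:
    """Decide whether an agent's requested tool call may run.

    The agent's own assessment (agent_claims_safe) is recorded but never consulted:
    the approval requirement comes from TOOL_POLICY, which the designer owns.
    """
    policy = TOOL_POLICY.get(tool)
    if policy is None:
        decision = Decision("deny", f"unknown tool {tool!r}: fail safe")
    elif policy["approval"] and not human_approved:
        decision = Decision("escalate", f"{tool} requires human approval before execution")
    else:
        decision = Decision("execute", "policy satisfied", mint_jit_credential(policy["scope"]))
    AUDIT_LOG.append({"ts": time.time(), "tool": tool, "agent_claims_safe": agent_claims_safe,
                      "human_approved": human_approved, "action": decision.action})
    return decision
```

An unknown tool is denied rather than attempted, an approval-gated tool is escalated regardless of what the agent asserts, and a permitted call receives a credential scoped to that one action.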
In conclusion, the guidance recognizes that agentic AI systems offer powerful automation benefits, but their ability to act autonomously across interconnected tools, data and environments introduces security risks that extend beyond those associated with traditional software or GenAI. “Privilege escalation, emergent behaviours, structural dependencies and accountability gaps can interact in unpredictable ways. As organisations grant agentic AI systems greater authority and operational scope, these combined risks become increasingly difficult to predict, observe and contain.”
It urged organisations to approach adoption with security in mind, recognising that increased autonomy amplifies the impact of design flaws, misconfigurations and incomplete oversight. Deploy agentic AI incrementally, beginning with clearly defined low‑risk tasks and continuously assessing it against evolving threat models.
Strong governance, explicit accountability, rigorous monitoring and human oversight are not optional safeguards but essential prerequisites. Until security practices, evaluation methods and standards mature, organisations should assume that agentic AI systems may behave unexpectedly and plan deployments accordingly, prioritising resilience, reversibility and risk containment over efficiency gains.