US, Australia, UK, Canada, and New Zealand Release Joint Guidance, Calling for Inclusion of Autonomous AI Agents in Core Cybersecurity Governance
The cybersecurity authorities of the United States and its allies have jointly released security deployment guidance for "agentic AI," emphasizing that these AI systems, which are capable of acting autonomously online, have already entered highly sensitive areas such as critical infrastructure and defense. However, most organizations grant them access permissions that exceed their ability to monitor and control them. The document calls on organizations to treat autonomous AI agents as a core cybersecurity issue, prioritizing resilience, reversibility, and risk mitigation over the pursuit of efficiency gains alone.

This guidance was jointly written by the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Australian Cyber Security Centre under the Australian Signals Directorate, the Canadian Centre for Cyber Security, the New Zealand National Cyber Security Centre, and the UK National Cyber Security Centre, and was released publicly on Friday local time. The “agentic AI” the guidance addresses is a class of software system built on large language models that can plan, make decisions, and autonomously execute actions within the permissions it has been given. To complete complex tasks, these systems often need to connect to external tools, databases, memory stores, and automated workflows, allowing them to perform multi-step tasks without step-by-step human review.
The issuing agencies emphasize in the document that deploying agentic AI does not necessarily require rebuilding the entire security program; it requires integrating agents into existing cybersecurity frameworks and governance structures. Recommendations include systematically applying established principles such as zero trust, defense in depth, and least privilege to AI agents, and governing AI agents as “highly sensitive, high-privilege” technical components in areas such as identity and access management, audit logging, and change control.
The guidance categorizes risks associated with agentic AI into five categories. First is “permission risk”: once an AI agent is granted excessive or broad access permissions, a successful intrusion could cause damage far exceeding that of traditional software vulnerabilities, such as the centralized modification of critical configurations or the disruption of large-scale business operations. The second category is design and configuration defect risk, meaning that the system inherently has security gaps that are difficult to patch due to improper architectural design, overly permissive default configurations, or blurred security boundaries before it goes online.
The third risk is categorized as “behavioral risk,” referring to the possibility that an agent may take paths not anticipated, or even never conceived of, by the designer when pursuing its goals, thereby triggering security or compliance incidents. The fourth category is “structural risk”: when multiple agents are intertwined with complex business systems, a fault or abnormal behavior in one place can cascade and spread within the system, causing a chain reaction across systems and departments.
The fifth risk concerns “accountability.” The guidance points out that the decision-making process of agentic AI is often difficult to fully examine, and its generated operation logs and decision records are not easy to parse, making it extremely challenging to trace the root cause of problems and clarify responsibility after the fact. Once such systems make mistakes, the consequences will not remain at the “virtual level,” but will be reflected in specific IT assets, such as file tampering, access control changes, and audit trail deletion, directly affecting forensics and recovery efforts.
The document also specifically warns of the attack risks posed by “prompt injection.” Attackers can quietly embed instructions in data or content to guide AI agents to deviate from their original tasks and perform malicious operations. Prompt injection has long been considered a persistent problem in the large language model ecosystem, and some companies have publicly acknowledged that this problem may be difficult to eradicate completely, making the potential harm of such attacks even more prominent in more automated agent scenarios.
In terms of specific protective measures, identity management occupies an important position throughout the guidance. The joint agencies recommend that each AI agent should have a verifiable