CISA, the NSA and allied cybersecurity agencies have warned organizations not to give agentic AI systems broad or unrestricted access, especially to sensitive data or critical systems.
The joint guidance tells government, critical infrastructure and industry organizations to start with low-risk, non-sensitive tasks before expanding agent autonomy.
NSA described the document as a cybersecurity information sheet on the “careful adoption” of agentic AI services, with a focus on critical infrastructure and the defense sector.
The guidance was co-authored by the Australian Signals Directorate’s Australian Cyber Security Centre, CISA, NSA, the Canadian Centre for Cyber Security, New Zealand’s National Cyber Security Centre and the U.K. National Cyber Security Centre.
Defining the risks of autonomy
Agentic AI systems combine large language models with external tools, data sources, memory and planning workflows to reason, plan and take actions. Some can also spawn sub-agents to carry out subtasks without continuous human intervention.
NSA’s release lists five risk areas: privilege risks, design and configuration risks, behavior risks, structural risks and accountability risks. The agencies warn that over-privileged agents can amplify a single compromise, while opaque agent systems can make auditing and compliance harder.
The guidance describes a “confused deputy” scenario in which a low-privileged actor manipulates a trusted agent into taking actions the actor could not perform directly. Because the action runs under the agent’s trusted identity, audit logs may look legitimate and delay detection.
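To make the risk concrete, here is a minimal Python sketch of privilege attenuation, one common defense against confused-deputy attacks that the guidance's scenario implies: an action is authorized against both the agent's privileges and the original requester's, so a low-privileged requester cannot borrow the agent's authority. All names and privileges below are illustrative, not drawn from the guidance.

```python
# Hypothetical sketch: mitigating a confused-deputy scenario by checking
# the ORIGINAL requester's privileges, not just the agent's, before acting.
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    requester: str  # identity of the human or service that asked
    agent: str      # identity of the agent carrying out the task
    action: str     # e.g. "read:payroll"

# Privileges held by each principal in this toy example.
PRIVILEGES = {
    "intern":        {"read:tickets"},
    "payroll-agent": {"read:tickets", "read:payroll"},
}

def authorize(req: Request) -> bool:
    """Allow an action only if BOTH the agent and the original requester
    hold the privilege. Checking the agent alone lets a low-privileged
    requester borrow the agent's authority (the confused deputy)."""
    agent_ok = req.action in PRIVILEGES.get(req.agent, set())
    requester_ok = req.action in PRIVILEGES.get(req.requester, set())
    return agent_ok and requester_ok

# The intern asks the trusted payroll agent to read payroll data.
# An agent-only check would allow this; the attenuated check denies it.
print(authorize(Request("intern", "payroll-agent", "read:payroll")))  # False
```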
Treating agents as governed identities
The agencies’ recommended controls treat AI agents as governed digital identities. Developers should construct each agent as a distinct cryptographic principal with its own keys or certificates.
Operators should authenticate inter-agent and agent-to-service calls with mutual TLS, maintain a trusted registry, bind identities to authorized roles and deny access to any agent or key missing from that registry.
That approach aligns agentic AI security with zero-trust architecture rather than a separate AI control layer. NIST’s zero-trust guidance says no implicit trust should be granted based only on network location or asset ownership, with authentication and authorization performed before access to enterprise resources.
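A minimal sketch of what those controls could look like in practice, using a simple in-memory registry and Python's standard ssl module; the agent names, roles and file paths are placeholders, not part of the agencies' guidance.

```python
# Sketch of the registry-and-mTLS pattern described above.
import ssl

# Trusted registry: agent identity -> the roles it is authorized to hold.
# Any agent or key absent from this registry is denied outright.
AGENT_REGISTRY = {
    "ticket-triage-agent": {"read:tickets", "update:tickets"},
    "report-agent":        {"read:metrics"},
}

def is_authorized(agent_id: str, role: str) -> bool:
    """Deny by default: unknown agents get no access at all."""
    return role in AGENT_REGISTRY.get(agent_id, set())

def mtls_server_context(cert: str, key: str, ca: str) -> ssl.SSLContext:
    """Require a client certificate on every inter-agent call (mutual TLS),
    so each agent must prove its own cryptographic identity."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=cert, keyfile=key)
    ctx.load_verify_locations(cafile=ca)
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject callers without a valid cert
    return ctx
```

The deny-by-default registry lookup is what distinguishes this from ordinary role checks: an agent that is merely unregistered, not explicitly blocked, still gets nothing.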
Rapid enterprise adoption vs. visibility gaps
The guidance arrives as analysts and security groups report faster enterprise adoption of AI agents. Gartner predicted that up to 40% of enterprise applications will be integrated with task-specific AI agents by the end of 2026, up from less than 5% in 2025.
A Cloud Security Alliance survey report, commissioned by Token Security and published in April, found that 82% of enterprises had unknown AI agents in their IT environments and 65% reported AI agent-related incidents in the previous 12 months.
Supply chain transparency and monitoring
The guidance also moves agentic AI into procurement and supply-chain review. Agentic systems may rely on third-party tools, external components or dynamically loaded packages.
The agencies recommend trusted registries for third-party components, approved tool allow lists, human-readable logs of tool use and software bills of materials for agentic workflows.
That Software Bill of Materials (SBOM) recommendation connects agent governance to existing software transparency work. CISA’s 2025 SBOM guidance describes an SBOM as a detailed inventory of software components that helps organizations identify vulnerabilities, assess risk and make informed decisions about software they use and deploy.
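As a rough illustration of the allow-list and human-readable logging recommendations, the following Python sketch denies any tool not on an approved list and records every attempt, allowed or denied; the tool names and log format are assumptions for the example.

```python
# Sketch: approved-tool allow list with a plain-language audit log.
import logging
from datetime import datetime, timezone

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("agent.tools")

APPROVED_TOOLS = {"search_docs", "create_ticket"}  # vetted, registered tools

def call_tool(agent_id: str, tool: str, args: dict):
    """Run a tool only if it is on the allow list, and record every
    attempt in human-readable form for auditors."""
    allowed = tool in APPROVED_TOOLS
    log.info("%s agent=%s tool=%s args=%s decision=%s",
             datetime.now(timezone.utc).isoformat(), agent_id, tool, args,
             "ALLOWED" if allowed else "DENIED")
    if not allowed:
        raise PermissionError(f"Tool '{tool}' is not on the approved list")
    # ... dispatch to the real tool implementation here ...

call_tool("report-agent", "search_docs", {"query": "Q3 revenue"})  # logged, runs
# call_tool("report-agent", "shell_exec", {"cmd": "..."})          # would raise
```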
Monitoring recommendations are similarly specific. Operators are told to monitor all agent operations, not just inputs and outputs: user prompts, tool calls, memory interactions, internal reasoning, decisions and actions.
The guidance also calls for logging identity and privilege changes, watching for drift or impersonation and using multiple independent monitoring systems to cross-check agent reports and system logs.
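One way to approximate that full-pipeline monitoring and cross-checking is sketched below, with hypothetical event names: every stage of an agent step is appended to an independent trail, and the agent's self-reported activity is compared against it.

```python
# Sketch: record every stage of an agent step to an append-only trail,
# then cross-check the agent's self-report against the independent log.
import json, hashlib

TRAIL: list[str] = []  # stand-in for an append-only, tamper-evident log

def record(event: str, **fields):
    TRAIL.append(json.dumps({"event": event, **fields}, sort_keys=True))

def trail_digest() -> str:
    """Independent digest of what actually happened, for cross-checking."""
    return hashlib.sha256("\n".join(TRAIL).encode()).hexdigest()

# One agent step, instrumented end to end:
record("user_prompt", text="Summarize open incidents")
record("reasoning", summary="Plan: query incident tool, then summarize")
record("tool_call", tool="list_incidents", args={"status": "open"})
record("action", result="Returned 3 open incidents")

# A second, independent monitor compares the agent's claimed activity
# against the recorded trail; a mismatch flags drift or impersonation.
agent_claims = 4  # the agent reports four operations
assert agent_claims == len(TRAIL), "agent self-report diverges from log"
```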
Human intervention and risk containment
The agencies also say human approval should be required for high-impact or difficult-to-reverse actions, citing system resets, network egress and deletion of critical records as examples. They recommend quarantining requests to delete logs or audit records until a human reviewer approves them.
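A minimal sketch of such a gate, with illustrative action names: high-impact operations fail unless a human approval is attached, and log-deletion requests are quarantined rather than executed.

```python
# Sketch: human-in-the-loop gate with quarantine for audit-log deletion.
HIGH_IMPACT = {"system_reset", "network_egress", "delete_critical_record"}
QUARANTINE: list[dict] = []  # held requests awaiting human review

def execute(action: str, target: str, approved_by: str | None = None):
    if action == "delete_log":
        # Never act on log/audit deletion automatically; park it for review.
        QUARANTINE.append({"action": action, "target": target})
        return "quarantined pending human review"
    if action in HIGH_IMPACT and approved_by is None:
        raise PermissionError(f"'{action}' requires explicit human approval")
    # ... perform the approved or low-impact action here ...
    return f"executed {action} on {target}"

print(execute("delete_log", "audit-2025.log"))                  # quarantined
print(execute("system_reset", "db-01", approved_by="on-call"))  # approved, runs
```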
For enterprises, the guidance changes the deployment test for agentic AI. Products that arrive with broad default permissions, unclear third-party components or limited auditability are likely to face tougher review from security, legal and procurement teams.
The document concludes that until standards and evaluation methods mature, organizations should assume agentic AI systems may behave unexpectedly and prioritize resilience, reversibility and risk containment over efficiency gains.