What happened
The US Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Australian Signals Directorate (ASD), the Canadian Centre for Cyber Security, New Zealand's National Cyber Security Centre, and the UK's National Cyber Security Centre (NCSC), published a joint advisory outlining design, development, and deployment guidelines for agentic AI systems. The advisory mandates strict adherence to least-privilege principles, continuous monitoring and auditing, human-in-the-loop controls for non-sensitive tasks, secure development practices per DevSecOps fundamentals, and regular incident response testing.
Why it matters
This is the first coordinated, multi-nation guidance specifically targeting agentic AI security. The advisory explicitly addresses prompt injection, tool misuse, privilege creep, identity spoofing, and agent impersonation—attack vectors that traditional application security models were not designed to handle. CISA's emphasis on least privilege for agents (not just users) and continuous auditing reflects growing recognition that AI agents operate at machine speed across distributed systems, making them difficult to secure with static trust boundaries. Organizations that deploy agents without implementing these controls risk giving attackers a persistent, automated foothold with elevated permissions.
Action needed
CISOs should conduct an inventory of all deployed AI agents, documenting what data, tools, and systems each agent can access. Implement least-privilege policies that constrain agent permissions to the minimum necessary for each task. Establish continuous monitoring to flag deceptive agent behavior, unusual API calls, or scope creep. For agents with tool-use capabilities (e.g., MCP servers, LangChain tools), enforce human approval for actions that modify infrastructure, access sensitive data, or execute code. Review and test incident response plans specifically for agentic AI compromise scenarios.
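As an added illustration of the controls above (not code from the advisory or any vendor), the following Python sketch gates an agent's tool calls against a per-agent allowlist, holds infrastructure-modifying, sensitive-data and code-execution tools for human approval, and writes every decision to an audit trail that a monitor can scan for scope creep. The tool names, risk classes and the `approver` callback are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum

class Risk(Enum):
    READ = "read"
    MODIFY_INFRA = "modify_infra"
    SENSITIVE_DATA = "sensitive_data"
    EXECUTE_CODE = "execute_code"

# Constructed tool catalogue for illustration: tool name -> risk class.
TOOL_RISK = {
    "search_docs": Risk.READ,
    "read_ticket": Risk.READ,
    "run_shell": Risk.EXECUTE_CODE,
    "terraform_apply": Risk.MODIFY_INFRA,
    "query_hr_db": Risk.SENSITIVE_DATA,
}
# Risk classes that always require a human in the loop.
APPROVAL_REQUIRED = {Risk.MODIFY_INFRA, Risk.SENSITIVE_DATA, Risk.EXECUTE_CODE}

@dataclass
class AgentPolicy:
    agent_id: str
    allowed_tools: frozenset          # least-privilege allowlist for this agent
    audit: list = field(default_factory=list)

def gate_tool_call(policy, tool, approver=None):
    """Decide on one tool call; returns (decision, reason) and records it."""
    if tool not in TOOL_RISK:
        decision = ("deny", "unknown tool")
    elif tool not in policy.allowed_tools:
        decision = ("deny", "outside agent scope")   # scope-creep signal
    elif TOOL_RISK[tool] in APPROVAL_REQUIRED:
        if approver is None:                          # no human available: hold
            decision = ("hold", "human approval required")
        elif approver(policy.agent_id, tool):         # hypothetical callback
            decision = ("allow", "approved by human")
        else:
            decision = ("deny", "rejected by human")
    else:
        decision = ("allow", "within scope, low risk")
    policy.audit.append({"agent": policy.agent_id, "tool": tool,
                         "decision": decision[0], "reason": decision[1]})
    return decision

def scope_creep_alert(policy, threshold=2):
    """Monitoring hook: True once an agent repeatedly reaches outside its scope."""
    out_of_scope = [r for r in policy.audit if r["reason"] == "outside agent scope"]
    return len(out_of_scope) >= threshold
```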