CERT-FR CERTFR-2026-ACT-016 — agentic AI three-risk-class advisory; defender obligations explicit

CERT-FR's advisory (dated 13 April 2026, surfaced in this week's daily on 2026-05-08) names three operational risk classes for organisations deploying agentic AI orchestration platforms (Claude Agents, Microsoft Copilot Studio, AutoGen, MCP-server architectures): prompt injection via processed documents or websites (attacker embeds instructions in content the agent processes, redirecting its actions); MCP server supply-chain compromise (a malicious or compromised Model Context Protocol server can issue instructions to all connected agents); and insufficient sandboxing of agent execution environments. CERT-FR recommendations: input/output guardrails, strict allowlisting of permitted tool calls, human-in-the-loop gates for high-impact actions, and treating all AI agent outputs as untrusted until validated (CERT-FR — CERTFR-2026-ACT-016, 2026-05-08 · daily 2026-05-08). Why this is obligations-changing rather than routine advisory: for French public-sector entities deploying agentic AI, CERT-FR advisories establish the baseline a defendable-control posture is measured against. The Microsoft Semantic Kernel CVE-2026-26030 / CVE-2026-25592 pair (§ 3 deep dive) is the worked-example of CERT-FR's first and third risk classes manifesting as concrete vendor CVEs — defenders deploying any agentic-AI framework should treat the CERT-FR advisory as defining the question-set, not the answer-set.