Five Eyes + CISA/NSA joint guidance on agentic AI security — five risk categories for autonomous AI in enterprise and critical infrastructure
From CTI Weekly Summary — 2026-W21 (Mon 18 – Sun 24, 2026) · published 2026-05-18
Published 2026-05-01, "Careful Adoption of Agentic AI Services" (CISA, NSA, ASD ACSC, CCCS, NCSC-NZ, NCSC-UK) is the first coordinated international guidance specifically addressing agentic AI deployment risks. Five risk categories:
- Privilege risks — agents operating with excessive permissions enabling lateral movement when compromised (mitigated by least-privilege tool-permission scoping).
- Design and configuration risks — prompt injection and goal-misspecification allowing unexpected autonomous actions (mitigated by input validation and bounded goal-spaces).
- Behavioral risks — hallucination or adversarial manipulation leading to harmful autonomous decisions (mitigated by human-in-the-loop gates for irreversible or high-impact actions).
- Structural risks — agent-to-agent trust escalation in multi-agent orchestration where one compromised agent impersonates a higher-privileged agent (mitigated by agent-identity isolation and mutual authentication between orchestrators).
- Accountability risks — audit trail gaps when automated reasoning is opaque (mitigated by mandatory logging of all agent reasoning traces and tool invocations to an append-only audit log).
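The privilege, behavioral and accountability mitigations listed above can be combined in one tool-call gate. The sketch below is an added example, not code from the joint guidance or from this brief. The agent names, tool names, `ALLOWED_TOOLS`, `IRREVERSIBLE`, `AuditLog`, `invoke` and `verify_chain` are all hypothetical, and the agent identity passed in is assumed to be already authenticated.

```python
import hashlib
import json

# Hypothetical policy: per-agent tool allowlist (least privilege) and the
# tools treated as irreversible, which need a named human approver.
ALLOWED_TOOLS = {"triage-agent": {"read_ticket", "close_ticket"},
                 "billing-agent": {"read_invoice", "issue_refund"}}
IRREVERSIBLE = {"close_ticket", "issue_refund"}
GENESIS = "0" * 64

def _digest(prev, entry):
    body = json.dumps(entry, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()

class AuditLog:
    """Append-only, hash-chained log: each record commits to the one before it."""
    def __init__(self):
        self._records = []

    def append(self, entry):
        prev = self._records[-1]["hash"] if self._records else GENESIS
        self._records.append({"prev": prev, "entry": entry,
                              "hash": _digest(prev, entry)})

    def records(self):
        return json.loads(json.dumps(self._records))  # deep copy for readers

def verify_chain(records):
    """False if any record was altered, reordered or dropped mid-chain.
    Detecting truncation of the tail needs the latest hash stored elsewhere."""
    prev = GENESIS
    for rec in records:
        if rec["prev"] != prev or _digest(prev, rec["entry"]) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True

def invoke(log, agent, tool, reasoning, approved_by=None):
    """Decide one tool call; log the decision with the agent's stated reasoning."""
    if tool not in ALLOWED_TOOLS.get(agent, set()):
        decision = "deny:not_in_scope"
    elif tool in IRREVERSIBLE and approved_by is None:
        decision = "hold:needs_human_approval"
    else:
        decision = "allow"
    log.append({"agent": agent, "tool": tool, "reasoning": reasoning,
                "approved_by": approved_by, "decision": decision})
    return decision
```

Denied and held calls are logged as well as allowed ones, so the trail shows what an agent attempted, not only what it did.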
Notable absence: BSI, ANSSI, and NCSC-CH are not co-authors. DORA-regulated entities should assess how these five risk categories interact with ICT risk management obligations for novel technology; ENISA agentic AI guidance is anticipated but not yet published. Swiss federal entities operating AI-agent-driven procurement or case-management systems face a guidance gap until a CH-specific equivalent emerges.