Five nations release framework for deploying autonomous AI safely in government
Cybersecurity agencies from the United States, Australia, Canada, New Zealand and the United Kingdom published joint guidance Friday on how to deploy autonomous artificial intelligence systems without creating new security vulnerabilities. The document warns that agentic AI is already operating in critical infrastructure and defense sectors with insufficient safeguards in place.
Agentic AI refers to software built on large language models that can plan, decide and act without human intervention at each step. These systems connect to external tools, databases and workflows to execute multi-step tasks autonomously.
The guidance was co-authored by the U.S. Cybersecurity and Infrastructure Security Agency, the National Security Agency, Australia's Signals Directorate, Canada's Centre for Cyber Security, New Zealand's National Cyber Security Centre and the UK's National Cyber Security Centre.
Apply existing security principles
The agencies argue that agentic AI does not require an entirely new security discipline. Organizations should integrate these systems into existing cybersecurity frameworks using established principles: zero trust, defense-in-depth and least-privilege access.
The guidance identifies five categories of risk. Privilege risk occurs when agents receive excessive access, allowing a single compromise to cause widespread damage. Design and configuration flaws create security gaps before deployment begins.
Behavioral risks arise when agents pursue goals in ways designers never intended. Structural risks emerge when interconnected agent networks trigger cascading failures across systems. Accountability gaps occur because agent decision-making processes are difficult to inspect and logs are hard to parse.
When these systems fail, the consequences are concrete: altered files, changed access controls and deleted audit trails.
Identity and human oversight matter
The guidance emphasizes identity management as a core control. Each agent should carry a verified, cryptographically secured identity and use short-lived credentials. All communications between agents and services must be encrypted.
For high-impact actions, a human must approve the system's decision. The agencies stress that system designers-not the agents themselves-must decide which actions require human sign-off.
Prompt injection remains a persistent threat. This attack method embeds malicious instructions inside data to hijack an agent's behavior. The guidance flags this as a lingering problem with AI for government systems that may never be fully solved.
Security field still catching up
The agencies acknowledge that security practices have not fully matured around agentic AI. Some risks unique to these systems fall outside existing frameworks, and the guidance calls for additional research and collaboration as the technology takes on more operational roles.
The document states: "Until security practices, evaluation methods and standards mature, organisations should assume that agentic AI systems may behave unexpectedly and plan deployments accordingly, prioritising resilience, reversibility and risk containment over efficiency gains."
Your membership also unlocks:
