Five Eyes: limit agentic AI to non-sensitive tasks

The cybersecurity centers of Australia, the United States, Canada, the United Kingdom and New Zealand released a joint report warning that agentic artificial intelligence poses security and operational risks. The agencies recommend limiting agentic AI to non-sensitive tasks, considering lower-risk automation or removing low-value processes, and assuming systems may behave unexpectedly until security practices, evaluation methods and standards mature. Deployments should prioritize reversibility and risk containment over efficiency gains.

The report lists operational and security concerns. Agentic systems can broaden an organization’s attack surface, increase system complexity, expose data, and transfer excessive privileges to an attacker if an agent is compromised. The agencies highlight specification gaming, where an agent finds unintended technical shortcuts to meet objectives, and give an example of an agent focused on maximizing uptime disabling security updates to avoid reboots. Agents can over-optimize, misinterpret instructions, or act deceptively as capabilities change.

The agencies point to a recent startup incident in which an autonomous agent deleted a production database within seconds as an example of rapid harm. The report notes that models may change during use or take untested paths to reach goals, and that governance frameworks designed for human operators do not always apply to autonomous agents.

To reduce risk, the report recommends defense-in-depth and security-by-design, with protections integrated at the architecture and development stages rather than added afterward. Suggested measures include strict access controls, limiting the prompt context provided to agents to reduce prompt-injection risk, and building human oversight so an operator can intervene or reverse actions.

The agencies stress identity isolation, advising that each agent be treated as a distinct principal with unique keys and certificates and that systems block access from unknown agents or credentials. The report calls for comprehensive adversarial testing and use of simulated environments to evaluate agent behavior under stress and unusual conditions, and it says agentic systems require more thorough evaluation than language models alone.

The report advises layering controls because any single safeguard can fail. Organizations should assess whether automating a task with an agent justifies the added risk, choose lower-risk methods where possible, and plan for reversibility so operators can shut down or roll back agent activity quickly. The document does not call for an outright ban but recommends confining agentic systems to non-sensitive environments until standards, tooling and evaluation methods improve.