[Figure: attack graph, lateral propagation. Nodes: Adversary, Rogue agent, Cascade agent, Sibling agent, Critical system. Legend: infected, target, clean.]
// Policy Desk · 01 May 2026 · Source: cyber.gov.au
// News Desk · 01 May 2026 · policy · identity · commentary

Five Eyes agentic AI guidance lands. The asks are more cautious than the market wants.

ASD, CISA, NSA, NCSC-UK, NCSC-NZ and Canada's Cyber Centre co-sealed joint guidance on agentic AI. The headline ask is more cautious than what the vendors are selling.

The Australian Signals Directorate’s Australian Cyber Security Centre published a joint guidance document on 1 May titled “Careful adoption of agentic AI services”. CISA, NSA, NCSC-UK, NCSC-NZ and the Canadian Centre for Cyber Security all co-sealed it. It is the first piece of cross-jurisdictional government guidance authored specifically about agentic AI — autonomous software that holds credentials, takes actions, and chains tools — rather than general AI risk.

The headline ask is unusually cautious for a Five Eyes document. “Organisations should only use agentic AI for low-risk and non-sensitive tasks.” Don’t grant agents “broad or unrestricted access, especially to sensitive data or critical systems”. Assume that agentic systems “may behave unexpectedly” until practices, evaluation methods and standards mature, and “prioritise resilience, reversibility and risk containment over efficiency gains”.

That position is a long way from what the platform vendors have been selling. The same week the guidance landed, Cisco announced its $400m acquisition of Astrix Security, pitched explicitly at agentic-AI-driven enterprise scale. Two months earlier Anthropic launched Claude Security, pitched as the AI-native defender’s answer to AI-compressed offensive timelines. The market message is: agentic AI is here, scale it, here are the controls. The Five Eyes message is: don’t let agents near anything important until the controls are evidenced. Both can be true. They are not the same message.

What the document actually contains

The guidance is structured around a four-phase lifecycle — design, develop, deploy, operate — with explicit audiences (developers for the first two phases, vendors and operators for the latter two). It runs roughly 6,000–7,000 words across the body and a substantial reference list, plus a 1.28 MB PDF.

Five risk categories are named. Privilege risks cover privilege compromise, scope creep, identity spoofing, agent impersonation, and the “‘confused deputy’ pattern” where a low-privileged user manipulates a high-privileged agent. Design and configuration risks cover unvetted third-party components, “stale ‘allow’ decisions” and incomplete allow-lists. Behaviour risks cover goal misalignment (“specification gaming”), deceptive behaviour (“strategic deception”), emergent capabilities, and malicious exploitation including prompt injection, jailbreaks, data poisoning, and what the document calls agent-as-insider-threat. Structural risks cover orchestration and resource exhaustion (“sponge attacks”), two-way tool integration, “tool or agent squatting”, data aggregation, and “rogue agents” — a single compromised agent triggering cascading multi-agent failure. Accountability risks cover opaque actions, hallucination, and visibility gaps where “tools may operate outside of the system’s monitoring boundary”.

The threat taxonomy is the part most worth lifting verbatim. Rogue agents, sponge attacks, tool squatting and the confused deputy pattern are all named with definitions in plain prose. They are usable in a board paper as-is.

Identity is the centre of gravity

The identity recommendations are the strongest section, and the reason this guidance pairs neatly with the Cisco-Astrix deal. The guidance recommends treating each agent as “a distinct principal, a cryptographically anchored identity with its own unique keys or certificates”. Mutual TLS for all inter-agent and agent-to-service calls. A trusted registry of agents. Deny-by-default for unknown identities. Just-in-time, ephemeral credentials replacing static long-lived secrets. Cryptographic signing of commands. Cryptographic attestation that agents run “expected and unmodified code”. Centralised policy decision points evaluated per request at runtime — Zero Trust framing without naming the vendor category. Separation of duties roles (“Orchestrator”, “Reader”, “Actuator”) with delegation expiry. Multi-agent consensus for moderate-stakes actions. Human-in-the-loop plus consensus for high-stakes ones. Quarantine of any request to delete logs or audit records until human-approved. Agents prohibited from modifying their own privileges or initiating unapproved delegation.

The document does not use the phrase “non-human identity”. The substance is exactly the same thesis the platform vendors are buying into, expressed in cryptographic-identity language rather than IAM-product language.
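The identity controls listed above, in working form. This is an added example written for this article, not code from the guidance, from ASD or from any vendor: a trusted registry of agent principals, signed commands checked per request by a deny-by-default policy decision point, an attestation check against the expected code hash, expiring credentials, Orchestrator-only delegation with an expiry, quarantine of any log-deletion request, and a block on agents editing their own privileges. The role-to-action table, the command fields, the resource prefixes and the TTLs are assumptions, and HMAC-SHA256 with a per-agent secret stands in for the per-agent asymmetric keys and mTLS certificates the guidance actually asks for.

```python
"""Per-request policy decision point for agent commands. Added example, not code from
the Five Eyes guidance; roles, action names, command fields and TTLs are assumptions."""
import hashlib
import hmac
import json
import time
from collections import namedtuple

# Assumed separation-of-duties table: role -> actions it may take unaided.
ROLE_ACTIONS = {
    "Orchestrator": {"delegate"},
    "Reader": {"read"},
    "Actuator": {"write", "execute", "delete"},
}
CREDENTIAL_TTL = 300  # seconds a signed command stays valid (assumed value)

# key: per-agent secret, a stand-in for a private key / mTLS cert;
# attested_hash: hash of the code this agent is expected to be running.
AgentRecord = namedtuple("AgentRecord", "agent_id role key attested_hash")
Delegation = namedtuple("Delegation", "issuer delegate actions expires_at")


def sign_command(key: bytes, cmd: dict) -> str:
    body = json.dumps(cmd, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class PolicyDecisionPoint:
    """Evaluates every request at runtime; no cached 'allow' decisions."""

    def __init__(self, registry: dict, now=time.time):
        self.registry = registry  # trusted registry: agent_id -> AgentRecord
        self.now = now
        self.delegations = []
        self.quarantine = []      # requests held for human approval
        self.audit = []           # (agent, action, resource, verdict, reason)

    def _record(self, cmd, verdict, reason):
        self.audit.append((cmd.get("agent"), cmd.get("action"), cmd.get("resource"), verdict, reason))
        return verdict

    def _delegated(self, agent_id, action):
        t = self.now()
        return any(d.delegate == agent_id and action in d.actions and d.expires_at > t
                   for d in self.delegations)

    def decide(self, cmd: dict, signature: str, running_hash: str) -> str:
        rec = self.registry.get(cmd.get("agent"))
        if rec is None:                                  # deny-by-default
            return self._record(cmd, "deny", "unknown identity")
        if not hmac.compare_digest(sign_command(rec.key, cmd), signature):
            return self._record(cmd, "deny", "bad signature")
        if running_hash != rec.attested_hash:            # only attested code may act
            return self._record(cmd, "deny", "attestation mismatch")
        if cmd["issued_at"] + CREDENTIAL_TTL < self.now():
            return self._record(cmd, "deny", "expired credential")
        action, resource = cmd["action"], cmd.get("resource", "")
        if resource.startswith("iam/"):                  # no self-privilege edits
            return self._record(cmd, "deny", "agents may not modify privileges")
        if action == "delete" and resource.startswith("logs/"):
            self.quarantine.append(cmd)                  # a human must approve
            return self._record(cmd, "quarantine", "log deletion held")
        if action == "delegate":
            if "delegate" not in ROLE_ACTIONS[rec.role]:
                return self._record(cmd, "deny", "only Orchestrator may delegate")
            self.delegations.append(Delegation(rec.agent_id, cmd["to"], frozenset(cmd["grant"]),
                                               self.now() + cmd["ttl"]))
            return self._record(cmd, "allow", "delegation recorded")
        if action in ROLE_ACTIONS[rec.role] or self._delegated(rec.agent_id, action):
            return self._record(cmd, "allow", "within role or live delegation")
        return self._record(cmd, "deny", "outside role, no live delegation")


def demo():
    """Constructed registry and a fake clock; returns (verdicts, pdp)."""
    clock = [1000.0]
    registry = {a: AgentRecord(a, r, k, h) for a, r, k, h in [
        ("orch-1", "Orchestrator", b"k-orch", "sha256:orch"),
        ("reader-1", "Reader", b"k-reader", "sha256:reader"),
        ("act-1", "Actuator", b"k-act", "sha256:act")]}
    pdp = PolicyDecisionPoint(registry, now=lambda: clock[0])

    def send(agent, key=None, code=None, **fields):
        rec = registry.get(agent)
        cmd = {"agent": agent, "issued_at": clock[0], **fields}
        return pdp.decide(cmd, sign_command(key or rec.key, cmd), code or rec.attested_hash)

    v = [send("reader-1", action="read", resource="db/customers"),                      # allow
         send("reader-1", action="write", resource="db/customers"),                     # deny: outside role
         send("ghost-9", key=b"?", code="?", action="read", resource="db/customers"),   # deny: not registered
         send("act-1", key=b"forged", action="execute", resource="jobs/x"),             # deny: impersonation
         send("act-1", code="sha256:tampered", action="execute", resource="jobs/x"),    # deny: attestation
         send("reader-1", action="delegate", to="reader-1", grant=["write"], ttl=60),   # deny: self-delegation
         send("orch-1", action="delegate", to="reader-1", grant=["write"], ttl=60),     # allow
         send("reader-1", action="write", resource="db/customers")]                     # allow: delegated
    clock[0] += 120                                                                     # delegation lapses
    v += [send("reader-1", action="write", resource="db/customers"),                    # deny: expired
          send("act-1", action="delete", resource="logs/audit/2026-05-01"),            # quarantine
          send("act-1", action="write", resource="iam/act-1/role"),                    # deny: privilege edit
          send("act-1", action="execute", resource="jobs/x", issued_at=clock[0] - 3600)]  # deny: stale
    return v, pdp


if __name__ == "__main__":
    for row in demo()[1].audit:
        print(*row)
```

Running the file prints the audit trail for twelve constructed requests; the fake clock is what lets the delegation-expiry and stale-credential paths run without waiting. The point of the structure is that every verdict comes from one function evaluated at request time, so there is no "stale allow" to go wrong, and the only path that does not end in allow or deny is the log-deletion quarantine, which parks the request for a human.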

Segmentation gets a paragraph it does not always get

For the segmentation crowd, the guidance is unusually direct. Isolate agents into enclaves with no write access to logs. Separate high-risk agents into distinct domains. Sandbox both training simulations and production. Phased “graduated autonomy” deployment with continuous evaluation and rollback. Fail-safe defaults and explicit “blast radius” containment. Versioning and rollback for every agent. Multiple independent monitoring systems that cross-validate. Goal-drift monitoring against approved baselines. The lineage to existing operational-resilience expectations — DORA, the FCA’s regime, the NCSC-UK Cyber Assessment Framework — is unsubtle.

Why the gap between the guidance and the market matters

The guidance and the vendor narrative are not contradictory. They are operating on different time horizons. The Five Eyes are saying: today, agentic AI does not yet have the cryptographic-identity, audit and isolation controls in place to be safely entrusted with sensitive workloads, so don’t entrust it with them. The platform vendors are saying: we are building those controls now, and you should buy our version. Both statements may be defensible. The CISO’s job is to read the gap honestly.

Three practical things to take from the guidance, in order of cost.

Adopt the threat taxonomy. Rogue agents, confused deputy, sponge attacks, tool squatting, agent impersonation. They are precise enough to brief to a board, and they survive the next hype cycle whether or not any individual product does. They cost nothing to adopt.

Apply the cautious posture as an internal default. If you are running agentic AI in production today against any non-trivial process, the guidance asks you to evidence why. Make the evidence portable: inventory the agents, document their credentials and scope, document their human checkpoints, document the rollback path. The cost is one quarter of structured work.

Take the cryptographic-identity recommendations seriously, irrespective of vendor choice. Each agent as its own principal, mutual TLS, ephemeral credentials, deny-by-default, log-deletion quarantine. The Cisco-Astrix and equivalent deals over the next 18 months will package some of this. The guidance is the standard against which any of those products should be evaluated.

The wider posture point. The Five Eyes have moved from “AI is risky in general” guidance to “agentic AI specifically, here is the threat taxonomy, here are the controls” inside about 12 months. The cadence is quickening. The controls are getting specific. Anyone treating agentic AI as a 2027 problem is now formally behind their regulators, not just behind the market.
