Earlier this month, the Cybersecurity & Infrastructure Security Agency (CISA), in collaboration with the National Security Agency and other international partners, released guidance for organizations on adopting agentic artificial intelligence systems (i.e., systems composed of one or more agents that fundamentally rely on an AI model, such as an LLM, to interpret and reason about the state of the world and can autonomously make decisions and take actions). The guidance highlights the primary security risks and challenges linked to agentic AI and offers practical guidance for safely designing, implementing, and managing these systems.
Agentic AI Security Risks
The guidance identifies five primary categories of security risk associated with agentic AI deployments. Collectively, these risks highlight the potential for the adoption of agentic AI systems to give rise to a variety of security-related risks, including service disruption, data exposure, and loss of auditability.
- Privilege risks: Overly broad access permissions can allow a compromised agent to cause significant harm across systems. Specifically, because agentic systems often aggregate permissions across multiple tools and environments, a single point of compromise can provide malicious actors with wide-ranging access.
- Design and configuration risks: Risks can also arise from poor system design and configuration choices, such as integrating third-party components with excessive permissions or relying on static access controls that do not account for dynamic workflows. These weaknesses can enable attackers to exploit stale permissions, move laterally across environments, and gain broader access.
- Behavioral risks: Agents may act unpredictably, pursue goals in unintended ways, or be subject to manipulation by malicious actors through techniques such as prompt injection or data poisoning.
- Structural risks: Interconnected systems and multi-step workflows can lead to cascading failures or expanded attack surfaces. This interconnectedness can also obscure where failures originate, making remediation more difficult, and increase systemic risk, particularly in environments where agents operate across business-critical functions or shared infrastructure.
- Accountability risks: The complexity and opacity of agentic systems can make it difficult to trace decisions, audit actions, or assign responsibility, particularly when actions occur autonomously and at scale.
Best Practices for Securing Agentic AI Systems
To mitigate these risks, the guidance outlines a number of practical steps across the AI system lifecycle. The guidance recommends that operators reference these best practices when designing, implementing, and managing AI agents.
- Designing Secure Agents:AI developers should ensure a clear instruction hierarchy so that agent behavior aligns with the intended outcomes. AI developers should also embed strong identity management mechanisms into agents, include mechanisms to facilitate human oversight, and implement overlapping layers of security controls to help avoid a single point of failure.
- Developing Secure Agents: During development, organizations should implement comprehensive testing strategies (e.g., adversarial testing and red teaming) and conduct appropriately thorough evaluations of agents (e.g., using threat models, testing in varied contextual conditions, and testing across different autonomy levels). Developers should also build in fail-safe defaults that limit the blast radius of unexpected behaviors and produce comprehensive artefacts to document agent actions for improved accountability.
- Deploying Secure Agents:Initial deployments should progressively increase levels of access and autonomy to limit early exposure. Organizations should enforce strong guardrails (e.g., deny lists, “do-not-do” rules, and non-overridable safety constraints) while maintaining least-privilege access, system isolation, and robust authentication controls.
- Operating and Monitoring Agents:Ongoing monitoring is essential to detect anomalous behavior, unauthorized actions, or emerging risks. Organizations should maintain detailed logs of agent decisions and actions to support auditing and accountability.
As organizations increasingly adopt agentic AI, this guidance underscores the importance of embedding security, governance, and oversight from the outset.